RE: intermittent and unreliable behaviour with iptables scripts


Thanks to everyone that has responded to my numerous submissions.
I think that I finally have my issues resolved which seem to have been related to
ARP requests being answered by an improper interface due to my switch set up and the kernel.

In searching for kernel-related ARP articles per Julian, using Google, I found the following suggestion.
        echo 1 > /proc/sys/net/ipv4/conf/all/hidden
However, this file did not exist on my RedHat 8 box, but I did find /proc/sys/net/ipv4/conf/arp_filter.
After doing some quick reading I found that echoing a value of 1 to this file will cause your computer to respond to ARP requests only with the interface that they were received on. This has fixed my problem until I can re-cable my set up.

Thanks,
Doug Watson
Director of Information Systems
1stBooks Library
http://www.1stbooks.com
dwatson@1stbooks.com
 

-----Original Message-----
From: Julian Gomez [mailto:kluivert@tm.net.my]
Sent: Sunday, December 08, 2002 2:38 AM
To: Doug Watson
Subject: RE: intermittent and unreliable behaviour with iptables scripts


On Fri, 6 Dec 2002, Doug Watson wrote:

(snip)

> At some point my workstation made an arp request to find out what mac
> address was associated with the ip address on the internal interface
> of the firewall, which is my workstations default gateway. The
> firewall may have chosen to respond with its external interface
> which is plugged

Yup.

(snip)

> on the wrong interface at the firewall such as http requests to the
> internet that should first arrive at the firewall's internal
> interface and then be routed out to the web. Please let me know if I
> have failed to understand this.

Correct. I suggest you separate both the switches if possible though
(physically). Usually for my uplink ports to the ISPs I just throw in an
el-cheapo 10mbit hub.
 
> As for your search suggestion I did find some suggestions to basically
> hide an interface to prevent it from responding to arp requests. Here
> is one example that I found, note I have not tried this yet but may
> very soon.  I don't know what other consequences this may have though.
>
> # Allow hiding interfaces
> echo 1 > /proc/sys/net/ipv4/conf/all/hidden

I've never used the hidden options, but the above proc entries are the
ones to modify however -- you're right. It's not available in the default
pristine kernel, you'll need to patch it.

> Again, thank you very much for your help. If I understand this like I
> think I do I guess I understand why my problem is occurring. I just
> don't understand why the kernel would respond to an arp request on any
> interface other than the one that I came in on.

If I remember correctly, it's partly to help load balancing. It's a specific
Linux kernel behaviour though, I don't think it happens on BSD variants
for example.

HTH.
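Editor's note: the behaviour the thread describes (a Linux host with two interfaces in one broadcast domain answering an ARP request for the internal gateway address from the external interface, and arp_filter=1 stopping that) is modelled below. This is an added example, not code from the thread or from the kernel; it is a small Python model of the decision the kernel makes, written to show what arp_filter does and does not key on. The sysctl is /proc/sys/net/ipv4/conf/all/arp_filter (or conf/<dev>/arp_filter per interface); the arp_ignore knob modelled alongside it is a later kernel addition and was not available on the RedHat 8 box in the thread. The topology (eth0 external 203.0.113.2/24, eth1 internal 192.168.1.1/24, workstation 192.168.1.50) and the MAC addresses are constructed for the example.

```python
import ipaddress

# Constructed topology modelled on the thread: both interfaces of the firewall end up in
# the same broadcast domain because the two switches are uplinked to each other.
INTERFACES = {
    "eth0": {"addr": "203.0.113.2/24", "mac": "00:00:5e:00:53:01"},   # external side
    "eth1": {"addr": "192.168.1.1/24", "mac": "00:00:5e:00:53:02"},   # internal side (default gateway)
}


def local_addresses():
    """Map every locally configured IP to the interface that carries it."""
    return {str(ipaddress.ip_interface(i["addr"]).ip): name for name, i in INTERFACES.items()}


def route_lookup(dst):
    """Longest-prefix match over the connected routes; None when no connected route matches.
    A default route is deliberately left out: the model only cares which interface the
    kernel would pick to send a packet *back* to the ARP sender."""
    best = None
    for name, i in INTERFACES.items():
        net = ipaddress.ip_interface(i["addr"]).network
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None


def arp_reply(in_dev, sender_ip, target_ip, arp_filter=0, arp_ignore=0):
    """Return the MAC the host answers with from `in_dev`, or None if it stays silent.

    arp_filter=0 (the default): any interface answers for any local address, each with its
      own MAC; this is the "ARP flux" that gave Doug the external interface's MAC.
    arp_filter=1: answer only if the route back to the *sender* leaves via in_dev.
    arp_ignore=1: answer only if the *target* address is configured on in_dev.
    """
    local = local_addresses()
    if target_ip not in local:
        return None                                  # not our address: never answer
    if arp_ignore >= 1 and local[target_ip] != in_dev:
        return None                                  # target not on the receiving interface
    if arp_filter and route_lookup(sender_ip) != in_dev:
        return None                                  # route to the sender does not use in_dev
    return INTERFACES[in_dev]["mac"]


def answering_interfaces(sender_ip, target_ip, **sysctls):
    """Interfaces that would answer one broadcast request seen on every interface
    (what happens when all interfaces share a switch)."""
    return sorted(dev for dev in INTERFACES if arp_reply(dev, sender_ip, target_ip, **sysctls))


if __name__ == "__main__":
    # Workstation 192.168.1.50 asks who-has 192.168.1.1 (its default gateway).
    for label, knobs in (("default", {}), ("arp_filter=1", {"arp_filter": 1}),
                         ("arp_ignore=1", {"arp_ignore": 1})):
        print(f"{label:13s} who-has 192.168.1.1 -> {answering_interfaces('192.168.1.50', '192.168.1.1', **knobs)}")
    # The two knobs differ when the internal workstation asks for the *external* address.
    print("arp_filter=1  who-has 203.0.113.2 ->",
          answering_interfaces("192.168.1.50", "203.0.113.2", arp_filter=1))
    print("arp_ignore=1  who-has 203.0.113.2 ->",
          answering_interfaces("192.168.1.50", "203.0.113.2", arp_ignore=1))
```

With the defaults both eth0 and eth1 answer the request for 192.168.1.1, and whichever reply the workstation processes last wins its ARP cache, which is the intermittent behaviour Doug saw. With arp_filter=1 only eth1 answers, because the route back to 192.168.1.50 leaves via eth1. The last two cases show the caveat: arp_filter decides by the route to the sender, not by which interface owns the target address, so an internal host asking for the external address still gets an answer from eth1; arp_ignore=1 is the knob that ties the answer to the interface holding the target. Neither replaces Julian's advice to put the two segments on physically separate switches, since a host that can see both interfaces' frames can still talk to the external address directly.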

