Hi Pandu,

thanks for your reply.

As far as I can see, proxy_arp is not enabled on any interfaces:

host conf # pwd
/proc/sys/net/ipv4/conf
host conf # for f in $(find | grep -i proxy_arp | grep -v pvlan ); do echo $f && cat $f ;done
./all/proxy_arp
0
./default/proxy_arp
0
./lo/proxy_arp
0
./sit0/proxy_arp
0
./lan/proxy_arp
0
./dmz/proxy_arp
0
./isp/proxy_arp
0
./dsl/proxy_arp
0
./wlan/proxy_arp
0
./mgm/proxy_arp
0
./br0/proxy_arp
0
./ppp0/proxy_arp
0
./tun1/proxy_arp
0
./tun0/proxy_arp
0

Regards,
Ralf

From: Pandu Poluan [mailto:pa...@poluan.info]
Sent: Wednesday, 4 January 2012 18:29
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] ARP-Caching of non-link-local adresses


On Jan 4, 2012 11:20 PM, "Peter Pan" <os...@gmx.net> wrote:
>
> Hi list,
>
> I'm kind of in despair.
>
> The history: We recently brought up a new firewall with Gentoo.
>
> There are (as far as I can tell) some big nets behind this firewall (1x public /24,
> 2x public /27, 1x public /26, at least 2 private /24).
>
> Filtering is done via iptables, and snort should act as an IPS on the
> software bridge br0. If it helps: ip rule is also involved, for
> source-based routing.
>
> The new firewall replaces an older Gentoo system which did not show this
> behavior. We therefore copied several config files from the old one to the new one.
>
> After going live, it runs well for a few hours and then becomes
> unreachable (also for hosts behind the bridge).
>
> Dmesg / kern.log showed a neighbour table overflow at that time, and indeed
> arp -n | wc -l showed a lot of entries.
>
> As Google suggested, we then adjusted /proc/sys/net/ipv4/neigh/default/ to:
>
> gc_thershold1 -> 8192
> gc_thershold2 -> 16384
> gc_thershold3 -> 32768
>
> Firing an "arp -d $bogus-ip-address" fails with "SIOCDARP(dontpub):
> Network is unreachable"; adding -i br0 doesn't fail, but does not remove the
> line from the arp table (it only says "incomplete" after grepping arp -n again).
>
> Therefore we are currently killing the arp cache with "ip link set arp off
> dev br0 && ip link set arp on dev br0" from a cronjob.
>
> The combination of these workarounds is keeping the firewall reachable and
> "alive".
>
> After stabilizing, we looked at the output of arp -n and noticed that about
> 99(.999)% of the roundabout 11.000 (and rising) arp cache entries contained
> public addresses for which the firewall's bridge should not feel
> responsible (e.g. the public Google DNS resolver and lots more).
>
> The MAC entry for these public addresses is always that of our router,
> which is for sure the correct next hop.
>
> But from my understanding, it should only arp-cache "our" nets directly on
> the cable and not those public ones.
>
> It looks like a configuration issue, but I don't know where to start
> looking. I've already checked the default gateway, netmasks and
> broadcast addresses, and to me they look fine, so any pointer where to
> start looking is greatly appreciated.
>
> In case it helps, I attached the /etc/conf.d/net, ifconfig -a and route
> -n.
>
> If something else is needed, feel free to ask.
>
> Hope anyone can help.
>

Try turning off proxy ARP on the internal and/or external interfaces.

Rgds,
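A small diagnostic that reproduces the check the original poster did by eye (which neighbour entries belong to a directly connected subnet and which do not, and whether all the stray ones resolve to the same router MAC). This is an added example, not code from anyone in the thread or from the Gentoo project; the `ip route` / `ip neigh` text it parses is constructed sample output using documentation address ranges, and interface names such as br0, dmz and lan are assumed.

```python
"""Classify IPv4 neighbour-cache entries as on-link or off-link.

Added illustration for this thread; the sample `ip` output below is constructed,
not taken from the poster's firewall.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of `ip -4 route show` (documentation address ranges, not real hosts).
SAMPLE_ROUTES = """\
default via 198.51.100.1 dev br0
198.51.100.0/24 dev br0 proto kernel scope link src 198.51.100.2
192.0.2.0/27 dev dmz proto kernel scope link src 192.0.2.1
10.0.0.0/24 dev lan proto kernel scope link src 10.0.0.1
"""

# Constructed sample of `ip -4 neigh show`; three entries on br0 lie outside
# every directly connected subnet yet resolve to the router's MAC.
SAMPLE_NEIGH = """\
198.51.100.1 dev br0 lladdr 00:11:22:33:44:55 REACHABLE
198.51.100.20 dev br0 lladdr 00:11:22:33:44:66 STALE
203.0.113.77 dev br0 lladdr 00:11:22:33:44:55 STALE
203.0.113.78 dev br0 lladdr 00:11:22:33:44:55 DELAY
192.0.2.200 dev br0 lladdr 00:11:22:33:44:55 STALE
10.0.0.5 dev lan lladdr 00:aa:bb:cc:dd:ee REACHABLE
192.0.2.9 dev dmz FAILED
"""


def _after(fields, key):
    """Return the token following `key` in a split `ip` line, or None."""
    if key in fields:
        i = fields.index(key) + 1
        if i < len(fields):
            return fields[i]
    return None


def parse_link_routes(route_text):
    """Map interface name -> list of directly connected subnets ('scope link' routes)."""
    subnets = defaultdict(list)
    for line in route_text.splitlines():
        f = line.split()
        dev = _after(f, "dev")
        if f and dev and _after(f, "scope") == "link":
            subnets[dev].append(ipaddress.ip_network(f[0], strict=False))
    return dict(subnets)


def parse_neigh(neigh_text):
    """Yield (ip, dev, lladdr or None, state) from `ip -4 neigh show` output."""
    for line in neigh_text.splitlines():
        f = line.split()
        dev = _after(f, "dev")
        if not f or not dev:
            continue
        yield ipaddress.ip_address(f[0]), dev, _after(f, "lladdr"), f[-1]


def classify_neighbours(neigh_text, route_text):
    """Count on-link vs off-link entries per interface and return the off-link ones.

    An entry is on-link when its IP lies in a subnet directly connected on that
    interface; anything else should normally be reached via the gateway and
    never show up as its own neighbour entry.
    """
    subnets = parse_link_routes(route_text)
    counts = defaultdict(Counter)
    off_link = []
    for ip, dev, lladdr, state in parse_neigh(neigh_text):
        on_link = any(ip in net for net in subnets.get(dev, []))
        counts[dev]["on_link" if on_link else "off_link"] += 1
        if not on_link:
            off_link.append((str(ip), dev, lladdr, state))
    return {dev: dict(c) for dev, c in counts.items()}, off_link


def shared_lladdr(off_link):
    """Return the one MAC all off-link entries resolve to, or None if they differ.

    A single shared MAC (the router's) is exactly the symptom reported above.
    """
    macs = {entry[2] for entry in off_link if entry[2]}
    return macs.pop() if len(macs) == 1 else None


if __name__ == "__main__":
    counts, off_link = classify_neighbours(SAMPLE_NEIGH, SAMPLE_ROUTES)
    for dev, c in sorted(counts.items()):
        print(f"{dev}: {c}")
    for entry in off_link:
        print("off-link:", *entry)
    print("off-link entries share MAC:", shared_lladdr(off_link))
```

On a live box, feed the real output of `ip -4 route show` and `ip -4 neigh show` into classify_neighbours() instead of the samples; a large off-link count on one interface, all pointing at the gateway's MAC, is the pattern described in the thread and narrows the search to how that interface (here the bridge) decides what is on-link, rather than to the gc_thresh sizing, which only delays the overflow.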
