Hi,

When I put individual proxy ARP entries in /etc/shorewall/proxyarp, it seems Shorewall automatically sets /proc/sys/net/ipv4/conf/<interface>/proxy_arp to 1. Of course the proxyarp option is _not_ set in /etc/shorewall/interfaces for any interface. Following the comment in the interfaces file, I understood that /proc/sys/net/ipv4/conf/<interface>/proxy_arp should/would not be activated when using only /etc/shorewall/proxyarp with manual entries. Am I wrong?
This causes problems in one of my networks where I have a single broadcast domain with two distinct IP subnets and two distinct firewalls (during a transition phase). One of the firewalls is using a Shorewall setup in transparent proxy ARP mode, with manual entries in /etc/shorewall/proxyarp. As Shorewall sets the proxy_arp kernel option to 1, the kernel on that firewall automatically replies to ARP requests for any IP address it has a route to. And as the firewall has a default route (0.0.0.0), as a consequence it replies to ARP requests for any host, even those targeted at the second subnet, including the second firewall's internal IP. Of course manually resetting /proc/sys/net/ipv4/conf/<interface>/proxy_arp to 0 immediately solves the problem.

I tested this behavior with Shorewall 2.2.x through 3.2.5. Could this be solved in 4.x?

Kind regards,
Gaetan

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
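The behaviour described in the post follows from how the Linux kernel decides whether to answer an ARP request on someone else's behalf: the target must be reachable through a route whose output interface differs from the one the request arrived on, and then either the arrival interface has proxy_arp=1 (blanket proxying, so a default route out another interface makes the box answer for almost anything) or there is an explicit per-host proxy entry for that target on that interface (`ip neigh add proxy ADDR dev IFACE`, or the older `arp -i IFACE -Ds ADDR IFACE pub`). The following is an added example, not code from the poster or from Shorewall: a simplified model of that decision (it ignores rp_filter and the pvlan variant) run against a constructed topology that is an assumption, not the poster's actual network. It shows the sysctl flag answering for the second firewall's address while explicit entries answer only for the two proxied hosts.

```python
"""Simplified model of how the Linux kernel decides to answer an ARP request
on behalf of another host (net/ipv4/arp.c, arp_process):

  1. the target must be reachable via a route whose output interface differs
     from the interface the request arrived on, and then either
  2a. proxy_arp is enabled on the arrival interface
      (/proc/sys/net/ipv4/conf/<iface>/proxy_arp = 1), or
  2b. an explicit per-host proxy entry exists for that target and interface
      ('ip neigh add proxy ADDR dev IFACE' / 'arp -i IFACE -Ds ADDR IFACE pub').

Constructed example; the topology below is an assumption, not the poster's.
rp_filter and proxy_arp_pvlan are deliberately left out of the model.
"""
import ipaddress


class LinuxHost:
    def __init__(self, own_addrs, routes):
        self.own = {ipaddress.ip_address(a) for a in own_addrs}
        # routes: (prefix, output interface); longest prefix wins, 0.0.0.0/0 is default
        self.routes = sorted(
            ((ipaddress.ip_network(p), dev) for p, dev in routes),
            key=lambda r: r[0].prefixlen, reverse=True)
        self.proxy_arp = {}  # iface -> bool, mirrors the per-interface sysctl flag
        self.pneigh = {}     # iface -> set of addresses, mirrors 'ip neigh show proxy'

    def set_proxy_arp(self, iface, enabled):
        self.proxy_arp[iface] = enabled

    def add_proxy_entry(self, addr, iface):
        self.pneigh.setdefault(iface, set()).add(ipaddress.ip_address(addr))

    def route(self, target):
        for net, dev in self.routes:
            if target in net:
                return dev
        return None

    def answers_arp(self, in_iface, target):
        target = ipaddress.ip_address(target)
        if target in self.own:
            return True                       # ordinary reply for our own address
        out_iface = self.route(target)
        if out_iface is None or out_iface == in_iface:
            return False                      # step 1 fails: no route, or same segment
        if self.proxy_arp.get(in_iface, False):
            return True                       # step 2a: blanket proxy ARP
        return target in self.pneigh.get(in_iface, set())  # step 2b: explicit entry


def build_firewall():
    """Constructed proxy-ARP firewall: eth0 faces the upstream router (default
    route), eth1 is the shared broadcast domain carrying two IP subnets.
    203.0.113.10/.11 are the hosts it proxies for, reachable via eth1."""
    return LinuxHost(
        own_addrs=["203.0.113.2", "192.0.2.1"],
        routes=[("0.0.0.0/0", "eth0"), ("203.0.113.0/24", "eth0"),
                ("192.0.2.0/24", "eth1"),
                ("203.0.113.10/32", "eth1"), ("203.0.113.11/32", "eth1")])


# ARP requests to check: (arrival interface, target). 198.51.100.1 stands for
# the second firewall's internal address in the other subnet on the shared wire;
# 192.0.2.20 is an ordinary host in the firewall's own subnet on that wire.
REQUESTS = [("eth0", "203.0.113.10"), ("eth0", "203.0.113.11"),
            ("eth1", "198.51.100.1"), ("eth1", "192.0.2.20"),
            ("eth0", "198.51.100.1")]


def with_sysctl_proxy_arp():
    """proxy_arp=1 on both interfaces: replies for the proxied hosts, but also
    for 198.51.100.1 on eth1, because the default route points out eth0."""
    fw = build_firewall()
    fw.set_proxy_arp("eth0", True)
    fw.set_proxy_arp("eth1", True)
    return {req: fw.answers_arp(*req) for req in REQUESTS}


def with_explicit_entries():
    """proxy_arp=0 everywhere, per-host proxy entries on eth0 only: replies are
    limited to the two proxied addresses."""
    fw = build_firewall()
    fw.add_proxy_entry("203.0.113.10", "eth0")
    fw.add_proxy_entry("203.0.113.11", "eth0")
    return {req: fw.answers_arp(*req) for req in REQUESTS}


if __name__ == "__main__":
    for name, results in (("proxy_arp sysctl", with_sysctl_proxy_arp()),
                          ("explicit entries", with_explicit_entries())):
        print(name)
        for (iface, target), answered in results.items():
            print(f"  {iface}: who-has {target:<14} -> {'reply' if answered else 'silent'}")
```

On a real box the two inputs to this decision are visible with `cat /proc/sys/net/ipv4/conf/*/proxy_arp` and `ip neigh show proxy`; if the first shows a 1 on an interface that also carries hosts you do not want answered for, that flag, not the explicit entries, is what makes the firewall claim the second subnet's addresses.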
