Gaëtan Minet wrote:
> Hi,
>
> When I put individual proxy arp entries in /etc/shorewall/proxyarp, it
> seems shorewall automatically sets
> /proc/sys/net/ipv4/conf/<interface>/proxy_arp to 1. Of course the
> proxyarp option is _not_ set in /etc/shorewall/interfaces for any
> interface.
> Following the comment in the interfaces file, I understood that
> /proc/sys/net/ipv4/conf/<interface>/proxy_arp should/would not be
> activated when using only /etc/shorewall/proxyarp with manual entries.
> Am I wrong?

Yes.

> This causes problems in one of my networks where I have a single
> broadcast domain with two distinct IP subnets and two distinct
> firewalls (during a transition phase).
> One of the firewalls is using a shorewall setup in transparent
> proxyarp mode, with manual entries in /etc/shorewall/proxyarp.
> As shorewall sets the proxy_arp kernel option to 1, the kernel on that
> firewall automatically replies to arp requests for any IP address it has
> a route to. And as the firewall has a default route (0.0.0.0), as a
> consequence it replies to arp requests for any host, even the ones
> targeted at the second subnet, including the second firewall's
> internal IP.

Only if it is receiving those arp requests on an interface other than
the one with the most specific route to the other firewall's internal IP
address. Is the other firewall's IP in a different IP network from the
Shorewall box's internal net?

> Of course manually resetting /proc/sys/net/ipv4/conf/<interface>/proxy_arp
> to 0 immediately solves the problem.
> I tested this behavior with shorewall 2.2.x through 3.2.5. Could this
> be solved in 4.x?

Proxy ARP doesn't work without it -- it will never be 'solved'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
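The decision rule Tom describes (the kernel proxies ARP for a routable target only when the most specific route to it leaves through an interface other than the one the request arrived on) is easy to check against the scenario in the thread with a small model. The following is an added example, not code from the mailing list or from Shorewall; it models the relevant branch of the Linux kernel's arp_process()/arp_fwd_proxy() logic in Python, and the interface names, subnets and routes in it are constructed for illustration.

```python
"""Model of the Linux kernel's proxy-ARP decision (net/ipv4/arp.c,
arp_process / arp_fwd_proxy): with /proc/sys/net/ipv4/conf/<if>/proxy_arp
set to 1 the kernel answers an ARP request for any target it can route,
provided the route leaves through a different interface than the one the
request arrived on.  Addresses and interface names are constructed."""

import ipaddress


def egress_device(routes, target):
    """Longest-prefix match over a list of (network, device) routes.
    Returns the output device, or None when the target is unroutable."""
    best_net, best_dev = None, None
    for net, dev in routes:
        net = ipaddress.ip_network(net)
        if ipaddress.ip_address(target) in net and (
                best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def answers_arp(routes, proxy_arp, forwarding, in_dev, target):
    """True if the kernel would send a proxy-ARP reply for `target` to an
    ARP request received on `in_dev` (targets that are local addresses of
    the box are answered by the normal path and not modelled here)."""
    if not forwarding:                      # no IP forwarding, no proxying
        return False
    if not proxy_arp.get(in_dev, 0):        # per-interface sysctl is 0
        return False
    out_dev = egress_device(routes, target)
    if out_dev is None:                     # unroutable target: stay silent
        return False
    return out_dev != in_dev                # most specific route must exit elsewhere


# Constructed example mirroring the thread: one broadcast domain on eth1
# carrying two IP subnets.  The Shorewall box owns 192.168.1.0/24 on eth1,
# has a default route out eth0, and the second firewall sits at 10.0.0.1.
ROUTES = [
    ("192.168.1.0/24", "eth1"),
    ("203.0.113.0/24", "eth0"),
    ("0.0.0.0/0", "eth0"),                  # default route
]
PROXY_ARP_ON = {"eth0": 1, "eth1": 1}       # state the poster observed
PROXY_ARP_OFF = {"eth0": 1, "eth1": 0}      # the manual reset to 0


def demo():
    # Request on eth1 for the other firewall: the default route exits eth0,
    # so with proxy_arp=1 on eth1 the box answers -> the reported problem.
    hijack = answers_arp(ROUTES, PROXY_ARP_ON, True, "eth1", "10.0.0.1")
    # Same request after resetting proxy_arp to 0 on eth1: no reply.
    fixed = answers_arp(ROUTES, PROXY_ARP_OFF, True, "eth1", "10.0.0.1")
    # A host in the box's own subnet: best route is via eth1 itself, so the
    # "route must leave by another interface" rule blocks the reply.
    same_net = answers_arp(ROUTES, PROXY_ARP_ON, True, "eth1", "192.168.1.50")
    # A more specific route for the second subnet via eth1 (Tom's point
    # about the most specific route) also stops the reply, with proxy_arp
    # still enabled.
    routes2 = ROUTES + [("10.0.0.0/24", "eth1")]
    specific = answers_arp(routes2, PROXY_ARP_ON, True, "eth1", "10.0.0.1")
    return hijack, fixed, same_net, specific


if __name__ == "__main__":
    print(demo())   # (True, False, False, False)
```

The last case is the practical check to run on a box in this situation: if the second subnet is reachable through the same interface the ARP requests arrive on, give it an explicit route via that interface and the default route is no longer the most specific match, so the kernel stops answering for it even though proxy_arp stays at 1.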
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
