Tom Eastep wrote:
> Gaëtan Minet wrote:
>
>> This causes problems in one of my networks where I have a single
>> broadcast domain with two distinct IP subnets and two distinct
>> firewalls (during a transition phase).
>> One of the firewalls is using a shorewall setup in transparent
>> proxyarp mode, with manual entries in /etc/shorewall/proxyarp.
>> As shorewall sets the proxy_arp kernel option to 1, the kernel on that
>> firewall automatically replies to arp requests for any IP address it has
>> a route to. And as the firewall has a default route (0.0.0.0), as a
>> consequence it replies to arp requests for any host, even the ones
>> targeted at the second subnet, including the second firewall's
>> internal IP.
>
> Only if it is receiving those arp requests on an interface other than
> the one with the most specific route to the other firewall's internal IP
> address. It the other firewall's IP in a different IP network from the
> Shorewall box's internal net?
That last sentence should begin "_If_ the other...".

Let's suppose that the internal IP of the firewall box is
206.124.146.176/32 and that the hosts 206.124.246.177 and 206.124.146.178
are in /etc/shorewall/proxyarp. Further suppose that the internal IP
address of your other firewall is 206.124.146.1.

The solution to this problem is not to reset the proxyarp flag on the
Shorewall box's internal interface but rather to add a direct route to
206.124.146.146 out of that interface:

    ip route add 206.124.146.1/32 dev <interface>

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
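The exchange above turns on one detail of the Linux proxy ARP check: with proxy_arp set on the receiving interface, the kernel answers an ARP request for a non-local target only when its best route to that target leaves through a different interface than the one the request came in on. The following is an added example, not code from the thread or from Shorewall: a small Python model of that decision, run over a constructed routing table for the scenario Tom describes (default route out an external interface, host routes for the proxyarp entries out the internal one). The interface names eth0 (external) and eth1 (internal), and the assumption that Shorewall installs a /32 route per /etc/shorewall/proxyarp entry, are mine; the model ignores details such as medium_id and the "reply only if the route is not via the same device" rule is the only part of the kernel logic it captures.

```python
import ipaddress

# Constructed scenario, using the addresses from Tom's reply.
# eth0 = external interface, eth1 = internal interface (assumed names).
PROXIED_HOSTS = ["206.124.146.177", "206.124.146.178"]   # /etc/shorewall/proxyarp entries
OTHER_FIREWALL = "206.124.146.1"                         # second firewall's internal IP


def base_routes():
    """Routing table before Tom's fix: a default route out eth0 plus one
    host route per proxyarp entry out eth1 (assumed: this is what Shorewall
    installs when HAVEROUTE is not set)."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), "eth0")]
    routes += [(ipaddress.ip_network(h + "/32"), "eth1") for h in PROXIED_HOSTS]
    return routes


def with_host_route(routes, target, dev):
    """Model of: ip route add <target>/32 dev <dev>"""
    return routes + [(ipaddress.ip_network(target + "/32"), dev)]


def lookup(routes, target):
    """Longest-prefix match; returns the outgoing device, or None if unroutable."""
    ip = ipaddress.ip_address(target)
    best = None
    for net, dev in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def proxy_arp_replies(routes, in_dev, target, proxy_arp=True):
    """Simplified model of the kernel's proxy ARP decision for an ARP request
    received on in_dev asking for target (a non-local address):
    reply iff proxy_arp is enabled on in_dev and the route to target does
    not go back out in_dev."""
    if not proxy_arp:
        return False
    out_dev = lookup(routes, target)
    return out_dev is not None and out_dev != in_dev


if __name__ == "__main__":
    before = base_routes()
    after = with_host_route(before, OTHER_FIREWALL, "eth1")
    for label, table in (("before", before), ("after", after)):
        print(label, "eth0 asks for .177 ->", proxy_arp_replies(table, "eth0", PROXIED_HOSTS[0]))
        print(label, "eth1 asks for .1   ->", proxy_arp_replies(table, "eth1", OTHER_FIREWALL))
```

On a real box the same two inputs can be checked directly: `ip route get 206.124.146.1` shows which device the most specific route uses, and `/proc/sys/net/ipv4/conf/<interface>/proxy_arp` shows whether the flag is set on the receiving interface. The model reproduces Tom's point: before the host route, a request on the internal interface for the other firewall resolves to the default route out eth0, so the box answers; after `ip route add 206.124.146.1/32 dev eth1` the route leaves through the same interface the request arrived on and the box stays silent, while proxy ARP for the .177/.178 hosts on the external side keeps working.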
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
