On 12/31/2012 09:17 AM, Simon Hobson wrote:
> Tom Eastep wrote:
>
>> In this setup, I would simply set the 'proxyarp' option on all
>> interfaces and not worry about entries in /etc/shorewall/proxyarp.
>
> I have one question here. I use routing entries to direct traffic for
> specific IP addresses to the right VLAN, and proxy-arp takes care of
> the rest. If a device is misconfigured, it'll then send out ARP
> requests giving its own incorrect IP address as its source. As I
> understand it, the proxy ARP code will simply repeat that ARP request
> over the appropriate interface - which means we could "hijack" an IP
> address that's in use. So I definitely need to do <something> to
> prevent this - I know the misconfigured device won't actually get any
> replies, but it could still poison ARP caches on the network. Or have
> I missed something?

The ARP request will be dropped as a martian if you set route_filter on
the VLAN interfaces.

>> And I would not use a bridge -- I would subnet the /24 and route
>> between the VLANs.
>
> Yes, that would be the ideal way, but for a variety of reasons it
> isn't going to happen. Not least, it would probably take weeks (or
> even months!) to shuffle stuff around - I could shift my stuff
> fairly quickly, but there's stuff I don't manage, and it can be
> "difficult" getting changes made. Amongst the changes needed would be
> to move the default gateway - which of course means reconfiguring
> everything on the network - while not updating the netmask on a few
> things might not be the end of the world. Very much a case of "I
> wouldn't start from here" if I had the choice.

Shorewall can't help you in the case of a bridge -- neither can
routefilter. You would have to use arptables to prevent a misconfigured
host from hijacking your network.

> Also, once I've got it working, there may be other sites we'd want to
> use it on where we wouldn't have the luxury of spare addresses. We've
> just lost one site where we had just a /28 (14 usable addresses) and
> over a dozen customers connected.

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
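One way to do the arptables part for the bridge case, as an added example that is not from the thread, from Tom, or from Shorewall: pin each bridge port to the sender IPs that legitimately live behind it, so a misconfigured host's ARP cannot claim an address that belongs on another port. The bridge layout (ports vlan10 and vlan20), the addresses, and the assumption that bridged ARP reaches the arptables FORWARD chain with the ingress port as `-i` (via br_netfilter) are all assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall): pin each bridge port
# to the sender IPs that legitimately live behind it, so a misconfigured host
# cannot make another port's address appear behind its own port.
# Assumed layout: bridge with ports vlan10 and vlan20, RFC 5737 addresses.
# Assumes br_netfilter is loaded and net.bridge.bridge-nf-call-arptables=1,
# so that bridged ARP traverses the arptables FORWARD chain.

# Port -> space-separated sender IPs allowed on that port (assumed values).
allowed_ips() {
  case "$1" in
    vlan10) echo "192.0.2.10 192.0.2.11" ;;
    vlan20) echo "192.0.2.20" ;;
    *) return 1 ;;
  esac
}

# Emit the rules for one port: accept ARP whose sender IP belongs on the
# port, then drop everything else arriving on it (wrong or spoofed sender),
# before it can poison any neighbour's ARP cache.
port_rules() {
  for ip in $(allowed_ips "$1"); do
    echo "arptables -A FORWARD -i $1 --source-ip $ip -j ACCEPT"
  done
  echo "arptables -A FORWARD -i $1 -j DROP"
}

# Rules for every port, flushing the chain first so re-running is idempotent.
all_rules() {
  echo "arptables -F FORWARD"
  for p in vlan10 vlan20; do
    port_rules "$p"
  done
}

# Print the rules by default; APPLY=1 (as root, arptables installed) runs them.
if [ "${APPLY:-0}" = 1 ]; then
  all_rules | sh -e
else
  all_rules
fi
```

Run without APPLY to review the generated rule set; misconfigured hosts on the routed (non-bridged) interfaces are already covered by routefilter as the reply above says, so the rules only need to cover the bridge ports.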
