Date: Tue, 28 Apr 1998 10:40:06 -0400
From: "Allen Smith" <easmith@beatrice.rutgers.edu>
To: freebsd-stable@FreeBSD.ORG
Subject: Proxy ARP: arp -s vs choparp
Message-ID: <9804281040.ZM4530@beatrice.rutgers.edu>
Hi. We're looking at using a FreeBSD-stable system as a firewall machine. We've got the problem with this that, due to internal political problems, we can't actually set the machine up as a router. I'm therefore intending to use ip_filter and its fastroute capabilities, under which things get chucked to a rule-determined interface without worrying about routed et al. However, this has the problem of how machines on the outside interface are going to know that they should send packets for the inner machines to the outside interface's ethernet address. The solution appears to be proxy ARP.

I now have the question of how to do proxy ARP. There appear to be two possibilities:

1. arp -s

   Advantages:
   A. Doesn't require running a choparp process, thus consuming CPU cycles (of concern when filtering an Ethernet, especially since we're considering going to 100Base-TX)
   B. Doesn't require a permanent BPF, which is a potential security problem (sniffing et al if somebody breaks into the firewall machine)

   Disadvantages:
   A. I don't know how to make sure the kernel doesn't try using the entries itself when it's routing stuff via the interior interface
   B. I don't know how to make sure the broadcasts aren't out the interior interface

2. choparp (in the net/ports)

   Advantages:
   A. The broadcasts are automatically interface-linked
   B. So far as I can tell from reading over the kernel source code (I'm admittedly not much of a C programmer - I prefer Perl), the kernel will ignore ARP responses coming from itself

   Disadvantages:
   A. See above under arp -s's advantages

Any advice? Should I also send this to freebsd-isp@FreeBSD.ORG (as the people who deal most with firewalls) and/or freebsd-hackers@FreeBSD.ORG (where I've found the most proxy arp discussions)?

Thanks,
-Allen

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
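The two concerns the post raises about proxy ARP (answering only on the outside interface, and not reacting to the firewall's own ARP traffic) are easiest to see in the decision logic of a proxy ARP responder. The following is an added illustration, not code from the post, from choparp or from FreeBSD: it encodes and decodes raw Ethernet/IPv4 ARP payloads (RFC 826 layout) and implements an interface-bound policy in which each published address is tied to the one interface on which requests for it may be answered. The interface names `ep0`/`ep1`, the MAC addresses and the IP addresses are all constructed sample values; the class and function names are this example's own.

```python
import struct

# RFC 826 ARP payload for Ethernet (hlen 6) over IPv4 (plen 4):
# htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
HTYPE_ETHER = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Encode one ARP request/reply payload (no Ethernet header)."""
    return struct.pack(ARP_FMT, HTYPE_ETHER, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(payload):
    """Decode an ARP payload; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHER, PTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ProxyArpResponder:
    """Interface-bound proxy ARP policy (hypothetical, modelled on what a
    choparp-style daemon has to decide; not choparp's own code)."""

    def __init__(self, iface_macs, published):
        # iface_macs: interface name -> that interface's own MAC
        # published:  proxied IP -> the single interface on which to answer for it
        self.iface_macs = iface_macs
        self.published = published
        self.own_macs = set(iface_macs.values())

    def handle(self, iface, payload):
        """Return the ARP reply payload to send on `iface`, or None to stay silent."""
        arp = parse_arp(payload)
        # Only requests are answered; replies (including any of our own that a
        # hub or a bridge loops back to us) are ignored, never re-learned or relayed.
        if arp["op"] != OP_REQUEST:
            return None
        # Our own outgoing requests must not be answered by ourselves.
        if arp["sha"] in self.own_macs:
            return None
        # A gratuitous request (sender IP == target IP) is an announcement, not a lookup.
        if arp["spa"] == arp["tpa"]:
            return None
        # The proxied address is answered only on the interface it is published on.
        # A request for an inner host seen on the interior interface gets no reply,
        # so the real host, not the firewall, answers there.
        if self.published.get(arp["tpa"]) != iface:
            return None
        return build_arp(OP_REPLY, self.iface_macs[iface], arp["tpa"], arp["sha"], arp["spa"])


# Constructed sample topology: ep0 is the outside interface, ep1 the interior one,
# and the inner host 10.0.0.5 is to be proxied on the outside only.
SAMPLE_RESPONDER = ProxyArpResponder(
    iface_macs={"ep0": "02:00:00:00:00:01", "ep1": "02:00:00:00:00:02"},
    published={"10.0.0.5": "ep0"},
)
# Constructed request from an outside host 192.0.2.10 looking for 10.0.0.5.
SAMPLE_REQUEST = build_arp(OP_REQUEST, "02:00:00:00:11:22", "192.0.2.10",
                           "00:00:00:00:00:00", "10.0.0.5")


def demo():
    """Run the sample request against each interface; returns decoded replies or None."""
    return {name: (parse_arp(r) if (r := SAMPLE_RESPONDER.handle(name, SAMPLE_REQUEST)) else None)
            for name in ("ep0", "ep1")}


if __name__ == "__main__":
    for iface, reply in demo().items():
        print(iface, reply)
```

The point the example makes is that the address-to-interface binding lives in the policy, not in a flat table: the same request for 10.0.0.5 is answered with ep0's MAC when it arrives on ep0 and ignored when it arrives on ep1, and nothing the responder itself emits is ever treated as input.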