Date:      Tue, 28 Apr 1998 10:40:06 -0400
From:      "Allen Smith" <easmith@beatrice.rutgers.edu>
To:        freebsd-stable@FreeBSD.ORG
Subject:   Proxy ARP: arp -s vs choparp
Message-ID:  <9804281040.ZM4530@beatrice.rutgers.edu>

Hi. We're looking at using a FreeBSD-stable system as a firewall
machine. The problem with this is that, due to internal political
problems, we can't actually set the machine up as a router. I'm
therefore intending to use ip_filter and its fastroute capabilities,
under which things get chucked to a rule-determined interface without
worrying about routed et al.

However, this raises the problem of how machines on the outside
interface are going to know that they should send packets for the
inner machines to the outside interface's ethernet address. The
solution appears to be proxy ARP. I now have the question of how to do
proxy ARP. There appear to be two possibilities:

	1. arp -s
           Advantages:
	   A. Doesn't require running a choparp process, thus
	      consuming CPU cycles (of concern when filtering an
	      Ethernet, especially since we're considering going to
	      100Base-TX)
	   B. Doesn't require a permanent BPF, which is a potential
	      security problem (sniffing et al if somebody breaks into
	      the firewall machine)
	   Disadvantages:
	   A. I don't know how to make sure the kernel doesn't try
	      using the entries itself when it's routing stuff via the
	      interior interface
	   B. I don't know how to make sure the broadcasts aren't sent
	      out the interior interface

	2. choparp (in the net/ports)
	   Advantages:
	   A. The broadcasts are automatically interface-linked
	   B. So far as I can tell from reading over the kernel source
	      code (I'm admittedly not much of a C programmer - I
	      prefer Perl), the kernel will ignore ARP responses
	      coming from itself
	   Disadvantages:
	   A. See above under arp -s's advantages

Any advice? Should I also send this to freebsd-isp@FreeBSD.ORG (as the
people who deal most with firewalls) and/or
freebsd-hackers@FreeBSD.ORG (where I've found the most proxy arp
discussions)?

	Thanks,

	-Allen






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9804281040.ZM4530>
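The `arp -s` form the post refers to is `arp -s <ip> <ether_addr> pub` on FreeBSD: the `pub` keyword marks the entry as published, so the kernel itself answers ARP requests for that address. The alternative, choparp, does the same job in user space by reading ARP requests from a BPF descriptor on the outside interface and answering those for the addresses it has been told to proxy. The following is an added example of that responder logic and is not code from the original message nor from choparp: it parses an Ethernet/ARP request, and, only when the request arrived on the outside interface and the target address lies in a proxied range, builds an ARP reply pointing the requester at the firewall's own MAC. It also covers the two failure modes the post worries about (answering requests seen on the interior interface, and answering the firewall's own kernel). The interface name `ed0`, the addresses in 192.0.2.0/24 and the 00:00:5e:00:53:xx MACs are assumptions chosen for the example; the request frame is constructed inline, and no BPF socket is opened.

```python
"""Proxy-ARP responder logic in the style of a user-space daemon like choparp.

Added example, not code from the original post or from choparp. Interface
names, IP ranges and MAC addresses below are assumed values for illustration.
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# 14-byte Ethernet header: dst MAC, src MAC, ethertype.
ETH_HDR = struct.Struct("!6s6sH")
# 28-byte ARP body for Ethernet/IPv4: htype, ptype, hlen, plen, op, sha, spa, tha, tpa.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")


def mac(text: str) -> bytes:
    """'00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "op": op,
        "sha": sha, "spa": ipaddress.IPv4Address(spa),
        "tha": tha, "tpa": ipaddress.IPv4Address(tpa),
    }


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast 'who-has target_ip, tell sender_ip' frame (used here to construct test input)."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return ETH_HDR.pack(b"\xff" * 6, sender_mac, ETH_P_ARP) + arp


def build_arp_reply(req: dict, our_mac: bytes) -> bytes:
    """Unicast reply claiming req['tpa'] is at our_mac, addressed to the requester."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       our_mac, req["tpa"].packed,          # "tpa is at our_mac"
                       req["sha"], req["spa"].packed)       # back to whoever asked
    return ETH_HDR.pack(req["sha"], our_mac, ETH_P_ARP) + arp


class ProxyArpResponder:
    """Answers ARP requests for proxied addresses, but only on the outside interface."""

    def __init__(self, outside_if: str, our_mac: bytes, proxied_nets):
        self.outside_if = outside_if
        self.our_mac = our_mac
        self.proxied = [ipaddress.IPv4Network(n) for n in proxied_nets]

    def proxied_for(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.proxied)

    def handle(self, ifname: str, frame: bytes):
        """Return the reply frame to transmit on ifname, or None if we must stay silent."""
        if ifname != self.outside_if:
            return None                     # never answer on the interior interface
        req = parse_arp(frame)
        if req is None or req["op"] != ARP_REQUEST:
            return None                     # not an ARP request at all
        if req["sha"] == self.our_mac:
            return None                     # our own kernel asking; don't answer ourselves
        if req["spa"] == req["tpa"]:
            return None                     # gratuitous ARP / address probe, not a lookup
        if not self.proxied_for(req["tpa"]):
            return None                     # not an address we publish
        return build_arp_reply(req, self.our_mac)


if __name__ == "__main__":
    # Constructed sample: an outside host asks for an inner host behind the firewall.
    responder = ProxyArpResponder("ed0", mac("00:00:5e:00:53:01"), ["192.0.2.64/28"])
    request = build_arp_request(mac("00:00:5e:00:53:10"), "192.0.2.10", "192.0.2.66")
    reply = responder.handle("ed0", request)
    print(parse_arp(reply))
```

On a real FreeBSD host the `handle` loop would be fed by a BPF descriptor bound to the outside interface with a filter of `arp`, which is exactly the long-lived BPF handle the post lists as a downside of the daemon approach; the responder logic itself is interface-bound by construction, so requests overheard on the interior side are dropped before any reply is built.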