On 30 Sep 2003 08:57:58 -0700, Jonas Simpson <(E-Mail Removed)> wrote:
> Hi folks,
>
> I have an existing network with an entire /24 of public addresses.
> There are several machines I want to move behind a firewall but I
> can't subnet the /24 (address usage is spread out over its entirety)
> and I can't change the IP addresses of the servers (addresses have
> been hard-coded in several places - not by me, but...)
>
> I've used Watchguard Firebox products before and they feature a
> drop-in mode that lets them sit transparently between machines on any
> two interfaces and still filter traffic. I'm pretty sure they use
> proxy-arp to achieve this. We can't afford a Firebox to do this job,
> but I need something similar.
>
> What's the shortest path to a working firewall that will achieve this?
> I am comfortable with command-line only but the longer term
> maintenance of the firewall will require a web interface or gui of
> some kind. I've seen some mention of this stuff with Shorewall,
> Mandrake MNF, Astaro and other options but I'd love to have some
> feedback from the group about what has worked easily for you.
If you enable proxy_arp on an interface, current kernels automatically do
proxy arp for routing that goes to any other interface (assuming
ip_forward is enabled). I use that for a wireless subnet:
  eth0  192.168.1.1   (255.255.255.0)  proxy_arp enabled
  eth1  192.168.1.241 (192.168.1.240/255.255.255.248)
         |
         WAP11 192.168.1.246 (192.168.1.240/255.255.255.248)
         wlan0 192.168.1.245 (192.168.1.240/255.255.255.248)
               default gw 192.168.1.241
In your case, since IPs behind it would be mixed, you would need to
configure eth1 with netmask 255.255.255.255 broadcast same as IP, then set
a -host route for each IP hanging off eth1. Enable proxy_arp for both
eth0 and eth1:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
(make sure /proc/sys/net/ipv4/ip_forward is also 1)
Then set up boxes behind eth1 with normal netmask 255.255.255.0 and same
gateway your main LAN uses. eth0 would answer arp for eth1 IPs and eth1
would answer arp for eth0 IPs. I just tried this on my wireless LAN by
enabling eth1 proxy_arp, and on wlan0: adding a -net route
192.168.1.0/255.255.255.0, deleting my default route to 192.168.1.241 and
adding default to my gateway on main LAN (it works).
Then you just need to figure out your firewall.
--
David Efflandt - All spam ignored
http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
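The recipe in the reply above, written out for the asker's case (one /24, protected servers scattered through it) as an added shell example; it is not from the post or from any of the products mentioned. The interface names eth0 (LAN side) and eth1 (protected side), the 203.0.113.0/24 block, the firewall's inside address and the protected host list are all assumptions, and iproute2/sysctl stand in for the ifconfig, route and echo-into-/proc commands of the period (the kernel knobs are the ones the reply names). The script prints the plan instead of executing it, so it can be reviewed before being piped to a root shell:

```shell
#!/bin/sh
# Added example, not from the original post: Linux proxy-ARP "drop-in"
# firewall for a single /24 whose protected hosts are scattered through
# the block. All addresses and interface names below are assumptions
# (203.0.113.0/24 is the RFC 5737 documentation range).

LAN_IF=eth0                 # faces the rest of the /24 and its default gateway
INSIDE_IF=eth1              # the protected servers hang off this leg
INSIDE_ADDR=203.0.113.2     # firewall's own address on the inside leg
PROTECTED_HOSTS="203.0.113.50 203.0.113.51 203.0.113.200"

# True when two dotted-quad addresses share their first three octets,
# i.e. sit in the same /24.
same_slash24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# Emit (not run) the routing/ARP setup for the given protected hosts:
#   plan_proxy_arp LAN_IF INSIDE_IF INSIDE_ADDR HOST...
# Hosts outside the firewall's /24 are skipped with a warning: LAN machines
# send traffic for them to the default gateway and never ARP for them, so
# proxy ARP on the LAN leg could not pull that traffic in.
plan_proxy_arp() {
    lan_if=$1 inside_if=$2 inside_addr=$3
    shift 3
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "sysctl -w net.ipv4.conf.${lan_if}.proxy_arp=1"
    echo "sysctl -w net.ipv4.conf.${inside_if}.proxy_arp=1"
    # /32 with broadcast == address: no connected /24 route is created for
    # the inside leg, so only the explicit host routes point at it.
    echo "ip addr add ${inside_addr}/32 brd ${inside_addr} dev ${inside_if}"
    echo "ip link set ${inside_if} up"
    for h in "$@"; do
        if same_slash24 "$inside_addr" "$h"; then
            echo "ip route add ${h}/32 dev ${inside_if}"
        else
            echo "# skipping ${h}: not in the same /24 as ${inside_addr}" >&2
        fi
    done
}

# Emit a minimal FORWARD policy. The two legs are routed, not bridged, so
# every packet between them passes the FORWARD chain; that is what turns
# the proxy-ARP box into a firewall.
#   plan_filter LAN_IF INSIDE_IF HOST:PORT...
plan_filter() {
    lan_if=$1 inside_if=$2
    shift 2
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Protected servers may initiate anything outward.
    echo "iptables -A FORWARD -i ${inside_if} -o ${lan_if} -j ACCEPT"
    # Inward, only the listed TCP services are reachable.
    for svc in "$@"; do
        host=${svc%:*} port=${svc#*:}
        echo "iptables -A FORWARD -i ${lan_if} -o ${inside_if} -p tcp -d ${host} --dport ${port} -j ACCEPT"
    done
}

# Print the whole plan; review it, then apply as root with:  sh thisfile | sh
plan_proxy_arp "$LAN_IF" "$INSIDE_IF" "$INSIDE_ADDR" $PROTECTED_HOSTS
plan_filter "$LAN_IF" "$INSIDE_IF" 203.0.113.50:443 203.0.113.51:22
```

The servers moved behind eth1 keep their existing /24 netmask and the LAN's default gateway, exactly as the reply says: when one of them ARPs for the gateway, the firewall has a route to it out eth0 and so answers on eth1; when a LAN host ARPs for 203.0.113.50, the /32 host route out eth1 makes eth0 answer. The firewall itself still needs its normal eth0 address and default route, and the FORWARD rules above are only a starting skeleton (nothing here covers the firewall's own INPUT chain).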