[Shorewall-users] Proxy-arp

Joseph Watson jtwatson at datakota.com
Mon May 5 21:06:27 PDT 2003


On Monday May 5 2003 07:51 pm, Tom Eastep wrote:
>
> From the 'setup_proxy_arp' function in Shorewall:
>
> 	arp -Ds $address $external pub
>
> 	echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp
> 	echo 0 > /proc/sys/net/ipv4/conf/$external/proxy_arp
>
> Note: $address   = the address of the system
> 	$external  = the external interface
> 	$interface = the internal interface
>
>
> In other words, I add a persistent ARP cache entry for the address on the
> external interface and I turn on the proxy_arp flag for the internal
> interface.
>
> Doing it that way prevents external hosts on the same subnet from being
> able to use ARP to probe the configuration of your internal network.
>
> -Tom

Thank you very much Tom, that clears it up very well.

-- 
Regards

Joseph Watson
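
Added example, not part of the original thread and not Shorewall's own code: a shell check that a firewall matches the layout described in the quoted message, that is, a published ARP entry for the address on the external interface, proxy_arp on for the internal interface and off for the external one. The function names and the PROC_ROOT override are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a host for the proxy ARP layout in the quoted message.
# PROC_ROOT is an assumption of this example (lets the check run against a
# constructed tree); on a live firewall it stays at /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Print the proxy_arp flag of interface $1, or "missing" if it has none.
proxy_arp_flag() {
    f="$PROC_ROOT/sys/net/ipv4/conf/$1/proxy_arp"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Succeed if the ARP table holds a published entry for address $1 on device $2.
# /proc/net/arp columns: IP, HW type, Flags, HW address, Mask, Device.
# Flag bit 0x8 is ATF_PUBL, so the low hex digit of Flags must be 8..f.
has_published_entry() {
    awk -v ip="$1" -v dev="$2" '
        NR > 1 && $1 == ip && $6 == dev {
            low = tolower(substr($3, length($3), 1))
            if (index("89abcdef", low) > 0) found = 1
        }
        END { exit !found }
    ' "$PROC_ROOT/net/arp"
}

# audit_proxy_arp ADDRESS EXTERNAL INTERNAL
# Prints one line per finding and returns 0 only if all three checks pass.
audit_proxy_arp() {
    rc=0
    if [ "$(proxy_arp_flag "$3")" != 1 ]; then
        echo "FAIL: proxy_arp is not enabled on internal interface $3"; rc=1
    fi
    if [ "$(proxy_arp_flag "$2")" != 0 ]; then
        echo "FAIL: proxy_arp is not disabled on external interface $2"; rc=1
    fi
    if ! has_published_entry "$1" "$2"; then
        echo "FAIL: no published ARP entry for $1 on $2"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $1 is published on $2 only"; fi
    return "$rc"
}
```

Source the file and call `audit_proxy_arp ADDRESS EXTERNAL INTERNAL` with the same three values the quoted note defines.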

