
List:       sidewinder
Subject:    Re: [Sidewinder] Arp problems.
From:       sidewinder () adeptech ! com
Date:       2005-09-12 20:08:51
Message-ID: 200509122008.j8CK8pSL058764 () hugo10 ! ka ! punkt ! de

Hi, folks!

Since I didn't really understand the original poster's topology from
the information provided in this thread, I didn't answer yet.

> One thing to think about is if you are expecting the Sidewinder to respond
> to ARP requests, you can get it to do so by assigning aliases to the
> interface you are expecting it to respond from. I.e. on the external interface
> of most of the Sidewinders everyone has a bunch of aliases; this is so the
> Cisco routers can ARP for the addresses on their local network that services
> are being translated through. If you are doing similar functions on another
> interface, you will need to set up some aliases just as you would on your
> external interfaces; then your Sidewinder will respond to ARP requests.

But this rings a bell ...

Maybe the OP comes from a different background than proxy firewalls?

With proxy firewalls (aka Application Level Gateways) you usually
don't do proxy ARP. If you want an external address/port combination
to be redirected to some internal or DMZ host, you define an alias
address externally - the firewall then performs regular ARP for
this address, no magic going on here. Then you define a proxy
redirecting ("handing off") the request to the real server.

With dumb packet filters like the PIX, you usually don't define
alias addresses. Therefore these addresses don't respond to ICMP
echo - great for debugging. :-/
Redirecting an address different from your firewall's
primary address and a corresponding port to some other host involves
only a static NAT rule going from external to DMZ or what-have-you.
The firewall (so-called firewall ;-) will then provide proxy ARP
requests for the external address in question.

And people keep wondering why I hate PIXen ;-))

Another general note:

Hosts will only ever generate ARP requests for other hosts considered
to be part of your local network. So if a system is to provide
proxy ARP replies, the addresses it replies for are usually
a range from the local subnet. Typical scenarios involve network
access servers that connect single dial-up hosts or VPN gateways
that connect single hosts via PPTP or similar. This way these
hosts are part of the local subnet and all the magic of broadcast
based network protocols (Netbios, Zeroconf, ...) "just works".

With a proxy firewall there should never be a need for that.
And if you demand proxy ARPing for hosts from different
(i.e. layer 3 separated) subnets, your topology is broken.
Redesign and fix it ;-)

HTH,

Patrick M. Hausen
Head of Networks and Security
-- 
punkt.de GmbH         Internet - Services - Consulting
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
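As an added illustration of the last point above (this is example code, not part of the original message or the Sidewinder product): a small Python check that models which destinations a host resolves via ARP at all, and audits a proxy-ARP address list against the interface subnet, flagging addresses no neighbour on that segment would ever ask for. The interface 192.0.2.1/24 and the address list are constructed sample values.

```python
import ipaddress
from typing import List, Tuple


def would_arp(local_ip: str, prefix_len: int, dst: str) -> bool:
    """Return True if a host configured as local_ip/prefix_len resolves dst
    with an ARP request, i.e. dst is on-link. Off-link destinations are
    sent to the default gateway's MAC instead, so no ARP request for dst
    ever appears on this segment, whatever proxy ARP entries exist."""
    net = ipaddress.ip_interface(f"{local_ip}/{prefix_len}").network
    return ipaddress.ip_address(dst) in net


def audit_proxy_arp(iface_ip: str, prefix_len: int,
                    proxy_addrs: List[str]) -> Tuple[List[str], List[str]]:
    """Split proxy-ARP (or alias) addresses into those inside the interface
    subnet, which neighbours will actually ARP for, and those outside it,
    which indicate a layer-3 separated subnet being 'bridged' by proxy ARP
    (the broken topology the message warns about)."""
    net = ipaddress.ip_interface(f"{iface_ip}/{prefix_len}").network
    on_link, off_link = [], []
    for addr in proxy_addrs:
        if ipaddress.ip_address(addr) in net:
            on_link.append(addr)
        else:
            off_link.append(addr)
    return on_link, off_link


# Constructed sample: external interface 192.0.2.1/24 (documentation range),
# two legitimate translated-service addresses and one from another subnet.
SAMPLE_IFACE = ("192.0.2.1", 24)
SAMPLE_PROXY_ADDRS = ["192.0.2.10", "192.0.2.11", "198.51.100.5"]

if __name__ == "__main__":
    ok, broken = audit_proxy_arp(*SAMPLE_IFACE, SAMPLE_PROXY_ADDRS)
    print("neighbours will ARP for:", ok)
    print("never ARPed for on this segment (fix the topology):", broken)
```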