August 12th, 2002, 09:01 PM
Webservers, firewalls, RH linux 7.2, and ARP
Right now, I have a RH Linux 7.2 box set up with Checkpint's FW-1. NAT is configured to translate an incoming packet destined for a public IP to a private IP on the internal network. IP-forwarding is enabled, and everything looks like its running fine until....ARP. I would like the firewall to answer when an ARP request for the specified IP comes to the network. Then NAT should take over and route it to the proper server on the internal network.
I've run the command "arp -s <IP ADDRESS> <MAC ADDRESS> pub" , but after I run the command, restart the fw services, it still doesn't work. The sniffer on the firewall sees all the ARP requests coming through, but the firewall never answers them.
So how can I make my firewall answer ARP requests for IP addresses other than its own? I'd like to be able to specify each of the IP addresses it should answer to as well.
Is this the right way to go about putting a webserver behind a firewall? Seems like a rather simple concept, but I've never done it before.
I'm running Kernel version 2.4.9-34 as well.
I'd rather not use port forwarding either.
August 12th, 2002, 09:27 PM
Your firewall should not need to proxy-arp for the specified host because the next router should have a route in it which routes the packets via your firewall.
I have never seen a configuration which requires a firewall like that to proxy arp - the only things I know proxy arp is used for is dial-ins etc.
Reconfigure your router in front of the firewall rather than using proxy arp.
August 13th, 2002, 02:31 PM
Ok forget proxy_arp, how do I make my firewall answer ARP requests? I'm not sure what you mean by the 'next router'. Which one would you be referring to? The last router I control before the internet is in front of the firewall. Is this the one you mean? If this is the case, then I have to add a route on the router to send packets through the firewall for the IP in question?
There's gotta be a way to make the firewall answer ARP requests though.
August 13th, 2002, 02:53 PM
Yes...you are correct, you do need to configure static ARP's on your firewall. The only thing I can think of is that you probably have the MAC address wrong in the arp -s. It should use the MAC address of the interface you would like the FW to reply on for the ARP request.
let me know if this does not help you, but everything you are doing looks correct. You might also want to try a TCPdump from the FW to make sure the FW sees the ARPs.
August 13th, 2002, 05:14 PM
Well, I ran the command "arp -Ds xxx.xxx.xxx.38 eth0 pub" Where eth0 is the external interface on the firewall. Restarted the firewall services. Then ran "arp -na" to see whats in the arp table, and saw this entry: "? (xxx.xxx.xxx.38) at * PERM PUP on eth0". That doesn't look right to me. Shouldn't the MAC address be there instead of PUP?
I'm also running ethereal on the firewall, and the firewall does see the arp requests for xxx.xxx.xxx.38. Firewall IP is xxx.xxx.xxx.37, btw.
I also ran the command "arp -s xxx.xxx.xxx.38 <MAC address of external interface of firewall> pub" I received the same result when I ran "arp -na".
I verified the MAC address of the interface by running "ifconfig eth0", and used the entry in the HWaddr field.
I also tried to ping the xxx.xxx.xxx.38 IP from the firewall, and saw ARP requests from the fw machine. So the fw machines doesn't even know about its static ARPs.
Let me know what you think.
At least I know I'm on the right track.
One more note:
I just tried to set the ARP again using the external interface of the FW. I received the (xxx.xxx.xxx.38) at * PERM PUP on eth0 when I ran "arp -na". I then tried to ping that IP from the external interface from the FW. I checked "arp -na" again, and a new entery is in there besides the old one: (xxx.xxx.xxx.38) at <incomplete> on eth0.
Now I know incomplete = bad! So what could I be screwing up here? I've verified the MAC address 3 or 4 times every time I ran arp -s.
August 14th, 2002, 04:50 PM
When I run the command "arp -v -H ether -i eth0 -s xxx.xxx.xxx.38 <HW Address>", I get a complete entry in the arp tables, and the FW machine can then "find" that IP address. If I were to run "arp -v -H ether -i eth0 -s xxx.xxx.xxx.38 <HW Address> pub", then I would get the incomplete arp entry.
Its just weird.