
Re: Setting up firewall on 2 interface within same subnet?

Proxy ARP should not normally be used for routing.

It was a compatibility hack, for when sub-netting was introduced, rather
than the old fixed size networks based on Classes A, B & C.

A node incorrectly configured will perform an ARP, using the network mask,
rather than the sub-network mask correct for its LAN.  Proxy ARP means the
router will reply to this ARP request, and give its MAC address to the
source host, and then route the packet on to the destination from then on.

It is possible to use proxy ARP in creative ways; I've done it to reduce
configuration on PCs running Windows, and to solve the one-hop problem on
multi-homed hosts, where clients address the other interface.

But you really don't want to go near proxy ARP unless you really know why
you're doing it, cos you'll just confuse yourself.

For your needs :

1)  Decide if you want to route or bridge.  Should hosts in your segments
think they're in the same LAN, or a different one?

2)  If you need firewalling then decide where your Internet perimeter
network is (DMZ), and firewall between it and any of your interior
networks.  If your bad guys are internal, then treat them same as for the

3)  If there's still a requirement for transparent bridging, then look into
using Linux bridge, but it'll be simpler and cheaper (if you cost your time)
to simply buy a switching hub, at a few hundred dollars, unless you're doing
this as a hobby.  In which case why the complexity?   Surely one LAN, and a
packet filter/proxy firewall with dial up to the Internet will suffice.

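As an added illustration of the mechanism described above (not code from the original post), this Python model shows why a host that uses the classful network mask instead of its subnet mask ends up ARPing for off-link addresses, and how a proxy-ARP router answers such requests from its routing table. The addresses, interface names and router MAC are constructed for the example.

```python
import ipaddress

# Constructed routing table for the model router: (network, outgoing interface).
ROUTES = [
    ("10.1.1.0/24", "eth0"),
    ("10.1.2.0/24", "eth1"),
    ("0.0.0.0/0", "ppp0"),   # default route, e.g. the dial-up link
]
ROUTER_MAC = "02:00:00:00:00:01"  # constructed, locally administered MAC


def classful_prefix(addr: str) -> int:
    """Prefix length the old Class A/B/C rules assign to a unicast address."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8    # Class A
    if first < 192:
        return 16   # Class B
    if first < 224:
        return 24   # Class C
    raise ValueError("not a Class A/B/C unicast address")


def needs_proxy_arp(src: str, src_prefix: int, dst: str) -> bool:
    """True when a host ignoring its real /src_prefix subnet mask would ARP
    directly for dst even though dst is not actually on its LAN."""
    classful_net = ipaddress.ip_network(f"{src}/{classful_prefix(src)}", strict=False)
    real_net = ipaddress.ip_network(f"{src}/{src_prefix}", strict=False)
    d = ipaddress.ip_address(dst)
    arps_directly = d in classful_net   # what the misconfigured host does
    on_link = d in real_net             # what ARP can really reach
    return arps_directly and not on_link


def proxy_arp_reply(routes, request_iface: str, target: str, router_mac: str = ROUTER_MAC):
    """Simplified proxy-ARP router: answer a 'who-has target' heard on
    request_iface with its own MAC if the longest-matching route for target
    leaves through a different interface; otherwise stay silent and let the
    real host (on request_iface) answer."""
    t = ipaddress.ip_address(target)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if t in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    if best is not None and best[1] != request_iface:
        return router_mac
    return None
```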

----- Original Message -----
From: "Jason Chan <MIS Dept.>" <jsonchan@ebhk.com.hk>
To: <erich.schubert@mucl.de>
Cc: <debian-firewall@lists.debian.org>
Sent: Tuesday, October 24, 2000 4:18 AM
Subject: RE: Setting up firewall on 2 interface within same subnet?

Do you have any idea, if I use Proxy-ARP to route the packets on the same
subnet with IPchains filter or Bridge w/IPchains filter, which one will be a
good F.W. solution??

I'm just a little bit confused inside.
