Re: arp magic

To: debian-firewall@lists.debian.org
Subject: Re: arp magic
From: "Andrei D. Caraman" <adc@floater.org>
Date: Sun, 27 Oct 2002 14:48:36 -0500
Message-id: <[🔎] 20021027194836.GC3282@king.floater.org>
Reply-to: adc@floater.org
In-reply-to: <[🔎] 20021027193153.GL11546@valiant.sbg.palfrader.org>
References: <[🔎] 20021026101853.GA1070@valiant.sbg.palfrader.org> <[🔎] 200210271918.g9RJIASW032374@monkey.nat.blars.org> <[🔎] 20021027193153.GL11546@valiant.sbg.palfrader.org>

On Sun, Oct 27, 2002 at 08:31:53PM +0100, Peter Palfrader wrote:
> On Sun, 27 Oct 2002, Blars Blarson wrote:
> 
> > weasel@debian.org writes:
> > 
> > >I've the following setup:
> > >
> > >                 10.200.118.0/24 (internal)
> > >                     |
> > >                     |
> > >                     | eth0:10.200.118.1
> > >                 +--------+
> > >                 | marvin |
> > >                 +--------+
> > >                     | eth1: 10.2.2.20
> > >                     |
> > >                     |
> > >                  10.0.0.0/8 (external)
> > >
> > >Now if a host on the external network sends an 'arp who-has
> > >10.200.118.1' request marvin answers on eth1.
> > >Is there any way to _stop_ that behaviour?

Maybe I'm blind, and then I appologize for increasing the noise
level on this list, but why would you want to stop that behaviour?

How will the external hosts be able to reach internal ones?  For
example, how does 10.3.3.3/8 find it's way to 10.200.118.1? 
Don't tell me every machine on marvin's eth1 network has a route
to 10.200.118.0/24 via marvin!  While it is possible,
maintaining such a configuration would be a nightmare, unless,
of course dynamic routing is used on the external network (RIP
may be a choice), but then why bother stopping that arp
behaviour?


> > I assume what you realy want is eth1 to have all of 10.0.0.0/8 except
> > 10.200.118.0/24.  This is possible but ugly.  Better solutions in most
> > cases involve either renumbering one of the networks (the
> > 172.16.0.0/12 range is available in most cases) or putting a more
> > restrictive netmask on eth1.
> 
> Such a setup is quite possible and if you come to think about it, it's
> not much different from having say 192.168.25.0/24 on one side and
> 0.0.0.0/0 on the other. One is a real subset of the other.

Yes, but there's a slight difference here:  10/8 is not quite 0/0 :-)
0/0 is a special case, as it is not a subset of any other network
(while 10/8 is, unless in your configuration it IS the whole world)  

> Therefore the routing table is checked in the order of longest prefix
> first. Splitting the routes is not necessary (and would not help).

It might help ease maintaining a consistent routing configuration.



Just my .02,
adc

Reply to:

Follow-Ups:
- Re: arp magic
  - From: Peter Palfrader <weasel@debian.org>

References:
- arp magic
  - From: Peter Palfrader <weasel@debian.org>
- Re: arp magic
  - From: Blars Blarson <blarson@blars.org>
- Re: arp magic
  - From: Peter Palfrader <weasel@debian.org>

Prev by Date: Re: arp magic
Next by Date: Re: arp magic
Previous by thread: Re: arp magic
Next by thread: Re: arp magic
Index(es):
- Date
- Thread