To Proxy-ARP or not to Proxy-ARP - Firewalls


Thread: To Proxy-ARP or not to Proxy-ARP

  1. To Proxy-ARP or not to Proxy-ARP

    I'm leasing a block of 16 IP addresses in order to service a DNS
    server, 2 mail servers and a number of e-commerce sites, each of which
    needs its own IP address for the security certificate. I ran a small
    group of servers on a single IP before to service a hobby, but the
    software firewall on the Linux distro was adequate for that. With the
    new setup, I need a dedicated system, but I'm a little out of my depth.

    The hardware I have available is a 75 MHz Pentium I with 64 MB of
    memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and
    a 4.3 MB SCSI hard drive. If I don't need the hard drive in the
    firewall system then I'd rather pull the card out to use it for some
    devices on the network. It would also improve my comfort level on the
    firewall system.

    I'd rather have the internal network obscured from the Internet, but
    the whole point of the leased addresses is to ensure that security
    certificates for the websites and reverse pointers for the mail servers
    work properly. Is Proxy-ARP the best solution for this? I think I
    recall one firewall distro dropping Proxy-ARP support for security
    reasons. What validity is there to that issue?

    With 16 external addresses to route, is proxy-ARP a better solution
    than SNAT? Which Linux or BSD based firewall distros provide the
    necessary functionality? Are any of them significantly more transparent
    in their controls than the others? I'm not looking for a plug and play
    configuration, but something that lets me see what is going on and make
    any changes without having some script reverse them out when I reboot 3
    months from now.

    One wrinkle... At least at the beginning there won't be a physical
    interface for each of the inbound IP Addresses. For example, the mail
    server may be on eth0, but several websites will be on virtual
    interfaces in the network. Am I asking for trouble interjecting IP
    Masquerading into this or is there any simpler way to implement this
    (without buying more hardware right away)?

    Thank you for your assistance,
    Chris


  2. Re: To Proxy-ARP or not to Proxy-ARP

    Chris Bab**** wrote:

    > I'm leasing a block of 16 IP addresses in order to service a DNS
    > server, 2 mail servers and a number of e-commerce sites, each of which

    ....
    > The hardware I have available is a 75 MHz Pentium I with 64 MB of
    > memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and
    > a 4.3 MB SCSI hard drive. If I don't need the hard drive in the


    There are plenty of BSD and Linux based firewall distributions that
    will run from a floppy disk or small compact flash drive. Here are just a
    few that I've used in the past:

    http://m0n0.ch/wall
    http://www.zelow.no/floppyfw
    http://www.coyotelinux.com

    Of the 3, m0n0wall might be best suited for your needs.

    > Is Proxy-ARP the best solution for this?

    ....
    > One wrinkle... At least at the beginning there won't be a physical
    > interface for each of the inbound IP Addresses.


    Proxy ARP probably isn't necessary but your NSP/ISP should be able to answer
    that for you. http://doc.m0n0.ch/handbook/faq-ipalias.html

    And unless you're setting up a DMZ or have multiple LANs, you'd only
    want extra interfaces for the inside. Multiple WAN interfaces would only
    be used for redundancy from the same provider or multiple providers. In
    that case, I'm not sure any of the floppy based distros would suit you.
    PCX, Shorewall, Smoothwall, OpenBSD's pf, FreeBSD's ipfw, and several
    others might work but you'll need to check their resource requirements
    and consider the flash drive option if you still want to ditch your hard
    drive.

    -Gary
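As an added illustration (not Gary's or Chris's configuration, and not taken from any of the distros named): the 1:1 NAT alternative that the IP-alias FAQ points toward, written as a rule generator for a Linux/iptables firewall. The interface names, the 203.0.113.16/28 block and the inside addresses are constructed assumptions, and the script only prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example: publish several leased addresses from one firewall by
# giving the WAN interface an alias per address and doing 1:1 NAT, so the
# firewall answers ARP for them itself and no proxy ARP is involved.
WAN=eth0                  # interface holding the leased block (assumed)
LAN=eth1                  # inside interface (assumed)
LAN_NET=192.168.10.0/24   # inside network (assumed)

# Constructed sample map: public_ip internal_ip tcp_ports, one host per line.
MAP='203.0.113.17 192.168.10.10 25,587
203.0.113.18 192.168.10.11 25,587
203.0.113.19 192.168.10.20 80,443'

# one_to_one PUB INT PORTS: alias, DNAT, SNAT and FORWARD rules that
# publish one inside host on one leased address.
one_to_one() {
    pub=$1; int=$2; ports=$3
    # the firewall owns PUB, so it replies to ARP for it on the WAN side
    printf 'ip addr add %s/28 dev %s\n' "$pub" "$WAN"
    # inbound: rewrite the public destination to the inside server
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$WAN" "$pub" "$int"
    # outbound: the server leaves as PUB, so its reverse DNS record matches
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$WAN" "$int" "$pub"
    # only the published ports are forwarded; the rest meets the DROP policy
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp -m multiport --dports %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN" "$LAN" "$int" "$ports"
}

# render_rules: the whole rule set for MAP, default-deny and stateful.
render_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf '%s\n' "$MAP" | while read -r pub int ports; do
        one_to_one "$pub" "$int" "$ports"
    done
    # unmapped inside hosts share the firewall's own WAN address; this must
    # come after the per-host SNAT rules or it would match them first
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' "$WAN" "$LAN_NET"
}

# count_rules PATTERN: number of emitted lines containing PATTERN.
count_rules() { render_rules | grep -c -- "$1"; }

render_rules
```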

  3. Re: To Proxy-ARP or not to Proxy-ARP

    On Jan 22, 4:54 pm, Chris Bab**** wrote:
    > I'm leasing a block of 16 IP addresses in order to service a DNS
    > server, 2 mail servers and a number of e-commerce sites, each of which
    > needs its own IP address for the security certificate. I ran a small
    > group of servers on a single IP before to service a hobby, but the
    > software firewall on the Linux distro was adequate for that. With the
    > new setup, I need a dedicated system, but I'm a little out of my depth.
    >
    > The hardware I have available is a 75 MHz Pentium I with 64 MB of
    > memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and
    > a 4.3 MB SCSI hard drive. If I don't need the hard drive in the
    > firewall system then I'd rather pull the card out to use it for some
    > devices on the network. It would also improve my comfort level on the
    > firewall system.
    >
    > I'd rather have the internal network obscured from the Internet, but
    > the whole point of the leased addresses is to ensure that security
    > certificates for the websites and reverse pointers for the mail servers
    > work properly. Is Proxy-ARP the best solution for this? I think I
    > recall one firewall distro dropping Proxy-ARP support for security
    > reasons. What validity is there to that issue?
    >
    > With 16 external addresses to route, is proxy-ARP a better solution
    > than SNAT? Which Linux or BSD based firewall distros provide the
    > necessary functionality? Are any of them significantly more transparent
    > in their controls than the others? I'm not looking for a plug and play
    > configuration, but something that lets me see what is going on and make
    > any changes without having some script reverse them out when I reboot 3
    > months from now.
    >
    > One wrinkle... At least at the beginning there won't be a physical
    > interface for each of the inbound IP Addresses. For example, the mail
    > server may be on eth0, but several websites will be on virtual
    > interfaces in the network. Am I asking for trouble interjecting IP
    > Masquerading into this or is there any simpler way to implement this
    > (without buying more hardware right away)?
    >
    > Thank you for your assistance,
    > Chris


    Proxy-arp is never a 'better solution'
