Clear FORWARD_CLEAR_MARK setting in the remaining config files

Tom Eastep 2010-10-09 11:28:13 -07:00
parent a3df46443e
commit 11f2c7772a
9 changed files with 47 additions and 43 deletions

View File

@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=No
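Review bot: the new line `FORWARD_CLEAR_MARK=` leaves the option empty rather than setting it to No, so this sample now takes whatever default the compiler applies to an unset value; that matches the commit message ("clear ... setting"), but a reader of the shipped shorewall.conf cannot tell "empty means default" from "empty means off". Consider a one-line `#` comment above it stating that an empty value defers to the compiler default, and make sure the FORWARD_CLEAR_MARK entry in the shorewall.conf documentation says the same, so the samples and the man page agree.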

View File

@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=No

View File

@ -208,7 +208,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=No

View File

@ -153,7 +153,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=Yes
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=Yes

View File

@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=No

View File

@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=No

View File

@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=No

View File

@ -190,7 +190,7 @@ LOAD_HELPERS_ONLY=No
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
FORWARD_CLEAR_MARK=
COMPLETE=No
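Review bot: this is the eighth copy of the same one-line edit; since the commit message claims these are the "remaining" config files, a quick `grep -n '^FORWARD_CLEAR_MARK=' ` over every shipped .conf file before merging would confirm that no sample still carries `FORWARD_CLEAR_MARK=Yes`, and the commit message could then list which files were covered by the earlier commit so the split is traceable.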

View File

@ -34,46 +34,50 @@
</legalnotice>
</articleinfo>
<para>Proxy ARP (RFC 1027) is a way to make a machine physically located on
one network appear to be logically part of a different physical network
connected to the same router/firewall. Typically it allows us to hide a
machine with a public IP address on a private network behind a router, and
still have the machine appear to be on the public network "in front of" the
router. The router "proxys" ARP requests and all network traffic to and from
the hidden machine to make this fiction possible.</para>
<section>
<title>Overview</title>
<para>Consider a router with two interface cards, one connected to a public
network PUBNET and one connected to a private network PRIVNET. We want to
hide a server machine on the PRIVNET network but have it accessible from the
PUBNET network. The IP address of the server machine lies in the PUBNET
network, even though we are placing the machine on the PRIVNET network
behind the router.</para>
<para>Proxy ARP (RFC 1027) is a way to make a machine physically located
on one network appear to be logically part of a different physical network
connected to the same router/firewall. Typically it allows us to hide a
machine with a public IP address on a private network behind a router, and
still have the machine appear to be on the public network "in front of"
the router. The router "proxys" ARP requests and all network traffic to
and from the hidden machine to make this fiction possible.</para>
<para>By enabling proxy ARP on the router, any machine on the PUBNET network
that issues an ARP "who has" request for the server's MAC address will get a
proxy ARP reply from the router containing the router's MAC address. This
tells machines on the PUBNET network that they should be sending packets
destined for the server via the router. The router forwards the packets from
the machines on the PUBNET network to the server on the PRIVNET
network.</para>
<para>Consider a router with two interface cards, one connected to a
public network PUBNET and one connected to a private network PRIVNET. We
want to hide a server machine on the PRIVNET network but have it
accessible from the PUBNET network. The IP address of the server machine
lies in the PUBNET network, even though we are placing the machine on the
PRIVNET network behind the router.</para>
<para>Similarly, when the server on the PRIVNET network issues a "who has"
request for any machines on the PUBNET network, the router provides its own
MAC address via proxy ARP. This tells the server to send packets for
machines on the PUBNET network via the router. The router forwards the
packets from the server on the PRIVNET network to the machines on the PUBNET
network.</para>
<para>By enabling proxy ARP on the router, any machine on the PUBNET
network that issues an ARP "who has" request for the server's MAC address
will get a proxy ARP reply from the router containing the router's MAC
address. This tells machines on the PUBNET network that they should be
sending packets destined for the server via the router. The router
forwards the packets from the machines on the PUBNET network to the server
on the PRIVNET network.</para>
<para>The proxy ARP provided by the router allows the server on the
PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
pass ARP requests and other network packets in both directions between the
server machine and the PUBNET network, making the server machine appear to
be connected to the PUBNET network even though it is on the PRIVNET network
hidden behind the router.</para>
<para>Similarly, when the server on the PRIVNET network issues a "who has"
request for any machines on the PUBNET network, the router provides its
own MAC address via proxy ARP. This tells the server to send packets for
machines on the PUBNET network via the router. The router forwards the
packets from the server on the PRIVNET network to the machines on the
PUBNET network.</para>
<para>Before you try to use this technique, I strongly recommend that you
read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink>.</para>
<para>The proxy ARP provided by the router allows the server on the
PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
pass ARP requests and other network packets in both directions between the
server machine and the PUBNET network, making the server machine appear to
be connected to the PUBNET network even though it is on the PRIVNET
network hidden behind the router.</para>
<para>Before you try to use this technique, I strongly recommend that you
read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink>.</para>
</section>
<section id="Example">
<title>Example</title>
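Review bot: this hunk only re-wraps the ProxyARP.xml paragraphs (the wording is identical on both sides) and has nothing to do with the FORWARD_CLEAR_MARK change the commit message describes; a whitespace-only reflow is easier to review and bisect as its own commit. While these paragraphs are being touched, two typos survive in both the old and new text and could be fixed in the same pass: `PRIVNETnetwork` is missing a space in "allows the server on the PRIVNETnetwork to appear", and "proxys" in `The router "proxys" ARP requests` should read "proxies".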