Clear FORWARD_CLEAR_MARK setting in the remaining config files

Tom Eastep 2010-10-09 11:28:13 -07:00
parent 3733f2f132
commit aad8a7b213
9 changed files with 47 additions and 43 deletions

@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=No COMPLETE=No
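Review bot: On the FORWARD_CLEAR_MARK line, the new side leaves the value empty, so the effective behaviour now depends on a default that is not visible anywhere in this hunk. For an option that, going by its name, decides whether the packet mark is cleared on forwarded traffic, a reader of the config file should not have to look that up: either keep an explicit value or add a comment above the line saying what an empty setting resolves to. The commit subject "Clear FORWARD_CLEAR_MARK setting" also reads ambiguously next to an option with CLEAR in its name; wording such as "Leave FORWARD_CLEAR_MARK empty" would say what was done.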

@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=No COMPLETE=No

@ -208,7 +208,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=No COMPLETE=No

@ -153,7 +153,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=Yes REQUIRE_INTERFACE=Yes
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=Yes COMPLETE=Yes
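Review bot: This is the only file in the patch whose context around the changed line shows REQUIRE_INTERFACE=Yes and COMPLETE=Yes, which suggests a configuration meant to be used without further editing. An empty FORWARD_CLEAR_MARK= is most likely to be deployed untouched from this file, so please confirm that the default it falls back to is the one intended for this profile, or set the value explicitly here.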

@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=No COMPLETE=No

@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=No COMPLETE=No

@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=No COMPLETE=No
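Review bot: This is the third consecutive file with the identical change at the identical offset (-155,7 +155,7), and the commit subject says "remaining config files", so an earlier change evidently did not reach these copies. If the files are meant to stay in step, a single template or a check that compares the shared settings across them would keep a one-line change like FORWARD_CLEAR_MARK= from needing a follow-up commit.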

@ -190,7 +190,7 @@ LOAD_HELPERS_ONLY=No
REQUIRE_INTERFACE=No REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes FORWARD_CLEAR_MARK=
COMPLETE=No COMPLETE=No
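Review bot: The hunk header context here is LOAD_HELPERS_ONLY=No, while the other seven config hunks in this patch show LOAD_HELPERS_ONLY=Yes, so this file is not a straight copy of the others. Please confirm that blanking FORWARD_CLEAR_MARK is intended for this file as well and was not carried in by a bulk edit across every file that contains the setting.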

@ -34,46 +34,50 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<para>Proxy ARP (RFC 1027) is a way to make a machine physically located on <section>
one network appear to be logically part of a different physical network <title>Overview</title>
connected to the same router/firewall. Typically it allows us to hide a
machine with a public IP address on a private network behind a router, and
still have the machine appear to be on the public network "in front of" the
router. The router "proxys" ARP requests and all network traffic to and from
the hidden machine to make this fiction possible.</para>
<para>Consider a router with two interface cards, one connected to a public <para>Proxy ARP (RFC 1027) is a way to make a machine physically located
network PUBNET and one connected to a private network PRIVNET. We want to on one network appear to be logically part of a different physical network
hide a server machine on the PRIVNET network but have it accessible from the connected to the same router/firewall. Typically it allows us to hide a
PUBNET network. The IP address of the server machine lies in the PUBNET machine with a public IP address on a private network behind a router, and
network, even though we are placing the machine on the PRIVNET network still have the machine appear to be on the public network "in front of"
behind the router.</para> the router. The router "proxys" ARP requests and all network traffic to
and from the hidden machine to make this fiction possible.</para>
<para>By enabling proxy ARP on the router, any machine on the PUBNET network <para>Consider a router with two interface cards, one connected to a
that issues an ARP "who has" request for the server's MAC address will get a public network PUBNET and one connected to a private network PRIVNET. We
proxy ARP reply from the router containing the router's MAC address. This want to hide a server machine on the PRIVNET network but have it
tells machines on the PUBNET network that they should be sending packets accessible from the PUBNET network. The IP address of the server machine
destined for the server via the router. The router forwards the packets from lies in the PUBNET network, even though we are placing the machine on the
the machines on the PUBNET network to the server on the PRIVNET PRIVNET network behind the router.</para>
network.</para>
<para>Similarly, when the server on the PRIVNET network issues a "who has" <para>By enabling proxy ARP on the router, any machine on the PUBNET
request for any machines on the PUBNET network, the router provides its own network that issues an ARP "who has" request for the server's MAC address
MAC address via proxy ARP. This tells the server to send packets for will get a proxy ARP reply from the router containing the router's MAC
machines on the PUBNET network via the router. The router forwards the address. This tells machines on the PUBNET network that they should be
packets from the server on the PRIVNET network to the machines on the PUBNET sending packets destined for the server via the router. The router
network.</para> forwards the packets from the machines on the PUBNET network to the server
on the PRIVNET network.</para>
<para>The proxy ARP provided by the router allows the server on the <para>Similarly, when the server on the PRIVNET network issues a "who has"
PRIVNETnetwork to appear to be on the PUBNET network. It lets the router request for any machines on the PUBNET network, the router provides its
pass ARP requests and other network packets in both directions between the own MAC address via proxy ARP. This tells the server to send packets for
server machine and the PUBNET network, making the server machine appear to machines on the PUBNET network via the router. The router forwards the
be connected to the PUBNET network even though it is on the PRIVNET network packets from the server on the PRIVNET network to the machines on the
hidden behind the router.</para> PUBNET network.</para>
<para>Before you try to use this technique, I strongly recommend that you <para>The proxy ARP provided by the router allows the server on the
read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
Guide</ulink>.</para> pass ARP requests and other network packets in both directions between the
server machine and the PUBNET network, making the server machine appear to
be connected to the PUBNET network even though it is on the PRIVNET
network hidden behind the router.</para>
<para>Before you try to use this technique, I strongly recommend that you
read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink>.</para>
</section>
<section id="Example"> <section id="Example">
<title>Example</title> <title>Example</title>