Proxy ARP

 

Proxy ARP allows you to insert a firewall in front of a set of servers without changing their IP addresses and without having to re-subnet.

The following figure represents a Proxy ARP environment.

Proxy ARP can be used to make the systems with addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) subnet.  Assuming that the upper firewall interface is eth0 and the lower interface is eth1, this is accomplished using the following entries in /etc/shorewall/proxyarp:

ADDRESS INTERFACE EXTERNAL HAVEROUTE
130.252.100.18 eth1 eth0 no
130.252.100.19 eth1 eth0 no

Be sure that the internal systems (130.242.100.18 and 130.252.100.19  in the above example) are not included in any specification in /etc/shorewall/masq or /etc/shorewall/nat.

Note that I've used an RFC1918 IP address for eth1 - that IP address is irrelevant.

The lower systems (130.252.100.18 and 130.252.100.19) should have their subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured.

Last updated 5/16/2002 - Tom Eastep

Copyright © 2001, 2002 Thomas M. Eastep.