From: Ray O. <ra...@co...> - 2003-04-22 04:33:39
At 09:44 PM 4/21/2003 -0500, Lynn Avants wrote:
[...]
> > -- with actual examples of how to do this in one or more versions of LEAF
> > (or, even better, with underlying actual commands rather than, or in
> > addition to, config-file entries).

Well, to judge from questions posed on the users' list, Bering and Dach seem to be the main flavors in actual use, so they are the natural ones to turn to for examples. Bering is pretty closely tied to Shorewall. So that's one pairing to use. Dach has its built-in stuff, Seawall, and Echowall. Echowall has nothing built-in to do proxy-arp, and I don't recall how (even if) the others do it. So probably Dach with its own built-in firewalling for the second example.

> Ok, I haven't run proxy-arp on Bering, but it should only be a toggle in
> a file to enable it for interfaces X. What firewall programs/LEAF variants
> should be used for examples?

[...]

> > Assuming that I am not mistaken in my reasoning here, an improved version
> > of this brief explanation would help newcomers to routing to understand why
> > and when one might want to use proxy-arp.
>
> I've always used it as an alternative to SNAT for various reasons. Much of
> the time with the local SBC-DSL connections that use /29 subnets do not use
> the network-address of the subnet for the gateway, but rather a blanket
> gateway on a /24 or /16 subnet instead. The general reason I've used proxy-arp
> outside of PPP is a customer that *insists* that they are getting screwed if
> they are not using *all* available ip's....go figure! I figure the only other
> reason it would be used instead of SNAT is ease of setup depending on the
> filtering being done. Are there any other good reasons I'm missing?

One theoretical one (theoretical in that I can't offer you an actual example). If the protected host has to know its own real, external IP address ... say because some service it runs needs to know what address clients will be connecting to and there is no way to tell the service that this address is different from the host's interface address (this last part is what I can't think of an actual example of) ... then you have to use proxy arp instead of static NAT.
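For the "underlying actual commands" asked for above, here is the proxy-ARP setup of the SBC-DSL /29 case in the message as plain Linux commands (iproute2, sysctl, iptables), with the SNAT alternative beside it for contrast. This is an added illustration, not code from the thread, from Bering/Shorewall or from any LEAF package. The interface names eth0/eth1, the /29 203.0.113.8/29, the ISP gateway 203.0.113.1 on the wider 203.0.113.0/24, the router address 203.0.113.9 and the inside hosts .10 and .11 are all assumptions made up for the example.

```shell
#!/bin/sh
# Proxy ARP instead of SNAT, as the underlying Linux commands.
# Added illustration; not from the thread, Bering, Shorewall or any LEAF package.
#
# Assumed layout (every name and address here is made up for the example):
#   eth0  external. The ISP assigned 203.0.113.8/29, but its gateway
#         203.0.113.1 sits on the wider 203.0.113.0/24 (the SBC-DSL case).
#   eth1  internal. Hosts 203.0.113.10 and 203.0.113.11 keep their public
#         addresses, configured with the same /24 netmask and the same
#         gateway 203.0.113.1 that the ISP hands out.
#
# DRY_RUN=1 prints each command instead of running it, so the plan can be
# reviewed (or tested) without root or real interfaces.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_proxy_arp EXT_IF INT_IF ROUTER_ADDR/PREFIX GATEWAY HOST...
setup_proxy_arp() {
    ext="$1"; int="$2"; addr="$3"; gw="$4"; shift 4

    # Only the router really sits on the ISP's /24.
    run ip addr add "$addr" dev "$ext"
    run ip route add default via "$gw" dev "$ext"
    # Same address on the inside interface as a /32, so the router has a
    # source address to ARP from there without spending a second public IP.
    run ip addr add "${addr%/*}/32" dev "$int"

    run sysctl -w net.ipv4.ip_forward=1
    # The "toggle" itself: answer ARP on eth0 for the inside hosts (the ISP
    # gateway then sends their traffic to the router's MAC) and on eth1 for
    # the ISP gateway (the inside hosts ARP for 203.0.113.1 and get the
    # router's MAC). Linux only proxies for targets it can route to via a
    # different interface, which the routes around this provide.
    run sysctl -w "net.ipv4.conf.${ext}.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.${int}.proxy_arp=1"

    # /32 host routes beat the /24 on eth0, so packets for the protected
    # hosts leave via eth1 with the destination address untouched: no NAT,
    # and a service on the host sees the public address it is reached on.
    for h in "$@"; do
        run ip route add "$h/32" dev "$int"
    done
}

# The SNAT alternative from the message, for contrast: inside hosts use
# private addresses and the router rewrites the source address on the way
# out, so a host never sees the public address clients connect to.
# setup_snat EXT_IF INSIDE_NET PUBLIC_IP
setup_snat() {
    ext="$1"; inside="$2"; public="$3"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$ext" -s "$inside" -j SNAT --to-source "$public"
}

# Print the proxy-ARP plan (drop DRY_RUN=1 and run as root to apply it):
#   DRY_RUN=1 sh -c '. ./proxyarp.sh; setup_proxy_arp eth0 eth1 203.0.113.9/24 203.0.113.1 203.0.113.10 203.0.113.11'
```

One thing worth keeping in mind with the proxy-ARP variant: nothing rewrites addresses, so the inside hosts are directly reachable from the ISP side the moment the host routes and the proxy_arp toggles are in. The FORWARD-chain filter is then the only thing between them and the Internet, which is the "depending on the filtering being done" part of the question above; with SNAT, unsolicited inbound packets have nowhere to go unless a DNAT rule sends them somewhere.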