To Proxy-ARP or not to Proxy-ARP

On 22.01.2008 23:54:01 by Chris Babcock

I'm leasing a block of 16 IP addresses in order to service a DNS
server, 2 mail servers and a number of e-commerce sites, each of which
needs its own IP address for the security certificate. I ran a small
group of servers on a single IP before to service a hobby, but the
software firewall on the Linux distro was adequate for that. With the
new setup, I need a dedicated system, but I'm a little out of my depth.

The hardware I have available is a 75 mHz Pentium I with 64 MB of
memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and
a 4.3 MB SCSI hard drive. If I don't need the hard drive in the
firewall system then I'd rather pull the card out to use it for some
devices on the network. It would also improve my comfort level on the
firewall system.

I'd rather have the internal network obscured from the Internet, but
the whole point of the leased addresses is to make sure that security
certificates for the websites and reverse pointers for the mail servers
work properly. Is Proxy-ARP the best solution for this? I think I
recall one firewall distro dropping Proxy-ARP support for security
reasons; what validity is there to that issue?

With 16 external addresses to route, is proxy-ARP a better solution
than SNAT? Which Linux or BSD based firewall distros provide the
necessary functionality? Are any of them significantly more transparent
in their controls than the others? I'm not looking for a plug and play
configuration, but something that lets me see what is going on and make
any changes without having some script reverse them out when I reboot 3
months from now.

One wrinkle... At least at the beginning there won't be a physical
interface for each of the inbound IP addresses. For example, the mail
server may be on eth0, but several websites will be on virtual
interfaces in the network. Am I asking for trouble interjecting IP
Masquerading into this or is there any simpler way to implement this
(without buying more hardware right away)?

Thank you for your assistance,
Chris

Re: To Proxy-ARP or not to Proxy-ARP

On 29.01.2008 19:25:57 by gary

Chris Babcock wrote:

> I'm leasing a block of 16 IP addresses in order to service a DNS
> server, 2 mail servers and a number of e-commerce sites, each of which
....
> The hardware I have available is a 75 mHz Pentium I with 64 MB of
> memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and
> a 4.3 MB SCSI hard drive. If I don't need the hard drive in the

There are plenty of BSD and Linux based firewall distributions that
will run from a floppy disk or small compact flash drive. Here are just a
few that I've used in the past:

http://m0n0.ch/wall
http://www.zelow.no/floppyfw
http://www.coyotelinux.com

Of the 3, m0n0wall might be best suited for your needs.

> Is Proxy-ARP the best solution for this?
....
> One wrinkle... At least at the beginning there won't be a physical
> interface for each of the inbound IP addresses.

Proxy ARP probably isn't necessary, but your NSP/ISP should be able to answer
that for you. http://doc.m0n0.ch/handbook/faq-ipalias.html

And unless you're setting up a DMZ or have multiple LANs, you'd only
want extra interfaces for the inside. Multiple WAN interfaces would only
be used for redundancy from the same provider or multiple providers. In
that case, I'm not sure any of the floppy based distros would suit you.
PCX, Shorewall, Smoothwall, OpenBSD's pf, FreeBSD's ipfw, and several
others might work but you'll need to check their resource requirements
and consider the flash drive option if you still want to ditch your hard
drive.

-Gary
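
As an added example (not code from this thread, from m0n0wall or from any of the distros named), here is what the "IP alias plus 1:1 NAT" arrangement Gary points at looks like on a plain Linux/iptables firewall, with the proxy-ARP routed alternative beside it for comparison. The interface names, the 203.0.113.16/28 block, the 192.168.1.0/24 LAN, the public-to-internal mapping and the port list are constructed assumptions; the script prints the rules instead of applying them unless APPLY=1 is set, so the resulting ruleset can be read before it is used.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed, constructed addressing:
# public block 203.0.113.16/28 on eth0 (WAN), internal LAN 192.168.1.0/24
# on eth1. One public address per TLS site or mail server, as the OP needs.
WAN=eth0
LAN=eth1
# "public internal" pairs (constructed sample mapping).
MAP="203.0.113.17 192.168.1.10
203.0.113.18 192.168.1.11
203.0.113.19 192.168.1.12"

# run() prints the command unless APPLY=1 is set, so the generated
# ruleset can be reviewed first (the "see what is going on" property
# the original poster asked for).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

onetoone_rules() {
  # Default-deny forwarding: only the explicit mappings below pass.
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "$MAP" | while read -r pub int; do
    [ -n "$pub" ] || continue
    # 1. Alias the public address on the WAN side: the firewall itself
    #    answers ARP for it, so no proxy_arp is needed.
    run ip addr add "$pub/28" dev "$WAN"
    # 2. Inbound: rewrite destination to the internal host; allow only
    #    TCP 443 here (add 25/80 etc. per host as that host requires).
    run iptables -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$int"
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$int" -p tcp --dport 443 -j ACCEPT
    # 3. Outbound: the host's own traffic leaves from its public address,
    #    so reverse DNS checks on the mail servers see the expected source.
    run iptables -t nat -A POSTROUTING -s "$int" -o "$WAN" -j SNAT --to-source "$pub"
  done
}

proxyarp_alternative() {
  # Proxy-ARP route: the internal hosts carry the public addresses
  # themselves, the firewall answers ARP for them on the WAN and routes
  # each /32 to the LAN; no NAT, but the hosts are directly reachable.
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w net.ipv4.conf."$WAN".proxy_arp=1
  echo "$MAP" | while read -r pub _; do
    [ -n "$pub" ] || continue
    run ip route add "$pub/32" dev "$LAN"
  done
}

onetoone_rules   # dry run: prints the 1:1 NAT ruleset for review
```

In the NAT variant the FORWARD chain stays default-deny, so every service a host exposes needs its own ACCEPT line; in the proxy-ARP variant the same filtering has to be added explicitly, otherwise the hosts are fully exposed.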

Re: To Proxy-ARP or not to Proxy-ARP

On 29.01.2008 21:50:25 by amr

On Jan 22, 4:54 pm, Chris Babcock wrote:
> I'm leasing a block of 16 IP addresses in order to service a DNS
> server, 2 mail servers and a number of e-commerce sites, each of which
> needs its own IP address for the security certificate. I ran a small
> group of servers on a single IP before to service a hobby, but the
> software firewall on the Linux distro was adequate for that. With the
> new setup, I need a dedicated system, but I'm a little out of my depth.
>
> The hardware I have available is a 75 mHz Pentium I with 64 MB of
> memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and
> a 4.3 MB SCSI hard drive. If I don't need the hard drive in the
> firewall system then I'd rather pull the card out to use it for some
> devices on the network. It would also improve my comfort level on the
> firewall system.
>
> I'd rather have the internal network obscured from the Internet, but
> the whole point of the leased addresses is to make sure that security
> certificates for the websites and reverse pointers for the mail servers
> work properly. Is Proxy-ARP the best solution for this? I think I
> recall one firewall distro dropping Proxy-ARP support for security
> reasons; what validity is there to that issue?
>
> With 16 external addresses to route, is proxy-ARP a better solution
> than SNAT? Which Linux or BSD based firewall distros provide the
> necessary functionality? Are any of them significantly more transparent
> in their controls than the others? I'm not looking for a plug and play
> configuration, but something that lets me see what is going on and make
> any changes without having some script reverse them out when I reboot 3
> months from now.
>
> One wrinkle... At least at the beginning there won't be a physical
> interface for each of the inbound IP addresses. For example, the mail
> server may be on eth0, but several websites will be on virtual
> interfaces in the network. Am I asking for trouble interjecting IP
> Masquerading into this or is there any simpler way to implement this
> (without buying more hardware right away)?
>
> Thank you for your assistance,
> Chris

Proxy-arp is never a 'better solution'