Great Circle Associates Firewalls
(April 1995)
 


Subject: Re: C & B 'Choke' Router config
From: cwerner@hsdemo.merit.edu (Christopher L. Werner)
Date: Thu, 20 Apr 1995 04:59:55 -0500
To: firewalls@greatcircle.com

Thanks for all the help!

Unfortunately it was not a netmask problem but a static routing 'mirroring'
issue.  The ICMP hint from Mr. Smith was on the right track - a sniffer added
to the troubleshooting tools showed that the Bastion at Y didn't have the right
MAC address in the ARP table (the wires on the router had been reversed since
the system was configured).  Since the configurations of the Bastions are
symmetrical (re: mirror one another) a more careful a/b comparison 'routed' out
the problem. ;-)

One question remains.
What is accomplished security-wise by turning off arp-proxy on the router?
Is it to prevent ARP broadcasts on the A-B and X-Y lines?  Our router person
gave me a lot of static about why I couldn't just leave it turned on since it
got traffic flowing anyway...

TTFN




>>Dual-homed Bastion -------- Choke Router ---------- Dual-homed Bastion
>>                  A        B             X         Y
>>
>>Solaris 2.4
>>ip_forwarding on both hosts off
>>arp table on A contains B
>>arp table on Y contains X
>>static route from A to B and network X-Y with B as gateway
>>static route from Y to X and network A-B with X as gateway
>>
>>Per page 91 of C & B:
>>
>>on Choke:
>>no service finger
>>no ip redirects
>>no ip route-cache
>>no ip proxy-arp
>>no mop enabled
>>no ip unreachables
>>
>>arp entry for A and Y
                  ^^^^^^
*NOT!*

>>all traffic blocked except specific ports
>>telnet access off
>>
>>
>>Q:
>>A can ping B and X but not Y
>>Y can ping X and B but not A
>>:-(
>>
>>*If* I enable ip proxy-arp A can ping Y and Y can ping A. :-)
>>
>>Why won't it work if ip proxy-arp is off?
>>I am assuming we want it off so someone with a sniffer would not be
>>able to intercept arp broadcasts on the sub-net.  Testing has shown
>>that the only MAC address returned by the router is its own when
>>a ping of A or Y is initiated from within A-B or X-Y.  Do I care?

>On April 20 Donald J. Smith wrote:
>What about ICMP? That's what ping is based on, but I see no mention of
>icmp-redirect etc... (I know that's a Cisco thing ;)

-----------------------------------------------------------------
Opinions expressed are my own and not those of Robert Bosch Corp.
-----------------------------------------------------------------
Christopher L. Werner         |  Robert Bosch Corporation
System Engineer               |  38000 Hills Tech Dr.
(810)553-1389                 |  Farmington Hills, MI 48331-3417
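Added example, not part of the thread or of the C & B config quoted above: a small Python model of the A-B [choke] X-Y layout in the diagram, showing what a host does to reach the far side (route lookup, then ARP for the next hop) and what the choke router's proxy-ARP setting changes. The addresses, MACs and the "wide netmask" case are constructed for the model. It reproduces the symptom described in the post (a static ARP entry that still holds a MAC that is no longer on that wire, so frames go nowhere) and the "traffic flowing anyway" effect of proxy-ARP: with it on, the router answers ARP for any address it can route to, so a host with no route or a wrong mask still gets across the choke.

```python
"""Toy model of the quoted A--B [choke] X--Y layout: how a host picks the MAC it
sends to, and what the choke router's proxy-ARP setting changes about that."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Constructed addresses for the model (the post gives none).
NET_AB = ip_network("10.1.1.0/24")          # the A-B wire
NET_XY = ip_network("10.1.2.0/24")          # the X-Y wire
B_MAC, X_MAC = "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"   # router interfaces


@dataclass
class Interface:
    ip: str
    mac: str
    wire: IPv4Network                       # physical segment, used by the simulation
    local: Optional[IPv4Network] = None     # address+mask the owner believes is on-link

    def __post_init__(self):
        if self.local is None:
            self.local = self.wire


@dataclass
class Host:
    name: str
    iface: Interface
    arp: Dict[str, str] = field(default_factory=dict)             # static ARP: ip -> mac
    routes: Dict[IPv4Network, str] = field(default_factory=dict)  # network -> gateway ip


class ChokeRouter:
    def __init__(self, ifaces: List[Interface], proxy_arp: bool):
        self.ifaces, self.proxy_arp = ifaces, proxy_arp

    def iface_on(self, wire: IPv4Network) -> Interface:
        return next(i for i in self.ifaces if i.wire == wire)

    def arp_reply(self, target: str, wire: IPv4Network) -> Optional[str]:
        """MAC the router answers with for an ARP request heard on `wire`, or None."""
        local, t = self.iface_on(wire), ip_address(target)
        if t == ip_address(local.ip):
            return local.mac                # its own address on that wire: always answered
        if self.proxy_arp and any(t in i.wire for i in self.ifaces if i is not local):
            return local.mac                # proxy-ARP: claims any address it can route to
        return None


def next_hop(src: Host, dst: str) -> Optional[str]:
    d = ip_address(dst)
    if d in src.iface.local:
        return dst                          # believed on-link: ARP for the destination itself
    for net, gw in src.routes.items():
        if d in net:
            return gw                       # static route: ARP for the gateway
    return None


def resolve_mac(src: Host, ip: str, hosts: List[Host], router: ChokeRouter) -> Optional[str]:
    if ip in src.arp:
        return src.arp[ip]                  # a static entry is used as-is, right or wrong
    for h in hosts:                         # other hosts answer only for their own address
        if h is not src and h.iface.wire == src.iface.wire and h.iface.ip == ip:
            return h.iface.mac
    return router.arp_reply(ip, src.iface.wire)


def send(src: Host, dst: str, hosts: List[Host], router: ChokeRouter) -> str:
    """Outcome of one packet from src to dst, as a short label."""
    hop = next_hop(src, dst)
    if hop is None:
        return "no route"
    mac = resolve_mac(src, hop, hosts, router)
    if mac is None:
        return "no ARP reply"
    wire = src.iface.wire
    rtr = router.iface_on(wire)
    if mac == rtr.mac:                      # frame reaches the choke; it forwards to the far wire
        far = [i for i in router.ifaces if i is not rtr and ip_address(dst) in i.wire]
        if far and any(h.iface.wire == far[0].wire and h.iface.ip == dst for h in hosts):
            return "delivered via choke"
        return "dropped at choke"
    on_wire = {h.iface.mac: h for h in hosts if h.iface.wire == wire}
    if mac in on_wire:
        return "delivered on-link" if on_wire[mac].iface.ip == dst else "wrong host"
    return "frame lost (MAC not on this wire)"


def build(proxy_arp: bool, y_arp_for_x: str, a_local: str = "10.1.1.0/24"):
    b = Interface("10.1.1.1", B_MAC, NET_AB)
    x = Interface("10.1.2.1", X_MAC, NET_XY)
    a = Host("A", Interface("10.1.1.10", "00:00:5e:00:53:0a", NET_AB, ip_network(a_local)),
             arp={b.ip: b.mac}, routes={NET_XY: b.ip})
    y = Host("Y", Interface("10.1.2.10", "00:00:5e:00:53:0d", NET_XY),
             arp={x.ip: y_arp_for_x}, routes={NET_AB: x.ip})
    return a, y, ChokeRouter([b, x], proxy_arp)


def scenarios() -> Dict[str, str]:
    out = {}
    a, y, choke = build(False, X_MAC)
    out["correct config, proxy-arp off: A->Y"] = send(a, y.iface.ip, [a, y], choke)
    # Wires swapped after Y's static entry for X was made: Y still holds B's MAC.
    a, y, choke = build(False, B_MAC)
    out["stale ARP entry on Y, proxy-arp off: Y->A"] = send(y, a.iface.ip, [a, y], choke)
    # The "netmask problem" case: A's mask makes Y look on-link and A has no route.
    for proxy in (False, True):
        a, y, choke = build(proxy, X_MAC, a_local="10.1.0.0/16")
        a.routes.clear()
        out[f"wide mask, no route, proxy-arp {'on' if proxy else 'off'}: A->Y"] = \
            send(a, y.iface.ip, [a, y], choke)
    return out


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:48} {result}")
```

The last pair of scenarios is the point of `no ip proxy-arp`: with proxy-ARP on, the choke silently covers for a host with no route or a wrong mask, so reachability across it no longer reflects the static routes that were deliberately configured, and its ARP reply tells anyone listening on that wire which addresses it forwards for. Turning it off does not stop ARP broadcasts on the A-B or X-Y wires; hosts still broadcast, the router just refuses to answer for anything but its own interface address.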



