pf and proxy arp

Tom Uffner tom at uffner.com
Wed Jul 18 21:42:57 UTC 2007


If I deploy a pf firewall on a network where the attached routers or
hosts can not or will not route the appropriate traffic to the firewall,
then the firewall must direct that traffic to itself by either binding
the addresses of devices behind it or by publishing proxy-arp for them.

For various reasons, binding the addresses either doesn't work or is
very inconvenient. That leaves me with proxy arp.

I have written rc.d scripts to publish proxy arp for all my non-NATed
addresses behind the firewall, and/or to read my pf.conf and proxy
for all the addresses that are the object of one or more translation
rules at startup.

But two cases where this static approach becomes problematic are:
translation rules that are dynamically added & removed inside anchors,
and on redundant CARP firewalls where it is not obvious how the shell
can determine the shared MAC address of carpN and presumably only the
box with the fastest heartbeat should be proxying unless it goes
down.

I think the first case can be handled by adding an option to pfctl to add
(or delete) an appropriate pub entry in the arp cache any time it is
called to add/delete a translation rule, but I am at a bit of a loss
for how to handle the 2nd case cleanly. Would it cause contention if all
the hosts sharing an address via CARP were doing proxy arp for one or
more other addresses?

Comments? suggestions?

thanks,
tom
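As an added example (not code from the post, nor from pf or FreeBSD), here is a POSIX sh sketch of the static rc.d approach described above: it reads the translation rules from pf.conf or from `pfctl -sn`, derives the CARP shared link-layer address from the vhid, and prints the arp(8) pub commands. The interface name, the vhid and all addresses are constructed for illustration.

```sh
# Added example, not code from the post or from pf/FreeBSD: a sketch of the
# static approach in the post, emitting the arp(8) "pub" entries a pf box needs
# so that it answers ARP for every external address that is the object of a
# translation rule. Input is pf.conf or the output of `pfctl -sn` on stdin.
#
# The address to proxy, per rule shape (constructed sample rules):
#   nat   on em0 from 10.0.0.0/24 to any -> 203.0.113.5     : the "->" target
#   binat on em0 from 10.0.0.10   to any -> 203.0.113.10    : the "->" target
#   rdr   on em0 proto tcp from any to 203.0.113.20 port 80 -> 10.0.0.20
#                                                           : the "to" address
# Targets written as (em0) are interface addresses the box already owns and
# are skipped; CIDR blocks and {lists} are reported on stderr, not expanded.

# translation_targets: print one proxied address per line, deduplicated.
translation_targets() {
    awk '
        function emit(a) {
            if (a == "any" || a ~ /^\(/) return          # wildcard or own interface
            if (a ~ /^[{]/ || a ~ /\//) {                # list or CIDR: not handled
                print "not published: " a > "/dev/stderr"
                return
            }
            if (!(a in seen)) { seen[a] = 1; print a }
        }
        { sub(/#.*/, "") }                               # drop comments
        $1 == "nat" || $1 == "binat" {
            for (i = 1; i < NF; i++) if ($i == "->") emit($(i + 1))
        }
        $1 == "rdr" {
            for (i = 1; i < NF; i++) if ($i == "to") emit($(i + 1))
        }
    '
}

# carp_mac VHID: CARP's shared link-layer address is 00:00:5e:00:01:<vhid>
# (see carp(4)), so the shell can derive it from the vhid without parsing
# ifconfig output.
carp_mac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# arp_pub_cmds MAC: turn the addresses on stdin into FreeBSD arp(8) commands.
# They are printed rather than run so they can be reviewed; pipe into sh to
# apply. -S replaces any existing entry, "pub" makes the box answer ARP
# requests for the address with the given MAC.
arp_pub_cmds() {
    while read -r addr; do
        printf 'arp -S %s %s pub\n' "$addr" "$1"
    done
}

# Usage from an rc.d script, publishing with the vhid-1 CARP address:
#   pfctl -sn | translation_targets | arp_pub_cmds "$(carp_mac 1)" | sh
```

Reading the rules back from `pfctl -sn` rather than pf.conf picks up whatever is currently loaded, and re-running the pipeline after an anchor change re-publishes the current set; it still does nothing about deciding which CARP member should be the one answering.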

