Apologies if this has been discussed before, but I couldn't find it fully
covered in the list archives or other docs.
I need to set up a machine as a "transparent" firewall between an ADSL
router and our internal machines. Having found an excellent article at
http://lrp.c0wz.com/dox/ProxyARP/3246.html I decided that proxy ARP was the
best way to approach the problem. Reading this article, it would appear that
this works fine on Linux - but I would like to use OpenBSD and ipfilter if
possible. My setup looks like this:
[Internet] -> ADSL Router -> OpenBSD box -> [Internal hosts]
and of course, I am trying to make the OpenBSD box transparent so it looks
like this:
[Internet] -> ADSL Router -> [Internal hosts]
Has anybody yet succeeded at this with OpenBSD? I have seen a couple of
similar requests on this mailing list, but have found no success stories
unfortunately :-(
I have got as far as setting up the routing tables, and adding the static
ARP entries required for both the router and for the internal hosts. Having
done that though, I cannot ping the ADSL router from my internal test host,
nor the test host from the outside world.
The ARP table on the OpenBSD machine looks like this:
? (adsl-router) at [router-MAC]
? (openbsd-box) at [router-facing-MAC] static
? (internal-host) at [router-facing-MAC] static published
it which interface to bind the arp entry to. I haven't seen a similar option
in OpenBSD, so what I assume is happening is that when data comes in for the
internal host, the OpenBSD machine already has an ARP entry for it (needed
on the router-facing ethernet interface) and sends the packet out on the
internal wire with this (incorrect) MAC address.
Does this sound likely? I don't know all that much about the internals of
OpenBSD, or indeed the internals of how arp works on Linux - so I could be
barking up the wrong tree here. It's entirely possible that the routing
table on the OpenBSD box, or something else entirely, is screwed, but
looking at it it appears to be fine.
I would guess that if I can somehow tell OpenBSD that this static ARP entry
is just for the one ethernet interface, then things will start working. I'm
not entirely sure where to go from here though - I may try setting up a
Linux box in a similar fashion and see if I can get it going using the Linux
arp command..
And before you ask, the ADSL router is owned by the telco, not us. This
telco has been extremely un-cooperative in this matter, so there's no chance
we can get them to add static routes to the router - we have tried! They
also have a monopoly on ADSL in the country right now, so we can't change to
another telco either :(
Thanks for any pointers you might be able to give me,
Jonathan
man brconfig
and then apply ipf's filtering rules to the inbound interfaces of the bridge
on both the internal and external sides.
Nick
[What follows is distilled from a mere couple of months of
OpenBSD/firewall-bridge experience. Sanity checking by anyone who
knows better would be most welcome]
Rationale being you've got too few public addresses to subnet
and you haven't any control over the upstream router anyway?
Proxy ARP was an option I investigated for a very similar setup.
It should work, but a filtering bridge turned out to be a much
cleaner solution. Take a peek at,
http://www.openlysecure.org/content/html/bridge.html
(tho' you should ignore the recommendation to enable ip/ipv6
routing in /etc/sysctl.conf, it's completely unnecessary). Also
take a peek at the ipf-howto at,
http://www.obfuscation.org/ipf/
if you haven't already. It's a useful intro to ipf and there's a
brief section towards the end on filtering bridge firewalls. Also
man brconfig
man bridgename.if
Two things to keep in mind ...
First, in bridging mode you should only specify inbound rules
(ie. block in on, pass in on). ipf won't choke on outbound rules
but they won't have any effect. This might seem like a bit of a
limitation, but in practice it doesn't seem to be. On your
internal interface specify something like,
pass in on if1 proto tcp from <internal> to any flags \
<whatever> keep state
and on your external interface,
block in on if0
(nb. grossly oversimplified)
This allows outbound tcp traffic from your protected hosts in
through if1 and out through if0 to your BT router, and the 'keep
state' allows responses from external hosts back along the
reverse path, but nothing else. Remembering that packets passing
through the bridge will only be tested against the rules on the
inbound interface and transient rules set up by 'keep state'
helps a lot.
Second, if you need to run any services on the firewall machine
you can (tho' it probably isn't that good an idea). There doesn't
seem to be any particular problem with assigning addresses to any
of the interfaces participating in the bridge. I've seen
recommendations against doing that, but not had any problems. The
only issues seem to be that the lack of outbound rules is more of
a limitation in this case; and, of course, the fact that a
firewall running services can only be semi-transparent and
inherits any vulnerabilities in the services in question. A three
legged filtering bridge with the third branch out to a DMZ would
be better.
Cheers,
Miles
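To make the "inbound rules only, plus keep state" behaviour concrete, here is an added toy model of the two rules quoted above (it is illustrative code written for this page, not ipf itself or anything from the thread). It assumes a constructed internal range of 192.0.2.0/25 behind if1 and the external side on if0; packets are tested only against the rules of the interface they enter on, and a stateful pass lets the reverse path through.

```python
# Toy model of an inbound-only, stateful filtering bridge (added example, not ipf).
# Rules are evaluated only on the interface a packet ENTERS; a "keep state" pass
# records the flow so that replies entering on the other interface are allowed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/25")   # constructed: the protected hosts behind if1


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet arrives on: "if0" external, "if1" internal
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool   # True for the first segment of a new connection


# (action, inbound interface, predicate, keep_state); last matching rule wins, as in ipf
RULES = [
    ("block", "if0", lambda p: True, False),                                   # block in on if0
    ("pass", "if1", lambda p: ip_address(p.src) in INTERNAL and p.syn_only, True),  # pass in on if1 ... keep state
]


class Bridge:
    def __init__(self):
        self.state = set()   # (src, sport, dst, dport) of flows admitted with keep state

    def _state_match(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.state or rev in self.state

    def filter(self, p):
        """Return 'pass' or 'block' for a packet entering the bridge on p.iface."""
        if self._state_match(p):             # state entries are consulted before the rules
            return "pass"
        verdict, keep = "block", False       # nothing matched: default deny
        for action, iface, pred, keep_state in RULES:
            if iface == p.iface and pred(p):
                verdict, keep = action, keep_state
        if verdict == "pass" and keep:
            self.state.add((p.src, p.sport, p.dst, p.dport))
        return verdict


def demo():
    """Internal host opens a connection outward; the reply is allowed, a fresh inbound SYN is not."""
    b = Bridge()
    out = Packet("if1", "192.0.2.10", "198.51.100.5", 40000, 80, True)
    reply = Packet("if0", "198.51.100.5", "192.0.2.10", 80, 40000, False)
    unsolicited = Packet("if0", "198.51.100.9", "192.0.2.10", 4444, 22, True)
    return [b.filter(out), b.filter(reply), b.filter(unsolicited)]
```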
Surprisingly enough, we have been allocated 128 IP addresses, as requested
through our ISP. Unfortunately, BT (the telco) will not configure the ADSL
router to route packets through another machine! It just chucks all 128 IP
addresses out onto the local ethernet. Not exactly useful in my book :-(
> Proxy ARP was an option I investigated for a very similar setup.
> It should work, but a filtering bridge turned out to be a much
> cleaner solution. Take a peek at,
I can see how that could work well. I'll try to set that up today - thanks
for the suggestion.
I only have one niggle at the back of my mind, I should probably have
mentioned this in my original post but I hadn't considered bridging (because
of it!) so of course didn't think to mention it... Currently we have a 64K
line with 128 IP addresses - hence the request for ADSL with 128 IP
addresses. My original plan was to keep the network layout exactly the
same - we effectively have four subnets of 32 hosts each, and I was planning
on simply renumbering the machines to the new IP addresses we got with ADSL.
Ideally, I would want the firewall to forward any packets for the top two
subnets (let's call them subnets 2 and 3) on through two gateway machines.
These are reachable through subnet 1, which is directly connected to the
firewall. If I give the (bridging) firewall an IP address and some routing
rules, so it's no longer a simple bridge, then as I understand it the
firewall would still have to do proxy ARP for the hosts on subnets 2 and 3.
This would bring us back to square 1, trying to get proxy ARP working :-)
So, it's back to the original question it seems - can I inject an ARP entry
into OpenBSD's cache that 'binds' to one network interface only? That seems
to be why proxy ARP wasn't working for me yesterday.
Thanks for all your help,
Jonathan