[EMAIL PROTECTED] wrote:
>
> Hi,
>
> I have a NOKIA IP440 and I would like a remote host not to see the IP
> address of the NOKIA after doing an arp -a following a ping.
ARP is a layer 2 thing which is performed prior to processing the
rulebase. Note that to see the true MAC of the device I have to be on
the same logical subnet. If I'm on a remote network, the MAC I see is
that of my gateway.
> I don't know how to do such a thing; even though ping is disabled
> (responding with a "time out") the host can do an arp -a command and see
> that the IP address is alive!!!
It's the nature of IP. Assuming a local "source" system trying to Ping a
"target" which is a firewall, the transaction looks something like this:
1) Source system has the target system's IP address
2) Source uses the subnet mask to figure out the target is on the same logical subnet
3) Source issues an ARP request to the target system's IP address
4) Target system responds to the source giving up its MAC address
5) Source makes an ARP entry for the address
6) Source attempts local delivery of echo-request using the target's MAC address
7) Target receives the packet and passes it up the stack
8) Firewall software grabs the packet and determines it should not respond to echo-request packets
See what I mean? The ARP entry is made long before the traffic is
compared to the rulebase.
I commonly use this trick when troubleshooting a firewall. Let's say you
try to Ping the firewall from a local host and it fails. Is it a
connectivity thing (dead switch, hub, NIC, etc.) or is it a firewall
rules thing? If you get an ARP entry, connectivity is fine.
> On a Sun Solaris system there is the following command which does what I
> want to do: "ifconfig hme0 -arp".
> But it still does not work on the NOKIA IP 440!!!
I think it's trying to keep you from shooting yourself in the foot. ;)
What you are trying to do is tell the interface *not* to respond to ARP
requests. If you do this, systems on the wire will be unable to
communicate with this interface unless:
1) You create static MAC entries on each system
2) The interface talks to the system first, thus creating a dynamic ARP
entry
You are really better off leaving it "as-is" unless you have some weird
security requirement which dictates that local systems should not be
able to reach the firewall's interface. If this is the case, you are
better off doing this with a switch that will let you hard set MAC
connectivity.
Cheers,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
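The ARP-then-rulebase ordering and the "got an ARP entry, so connectivity is fine" troubleshooting rule from Chris's reply, as an added simulation that is not part of the original thread or of any Nokia/Check Point code. Hosts, addresses and the firewall policy are constructed for illustration; the `answers_arp` flag stands in for the `ifconfig hme0 -arp` behaviour asked about, and a reply frame is handed straight back to the sender's MAC rather than resolved again, which is a simplification.

```python
# Added example (not from the original thread): a small simulation of the
# ARP-then-ICMP ordering described in the post. Hosts, addresses and the
# firewall policy are constructed for illustration; no real network is touched.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    answers_arp: bool = True          # False models "ifconfig hme0 -arp"
    drop_echo_request: bool = False   # a firewall rule, applied above layer 2
    arp_cache: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)


class Segment:
    """One logical subnet: every host sees every broadcast frame."""

    def __init__(self, hosts: List[Host]) -> None:
        self.by_mac = {h.mac: h for h in hosts}

    def send(self, frame: dict) -> Optional[dict]:
        """Deliver one frame; return the reply frame, if any."""
        dst = frame["dst_mac"]
        targets = list(self.by_mac.values()) if dst == BROADCAST else [self.by_mac.get(dst)]
        for host in targets:
            if host is None or host is frame["src"]:
                continue
            reply = receive(host, frame)
            if reply is not None:
                return reply
        return None


def receive(host: Host, frame: dict) -> Optional[dict]:
    """Stack processing on the receiving host, in the order the post describes."""
    kind = frame["kind"]
    host.log.append(f"{host.name} got {kind} from {frame['src'].ip}")
    if kind == "arp-request":
        # Step 1: ARP is answered by the layer-2 stack before any rulebase runs.
        if frame["target_ip"] != host.ip or not host.answers_arp:
            return None
        host.arp_cache[frame["src"].ip] = frame["src"].mac  # learn the asker too
        return {"kind": "arp-reply", "src": host, "dst_mac": frame["src"].mac}
    if kind == "echo-request":
        # Step 2: only now does the firewall software see the packet.
        if host.drop_echo_request:
            host.log.append(f"{host.name} firewall dropped echo-request")
            return None
        # Simplification: reply goes straight back to the sender's MAC.
        return {"kind": "echo-reply", "src": host, "dst_mac": frame["src"].mac}
    return None


def ping(src: Host, seg: Segment, target_ip: str) -> dict:
    """What `ping` does on the source: resolve the MAC, then send one echo-request."""
    mac = src.arp_cache.get(target_ip)
    if mac is None:
        reply = seg.send({"kind": "arp-request", "src": src,
                          "dst_mac": BROADCAST, "target_ip": target_ip})
        if reply is not None:
            mac = reply["src"].mac
            src.arp_cache[target_ip] = mac   # the entry `arp -a` will show
    if mac is None:
        return {"arp_entry": None, "echo_reply": False}
    reply = seg.send({"kind": "echo-request", "src": src, "dst_mac": mac})
    return {"arp_entry": mac, "echo_reply": reply is not None}


def diagnose(result: dict) -> str:
    """The troubleshooting rule: an ARP entry means layer-2 connectivity is fine."""
    if result["arp_entry"] is None:
        return "no ARP entry: connectivity problem (cable, switch, NIC) or ARP disabled"
    if not result["echo_reply"]:
        return "ARP entry but no reply: host reachable, rulebase is dropping echo-request"
    return "reachable and answering"


if __name__ == "__main__":
    # Constructed hosts: a local PC and a firewall that drops echo-request.
    pc = Host("pc", "192.0.2.10", "00:00:5e:00:53:0a")
    fw = Host("fw", "192.0.2.1", "00:00:5e:00:53:01", drop_echo_request=True)
    seg = Segment([pc, fw])
    print(diagnose(ping(pc, seg, fw.ip)))
    print("arp -a on pc:", pc.arp_cache)
```

Running it with the firewall dropping echo-request shows the PC's ARP cache holding the firewall's MAC even though the ping timed out, which is exactly what the original poster observed. Setting `answers_arp=False` on the firewall reproduces the `-arp` situation: the ping fails with no ARP entry at all, and the PC can reach the interface again only after a static entry is added to its cache, matching case 1) in the reply.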