I'm in the process of building a custom firewall and I have stumbled onto
what I think may be a bug:
I'm trying to implement the "any-ip" functionality where a user can connect
to a public access network port and get network access
without changing his IP settings. The idea is to use a firewall and NAT
along with some custom software to add interface aliases and
routes.
What is screwing me up at the moment is that I expect to only get ARP
requests for machines on a host's subnet.
Here is an example:
        Client                              Firewall
  ------------------      ---------------------------------------------
                           TRUSTED                           UNTRUSTED
  10.1.0.5/255.0.0.0 <----------> 10.1.0.1 (alias)          172.16.0.2
                                  192.168.250.1
                                       ^
                                       |
                                       V
                                  192.168.250.4 (internal web server)
So, what happens is that 10.1.0.5 sends out an ARP request for 10.1.0.1.
I see that and create an alias on the fly for the trusted interface and a
route to 10.1.0.5/255.255.255.255
So far, so good. Then I get an ARP for 192.168.250.4, which is not on
10.1.0.5's subnet.
To my simple-minded way of thinking, the client should see that it has no
route to 192.168.250.4 and just send those packets to 10.1.0.1. So it has
no business ARPing 192.168.250.4.
This is confusing my program, since I assume that the client is ARPing its
gateway, and I end up adding an additional alias for 192.168.250.4 on the
trusted interface of the firewall (and an additional route via that
interface), which is just wrong.
I suppose, since I have no control over the clients that will be connecting
to my system, that I need to fix this in my code,
but I thought someone should be aware of this unexpected behavior.
Mark Z.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
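One way to make the "any-ip" logic robust against the behaviour described in the post, as an added example that is not part of the original message or of Mark's code: parse ARP requests seen on the trusted interface, treat only the first request from a new client MAC as that client's gateway lookup (alias plus /32 host route), and answer every later request from that client with the firewall's own MAC (proxy-ARP style) without adding anything. The client's packets for 192.168.250.4 then still land on the firewall and get routed, but no bogus alias appears. The MAC addresses, the `FIREWALL_MAC` constant and the "add alias"/"add route" action strings (stand-ins for the `ip addr`/`ip route` calls the real program would make) are constructed for this example; the frames are built inline rather than sniffed from a socket.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

# Constructed for the example; a real firewall reads this from the trusted NIC.
FIREWALL_MAC = bytes.fromhex("020000aabb01")
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpRequest:
    sender_mac: bytes
    sender_ip: ipaddress.IPv4Address
    target_ip: ipaddress.IPv4Address


def parse_arp_request(frame: bytes):
    """Parse an Ethernet frame (RFC 826 layout); return an ArpRequest for IPv4
    ARP requests, None for replies, non-ARP traffic or short/malformed frames."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    return ArpRequest(frame[22:28],
                      ipaddress.IPv4Address(frame[28:32]),
                      ipaddress.IPv4Address(frame[38:42]))


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast 'who-has target_ip tell sender_ip' frame (used to construct input)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def build_arp_reply(req: ArpRequest, our_mac: bytes) -> bytes:
    """Proxy-ARP reply: claim req.target_ip is at our_mac, unicast to the sender."""
    eth = req.sender_mac + our_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += our_mac + req.target_ip.packed + req.sender_mac + req.sender_ip.packed
    return eth + arp


@dataclass
class AnyIpTable:
    """State the firewall keeps about clients on the trusted interface."""
    gateway_of: dict = field(default_factory=dict)  # client MAC -> presumed gateway
    host_routes: set = field(default_factory=set)    # /32 routes back to clients
    aliases: set = field(default_factory=set)        # addresses added to trusted iface

    def handle(self, req: ArpRequest):
        """Return (list of actions to apply, reply frame or None)."""
        actions = []
        # ARP probe (sender 0.0.0.0) or gratuitous ARP (sender == target): the
        # client is checking whether its own address is in use. Answering would
        # make it believe there is an address conflict, so stay silent.
        if req.sender_ip == ipaddress.IPv4Address("0.0.0.0") or req.sender_ip == req.target_ip:
            return actions, None
        if req.sender_mac not in self.gateway_of:
            # First request from this client: the target is the address it
            # believes is its gateway. Take that address on the trusted
            # interface so the client can talk to it.
            self.gateway_of[req.sender_mac] = req.target_ip
            if req.target_ip not in self.aliases:
                self.aliases.add(req.target_ip)
                actions.append(f"add alias {req.target_ip}")
        route = ipaddress.IPv4Network(f"{req.sender_ip}/32")
        if route not in self.host_routes:
            self.host_routes.add(route)
            actions.append(f"add route {route} dev trusted")
        # Whatever the target, answer with the firewall's MAC so the client's IP
        # packets land on the firewall and are routed/NATed. A later request for
        # some other address (the internal web server, another client) is NOT a
        # new gateway and adds no alias.
        return actions, build_arp_reply(req, FIREWALL_MAC)


def replay_post_sequence():
    """Replay the two ARP requests from the post on constructed frames."""
    client_mac = bytes.fromhex("020000cc0005")  # constructed
    table = AnyIpTable()
    log = []
    for target in ("10.1.0.1", "192.168.250.4"):
        req = parse_arp_request(build_arp_request(client_mac, "10.1.0.5", target))
        actions, reply = table.handle(req)
        log.append((target, actions, reply is not None))
    return table, log


if __name__ == "__main__":
    table, log = replay_post_sequence()
    for target, actions, replied in log:
        print(f"ARP for {target}: actions={actions} replied={replied}")
    print("aliases:", sorted(str(a) for a in table.aliases))
```

The remaining assumption is that a client's first ARP request really is for its gateway; a client whose first lookup happens to be for some other off-link host would still be mis-learned, so the real program should keep an explicit way to re-learn or expire a client's entry. Answering ARP for another client's address with the firewall's MAC is deliberate here: on a public-access port it forces client-to-client traffic through the firewall where policy can be applied.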