Your ISP-router could have a static route for your 16 IPs. In that case both NT/Checkpoint and Linux/Iptables should function without any proxy-arps.
Otherwise the proxy arps are needed. The arp -s ... pub command on linux will do that. On Checkpoint/NT up to 4.1 you need $FWDIR\state\local.arp which you create manually. On Checkpoint NG the FW will automatically create the necessary proxy-arps for you.

Niels Jespersen

-----Original message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Antony Stone
Sent: 20 May 2002 10:22
To: [EMAIL PROTECTED]
Subject: Re: ARP related iptables question

On Monday 20 May 2002 8:47 am, Malcolm Turnbull wrote:

> The other day I tried to replace an old checkpoint firewall with a linux
> / iptables (mandrake 8.2)...

Good boy :-)

> After a long while I figured that I needed to define all 16 real IPs on
> the external interface of the firewall (in order to respond to ARPs) and
> then everything started working fine !
>
> The thing is I can use either a checkpoint or a straight NT firewall (on
> different boxes) with my ISPs router ( with no need to mess around with
> ARP) but if I use a linux box I DO need to sort out the ARP.

I'm not surprised that you had to deal with the ARP problem on the Linux box, however I am surprised that you didn't have to do it on FW-1 as well.

I used to install FW-1 for a living, and I recall that there's some file you have to create called conf.arp or something similar in the FW-1 configuration directory in order for it to publish ARP entries for addresses it's NATting. I wonder whether that file was part of your setup, and (because it doesn't show up in the FW-1 rulebase) you weren't aware it was there (you did say it was an old firewall, so presumably it was set up some time ago).

I'm not aware that Check Point have made this an automatic feature of their software, so I think you'd still have to deal with it on a fresh FW-1 setup.

Antony.
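A worked version of the Linux option Niels describes, added here and not part of the thread: a POSIX sh function that expands a block of NAT addresses into one `arp -s ADDR MAC pub` line per host address, so the firewall answers ARP for the whole block when the ISP router has no static route for it. The 192.0.2.0/28 block, the MAC address and the firewall's own external address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Expands a block of NAT addresses into
# the proxy-ARP publish commands a Linux firewall needs when the ISP router
# has no static route for the block. All addresses and MACs are placeholders.

# dotted-quad -> integer (POSIX sh: split on '.' by setting IFS for 'set')
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# integer -> dotted-quad
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# proxy_arp_cmds NET/PREFIX MAC FW_IP
#   Prints one "arp -s ADDR MAC pub" line per host address in the block,
#   skipping the network and broadcast addresses and the firewall's own
#   external address (the kernel already answers ARP for that one).
#   The iproute2 equivalent of each line is "ip neigh add proxy ADDR dev IFACE".
proxy_arp_cmds() {
  net=${1%/*}
  prefix=${1#*/}
  base=$(ip2int "$net")
  size=$(( 1 << (32 - prefix) ))
  i=1                                      # index 0 is the network address
  while [ "$i" -lt $(( size - 1 )) ]; do   # last index is the broadcast address
    addr=$(int2ip $(( base + i )))
    if [ "$addr" != "$3" ]; then
      echo "arp -s $addr $2 pub"
    fi
    i=$(( i + 1 ))
  done
}

# Usage (constructed values): proxy_arp_cmds 192.0.2.0/28 00:11:22:33:44:55 192.0.2.1
# Run the printed lines as root; confirm afterwards with "ip neigh show proxy".
```

The generated entries do not survive a reboot, so they belong in the same startup script as the iptables NAT rules they support.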
