If I deploy a pf firewall on a network where the attached routers or hosts cannot or will not route the appropriate traffic to the firewall, then the firewall must direct that traffic to itself by either binding the addresses of devices behind it or by publishing proxy ARP for them.
For various reasons, binding the addresses either doesn't work or is very inconvenient. That leaves me with proxy ARP. I have written rc.d scripts to publish proxy ARP for all my non-NATed addresses behind the firewall, and/or to read my pf.conf and proxy for all the addresses that are the object of one or more translation rules at startup.

But two cases where this static approach becomes problematic are: translation rules that are dynamically added and removed inside anchors, and redundant CARP firewalls, where it is not obvious how the shell can determine the shared MAC address of carpN, and where presumably only the box with the fastest heartbeat should be proxying unless it goes down.

I think the first case can be handled by adding an option to pfctl to add (or delete) an appropriate pub entry in the ARP cache any time it is called to add/delete a translation rule, but I am at a bit of a loss for how to handle the second case cleanly. Would it cause contention if all the hosts sharing an address via CARP were doing proxy ARP for one or more other addresses?

Comments? Suggestions?

thanks, tom

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
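The static approach described in the post (read pf.conf, publish proxy ARP for every address that is the object of a translation rule) is sketched below as an added example; this is not tom's rc.d script and not part of the original message. It assumes rules are written one per line, that the addresses of interest are literal IPv4 hosts or simple `$macro` references defined in the same file (tables and brace lists are skipped), and that the address to publish is the `to` address of an rdr rule and the `->` address of a nat or binat rule. It goes slightly beyond the post on the CARP point: the shared MAC of a CARP group is the fixed VRRP-style address 00:00:5e:00:01:<vhid>, so a script can derive it from the VHID instead of scraping ifconfig. The output is a list of `arp -s ADDR MAC pub` commands (the FreeBSD arp(8) syntax for a published entry); it does not run them, so it can be reviewed before being wired into an rc.d script.

```shell
#!/bin/sh
# Added example, not from the original post: turn the translation rules in a
# pf.conf into the set of addresses the firewall must answer ARP for, and print
# the matching arp(8) "pub" commands. Assumes one rule per line, literal IPv4
# host addresses or simple $macro references; tables and { lists } are skipped.

# Print the unique addresses that need proxy ARP, one per line.
# rdr: the destination ("to") address; nat/binat: the address after "->".
pf_proxy_targets() {
    awk '
    # remember macro definitions of the form  name = "value"
    /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        line = $0; sub(/#.*/, "", line)
        split(line, kv, "=")
        name = kv[1]; gsub(/[ \t]/, "", name)
        val = kv[2]; gsub(/^[ \t"]+|[ \t"]+$/, "", val)
        macro[name] = val
        next
    }
    /^[ \t]*(rdr|nat|binat)[ \t]/ {
        line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        n = split(line, w, /[ \t]+/)
        target = ""
        if (w[1] == "rdr") {
            for (i = 2; i < n; i++) if (w[i] == "to") { target = w[i+1]; break }
        } else {
            for (i = 2; i < n; i++) if (w[i] == "->") { target = w[i+1]; break }
        }
        if (target == "") next
        # expand a simple $macro reference
        if (substr(target, 1, 1) == "$") target = macro[substr(target, 2)]
        sub(/\/32$/, "", target)
        # only literal host addresses can be published; "any", interfaces,
        # tables and brace lists fall through here and are ignored
        if (target ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !(target in seen)) {
            seen[target] = 1; print target
        }
    }
    ' "$1"
}

# Virtual MAC of a CARP group: 00:00:5e:00:01:<vhid in hex>. On a CARP pair
# this is the MAC both members would publish for the shared address.
carp_vmac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# Emit one "arp -s ADDR MAC pub" line per target. $1 = pf.conf path,
# $2 = MAC to publish (the external interface MAC, or carp_vmac VHID).
pf_proxy_arp_cmds() {
    pf_proxy_targets "$1" | while read -r addr; do
        printf 'arp -s %s %s pub\n' "$addr" "$2"
    done
}

# Usage:  sh proxyarp.sh /etc/pf.conf "$(carp_vmac 1)"
if [ $# -eq 2 ]; then
    pf_proxy_arp_cmds "$1" "$2"
fi
```

Because the parser only follows one level of macro expansion and ignores tables, anything loaded into a table at runtime (the anchor case in the post) will not appear in the output; that limitation is the same one the post describes for any startup-time script.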