On Jan 5, 2012 12:28 AM, "Pandu Poluan" <pa...@poluan.info> wrote:
>
> On Jan 4, 2012 11:20 PM, "Peter Pan" <os...@gmx.net> wrote:
> >
> > Hi list,
> >
> > I'm kind of in despair.
> > The history: We recently brought up a new firewall with Gentoo.
> > There are (for my finding) some big nets behind this firewall (1x public /24, 2x public /27, 1x public /26, at least 2 private /24).
> > Filtering is done via iptables and snort should jump in as IPS on software bridge br0. If it helps: There is also ip rule involved for source-based routing.
> >
> > The new firewall replaces an older Gentoo system which did not show this behavior. We therefore copied several config files from the old to the new one.
> >
> > After getting it live, it runs well for a few hours and then becomes unreachable (also for hosts behind the bridge).
> > Dmesg / kern.log stated at this time a neighbor table overflow and indeed, arp -n | wc -l showed a lot of entries.
> >
> > As Google suggested, we then adjusted /proc/sys/net/ipv4/neigh/default/ to:
> > gc_thershold1 -> 8192
> > gc_thershold2 -> 16384
> > gc_thershold3 -> 32768
> >
> > Firing an "arp -d $bogus-ip-address" is failing with "SIOCDARP(dontpub): Network is unreachable"; adding -i br0 doesn't fail, but does not remove the line in the arp table (it only says "incomplete" after grepping arp -n again).
> > Therefore we are currently killing the arp cache with "ip link set arp off dev br0 && ip link set arp on dev br0" by a cronjob.
> >
> > The combination of these workarounds is keeping the firewall reachable and "alive".
> >
> > After stabilizing, we looked at the output of arp -n and noticed that about 99(.999)% of the roundabout 11.000 (and rising) arp cache entries contained public addresses for which the bridge of the firewall should not feel responsible (e.g. the public Google DNS resolver and a load more).
> > The MAC entry for these public addresses is always the one of our router, which is for sure the correct next hop.
> >
> > But from my understanding, it should arp-cache only "our" nets directly at the cable and not those public ones.
> > It looks like a configuration issue, but I don't know where to start looking. I've already checked the default gateway, netmasks, broadcast addresses and to me they are looking fine, so any poke where to start looking is greatly appreciated.
> >
> > In case it will help, I attached the /etc/conf.d/net, ifconfig -a and route -n.
> > If something else is needed, feel free to ask.
> >
> > Hope anyone can help.
>
> Try turning off proxy ARP on the internal and/or external interfaces.
>

Bah, tapped "Send" accidentally.

Here's a reference on turning ON Proxy ARP: http://www.sjdjweis.com/linux/proxyarp/

Use "echo 0" to turn off. If it works, make the concomitant changes in /etc/sysctl.conf

Rgds,
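The symptom described in the thread (a neighbour table full of off-subnet public addresses that all resolve to the gateway's MAC, growing until the kernel logs an overflow) can be checked for mechanically before touching proxy ARP. The following is an added example, not code from this thread or from either poster; it parses `ip -4 neigh show` style output, separates entries that belong to a directly connected subnet from those that do not, reports which MAC answers for the off-subnet ones, places the total against the gc_thresh1/2/3 limits, and turns `sysctl net.ipv4.conf` output into the `/etc/sysctl.conf` lines that switch proxy ARP off where it is on. The neighbour lines, the `192.0.2.0/24` bridge subnet, the interface names and the sysctl values are constructed for the example; the threshold numbers are the ones the original poster raised his to.

```python
"""Neighbour-cache audit for an off-subnet ARP entry flood (added example;
interfaces, subnets and sample output below are constructed, not captured
from the poster's firewall)."""
import ipaddress
import re
from collections import Counter

# Constructed sample of `ip -4 neigh show` output.
SAMPLE_NEIGH = """\
192.0.2.10 dev br0 lladdr 00:11:22:33:44:10 REACHABLE
192.0.2.20 dev br0 lladdr 00:11:22:33:44:20 STALE
192.0.2.1 dev br0 lladdr 00:11:22:33:44:01 REACHABLE
8.8.8.8 dev br0 lladdr 00:11:22:33:44:01 STALE
8.8.4.4 dev br0 lladdr 00:11:22:33:44:01 STALE
203.0.113.77 dev br0 lladdr 00:11:22:33:44:01 REACHABLE
198.51.100.5 dev br0  FAILED
"""

# Hypothetical directly connected subnet(s) of the bridge.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24")]

# Neighbour GC thresholds (/proc/sys/net/ipv4/neigh/default/gc_thresh*);
# the numbers mirror what the poster set.
GC_THRESH = {"gc_thresh1": 8192, "gc_thresh2": 16384, "gc_thresh3": 32768}

# Constructed `sysctl net.ipv4.conf` style output.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.br0.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp = 0
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>\S+))?\s+(?P<state>[A-Z]+)"
)

def parse_neigh(text):
    """Parse `ip neigh` lines into dicts with ip (ipaddress object), dev, mac, state."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # blank or unexpected line: skip rather than abort the audit
        e = m.groupdict()  # mac is None for FAILED/INCOMPLETE entries
        e["ip"] = ipaddress.ip_address(e["ip"])
        entries.append(e)
    return entries

def foreign_entries(entries, local_subnets):
    """Entries whose address lies in none of the directly connected subnets."""
    return [e for e in entries if not any(e["ip"] in n for n in local_subnets)]

def mac_reuse(entries):
    """Addresses per MAC; one MAC answering for many off-subnet IPs is the
    proxy-ARP signature the thread describes (every entry = the router)."""
    return Counter(e["mac"] for e in entries if e["mac"])

def threshold_status(count, thresholds):
    """Where the entry count sits relative to gc_thresh1/2/3."""
    if count >= thresholds["gc_thresh3"]:
        return "hard-limit"     # new entries are refused: the overflow message
    if count >= thresholds["gc_thresh2"]:
        return "gc-pressure"    # soft maximum, garbage collector runs aggressively
    if count >= thresholds["gc_thresh1"]:
        return "above-thresh1"  # below this the collector does not run at all
    return "ok"

def audit(neigh_text, local_subnets=LOCAL_SUBNETS, thresholds=GC_THRESH):
    """Summarise how much of the cache is off-subnet and who answers for it."""
    entries = parse_neigh(neigh_text)
    foreign = foreign_entries(entries, local_subnets)
    macs = mac_reuse(foreign)
    return {
        "total": len(entries),
        "foreign": len(foreign),
        "top_mac": macs.most_common(1)[0] if macs else None,
        "threshold": threshold_status(len(entries), thresholds),
    }

PROXY_RE = re.compile(r"^(net\.ipv4\.conf\.\S+\.proxy_arp)\s*=\s*(\d)$")

def proxy_arp_fixes(sysctl_text):
    """sysctl.conf lines that turn proxy ARP off on every interface where it is on."""
    fixes = []
    for line in sysctl_text.splitlines():
        m = PROXY_RE.match(line.strip())
        if m and m.group(2) == "1":
            fixes.append(f"{m.group(1)} = 0")
    return fixes

if __name__ == "__main__":
    r = audit(SAMPLE_NEIGH)
    print(f"{r['foreign']}/{r['total']} neighbour entries are off-subnet; "
          f"most reused MAC among them: {r['top_mac']}; GC status: {r['threshold']}")
    for fix in proxy_arp_fixes(SAMPLE_SYSCTL):
        print("sysctl.conf:", fix)
```

On a live host the two inputs would come from `ip -4 neigh show` and `sysctl net.ipv4.conf`; a high off-subnet share with a single dominant MAC is the pattern to expect when proxy ARP on the bridge is answering for addresses the firewall merely routes, and the sysctl lines returned are the persistent form of the `echo 0` suggested above.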