1 |
Hi Pandu, |
2 |
|
3 |
|
4 |
|
5 |
thanks for your reply. |
6 |
|
7 |
As far as I can see, proxy_arp is not enabled on any interfaces: |
8 |
|
9 |
|
10 |
|
11 |
host conf # pwd |
12 |
|
13 |
/proc/sys/net/ipv4/conf |
14 |
|
15 |
Host conf # for f in $(find | grep -i proxy_arp | grep -v pvlan ); do echo $f && cat $f ;done |
16 |
|
17 |
./all/proxy_arp |
18 |
|
19 |
0 |
20 |
|
21 |
./default/proxy_arp |
22 |
|
23 |
0 |
24 |
|
25 |
./lo/proxy_arp |
26 |
|
27 |
0 |
28 |
|
29 |
./sit0/proxy_arp |
30 |
|
31 |
0 |
32 |
|
33 |
./lan/proxy_arp |
34 |
|
35 |
0 |
36 |
|
37 |
./dmz/proxy_arp |
38 |
|
39 |
0 |
40 |
|
41 |
./isp/proxy_arp |
42 |
|
43 |
0 |
44 |
|
45 |
./dsl/proxy_arp |
46 |
|
47 |
0 |
48 |
|
49 |
./wlan/proxy_arp |
50 |
|
51 |
0 |
52 |
|
53 |
./mgm/proxy_arp |
54 |
|
55 |
0 |
56 |
|
57 |
./br0/proxy_arp |
58 |
|
59 |
0 |
60 |
|
61 |
./ppp0/proxy_arp |
62 |
|
63 |
0 |
64 |
|
65 |
./tun1/proxy_arp |
66 |
|
67 |
0 |
68 |
|
69 |
./tun0/proxy_arp |
70 |
|
71 |
0 |
72 |
|
73 |
|
74 |
|
75 |
Regards, |
76 |
|
77 |
Ralf |
78 |
|
79 |
|
80 |
|
81 |
Von: Pandu Poluan [mailto:pandu@××××××.info] |
82 |
Gesendet: Mittwoch, 4. Januar 2012 18:29 |
83 |
An: gentoo-user@l.g.o |
84 |
Betreff: Re: [gentoo-user] ARP-Caching of non-link-local adresses |
85 |
|
86 |
|
87 |
|
88 |
|
89 |
On Jan 4, 2012 11:20 PM, "Peter Pan" <osaka@×××.net> wrote: |
90 |
> |
91 |
> Hi list, |
92 |
> |
93 |
> |
94 |
> |
95 |
> I’m kind of despair. |
96 |
> |
97 |
> The history: We recently brought up a new firewall with Gentoo. |
98 |
> |
99 |
> There are (for my finding) some big nets behind this firewall (1x public /24, 2x public /27, 1x public /26, at least 2 private /24). |
100 |
> |
101 |
> Filtering is done via iptables and snort should jump as IPS on software-bridge br0. If it helps: There is also ip rule involved for source-based routing. |
102 |
> |
103 |
> |
104 |
> |
105 |
> The new firewall replaces an older Gentoo-system which did not show this behavior. We therefore copied several configfiles from the old to the new one. |
106 |
> |
107 |
> |
108 |
> |
109 |
> After getting it live, it runs well for a few hours and then becomes unreachable (also for hosts behind the bridge). |
110 |
> |
111 |
> Dmesg / kern.log stated at this time a neighbor table overflow and indeed, arp –n | wc –l showed a lot of entry’s. |
112 |
> |
113 |
> |
114 |
> |
115 |
> As Google suggested, We then adjusted /proc/sys/net/ipv4/neigh/default/ to: |
116 |
> |
117 |
> gc_thershold1 -> 8192 |
118 |
> |
119 |
> gc_thershold2 -> 16384 |
120 |
> |
121 |
> gc_thershold3 -> 32768 |
122 |
> |
123 |
> |
124 |
> |
125 |
> Fireing an “arp –d $bogus-ip-adress” is failing with „SIOCDARP(dontpub): Network is unreachable”, adding –i br0 doesn’t fail, but does not remove the line in the arp-table (it only says “incomplete” after greping arp -n again).. |
126 |
> |
127 |
> Therefore we are currently killing the arp-cache with “ip link set arp off dev br0 && ip link set arp on dev br0” by a cronjob. |
128 |
> |
129 |
> |
130 |
> |
131 |
> The combination of these workarounds are keeping the firewall reachable and “alive”. |
132 |
> |
133 |
> |
134 |
> |
135 |
> After stabilizing, we looked at the output of arp –n and noticed, that about 99(.999)% of the roundabout 11.000 (and rising) arp-cache-entry’s contained public addresses for which the bridge of the firewall should not feel responsible (e.g. the public Google-dns-resolver and a load of more). |
136 |
> |
137 |
> The MAC-entry for these public addresses is always the one of our router, which is for sure the correct next hop. |
138 |
> |
139 |
> |
140 |
> |
141 |
> But from my understanding, it should arp-cache only “our” net’s directly at the cable and not those public ones. |
142 |
> |
143 |
> It looks like a configuration-issue, but I don’t know, where to start looking. I’ve already checked the default-gateway, netmasks, broadcast-addresses and to me, they are looking fine, so any poke where to start looking is greatly appreciated. |
144 |
> |
145 |
> |
146 |
> |
147 |
> In case it will help, I attached the /etc/conf.d/net, ifconfig –a and route -n. |
148 |
> |
149 |
> If something else is needed, feel free to ask. |
150 |
> |
151 |
> |
152 |
> |
153 |
> Hope, anyone can help. |
154 |
> |
155 |
|
156 |
Try turning off proxy ARP on the internal and/or external interfaces. |
157 |
|
158 |
Rgds, |