To Proxy-ARP or not to Proxy-ARP

I'm leasing a block of 16 IP addresses in order to service a DNS server, 2 mail servers and a number of e-commerce sites, each of which needs its own IP address for the security certificate. I ran a small group of servers on a single IP before to service a hobby, but the software firewall on the Linux distro was adequate for that. With the new setup, I need a dedicated system, but I'm a little out of my depth.

The hardware I have available is a 75 MHz Pentium I with 64 MB of memory. The available media include a 3-1/2 inch floppy, a DVD-ROM and a 4.3 MB SCSI hard drive. If I don't need the hard drive in the firewall system then I'd rather pull the card out to use it for some devices on the network. It would also improve my comfort level on the firewall system.

I'd rather have the internal network obscured from the Internet, but the whole point of the leased addresses is to ensure that security certificates for the websites and reverse pointers for the mail servers work properly. Is Proxy-ARP the best solution for this? I think I recall one firewall distro dropping Proxy-ARP support for security reasons. What validity is there to that issue?

With 16 external addresses to route, is proxy-ARP a better solution than SNAT? Which Linux or BSD based firewall distros provide the necessary functionality? Are any of them significantly more transparent in their controls than the others? I'm not looking for a plug and play configuration, but something that lets me see what is going on and make any changes without having some script reverse them out when I reboot 3 months from now.

One wrinkle... At least at the beginning there won't be a physical interface for each of the inbound IP addresses. For example, the mail server may be on eth0, but several websites will be on virtual interfaces in the network. Am I asking for trouble interjecting IP Masquerading into this, or is there any simpler way to implement this (without buying more hardware right away)?

Thank you for your assistance, Chris

Chris Babcock

There are plenty of BSD and Linux based firewall distributions that will run from a floppy disk or small compact flash drive. Here are just a few that I've used in the past:

Of the 3, m0n0wall might be best suited for your needs.


Proxy ARP probably isn't necessary but your NSP/ISP should be able to answer that for you.

And unless you're setting up a DMZ or have multiple LANs, you'd only want extra interfaces for the inside. Multiple WAN interfaces would only be used for redundancy from the same provider or multiple providers. In that case, I'm not sure any of the floppy based distros would suit you. PCX, Shorewall, Smoothwall, OpenBSD's pf, FreeBSD's ipfw, and several others might work but you'll need to check their resource requirements and consider the flash drive option if you still want to ditch your hard drive.
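The thread weighs proxy ARP against SNAT for a leased /28 whose servers must keep working certificates and reverse pointers. As an added example (not code from any poster here, nor from any of the distributions named), the script below emits the commands each design needs on a plain Linux firewall, so the two rule sets can be compared side by side. The server list is constructed, every address comes from the RFC 5737 TEST-NET-3 range, and the interface names, the ISP router address and the firewall's own public address are assumptions.

```shell
#!/bin/sh
# Added example (not from any post in this thread): the two designs the thread
# compares for putting a leased /28 behind a Linux firewall, expressed as the
# commands each one needs. Every address is constructed from RFC 5737
# TEST-NET-3; the interface names, the ISP router address and the server list
# are assumptions, not details from the thread.
#
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# rule set can be reviewed before it is applied as root with DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"
WAN=eth0               # interface toward the ISP router (assumed)
LAN=eth1               # interface toward the servers (assumed)
WAN_GW=203.0.113.1     # ISP router (constructed)
FW_PUBLIC=203.0.113.30 # firewall's own address from the leased block (constructed)

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed server list: public address, private address (used only by the
# NAT design), then the services to publish as proto:port tokens.
server_map() {
  cat <<'EOF'
203.0.113.17 192.168.1.17 udp:53 tcp:53
203.0.113.18 192.168.1.18 tcp:25
203.0.113.19 192.168.1.19 tcp:25
203.0.113.20 192.168.1.20 tcp:80 tcp:443
EOF
}

# Shared filter policy: drop everything forwarded unless a rule below allows it.
base_filter() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
}

# Design A: proxy ARP. The servers keep their public addresses on the LAN side.
# The firewall answers ARP for them toward the ISP router, answers ARP for the
# ISP router toward the servers, and routes each public /32 inward. Nothing is
# rewritten, so certificates and reverse DNS see the real host address.
proxy_arp_setup() {
  base_filter
  run ip addr add "$FW_PUBLIC/28" dev "$WAN"
  run ip route add default via "$WAN_GW" dev "$WAN"
  run sysctl -w "net.ipv4.conf.$WAN.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$LAN.proxy_arp=1"
  server_map | while read -r pub _priv svcs; do
    run ip route add "$pub/32" dev "$LAN"
    for svc in $svcs; do
      run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$pub" \
        -p "${svc%%:*}" --dport "${svc#*:}" -j ACCEPT
    done
  done
}

# Design B: one-to-one NAT. The firewall holds every public address itself (so
# it answers ARP for them without proxy ARP), DNATs each published port to a
# private server, and SNATs that server's outbound traffic back to its public
# address, so an outbound mail connection still matches its reverse pointer.
nat_setup() {
  base_filter
  run ip addr add "$FW_PUBLIC/28" dev "$WAN"
  run ip route add default via "$WAN_GW" dev "$WAN"
  server_map | while read -r pub priv svcs; do
    run ip addr add "$pub/32" dev "$WAN"
    for svc in $svcs; do
      run iptables -t nat -A PREROUTING -i "$WAN" -d "$pub" \
        -p "${svc%%:*}" --dport "${svc#*:}" -j DNAT --to-destination "$priv"
      run iptables -A FORWARD -i "$WAN" -o "$LAN" -d "$priv" \
        -p "${svc%%:*}" --dport "${svc#*:}" -j ACCEPT
    done
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
  done
}

case "${1:-}" in
  proxy) proxy_arp_setup ;;
  nat)   nat_setup ;;
esac
```

`sh fw.sh proxy` or `sh fw.sh nat` prints the commands; `DRY_RUN=0 sh fw.sh nat` applies them. The point the replies make shows up in the NAT output: every public address is held by the firewall itself, so no proxy ARP is involved, and the per-server SNAT rule is what keeps an outbound mail connection's source address matching the reverse pointer for its public IP. Both designs share the same default-deny FORWARD policy, so the choice is about addressing, not about how much is exposed. Shorewall, mentioned above, expresses the same two designs declaratively in its /etc/shorewall/proxyarp and /etc/shorewall/nat files.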



Proxy-arp is never a 'better solution'
