From: Pandu Poluan <pandu@poluan.info>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] ARP-Caching of non-link-local adresses
Date: Thu, 5 Jan 2012 00:31:43 +0700
Message-ID: <CAA2qdGXSRc4yLVACr+wT18y5_iGOvuqd9XQ38w3X6wJ695aWEg@mail.gmail.com>
In-Reply-To: <CAA2qdGWM7qY3_7hUOF_E6AOHXtGu+=BXpMmyhmrw9SCqsaC-1Q@mail.gmail.com>
On Jan 5, 2012 12:28 AM, "Pandu Poluan" <pandu@poluan.info> wrote:
>
> On Jan 4, 2012 11:20 PM, "Peter Pan" <osaka@gmx.net> wrote:
> >
> > Hi list,
> >
> > I'm kind of in despair.
> >
> > The history: We recently brought up a new firewall with Gentoo.
> >
> > There are (for my finding) some big nets behind this firewall (1x public /24, 2x public /27, 1x public /26, at least 2 private /24).
> >
> > Filtering is done via iptables, and snort should jump in as IPS on software bridge br0. If it helps: there is also ip rule involved for source-based routing.
> >
> > The new firewall replaces an older Gentoo system which did not show this behavior. We therefore copied several config files from the old to the new one.
> >
> > After getting it live, it runs well for a few hours and then becomes unreachable (also for hosts behind the bridge).
> >
> > Dmesg / kern.log stated at this time a neighbor table overflow and indeed, arp -n | wc -l showed a lot of entries.
> >
> > As Google suggested, we then adjusted /proc/sys/net/ipv4/neigh/default/ to:
> >
> > gc_thresh1 -> 8192
> >
> > gc_thresh2 -> 16384
> >
> > gc_thresh3 -> 32768
> >
> > Firing an "arp -d $bogus-ip-address" is failing with "SIOCDARP(dontpub): Network is unreachable"; adding -i br0 doesn't fail, but does not remove the line in the arp table (it only says "incomplete" after grepping arp -n again).
> >
> > Therefore we are currently killing the arp cache with "ip link set arp off dev br0 && ip link set arp on dev br0" by a cronjob.
> >
> > The combination of these workarounds is keeping the firewall reachable and "alive".
> >
> > After stabilizing, we looked at the output of arp -n and noticed that about 99(.999)% of the roundabout 11.000 (and rising) arp cache entries contained public addresses for which the bridge of the firewall should not feel responsible (e.g. the public Google DNS resolver and a load more).
> >
> > The MAC entry for these public addresses is always the one of our router, which is for sure the correct next hop.
> >
> > But from my understanding, it should arp-cache only "our" nets directly at the cable and not those public ones.
> >
> > It looks like a configuration issue, but I don't know where to start looking. I've already checked the default gateway, netmasks, broadcast addresses and to me they are looking fine, so any poke where to start looking is greatly appreciated.
> >
> > In case it will help, I attached the /etc/conf.d/net, ifconfig -a and route -n.
> >
> > If something else is needed, feel free to ask.
> >
> > Hope anyone can help.
> >
>
> Try turning off proxy ARP on the internal and/or external interfaces.
>
Bah, tapped "Send" accidentally. Here's a reference on turning ON Proxy ARP:
http://www.sjdjweis.com/linux/proxyarp/
Use "echo 0" to turn off.
If it works, make the concomitant changes in /etc/sysctl.conf
Rgds,
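As an added example (not from either poster), here is a small check for the symptom described above: parse `ip -4 neigh show` output, flag neighbor entries that lie outside the interface's own on-link prefixes, and test whether they all carry a single MAC, which is what proxy ARP on the upstream side produces. The neighbor-table sample and the local prefix are constructed values; the sysctl key names (`net.ipv4.conf.<iface>.proxy_arp`, `net.ipv4.neigh.default.gc_thresh*`) are the real ones.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `ip -4 neigh show dev br0` output (not from the thread).
# Two entries are on the bridge's own /24; the rest are off-link public
# addresses that all resolve to the same MAC, the symptom the thread describes.
SAMPLE_NEIGH = """\
192.0.2.10 lladdr 00:11:22:33:44:55 REACHABLE
192.0.2.1 lladdr 00:aa:bb:cc:dd:01 REACHABLE
8.8.8.8 lladdr 00:aa:bb:cc:dd:01 STALE
8.8.4.4 lladdr 00:aa:bb:cc:dd:01 STALE
203.0.113.77 lladdr 00:aa:bb:cc:dd:01 REACHABLE
198.51.100.9 FAILED
"""

# Prefixes actually configured on the interface (assumed example value).
LOCAL_PREFIXES = [ip_network("192.0.2.0/24")]

# ip, optional "dev X", optional "lladdr MAC", then the NUD state last.
NEIGH_RE = re.compile(r"^(\S+)(?:\s+dev\s+\S+)?(?:\s+lladdr\s+(\S+))?.*?(\S+)$")

def parse_neigh(text):
    """Yield (ip, mac_or_None, state) tuples from `ip neigh` lines."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            yield ip_address(m.group(1)), m.group(2), m.group(3)

def offlink_neighbors(text, local_prefixes):
    """Return entries whose address is inside none of the local prefixes.
    A sane host has (almost) none; thousands that share the router's MAC
    mean something is answering ARP for addresses that are not on-link."""
    return [(str(ip), mac, st) for ip, mac, st in parse_neigh(text)
            if not any(ip in net for net in local_prefixes)]

def shared_mac(entries):
    """The one MAC all resolved off-link entries share, or None if they differ."""
    macs = {mac for _, mac, _ in entries if mac}
    return macs.pop() if len(macs) == 1 else None

def sysctl_lines(ifaces, thresh=(8192, 16384, 32768)):
    """Lines for /etc/sysctl.conf: proxy ARP off per interface (the fix the
    reply suggests) plus the raised gc_thresh values from the original post."""
    lines = [f"net.ipv4.conf.{i}.proxy_arp = 0" for i in ifaces]
    lines += [f"net.ipv4.neigh.default.gc_thresh{n} = {v}"
              for n, v in zip((1, 2, 3), thresh)]
    return lines

if __name__ == "__main__":
    bad = offlink_neighbors(SAMPLE_NEIGH, LOCAL_PREFIXES)
    print(f"{len(bad)} off-link neighbors, shared MAC: {shared_mac(bad)}")
    print("\n".join(sysctl_lines(["br0", "eth0"])))
```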