Using Arp Advanced Settings - D-Link NetDefend DFL-210 User Manual

Network security firewall


Another use is publishing multiple addresses on an external interface, enabling NetDefendOS to
statically address-translate traffic sent to these addresses and forward it to internal
servers with private IP addresses.
There are two publishing modes: Publish and XPublish. The difference between the two is that
XPublish "lies" about the sender Ethernet address in the Ethernet header; this is set to be the same as
the published Ethernet address rather than the actual Ethernet address of the Ethernet interface. If a
published Ethernet address is the same as the Ethernet address of the interface, it makes no
difference whether you select Publish or XPublish; the result is the same.
3.4.5. Using ARP Advanced Settings
This section presents some of the advanced settings related to ARP. In most cases, these settings
need not be changed, but in some deployments, modifications might be needed. A summary of all
ARP advanced settings can be found in the next section.
Multicast and Broadcast
ARP requests and ARP replies containing multicast or broadcast addresses are usually never correct,
with the exception of certain load balancing and redundancy devices, which make use of hardware
layer multicast addresses.
The default behavior of NetDefendOS is to drop and log such ARP requests and ARP replies. This
can, however, be changed by modifying the advanced settings ARP Multicast and ARP Broadcast.
Unsolicited ARP Replies
It is entirely possible for a host on the LAN to send an ARP reply to NetDefendOS, even though a
corresponding ARP request has not been issued. According to the ARP specification, the recipient
should accept these types of ARP replies. However, because this can facilitate hijacking of local
connections, NetDefendOS will normally drop and log such replies.
The behavior can be changed by modifying the advanced setting Unsolicited ARP Replies.
ARP Requests
The ARP specification states that a host should update its ARP Cache with data from ARP requests
received from other hosts. However, as this procedure can facilitate hijacking of local connections,
NetDefendOS will normally not allow this.
To make the behavior compliant with the RFC 826 specification, the administrator can modify the
setting ARP Requests. Even if this is set to Drop (meaning that the packet is discarded without its
data being stored in the ARP cache), NetDefendOS will still reply to it provided that other rules approve the request.
Changes to the ARP Cache
NetDefendOS provides settings that control the management of changes to the ARP cache.
A received ARP reply or ARP request can possibly alter an existing entry in the ARP cache.
Allowing this to take place may allow hijacking of local connections. However, not allowing this
may cause problems if, for example, a network adapter is replaced, as NetDefendOS will not accept
the new address until the previous ARP cache entry has timed out.
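The four checks described in this section (multicast/broadcast sender addresses, unsolicited replies, learning from requests, and changes to existing cache entries), modelled as an added Python example; this is not NetDefendOS code, the setting names are mapped to assumed boolean fields, and the "pending" set stands in for requests the firewall itself has issued.

```python
"""Policy model for inbound ARP frames (constructed example, not NetDefendOS code)."""
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2  # ARP operation codes


@dataclass
class ArpFrame:
    op: int            # 1 = request, 2 = reply
    sender_mac: str    # sender hardware address, "aa:bb:cc:dd:ee:ff"
    sender_ip: str
    target_ip: str


@dataclass
class ArpPolicy:
    # Assumed fields standing in for the advanced settings named in the manual.
    allow_multicast: bool = False      # "ARP Multicast" / "ARP Broadcast"
    allow_unsolicited: bool = False    # "Unsolicited ARP Replies"
    learn_from_requests: bool = False  # "ARP Requests" (True = RFC 826 behaviour)
    allow_cache_change: bool = False   # "Changes to the ARP Cache"
    cache: dict = field(default_factory=dict)  # ip -> mac
    pending: set = field(default_factory=set)  # ips we have sent requests for
    log: list = field(default_factory=list)    # dropped frames, for review

    def handle(self, f: ArpFrame) -> str:
        """Return 'accept' or 'drop' for a frame and update the cache accordingly."""
        first_octet = int(f.sender_mac.split(":")[0], 16)
        if first_octet & 1 and not self.allow_multicast:
            # Ethernet group bit set: multicast or broadcast sender address
            return self._drop("multicast/broadcast sender hardware address", f)
        if f.op == REPLY and f.sender_ip not in self.pending and not self.allow_unsolicited:
            return self._drop("unsolicited ARP reply", f)
        if f.op == REQUEST and not self.learn_from_requests:
            # Request is still answered by the normal path; only the cache learning is skipped.
            return "accept"
        old = self.cache.get(f.sender_ip)
        if old is not None and old != f.sender_mac and not self.allow_cache_change:
            return self._drop("would alter an existing cache entry", f)
        self.cache[f.sender_ip] = f.sender_mac
        self.pending.discard(f.sender_ip)
        return "accept"

    def _drop(self, reason: str, f: ArpFrame) -> str:
        self.log.append(f"drop ({reason}): {f.sender_ip} {f.sender_mac}")
        return "drop"
```

With every flag left at its default the model reproduces the manual's conservative behaviour; setting `learn_from_requests=True` gives the RFC 826 behaviour for requests.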
Tip: Using Proxy ARP to publish networks
In the configuration of ARP entries, addresses may only be published one at a time.
However, you can use the ProxyARP feature to handle publishing of entire networks
(see Section 4.2.5, "Proxy ARP").
97
Chapter 3. Fundamentals
