How does a firewall configured to NAT connections for the outside interface on a given IP to an IP address behind the firewall handle the ARP replies for those addresses to the upstream router?
In other words, I've seen on Check Point firewalls that a firewall configured to NAT the destination address of incoming connections should be set up for proxy ARP to cause the firewall to respond for that IP address with its MAC address even though no interfaces are configured with that address. Linux netfilter documentation seems to suggest that the outside network interfaces should be set up with aliases for the IP addresses that are to be rewritten to another destination IP. From what I can tell in the docs, OpenBSD requires neither of these; so what enables it to respond to the upstream router with its interface's Ethernet address for a to-be-NAT'd address that it doesn't have on its interfaces?

TIA
-- DS

