alex wrote:
> Hi list!
> I have problem with receiving SNMP answers by UDP. I have rule that
> accept SNMP traffic from one zone to another:
>
> SNMP/ACCEPT loc:192.168.5.59 rts
>
> But in 'shorewall.log' i see:
>
> Dec 14 20:04:05 gate Shorewall:rts2loc:REJECT:IN=eth3 OUT=eth0
> SRC=172.17.35.3 DST=192.168.5.59 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=64977
> PROTO=UDP SPT=161 DPT=1585 LEN=69
>
> It seems that Shorewall doesn't create reverse rules for SNMP
> answers by UDP.
That's correct. Shorewall does not create reverse rules at all. And
Netfilter doesn't create expectations based on broadcasts. That means
that ANY broadcast-based protocol, including SNMP, needs an explicit
reverse rule:
ACCEPT rts loc:192.168.5.59 udp - 161
In general, the macros do not create these reverse rules for you because
such rules are actually a bit of a security hazard.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
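As an added example (not code from the thread or from the Shorewall project), the following script parses a Shorewall REJECT log line of the shape alex quoted and derives the explicit reverse rule Tom gives, in Shorewall's ACTION SOURCE DEST PROTO DPORT SPORT column order. It assumes zone names contain no digit '2' (Shorewall names the zone-pair chain "<src>2<dst>"); the narrow option additionally pins the rule to the replying host, which limits the reverse rule Tom calls a security hazard to what the log actually shows.

```python
import re

# Constructed sample line, same shape as the REJECT entry quoted in the thread.
SAMPLE_LOG = (
    "Dec 14 20:04:05 gate Shorewall:rts2loc:REJECT:IN=eth3 OUT=eth0 "
    "SRC=172.17.35.3 DST=192.168.5.59 LEN=89 TOS=0x00 PREC=0x00 TTL=255 "
    "ID=64977 PROTO=UDP SPT=161 DPT=1585 LEN=69"
)

# Shorewall names a zone-pair chain "<src>2<dst>". Assumption: zone names
# contain no '2', so the first '2' after "Shorewall:" is the separator.
CHAIN_RE = re.compile(
    r"Shorewall:(?P<src_zone>[^2:]+)2(?P<dst_zone>[^:]+):(?P<disp>[A-Z]+):"
)


def parse_shorewall_log(line):
    """Return zones, disposition and the netfilter key=value fields, or None."""
    m = CHAIN_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for token in line[m.end():].split():
        key, sep, value = token.partition("=")
        # Keep the first LEN= (IP header), not the later UDP LEN=.
        if sep and key not in entry:
            entry[key] = value
    return entry


def reverse_rule(entry, narrow=False):
    """Build the explicit reverse rule for a rejected UDP reply.

    Columns: ACTION SOURCE DEST PROTO DPORT SPORT. DPORT is '-' (any) because
    the client chose an ephemeral port; SPORT is the service port (161 for SNMP).
    narrow=True also restricts SOURCE to the host seen replying in the log.
    """
    if entry is None or entry["disp"] not in ("REJECT", "DROP"):
        return None
    if entry.get("PROTO") != "UDP":
        return None
    source = entry["src_zone"] + (":" + entry["SRC"] if narrow else "")
    dest = entry["dst_zone"] + ":" + entry["DST"]
    return f"ACCEPT {source} {dest} udp - {entry['SPT']}"


if __name__ == "__main__":
    e = parse_shorewall_log(SAMPLE_LOG)
    print(reverse_rule(e))               # ACCEPT rts loc:192.168.5.59 udp - 161
    print(reverse_rule(e, narrow=True))  # ACCEPT rts:172.17.35.3 loc:192.168.5.59 udp - 161
```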