Hi guys,

I have been struggling with a problem for a bit of time now, and thought that it might be time to post here to see what information anyone knows about this. Firstly let me give you some background.

I am trying to monitor computers on a local subnet behind a shorewall firewall via snmp. Due to identical local subnets I am using the netmap feature to access these machines. That part all works nicely, e.g. 172.20.7.5 maps, and routes, to 192.168.0.5 which is behind firewall 123.243.7.40. I can ssh and connect back and forth without a drama. However when I try to use snmp I am finding that the packet that is sent back is broken. Here is an example of what I mean.

1. Working

    snmpwalk -v 2c -c test 123.243.7.40
    IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
    IP-MIB::ipAdEntAddr.123.243.7.40 = IpAddress: 123.243.7.40
    IP-MIB::ipAdEntAddr.172.20.7.5 = IpAddress: 172.20.7.5
    IP-MIB::ipAdEntAddr.192.168.0.5 = IpAddress: 192.168.0.5
    IP-MIB::ipAdEntIfIndex.127.0.0.1 = INTEGER: 1
    IP-MIB::ipAdEntIfIndex.123.243.7.40 = INTEGER: 4
    IP-MIB::ipAdEntIfIndex.172.20.7.5 = INTEGER: 2
    IP-MIB::ipAdEntIfIndex.192.168.0.5 = INTEGER: 2
    IP-MIB::ipAdEntNetMask.127.0.0.1 = IpAddress: 255.0.0.0
    IP-MIB::ipAdEntNetMask.123.243.7.40 = IpAddress: 255.255.255.255
    IP-MIB::ipAdEntNetMask.172.20.7.5 = IpAddress: 255.255.255.255
    IP-MIB::ipAdEntNetMask.192.168.0.5 = IpAddress: 255.255.255.0
    IP-MIB::ipAdEntBcastAddr.127.0.0.1 = INTEGER: 0
    IP-MIB::ipAdEntBcastAddr.123.243.7.40 = INTEGER: 0
    IP-MIB::ipAdEntBcastAddr.172.20.7.5 = INTEGER: 1
    IP-MIB::ipAdEntBcastAddr.192.168.0.5 = INTEGER: 1

2. Broken

    snmpwalk -v 2c -c test 172.20.7.5
    IP-MIB::ipAdEntAddr.127.0.0.1 = IpAddress: 127.0.0.1
    IP-MIB::ipAdEntAddr.123.243.7.40 = IpAddress: 123.243.7.40
    IP-MIB::ipAdEntAddr.172.20.7.5 = IpAddress: 172.20.7.5
    Timeout: No Response from 172.20.7.5

After using tcpdump to obtain the actual packets that are being transferred it turns out that the packet is being garbled along the way. Below is an example of what the packet looks like when it's broken:

    1.3.6.1.2.1.4.20.1.1.192.168.0.5: 172.168.0.5 (172.168.0.5)

So when the agent receives this packet it is being told that 192.168.0.5 = 172.168.0.5. Now the agent is unable to translate that into anything useful, so it attempts to get the same information again, and it gets the same response. Then after the maximum retries it gives up.

Through many hours of debugging and banging my head against the wall, I have finally discovered that the issue is with shorewall, as I have stopped shorewall and the packets come through as per example 1, but as soon as you start it again it breaks as per example 2.

Network Layout:

                     ------------------
                     |      ONMS      |
                     |  172.10.239.1  |
                     |     (vpn)      |
                     | 150.101.222.88 |
                     ------------------
                        /          \
            Network 1  /            \  Network 2
    ---------------------------------------   ------------------------------------
    |  firewall 1                         |   |  firewall 1                      |
    |  192.10.239.5                       |   |  192.10.239.9                    |
    |  (vpn)                              |   |  (vpn)                           |
    |  123.243.7.50                       |   |  123.243.7.75                    |
    |                                     |   |                                  |
    |  client         client              |   |  client        client            |
    |  172.20.7.5     172.20.7.10         |   |  172.20.8.5    172.20.8.10       |
    |  (above routed through fw/vpn)      |   |  (above routed through fw/vpn)   |
    |  192.168.1.5    192.168.1.10        |   |  192.168.1.5   192.168.1.10      |
    ---------------------------------------   ------------------------------------

Any help or feedback would be appreciated, even a document that I may need to read in order to understand what is happening. I am not sure why shorewall is affecting the packet, but any input into this would be greatly appreciated.

Tom Higgins
Epoch Labs
p: 03 8320 1000
w: www.epochlabs.com.au
Tom Higgins wrote:

> Through many hours of debugging and banging my head against the wall, I have
> finally discovered that the issue is with shorewall, as I have stopped shorewall
> and the packets come through as per example 1, but as soon as you start it again
> it breaks as per example 2.

How does it work after 'shorewall stop' if it depends on netmap to work at all?

And do you really believe that all versions of Shorewall from 1.0 to 4.3.10 (including both -shell and -perl) work exactly the same? You must, since you didn't bother to give us *any* details about your Shorewall configuration; even the version! (see http://www.shorewall.net/support.htm#Guidelines).

So much for my ranting....

I'm guessing that Shorewall is loading an SNMP 'helper' module ('ip_nat_snmp_basic' or 'nf_nat_snmp_basic') and that's what is causing the problem.

I suggest that you:

a) stop shorewall
b) Modify /etc/shorewall/shorewall.conf to specify DONT_LOAD=<whichever module gets loaded in your case>
c) rmmod <whichever module gets loaded in your case>
d) start shorewall

Does it now work any better?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Hi Tom,

First let me apologize most profusely in regards to my poor etiquette!!!

Shorewall version = 4.0.6 (shorewall-shell)
OS = Ubuntu 8.04

I am truly sorry for not abiding by the guidelines.

Second, thank you so much for the suggestion, that was exactly what I needed. I have now been trying to understand what this module does and why it is breaking it. I will keep on searching, but if there is somewhere you can suggest to look that would be awesome.

Once again, thank you!!!

Tom

Tom Higgins
Epoch Labs
p: 03 8320 1000
w: www.epochlabs.com.au

----- "Tom Eastep" <teastep@shorewall.net> wrote:

> I'm guessing that Shorewall is loading an SNMP 'helper' module
> ('ip_nat_snmp_basic' or 'nf_nat_snmp_basic') and that's what is causing
> the problem.
>
> I suggest that you:
>
> a) stop shorewall
> b) Modify /etc/shorewall/shorewall.conf to specify DONT_LOAD=<whichever
> module gets loaded in your case>
> c) rmmod <whichever module gets loaded in your case>
> d) start shorewall
>
> Does it now work any better?
>
> -Tom
Tom Higgins wrote:

> Hi Tom,
> First let me apologize most profusely in regards to my poor etiquette!!!
> Shorewall version = 4.0.6 (shorewall-shell)
> OS = Ubuntu 8.04

Tom, I recommend migrating to Shorewall-perl at the earliest opportunity. Support for Shorewall-shell ends when Shorewall 4.4 is released toward the end of this year.

> Second thank you so much for suggestion, that was exactly what I needed.
> I have now been trying to understand what this module does and why
> it is breaking it. I will keep on searching, but if there is somewhere
> you can suggest to look that would be awesome.

There doesn't seem to be much information available about the module other than what appears at the top of the source:

---------------------------------------------------------------------
Basic SNMP Application Layer Gateway

This IP NAT module is intended for use with SNMP network discovery and monitoring applications where target networks use conflicting private address realms.

Static NAT is used to remap the networks from the view of the network management system at the IP layer, and this module remaps some application layer addresses to match.

The simplest form of ALG is performed, where only tagged IP addresses are modified. The module does not need to be MIB aware and only scans messages at the ASN.1/BER level.

Currently, only SNMPv1 and SNMPv2 are supported.

More information on ALG and associated issues can be found in RFC 2962
----------------------------------------------------------------------

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
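The module header quoted above says the helper works purely at the ASN.1/BER level and rewrites only tagged IpAddress values. The script below is an added example (not the kernel helper's code and not part of this thread) that does the same job in user space: it builds a constructed SNMPv2c GetResponse carrying the varbind from the first post, walks the BER structure, and applies a NETMAP-style 1:1 rewrite to every IpAddress (APPLICATION 0, tag 0x40) value that falls inside the source network. The mapping 192.168.0.0/24 <-> 172.20.7.0/24, the community string and the request-id are assumptions taken from the thread's snmpwalk invocation. It is useful as a reference for what a correct application-layer rewrite of the broken packet should have produced (172.20.7.5, not 172.168.0.5), and for the caveat that the address embedded in the OID index is an OID arc, not a tagged IpAddress, so a helper of this kind leaves it untouched.

```python
"""
User-space model of an SNMP ALG: find IpAddress values in a raw SNMPv1/v2c
message and rewrite them with a 1:1 network map.  Added example; the sample
message is constructed here to mirror the varbind seen in the thread.
"""
import ipaddress

IPADDRESS_TAG = 0x40          # ASN.1 APPLICATION 0, primitive: IpAddress
CONSTRUCTED = 0x20            # bit 5 of the tag byte: SEQUENCE, PDU, ...


def ber_len(buf, pos):
    """Decode a BER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def encode_tlv(tag, body):
    """Encode one BER TLV (short or long definite length form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(oid):
    """Encode a dotted OID; arcs >= 128 use base-128 continuation bytes."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return encode_tlv(0x06, out)


def encode_int(v):
    return encode_tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def build_get_response(community, request_id, oid, ip):
    """SNMPv2c GetResponse (version 1) with a single IpAddress varbind."""
    varbind = encode_tlv(0x30, encode_oid(oid) + encode_tlv(IPADDRESS_TAG, ipaddress.IPv4Address(ip).packed))
    pdu = encode_tlv(0xA2, encode_int(request_id) + encode_int(0) + encode_int(0) + encode_tlv(0x30, varbind))
    return encode_tlv(0x30, encode_int(1) + encode_tlv(0x04, community.encode()) + pdu)


def rewrite_ipaddresses(buf, mapping):
    """Walk the BER tree; map IpAddress values via [(src_net, dst_net), ...].
    The host part is preserved, as NETMAP does at the IP layer.  Only tag
    0x40 values are touched: OID arcs that spell out an address are not.
    Returns (rewritten_bytes, number_of_values_changed)."""
    out, pos, changed = bytearray(), 0, 0
    while pos < len(buf):
        tag = buf[pos]                       # SNMP never uses high-tag-number form
        length, body_start = ber_len(buf, pos + 1)
        body = bytes(buf[body_start:body_start + length])
        if tag & CONSTRUCTED:
            new_body, n = rewrite_ipaddresses(body, mapping)
            changed += n
            out += encode_tlv(tag, new_body)
        elif tag == IPADDRESS_TAG and length == 4:
            addr = ipaddress.IPv4Address(body)
            for src, dst in mapping:
                if addr in src:
                    host = int(addr) - int(src.network_address)
                    addr = ipaddress.IPv4Address(int(dst.network_address) + host)
                    changed += 1
                    break
            out += encode_tlv(tag, addr.packed)
        else:
            out += encode_tlv(tag, body)
        pos = body_start + length
    return bytes(out), changed


def find_ipaddresses(buf):
    """Return every IpAddress value in the message, in order, as strings."""
    found, pos = [], 0
    while pos < len(buf):
        tag = buf[pos]
        length, body_start = ber_len(buf, pos + 1)
        body = bytes(buf[body_start:body_start + length])
        if tag & CONSTRUCTED:
            found += find_ipaddresses(body)
        elif tag == IPADDRESS_TAG and length == 4:
            found.append(str(ipaddress.IPv4Address(body)))
        pos = body_start + length
    return found


# Constructed sample: the varbind from the thread's broken walk, as the agent sent it.
SAMPLE_PDU = build_get_response("test", 1234, "1.3.6.1.2.1.4.20.1.1.192.168.0.5", "192.168.0.5")
# Assumed NETMAP pair from the thread (agent-side realm -> manager-side realm).
NETMAP = [(ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("172.20.7.0/24"))]

if __name__ == "__main__":
    rewritten, count = rewrite_ipaddresses(SAMPLE_PDU, NETMAP)
    print(find_ipaddresses(SAMPLE_PDU), "->", find_ipaddresses(rewritten), "values changed:", count)
```

Run it and the IpAddress value goes from 192.168.0.5 to 172.20.7.5 while the OID index still reads .192.168.0.5, which is what the manager will see from any helper that, like this one, ignores OID arcs. If a capture on the manager side shows an IpAddress value that is neither the original nor the network-mapped address (the thread's 172.168.0.5), the rewrite is happening somewhere other than a correct ALG, and unloading the helper as suggested above is the right first check.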