Hi All, wonder if you can help with my little problem?

I run an SNMP server on my local network (192.168.0.3) but am unable to get any responses back from the remote sources.

What do I need to put in my rules to allow these through?

The zone net is connected to my cable modem.
The zone loc is my local private network.

I have tried

    ACCEPT net loc udp snmp
    ACCEPT net loc tcp snmp

I'm guessing that this is not enough info; could you tell me what other info you need from me.

Thanks
Martyn
------------------------------------------------
www.chetnet.co.uk Cable Modem FAQ and forum
-------------------------------------------------
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.385 / Virus Database: 217 - Release Date: 04/09/2002
I have these rules in my rules file for snmp:

    ACCEPT $FW $FW udp 161
    ACCEPT $FW $FW udp 162

---
Aaron Axelsen
AIM: AAAK2
Email: axelseaa@amadmax.com
URL: www.amadmax.com <http://www.amadmax.com/>

"It said, "Insert disk #3," but only two will fit!"
"One picture is worth 128K words."

-----Original Message-----
From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Chet
Sent: Sunday, September 15, 2002 12:42 PM
To: shorewall-users@shorewall.net
Subject: [Shorewall-users] SNMP

> I run SNMP server from my local network 192.168.0.3 but unable to get
> any responses back from the remote sources.
>
> What do I need to put in my rules to allow these through
Aaron Axelsen wrote:
> I have these rules in my rules file for snmp
>
> ACCEPT $FW $FW udp 161
> ACCEPT $FW $FW udp 162
>

Those rules are simply placebos -- Shorewall doesn't filter $FW->$FW connections.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
> -----Original Message-----
> From: Chet [mailto:martyn@chetnet.co.uk]
> Sent: Sunday, September 15, 2002 12:42 PM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] SNMP
>
> I run SNMP server from my local network 192.168.0.3 but
> unable to get any responses back from the remote sources.
>
> What do I need to put in my rules to allow these through
>
> the zone net is connected to my cable modem
> the zone loc is my local private network
>
> I have tried
> ACCEPT loc net udp snmp
> ACCEPT loc net tcp snmp
> ACCEPT net loc udp snmp
> ACCEPT net loc tcp snmp
>
> I'm guessing that this is not enough info, could you
> tell me what other info you need of me.

You're right, I can't tell from your post whether you want to issue an snmpget towards remote sites on the other side of your firewall, or whether you are trying to allow snmpgets/snmptraps from remote sites and forward these requests to your snmp server.

If you're simply trying to issue an snmpget from behind your firewall and you are masquerading your "loc" zone, you should not have to add any additional rules.

If you are trying to forward snmp/snmptrap requests from remote sites to your server at 192.168.0.3... the following rules might get you started.

    DNAT net loc:192.168.0.3 tcp snmp
    DNAT net loc:192.168.0.3 udp snmp
    DNAT net loc:192.168.0.3 udp snmptrap

Steve Cowles
Chet wrote:
> I run SNMP server from my local network 192.168.0.3 but unable to get
> any responses back from the remote sources.
>
> What do I need to put in my rules to allow these through
>
> the zone net is connected to my cable modem
> the zone loc is my local private network
>
> I have tried
> ACCEPT loc net udp snmp
> ACCEPT loc net tcp snmp
> ACCEPT net loc udp snmp
> ACCEPT net loc tcp snmp

If you have retained the default loc->net policy of ACCEPT, the first two rules are extra rubbish. Since you use RFC 1918 addresses in your local zone, you must use port forwarding (DNAT) to redirect snmp requests from the net:

    DNAT net loc:192.168.0.3 udp snmp
    DNAT net loc:192.168.0.3 tcp snmp

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
I haven't heard of any reference to SNMP over the TCP protocol. My RH (lsof -i:161) or Win2k (netstat -an|find "161") never shows a daemon listening on TCP port 161. Opening (or allowing) port 161/162 for the TCP protocol is unnecessary.

-Gilson

At 9/15/2002 03:33 PM, you wrote:
>> ACCEPT loc net udp snmp
>> ACCEPT loc net tcp snmp
>> ACCEPT net loc udp snmp
>> ACCEPT net loc tcp snmp
> DNAT net loc:192.168.0.3 udp snmp
> DNAT net loc:192.168.0.3 tcp snmp
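The replies above make four separate points about the quoted rules: $FW->$FW rules are placebos, loc->net ACCEPT rules are redundant when the loc->net policy is already ACCEPT, a server on RFC 1918 addresses needs DNAT rather than a plain net->loc ACCEPT, and SNMP does not use TCP. The following Python script is an added example (not part of the Shorewall project or of anyone's post in this thread) that lints Shorewall-style rules lines for exactly those four problems. The loc network 192.168.0.0/24 and the loc->net ACCEPT policy are assumptions, and the sample rules are constructed from the lines quoted in the thread.

```python
"""Lint a Shorewall rules fragment for the SNMP pitfalls raised in this thread.

Added example, not Shorewall code. It reads the five-column rules format
quoted in the thread:

    ACTION  SOURCE  DEST  PROTO  DEST-PORT

where SOURCE/DEST are a zone name optionally followed by ':address'.
"""
import ipaddress

# Constructed sample input: the rules quoted in the thread, plus the DNAT fix.
SAMPLE_RULES = """\
# rules from the original post
ACCEPT  loc  net  udp  snmp
ACCEPT  loc  net  tcp  snmp
ACCEPT  net  loc  udp  snmp
ACCEPT  net  loc  tcp  snmp
# rules from the first reply
ACCEPT  $FW  $FW  udp  161
ACCEPT  $FW  $FW  udp  162
# port forward suggested in the replies
DNAT    net  loc:192.168.0.3  udp  snmp
"""

# Assumption: the loc zone is the RFC 1918 network that holds 192.168.0.3.
LOC_NETWORK = ipaddress.ip_network("192.168.0.0/24")
# Assumption: the default policy file is kept, so loc->net is ACCEPT.
POLICIES = {("loc", "net"): "ACCEPT"}
# Service names used in the thread's rules, as in /etc/services.
SERVICE_PORTS = {"snmp": 161, "snmptrap": 162}
# Ports that are UDP-only in practice (SNMP and SNMP traps).
UDP_ONLY_PORTS = {161, 162}


def parse_rule(line):
    """Split one rules line into its fields; 'zone:address' is split as well."""
    fields = line.split()
    if len(fields) < 5:
        raise ValueError("expected ACTION SOURCE DEST PROTO DPORT: %r" % line)
    action, src, dst, proto, dport = fields[:5]
    src_zone, _, src_addr = src.partition(":")
    dst_zone, _, dst_addr = dst.partition(":")
    port = SERVICE_PORTS.get(dport.lower())
    if port is None:
        port = int(dport)  # numeric port, e.g. 161
    return {"action": action.upper(), "src_zone": src_zone, "src_addr": src_addr,
            "dst_zone": dst_zone, "dst_addr": dst_addr,
            "proto": proto.lower(), "port": port}


def lint_rule(rule, policies=POLICIES):
    """Return the list of findings for one parsed rule (empty means no complaint)."""
    findings = []
    src, dst = rule["src_zone"], rule["dst_zone"]
    # 1. Shorewall does not filter firewall-to-firewall traffic at all.
    if src == "$FW" and dst == "$FW":
        findings.append("placebo: Shorewall does not filter $FW->$FW connections")
    # 2. An ACCEPT rule adds nothing when the zone pair's policy is already ACCEPT.
    if rule["action"] == "ACCEPT" and policies.get((src, dst)) == "ACCEPT":
        findings.append("redundant: policy %s->%s is already ACCEPT" % (src, dst))
    # 3. SNMP and traps run over UDP; a tcp rule for 161/162 opens nothing useful.
    if rule["proto"] == "tcp" and rule["port"] in UDP_ONLY_PORTS:
        findings.append("unnecessary: port %d is UDP-only (SNMP)" % rule["port"])
    # 4. Inbound traffic to a private (RFC 1918) host must be DNATed, not just accepted.
    if (rule["action"] == "ACCEPT" and src == "net" and dst == "loc"
            and LOC_NETWORK.is_private):
        findings.append("needs DNAT: loc uses RFC 1918 addresses, so net->loc "
                        "traffic must be port-forwarded, not just ACCEPTed")
    # Sanity check on a DNAT target: it should sit inside the loc network.
    if rule["action"] == "DNAT" and rule["dst_addr"]:
        target = ipaddress.ip_address(rule["dst_addr"])
        if target not in LOC_NETWORK:
            findings.append("DNAT target %s is outside the loc network" % target)
    return findings


def lint_rules(text):
    """Lint a rules fragment; returns {normalised rule line: [findings]} for flagged lines."""
    report = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        findings = lint_rule(parse_rule(line))
        if findings:
            report[" ".join(line.split())] = findings
    return report


if __name__ == "__main__":
    for line, findings in lint_rules(SAMPLE_RULES).items():
        print(line)
        for finding in findings:
            print("   -", finding)
```

Run against the sample, the only line that passes without a finding is the UDP DNAT to 192.168.0.3; the TCP variants, the loc->net ACCEPTs and the $FW->$FW pair are each flagged with the reason given in the thread.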