Tom Eastep
2002-Mar-10 16:50 UTC
Fw: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "dgilleece" <dgilleece@optimumnetworks.com>
Sent: Sunday, March 10, 2002 8:49 AM
Subject: Re: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?

> Dan,
>
> ----- Original Message -----
> From: "dgilleece" <dgilleece@optimumnetworks.com>
> To: <shorewall-users@shorewall.net>
> Sent: Sunday, March 10, 2002 7:59 AM
> Subject: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?
>
> > Hi Tom,
> >
> > I've hit a snag that could use a few of your brain cycles :)
> >
> > I have a system that is running 1.2.5 at a client site, and I'd like to
> > upgrade it, but I can't get physically at the machine for another couple of
> > weeks. So, for now, 1.2.5 it is. I don't know if the version matters for
> > this particular behavior or not.
> >
> > You may recall, this is the config you helped me build for a
> > legally-addressed /25 subnet. It all works beautifully, other than my
> > inability to get MRTG stats from the firewall. Here's the scenario:
> >
> >                ISP
> >                 |
> >                 |
> >          ______________
> >           209.98.33.123
> >               eth0
> >                 |
> >        SHOREWALL BOX   Proxy ARP
> >                 |
> >               eth1
> >           192.168.2.1
> >          ______________
> >                 |
> >                 |
> >                 |              Protected Subnet
> >     +-----+--------------+----- 209.98.33.0/25
> >     |     |
> >     |     |
> >  209.98.33.122
> >  Running MRTG
> >  (also has 209.98.33.125 outside firewall, running PopTop host)
> >
> > The problem is SNMP packets getting rejected in the all2all chain,
> > apparently as the replies try to exit (?) like so:
> >
> > MRTG cfgmaker barfs (selected sampling):
> >
> > SNMPv1_Session (remote host: "209.98.33.123" [209.98.33.123].161)
> >                  community: "public123"
> > -
> > -
> > SNMPWALK Problem for 1.3.6.1.2.1.2.2.1.7 on public123@209.98.33.123
> > --base: Walking ifOperStatus
> >
> > SNMP Error:
> > no response received
> >
> > Log shows:
> >
> > Mar 10 10:00:48 netgate kernel: Shorewall:all2all:REJECT:IN= OUT=eth1
> > SRC=192.168.2.1 DST=209.98.33.122 LEN=235 TOS=0x00 PREC=0x00 TTL=64 ID=0
> > DF PROTO=UDP SPT=161 DPT=1057 LEN=215
> >
>
> I'm having a hard time understanding how to make snmpd use a particular
> address but I notice that in my configuration, snmpd is using an internal
> address (192.168.1.254) and I run MRTG in my DMZ. This seems to work fine.
> The problem for you is that your snmpd is using 209.98.33.123 yet the reply
> packets have a source address of 192.168.2.1; that makes the replies appear
> unrelated to the original request.
>
> You can solve this problem either by getting snmpd to use 192.168.2.1 and by
> pointing MRTG at that address or you can add the following rule:
>
> ACCEPT fw loc udp - 161
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>
>
Tom Eastep
2002-Mar-10 16:57 UTC
[Shorewall-users] SNMP Rejected in all2all, Despite Rules?
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <shorewall-users@shorewall.net>
Sent: Sunday, March 10, 2002 8:50 AM
Subject: Fw: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?

> > I'm having a hard time understanding how to make snmpd use a particular
> > address but I notice that in my configuration, snmpd is using an internal
> > address (192.168.1.254) and I run MRTG in my DMZ.

I should probably clarify. The -p option can be used to direct snmpd to use
a particular address but my init scripts aren't including that option. Even
so, snmpd is only listening on one of the three IP addresses on my firewall.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep
2002-Mar-10 19:18 UTC
Fw: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "dgilleece" <dgilleece@optimumnetworks.com>
Sent: Sunday, March 10, 2002 10:57 AM
Subject: Re: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?

>
> ----- Original Message -----
> From: "dgilleece" <dgilleece@optimumnetworks.com>
> To: "Tom Eastep" <teastep@shorewall.net>
> Sent: Sunday, March 10, 2002 10:49 AM
> Subject: Re: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?
>
> > > You can solve this problem either by getting snmpd to use 192.168.2.1 and
> > > by pointing MRTG at that address or you can add the following rule:
> > >
> > > ACCEPT fw loc udp - 161
> >
> > Putting in the rule above now seems to make it protest about the MAC
> > address, changing the log entry to:
> >
> > Mar 10 13:33:15 netgate kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> > MAC=00:03:47:08:01:db:00:03:47:08:02:4b:08:00 SRC=209.98.33.122
> > DST=209.98.33.123 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=43127 PROTO=UDP
> > SPT=1057 DPT=161 LEN=58
>
> Looks like you removed the rule that said:
>
> ACCEPT loc fw udp 161
>
> > I tried making the ucdsnmpd listen on 192.168.2.1, using the instructions
> > specified for SuSE (-p 161@192.168.2.1), but that gave me "no response
> > received," and nothing related in the logs.
>
> That's what I see if I try to connect to an address other than
> 192.168.1.254.
>
> > So, do I need to do anything with respect to the SPT=1057? Is this
> > accounted for as "related" traffic?
>
> NO! That's just a temporary port number -- the next time you connect, you'll
> get a different one.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> AIM: tmeastep  \ http://www.shorewall.net
> ICQ: #60745924  \ teastep@shorewall.net
>
>
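As an added example (not code from the thread, from Shorewall or from either poster), the Python below parses the two REJECT log lines quoted above into 5-tuples, reports which field of snmpd's reply fails to match the reverse of the MRTG request (the reason the reply is not paired with the request and instead falls through to all2all), and matches both flows against the two rules-file lines discussed. The zone map (the firewall's own addresses as fw, the /25 and 192.168.2.0/24 as loc) is an assumption about this setup, and the rule matcher handles only the SOURCE/DEST/PROTO/port columns.

```python
import ipaddress
from typing import NamedTuple

# Constructed from the two REJECT lines quoted in the thread: the MRTG host's
# SNMP request, and snmpd's reply leaving the firewall from the wrong address.
REQUEST_LOG = ("Mar 10 13:33:15 netgate kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
               "SRC=209.98.33.122 DST=209.98.33.123 LEN=78 TOS=0x00 PREC=0x00 TTL=64 "
               "ID=43127 PROTO=UDP SPT=1057 DPT=161 LEN=58")
REPLY_LOG = ("Mar 10 10:00:48 netgate kernel: Shorewall:all2all:REJECT:IN= OUT=eth1 "
             "SRC=192.168.2.1 DST=209.98.33.122 LEN=235 TOS=0x00 PREC=0x00 TTL=64 "
             "ID=0 DF PROTO=UDP SPT=161 DPT=1057 LEN=215")

# Assumed zone map for the setup in the thread: the firewall's own addresses
# are zone "fw"; the proxy-ARP'd /25 and the eth1 network are zone "loc".
FW_ADDRS = {"209.98.33.123", "192.168.2.1"}
LOC_NETS = [ipaddress.ip_network("209.98.33.0/25"), ipaddress.ip_network("192.168.2.0/24")]

class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        """The tuple conntrack expects a reply to this flow to carry."""
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

def parse_netfilter_log(line: str) -> Flow:
    """Pull the 5-tuple out of a Shorewall/netfilter LOG line (KEY=VALUE tokens)."""
    f = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(f["PROTO"].lower(), f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))

def reply_mismatch(request: Flow, reply: Flow) -> dict:
    """Fields where the reply differs from the request's reverse tuple; an empty
    result means conntrack would have matched it as part of the request's flow."""
    return {k: (w, r) for k, w, r in zip(Flow._fields, request.reverse(), reply) if w != r}

def zone_of(addr: str) -> str:
    if addr in FW_ADDRS:
        return "fw"
    ip = ipaddress.ip_address(addr)
    return "loc" if any(ip in net for net in LOC_NETS) else "net"

def rule_matches(rule: str, flow: Flow) -> bool:
    """Match a flow against one rules-file line: ACTION SOURCE DEST PROTO [DPORT [SPORT]]."""
    cols = rule.split() + ["-", "-"]  # pad the optional port columns
    _action, szone, dzone, proto, dport, sport = cols[:6]
    return (szone == zone_of(flow.src) and dzone == zone_of(flow.dst) and proto == flow.proto
            and dport in ("-", str(flow.dport)) and sport in ("-", str(flow.sport)))
```

Calling reply_mismatch on the two parsed lines reports only the src field (expected 209.98.33.123, seen 192.168.2.1), which is exactly the mismatch Tom describes; the reply matches "ACCEPT fw loc udp - 161" while the request needs "ACCEPT loc fw udp 161".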
dgilleece
2002-Mar-10 19:53 UTC
[Shorewall-users] SNMP Rejected in all2all, Despite Rules?
Tom,

Thanks again for the help. I think we nailed it. I was seeing some weird
results that I didn't fully track down, but now that I have multiple issues
solved, it seems like this did the trick:

1. Setup MRTG to point to 192.168.2.1
2. Setup snmpd to listen on 192.168.2.1
3. Put a host route on the MRTG 'listener' (209.98.33.122) to the Shorewall
   box internal interface (192.168.2.1) via eth0 (MRTG inside interface)
4. Bingo

I believe (without using tcpdump to actually verify) MRTG was alternately
using eth1 and eth0 trying to find 209.98.33.123 --- since both machines
have interfaces on the internal and external segments of the split
209.98.33.0/25 subnet. So after tail-chasing and second-guessing with
multiple permutations of snmpd.conf, mrtg parameters, and IP addresses-- it
was getting wrapped around the axle. Giving it ONE clear path to the
destination gave me room to make sure all other settings were correct. Does
this sound like a reasonable self-debrief? :)

Thanks again!!

Dan

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@shorewall.net>
Sent: Sunday, March 10, 2002 1:18 PM
Subject: Fw: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?

>
> ----- Original Message -----
> From: "Tom Eastep" <teastep@shorewall.net>
> To: "dgilleece" <dgilleece@optimumnetworks.com>
> Sent: Sunday, March 10, 2002 10:57 AM
> Subject: Re: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?
>
> >
> > ----- Original Message -----
> > From: "dgilleece" <dgilleece@optimumnetworks.com>
> > To: "Tom Eastep" <teastep@shorewall.net>
> > Sent: Sunday, March 10, 2002 10:49 AM
> > Subject: Re: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?
> >
> > > > You can solve this problem either by getting snmpd to use 192.168.2.1
> > > > and by pointing MRTG at that address or you can add the following rule:
> > > >
> > > > ACCEPT fw loc udp - 161
> > >
> > > Putting in the rule above now seems to make it protest about the MAC
> > > address, changing the log entry to:
> > >
> > > Mar 10 13:33:15 netgate kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> > > MAC=00:03:47:08:01:db:00:03:47:08:02:4b:08:00 SRC=209.98.33.122
> > > DST=209.98.33.123 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=43127 PROTO=UDP
> > > SPT=1057 DPT=161 LEN=58
> >
> > Looks like you removed the rule that said:
> >
> > ACCEPT loc fw udp 161
> >
> > > I tried making the ucdsnmpd listen on 192.168.2.1, using the
> > > instructions specified for SuSE (-p 161@192.168.2.1), but that gave me
> > > "no response received," and nothing related in the logs.
> >
> > That's what I see if I try to connect to an address other than
> > 192.168.1.254.
> >
> > > So, do I need to do anything with respect to the SPT=1057? Is this
> > > accounted for as "related" traffic?
> >
> > NO! That's just a temporary port number -- the next time you connect,
> > you'll get a different one.
> >
> > -Tom
> > --
> > Tom Eastep    \ Shorewall - iptables made easy
> > AIM: tmeastep  \ http://www.shorewall.net
> > ICQ: #60745924  \ teastep@shorewall.net
> >
> >
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>
Tom Eastep
2002-Mar-10 20:01 UTC
[Shorewall-users] SNMP Rejected in all2all, Despite Rules?
Dan,

----- Original Message -----
From: "dgilleece" <dgilleece@optimumnetworks.com>
To: "Tom Eastep" <teastep@shorewall.net>; "Shorewall Users" <shorewall-users@shorewall.net>
Sent: Sunday, March 10, 2002 11:53 AM
Subject: Re: [Shorewall-users] SNMP Rejected in all2all, Despite Rules?

> 1. Setup MRTG to point to 192.168.2.1
> 2. Setup snmpd to listen on 192.168.2.1
> 3. Put a host route on the MRTG 'listener' (209.98.33.122) to the Shorewall
> box internal interface (192.168.2.1) via eth0 (MRTG inside interface)
> 4. Bingo
>
> I believe (without using tcpdump to actually verify) MRTG was alternately
> using eth1 and eth0 trying to find 209.98.33.123 --- since both machines
> have interfaces on the internal and external segments of the split
> 209.98.33.0/25 subnet.

Ah -- that's a key fact that you didn't share with us.

> So after tail-chasing and second-guessing with
> multiple permutations of snmpd.conf, mrtg parameters, and IP addresses-- it
> was getting wrapped around the axle. Giving it ONE clear path to the
> destination gave me room to make sure all other settings were correct. Does
> this sound like a reasonable self-debrief? :)
>

Yes.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
dgilleece
2002-Mar-10 20:47 UTC
[Shorewall-users] SNMP Rejected in all2all, Despite Rules?
Tom,

> > I believe (without using tcpdump to actually verify) MRTG was alternately
> > using eth1 and eth0 trying to find 209.98.33.123 --- since both machines
> > have interfaces on the internal and external segments of the split
> > 209.98.33.0/25 subnet.
>
> Ah -- that's a key fact that you didn't share with us.

Well, not exactly --- it was noted on my diagram; but I'll admit it was
thrown in there like a "probably not relevant" side note. :) How wrong I
was....

> > Does
> > this sound like a reasonable self-debrief? :)
>
>

See? I learn slow....but DO learn :P

Many thanks,

Dan