[Firewall] Problem with SNMP queries

Andy andy at thebmwz3.co.uk
Wed Jul 30 18:19:53 MDT 2008


Hi all,
Very strange one that's started happening. I'm unable to determine what 
has suddenly caused this, I've just tried upgrading the arno firewall to 
a newer version.

Both Linux hosts are running Debian kernel 2.6.21, both using identical 
installs/packages of snmp, both arno iptables firewalled, and both 
external interfaces are via an external ADSL modem over ethernet.

So:
LAN --> (eth1) machine1 (eth0) --> adsl modem ethernet --> internet

LAN --> (eth1) machine2 (eth0) --> adsl modem ethernet --> internet

Machine 2 runs snmpd (udp 161), and LAN users behind machine1 query it.
Machine 1 external ip == 11.11.11.11
Machine 2 external ip == 22.22.22.22

When it queries it I see the query on machine2:

Jul 31 01:16:33 lanserv1 snmpd[6635]: Connection from UDP: 
[11.11.11.11]:43608

Then on the arno firewall log on machine 1:
Jul 31 00:16:34 voyage kernel: Connection attempt (UNPRIV): IN=eth1 OUT= 
MAC=00:40:f4:67:ff:77:00:0e:50:3a:2c:c0:08:00 SRC=22.22.22.22 
DST=11.11.11.11 LEN=136 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP 
SPT=10053 DPT=43608 LEN=116
Jul 31 00:16:37 voyage kernel: Connection attempt (UNPRIV): IN=eth1 OUT= 
MAC=00:40:f4:67:ff:77:00:0e:50:3a:2c:c0:08:00 SRC=22.22.22.22 
DST=11.11.11.11 LEN=136 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP 
SPT=10053 DPT=43608 LEN=116


You see how on the arno server where the snmp query came from it logs 
inbound UDP connections on high ports that match the UDP outgoing port 
on the machine serving the snmp requests??

Those port numbers change, as per normal, and keep matching up in both 
the snmp logs and the arno firewall logs!

Can somebody advise what on earth is going on here, what I can do to 
resolve it and/or what has happened that's just caused this to be a problem!!

I can post the configs, but they are pretty much standard out of the 
box, usual nat forwarding setup, external and internal IP blocks 
defined. Inbound nat rule for udp 161 for the snmp server.

Thanks in advance!

-- 
Andy
e: andy at broadcast-tech.co.uk
e: andy at thebmwz3.co.uk

w: http://www.broadcast-tech.co.uk
w: http://www.thebmwz3.co.uk
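
The port match described in the post above can be checked mechanically. This is an added example, not part of the original post: Python that pairs each snmpd "Connection from UDP" entry with firewall-logged packets addressed to that same IP and port, and reports the source port those packets carried. The log lines are the ones quoted in the post, unwrapped; the function names are illustrative, and the comparison against 161 assumes the agent was queried on the port named in the post.

```python
import re

# Constructed sample input: the log lines quoted in the post, unwrapped.
SNMPD_LOG = "Jul 31 01:16:33 lanserv1 snmpd[6635]: Connection from UDP: [11.11.11.11]:43608\n"
FIREWALL_LOG = (
    "Jul 31 00:16:34 voyage kernel: Connection attempt (UNPRIV): IN=eth1 OUT= MAC=00:40:f4:67:ff:77:00:0e:50:3a:2c:c0:08:00 SRC=22.22.22.22 DST=11.11.11.11 LEN=136 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=10053 DPT=43608 LEN=116\n"
    "Jul 31 00:16:37 voyage kernel: Connection attempt (UNPRIV): IN=eth1 OUT= MAC=00:40:f4:67:ff:77:00:0e:50:3a:2c:c0:08:00 SRC=22.22.22.22 DST=11.11.11.11 LEN=136 TOS=0x00 PREC=0x00 TTL=58 ID=0 DF PROTO=UDP SPT=10053 DPT=43608 LEN=116\n"
)

SNMP_PORT = 161  # assumption: the port the post says snmpd is queried on
SNMPD_RE = re.compile(r"snmpd\[\d+\]: Connection from UDP: \[([\d.]+)\]:(\d+)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs of a netfilter LOG line

def parse_snmpd(text):
    """Return the (client_ip, client_port) pairs snmpd logged queries from."""
    return {(ip, int(port)) for ip, port in SNMPD_RE.findall(text)}

def parse_firewall(text):
    """Yield the fields of every logged UDP packet as a dict."""
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") == "UDP" and "SPT" in fields and "DPT" in fields:
            yield fields

def correlate(snmpd_text, firewall_text):
    """Match logged packets to the query endpoint they are addressed to.

    The two hosts' clocks differ by an hour in the sample, so the match
    is on IP and port only, never on the timestamp.
    """
    queries = parse_snmpd(snmpd_text)
    findings = []
    for pkt in parse_firewall(firewall_text):
        key = (pkt["DST"], int(pkt["DPT"]))
        if key in queries:
            findings.append({
                "server": pkt["SRC"],
                "client": key,
                "spt": int(pkt["SPT"]),
                # A stateful filter accepts a packet as a reply only when it
                # is the exact reverse of the query's addresses and ports.
                "reply_from_snmp_port": int(pkt["SPT"]) == SNMP_PORT,
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SNMPD_LOG, FIREWALL_LOG):
        print(finding)
```
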


