mike,
this is your problem: http://www.phildev.net/ipf/long.html#prob8

ipf will not "bounce" a connection (packet comes in on an interface, gets rewritten via rdr/map, and goes out the same interface). routing principles in general, and unix kernel routing specifically, do not natively support this behaviour. as i wrote in the FAQ entry, "The golden RDR rule: rdr works *only* when the packet traverses the firewall (i.e. in one interface and out on another interface)." so, you need to use a separate userland utility to do this.

n.b. note that rewriting SNMP packet headers will likely break SNMP, as SNMP is definitely not a NAT-friendly protocol. this is not the fault of ipf:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#Q23

Q. Why doesn't Cisco IOS NAT support SNMP traffic?
A. The SNMP packet format depends on the particular MIB being used and is not self-describing. There is no single format for SNMP requests and responses that can be processed in a general fashion.

see also http://www.faqs.org/rfcs/rfc2962.html

can you just run SNMPd in a separate zone on the original box? or does the client not want to do this, or are you not on Sol10?

can you reconfig the source to send snmp pkts to the .127 box && can you install ipf on the .127 box? then you can rewrite the destination port as needed on the inbound interface. that is, run snmpd on $port_unpriv and do a rdr to localhost:$port_unpriv. this allows you to run snmpd as non-root per your client.

jim

Mike Epplin wrote:
They are 2 separate boxes on the same subnet.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Sandoz
Sent: Thursday, June 29, 2006 11:36 AM
To: [email protected]
Subject: Re: Question about using nat to redirect SNMP traps

mike,

sorry, i need a little more clarity here. are 10.170.24.126 and 10.170.24.127 separate boxes on the same subnet, or are these just two IP's assigned to the same physical interface on the same box?

jim
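The arrangement Jim proposes for the .127 box, written out as ipf rules. This is an added illustration, not configuration from the thread or from the ipf project; the interface name bge0 and the unprivileged port 1162 are assumed, 162/udp is the standard SNMP trap port, and snmpd must separately be configured to listen on 1162.

```conf
# /etc/ipf/ipnat.conf on the .127 box (added example; bge0 and port 1162 are assumed)
# Inbound on bge0: a packet arriving for this host on the privileged trap
# port 162/udp has its destination rewritten to 127.0.0.1:1162, where snmpd
# runs as non-root. The packet is delivered locally, so it never has to go
# back out the interface it came in on (no "bounce").
rdr bge0 10.170.24.127/32 port 162 -> 127.0.0.1 port 1162 udp

# /etc/ipf/ipf.conf on the .127 box: ipf applies rdr before the inbound
# filter rules, so the pass rule has to match the rewritten destination.
pass in quick on bge0 proto udp from any to 127.0.0.1 port = 1162 keep state

# For contrast, the case the FAQ's golden RDR rule rules out: on the .126 box,
# redirecting traps addressed to .126 over to .127 would bring the packet in on
# bge0 and require sending it out bge0 again, which rdr does not do.
# rdr bge0 10.170.24.126/32 port 162 -> 10.170.24.127 port 162 udp
```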
