> We have a DCD setup, including a proxy dmz.
>
> SNMP queries work everywhere, excepting systems residing on that dmz.
> Let me clarify that: snmp queries respond properly from clients inside
> the private network; but, *not* from the DCD firewall nor internet
> hosts.
>
> Running iptraf on the firewall, we see the snmp queries properly
> forwarded to the dmz host; but, *nothing* returns from that host.
> Instead, we see a flurry of these:
>
> <timestamp> ICMP; lo; 99 bytes; from bluetrout.private.network \
> to bluetrout.private.network; dest unrch (port)
>
> Notice that bluetrout is the firewall.
>
> We're unclear as to why snmp queries have anything to do with icmp.
>
> What is going on here?  What are possible solutions?
>
> What do you think?

Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly?

Since it sounds like the packets may actually be getting to the DMZ host, do
you maybe have a network configuration issue on that system?

Your error report lacks enough detail for me to figure out exactly what's
happening...not only am I unfamiliar with iptraf output (more of a tcpdump
man), IP addresses would be more helpful (does the above really indicate
your firewall is pinging itself over the loopback interface, like I think it
does?), as well as other details (like details on the packets that you think
were OK and went through to the DMZ host).

If your local net can see SNMP services on the DMZ host (you indicate it
can), but the firewall cannot, something weird is going on.  The internal
snmp requests should be using the same query IP as the firewall, since the
internal net is masqueraded to the DMZ.  Are your firewall rules blocking
anything?  Did you remember to check (watch the byte/packet counts before
and after trying to access your non-working service)?

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
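The "dest unrch (port)" lines in the original report are the normal UDP failure signal: a host that receives a UDP datagram on a port with no listener answers with ICMP port unreachable instead of an application reply, and a connected UDP socket surfaces that as ECONNREFUSED. The following is an added example, not code from this thread or from LEAF, that probes a loopback port with a listener and one without; the SNMP payload and the ports are constructed, and the listener is a stand-in for an snmpd rather than a real one.

```python
import socket
import threading

# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community
# "public", hand-encoded. It is only a realistic UDP payload; nothing here
# parses SNMP, and the echo listener below simply returns it unchanged.
SNMP_GET_SYSDESCR = bytes.fromhex(
    "30260201000406" "7075626c6963" "a019020101020100020100"
    "300e300c06082b060102010101000500"
)


def probe_udp(port: int, payload: bytes, timeout: float = 1.0) -> str:
    """Send one datagram to 127.0.0.1:port and classify what comes back.

    The socket is connect()ed so the kernel associates an incoming ICMP
    port-unreachable (type 3, code 3) with it and reports it on recv().
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(("127.0.0.1", port))
        s.send(payload)
        try:
            s.recv(2048)
            return "reply"
        except ConnectionRefusedError:  # ICMP port unreachable was delivered
            return "port-unreachable"
        except socket.timeout:          # dropped by a filter, or ICMP suppressed
            return "silent"


def start_echo_listener() -> int:
    """Stand-in for an snmpd: answer one datagram on a fresh loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        data, peer = srv.recvfrom(2048)
        srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Reserve and release a loopback UDP port so nothing is listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_demo() -> tuple:
    """Probe a listening port and a closed one; returns the two outcomes."""
    listening = probe_udp(start_echo_listener(), SNMP_GET_SYSDESCR)
    nobody_home = probe_udp(closed_port(), SNMP_GET_SYSDESCR)
    return listening, nobody_home


if __name__ == "__main__":
    print(run_demo())  # → ('reply', 'port-unreachable')
```

A "silent" result for the closed port means the ICMP error never reached the querying socket, which is what a filter dropping ICMP between the DMZ host and the querier would look like.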
