Charles Steinkuehler wrote:
> 
> > Did you see this, yesterday?
> 
> Yeah...got distracted while analyzing & it got dropped...

OK, sorry for my impatience . . .

> > > The final problem is the fact that you can't do an snmpwalk from the
> > > firewall to the DMZ.  Apparently, the SNMP query packets are transmitted,
> > > but no response is received.  I still don't understand why this is
> > > happening, especially if you can do an snmpwalk from the internal network
> > > (I think I remember you saying you could...)
> > >
> > > Patch your ipfilter.conf, and see how much farther that gets you.  If you
> > > still can't snmpwalk from the firewall, take tcpdumps at both the firewall
> > > (DMZ IF) and the DMZ system, while trying to snmpwalk from both the
> > > firewall and from an internal system.
> >
> > Following are dumps for snmpwalk failure between DCD and one of its dmz
> > hosts.  I have tried to remove spurious data, like Unknown IPX packet
> > stuff ;<  The rest I could not rule out -- can you?
> 
> We'll see...are you actually running an IPX network?

Yes, and else, too ;>

[ snip ]

> I'm confused.  I don't think the firewall rules on the .65 machine can be
> your problem, since you're seeing the request packets go out, and even if
> the replies were being dropped, tcpdump would see them at the interface.
> About the only thing that comes to mind is your snmp configuration on the
> .66 machine.  Are you *SURE* you've allowed snmp queries from the firewall
> IP and you're not firewalling any traffic on the .66 system?  Which version
> of SNMP are you running?

Join the club ;>

w.x.y.66 is a netware v5.x box, a mail server running groupies, &c. 
It's not my environment, but an associate's.  I know (next to) nothing
about netware and he knows nearly nothing about snmp.  I've queried snmp
v1, 2c and 3 -- all same results.  No, there is not any ip filtering on
that box.

> If you can't find any problems with the configuration of the .66 machine, do
> a tcp dump on the DMZ IF of the firewall while trying to snmpwalk from
> the firewall and from an internal network system (am I remembering correctly
> that you said internal systems could see the DMZ snmp server?).  It would
> probably also help if you provide the output of net ipfilter list and your
> snmp config file from the DMZ system...

Yes, I can snmpwalk w.x.y.66 *both* from a remote internet host _and_
from some moronic wintel box inside its internal network (notice, *not*
on the dmz).

This weekend, I will try to comply with your latest test . . .

Following, hopefully readable, is the output of net ipfilter list from the
subject DCD:

Chain input (policy DENY: 7 packets, 801 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
    0     0 DENY       all  ------ 0xFF 0x00  wan1                           0.0.0.0/0           255.255.255.255       n/a
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             5 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             13 ->   *
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             14 ->   *
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           0.0.0.0             0.0.0.0/0             n/a
    1    43 DENY       all  ----l- 0xFF 0x00  wan1                           255.255.255.255     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           127.0.0.0/8         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           224.0.0.0/4         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           10.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           172.16.0.0/12       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           192.168.0.0/16      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           0.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           128.0.0.0/16        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           191.255.0.0/16      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           192.0.0.0/24        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           223.255.255.0/24    0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           240.0.0.0/4         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           192.168.1.0/24      0.0.0.0/0             n/a
    0     0 dmzSpoof   all  ------ 0xFF 0x00  wan1                           w.x.y.64/26         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           w.x.z.157           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           w.x.y.72            0.0.0.0/0             n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  wan1                           0.0.0.0/0           127.0.0.0/8           n/a
    0     0 REJECT     all  ----l- 0xFF 0x00  wan1                           0.0.0.0/0           192.168.1.0/24        n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   135
  105  8190 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   135
    4   192 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             135 ->   *
17340 2940K dmzIn      all  ------ 0xFF 0x00  wan1                           0.0.0.0/0           w.x.y.64/26           n/a
   14   728 ACCEPT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   22
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   113
81135   71M ACCEPT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   1024:65535
    0     0 ACCEPT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   123
 1835  285K ACCEPT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   161
    0     0 ACCEPT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   162
    0     0 ACCEPT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   514
 3476  710K ACCEPT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   500
    0     0 DENY       udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   67
 1894  487K ACCEPT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   1024:65535
  105  6175 ACCEPT     icmp ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   *
    0     0 ACCEPT     ospf ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             n/a
    9  1064 ACCEPT     50   ------ 0xFF 0x00  wan1                           0.0.0.0/0           w.x.z.157             n/a
    0     0 ACCEPT     51   ------ 0xFF 0x00  wan1                           0.0.0.0/0           w.x.z.157             n/a
   39  2061 DENY       all  ----l- 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             n/a
 109K   23M ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
    0     0 DENY       icmp ----l- 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             5 ->   *
    0     0 MASQ       tcp  ------ 0xFF 0x00  *                              192.168.1.20        0.0.0.0/0             5631 ->   *
    0     0 MASQ       udp  ------ 0xFF 0x00  *                              192.168.1.20        0.0.0.0/0             5632 ->   *
14296  940K MASQ       all  ------ 0xFF 0x00  eth1                           192.168.1.0/24      w.x.y.64/26           n/a
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.66              * ->   110
 2771 1879K ACCEPT     tcp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.66              * ->   25
 2250  157K ACCEPT     tcp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.66              * ->   80
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.66              * ->   7205
   22  1668 ACCEPT     udp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.66              * ->   161
   16  1451 ACCEPT     udp  ------ 0xFF 0x00  wan1                           w.x.y.66            0.0.0.0/0             161 ->   *
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.66              * ->   7205
    0     0 ACCEPT     udp  ------ 0xFF 0x00  wan1                           w.x.y.66            0.0.0.0/0             7205 ->   *
   28  2076 ACCEPT     udp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.68              * ->   161
   16  1416 ACCEPT     udp  ------ 0xFF 0x00  wan1                           w.x.y.68            0.0.0.0/0             161 ->   *
    0     0 ACCEPT     tcp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.67              * ->   5631
    0     0 ACCEPT     udp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.67              * ->   5632
    0     0 ACCEPT     udp  ------ 0xFF 0x00  wan1                           w.x.y.67            0.0.0.0/0             5632 ->   *
  724 36354 ACCEPT     tcp  !y---- 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.64/26           * ->   1024:65535
  372 18280 ACCEPT     icmp ------ 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.64/26           * ->   *
 7257 4444K ACCEPT     tcp  ------ 0xFF 0x00  wan1                           w.x.y.64/26         0.0.0.0/0             * ->   *
    4   136 ACCEPT     icmp ------ 0xFF 0x00  wan1                           w.x.y.64/26         0.0.0.0/0             * ->   *
    0     0 ACCEPT     udp  ------ 0xFF 0x00  wan1                           w.x.y.64/26         0.0.0.0/0             53 ->   *
  178 12609 MASQ       udp  ------ 0xFF 0x00  wan1                           w.x.y.64/26         0.0.0.0/0             * ->   *
61687 9489K MASQ       all  ------ 0xFF 0x00  wan1                           192.168.1.0/24      0.0.0.0/0             n/a
 2117  109K DENY       all  ----l- 0xFF 0x00  eth1                           0.0.0.0/0           w.x.y.64/26           n/a
    0     0 DENY       all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
Chain output (policy DENY: 5 packets, 200 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
 211K   99M fairq      all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           0.0.0.0             0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           255.255.255.255     0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           127.0.0.0/8         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           224.0.0.0/4         0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           10.0.0.0/8          0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           172.16.0.0/12       0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           192.168.0.0/16      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           0.0.0.0/8           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           128.0.0.0/16        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           191.255.0.0/16      0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           192.0.0.0/24        0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           223.255.255.0/24    0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           240.0.0.0/4         0.0.0.0/0             n/a
    0     0 DENY       all  ------ 0xFF 0x00  wan1                           192.168.1.0/24      0.0.0.0/0             n/a
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   137
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   135
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   137
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   135
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   138:139
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             * ->   138
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             137:138 ->   *
    0     0 REJECT     udp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             135 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             137:139 ->   *
    0     0 REJECT     tcp  ------ 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             135 ->   *
 211K   99M ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
Chain fairq (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             n/a
    0     0 RETURN     ospf ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             n/a
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             * ->   520
    0     0 RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             520 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             * ->   179
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             179 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             * ->   53
   12   656 RETURN     tcp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             53 ->   *
 3109  210K RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             * ->   53
 1240  164K RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             53 ->   *
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0           0.0.0.0/0             * ->   23
    0     0 RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0           0.0.0.0/0             23 ->   *
    3   132 RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0           0.0.0.0/0             * ->   22
 7988 1020K RETURN     tcp  ------ 0xFF 0x00  *          0x2                 0.0.0.0/0           0.0.0.0/0             22 ->   *
Chain dmzSpoof (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
    0     0 RETURN     all  ------ 0xFF 0x00  *                              w.x.z.158           0.0.0.0/0             n/a
    0     0 RETURN     all  ------ 0xFF 0x00  *                              w.x.z.157           0.0.0.0/0             n/a
    0     0 DENY       all  ----l- 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
Chain dmzIn (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
    0     0 RETURN     all  ------ 0xFF 0x00  *                              0.0.0.0/0           w.x.z.158             n/a
    0     0 RETURN     all  ------ 0xFF 0x00  *                              0.0.0.0/0           w.x.z.157             n/a
17340 2940K ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
AutoFW:
Type Prot Low  High Vis  Hid  Where    Last     CPto CPrt Timer Flags
MarkFW:
fwmark   rediraddr               rport  pcnt  pref
PortFW:
prot localaddr            rediraddr               lport    rport  pcnt  pref
UDP  w.x.z.157            192.168.1.20            55632    5632   10    10
TCP  w.x.z.157            192.168.1.20            55631    5631   10    10


-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
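Charles's argument above is that the chains on the .65 firewall cannot be what stops the firewall's own snmpwalk: the request goes out, and a reply dropped by the input chain would still show up in tcpdump. One way to check a claim like that against a `net ipfilter list` dump, instead of reading a hundred rules by eye, is to replay the packets through the chains. The script below is an added example for this thread, not code from the post, from Charles, or from the LEAF project. It parses a constructed subset of the listing above (same `ipchains -L -v -n` column layout) and reports which verdict each of the snmpwalks discussed gets: from the firewall itself, from an Internet host, from the internal LAN, plus one spoofed packet on wan1. It assumes eth1 is the DMZ interface and substitutes 203.0.113.64/26 (a TEST-NET range) for the redacted w.x.y.64/26 block, with .65 as the firewall's DMZ address and .66 as the SNMP host; the 198.51.100.7 Internet host and the port numbers are constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample: a trimmed subset of the listing in the post, same `ipchains -L -v -n`
# layout. Redacted w.x.y.64/26 is replaced by 203.0.113.64/26; eth1 is assumed to be the DMZ.
SAMPLE = """\
Chain input (policy DENY: 7 packets, 801 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
    0     0 DENY       all  ----l- 0xFF 0x00  wan1                           10.0.0.0/8          0.0.0.0/0             n/a
17340 2940K dmzIn      all  ------ 0xFF 0x00  wan1                           0.0.0.0/0           203.0.113.64/26       n/a
   39  2061 DENY       all  ----l- 0xFF 0x00  wan1                           0.0.0.0/0           0.0.0.0/0             n/a
 109K   23M ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
14296  940K MASQ       all  ------ 0xFF 0x00  eth1                           192.168.1.0/24      203.0.113.64/26       n/a
   22  1668 ACCEPT     udp  ------ 0xFF 0x00  eth1                           0.0.0.0/0           203.0.113.66          * ->   161
 2117  109K DENY       all  ----l- 0xFF 0x00  eth1                           0.0.0.0/0           203.0.113.64/26       n/a
Chain output (policy DENY: 5 packets, 200 bytes):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
 211K   99M fairq      all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
 211K   99M ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
Chain fairq (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
 3109  210K RETURN     udp  ------ 0xFF 0x00  *          0x1                 0.0.0.0/0           0.0.0.0/0             * ->   53
Chain dmzIn (1 references):
 pkts bytes target     prot opt    tosa tosx  ifname     mark      outsize  source                destination           ports
17340 2940K ACCEPT     all  ------ 0xFF 0x00  *                              0.0.0.0/0           0.0.0.0/0             n/a
"""

# sports/dports: (lo, hi) or None for any (ICMP rows carry type/code in the same slots).
Rule = namedtuple('Rule', 'target proto ifname src dst sports dports')
# iface: arrival interface for the input chain, outgoing interface for forward and output.
Packet = namedtuple('Packet', 'proto iface src dst sport dport')


def _ports(spec):
    if spec == '*':
        return None
    lo, _, hi = spec.partition(':')
    return int(lo), int(hi or lo)


def _net(spec):
    return ipaddress.ip_network(spec if '/' in spec else spec + '/32', strict=False)


def parse_listing(text):
    """Parse `ipchains -L -v -n` output into {chain: {'policy': str | None, 'rules': [Rule]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        head = re.match(r'Chain (\S+) \((?:policy (\S+):)?', line)
        if head:
            cur = chains[head.group(1)] = {'policy': head.group(2), 'rules': []}
            continue
        tok = line.split()
        if cur is None or not tok or tok[0] == 'pkts':
            continue
        rest = tok[8:]                      # after pkts bytes target prot opt tosa tosx ifname
        if rest[0].startswith('0x'):        # fwmark column is printed only when a mark is set
            rest = rest[1:]
        sp = dp = None
        if rest[2] != 'n/a':                # "sport -> dport"
            sp, dp = _ports(rest[2]), _ports(rest[4])
        cur['rules'].append(Rule(tok[2], tok[3], tok[7], _net(rest[0]), _net(rest[1]), sp, dp))
    return chains


def _in(rng, v):
    return rng is None or (v is not None and rng[0] <= v <= rng[1])


def matches(r, p):
    return (r.proto in ('all', p.proto) and r.ifname in ('*', p.iface)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and _in(r.sports, p.sport) and _in(r.dports, p.dport))


def evaluate(chains, name, pkt):
    """First match wins; a user chain hands back to its caller on RETURN or when exhausted."""
    chain = chains[name]
    for r in chain['rules']:
        if not matches(r, pkt):
            continue
        if r.target in ('ACCEPT', 'DENY', 'REJECT', 'MASQ'):
            return r.target
        if r.target == 'RETURN':
            break
        verdict = evaluate(chains, r.target, pkt)   # jump into a user-defined chain
        if verdict is not None:
            return verdict
    return chain['policy']                          # None for user chains: caller continues


FW_DMZ, SNMP_HOST = '203.0.113.65', '203.0.113.66'   # assumed firewall DMZ address / SNMP host


def snmp_verdicts(chains):
    """Verdict for each snmpwalk discussed in the thread, plus one spoofed packet."""
    q = lambda iface, src: Packet('udp', iface, src, SNMP_HOST, 40000, 161)
    return {
        # from the firewall itself: request leaves via output on eth1, reply arrives via input
        'firewall': (evaluate(chains, 'output', q('eth1', FW_DMZ)),
                     evaluate(chains, 'input', Packet('udp', 'eth1', SNMP_HOST, FW_DMZ, 161, 40000))),
        # from an Internet host: input on wan1, then routed out through forward on eth1
        'internet': (evaluate(chains, 'input', q('wan1', '198.51.100.7')),
                     evaluate(chains, 'forward', q('eth1', '198.51.100.7'))),
        # from the internal LAN: routed, so decided in forward (masqueraded towards the DMZ)
        'lan': evaluate(chains, 'forward', q('eth1', '192.168.1.20')),
        # RFC 1918 source arriving on wan1: the anti-spoof DENY fires before anything else
        'spoofed': evaluate(chains, 'input', q('wan1', '10.1.2.3')),
    }
```

Calling `snmp_verdicts(parse_listing(SAMPLE))` gives ACCEPT/ACCEPT for the firewall's own query and reply, ACCEPT/ACCEPT for the Internet host, MASQ for the LAN host and DENY for the 10/8 source on wan1, which is the conclusion Charles drew from the counters: the filter is not what loses the reply, so the next place to look is the SNMP agent's own access list on the .66 host and a tcpdump on the DMZ interface. The model deliberately ignores the `!y` (non-SYN) option, TOS bits, the log flag, and the masquerade reverse path, which the kernel handles before the chains are consulted.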

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
