Damian Gerow wrote:
>
> The problem lies within logging. I tend to log everything that is
> denied or rejected, which has resulted in absurdly large log files in
> the past few weeks because of a network mapping package (IP
> 207.139.193.66) set up by our ISP. It sends out SNMP requests to
> each IP on all networks it is connected to, and if these requests
> fail, it relies on ICMP. I have allowed all ICMP from this computer
> in without a problem, but am having problems with SNMP. For some
> reason, all SNMP packets that are sent to 207.176.252.1 are DENYed,
> and subsequently logged. Here are all applicable firewalling rules:
>
> ipchains -F input
> ipchains -F forward
> ipchains -P forward DENY
>
> ipchains -A input -p udp -s 207.139.193.66 -d 207.139.193.46 161 -j ACCEPT
> ipchains -A forward -p udp -s 207.139.193.66 -d 207.176.252.0/24 161 -j ACCEPT
> ipchains -A input -p udp -s 207.139.193.66 -d 207.176.252.1 161 -j ACCEPT

Are you sure that these are *all* of the applicable rules? The "-A"
switch *appends* the rule to the chain, so if any intervening rule
logs the packet, it will get logged.

> Here is a section of the packets logged:
>
> Apr 5 15:56:08 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 207.139.193.66:46670 207.176.252.1:161 L=77:57 S=0x00 I=15014 T=62
> Apr 5 15:56:19 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 207.139.193.66:46714 207.176.252.1:161 L=77:57 S=0x00 I=15018 T=62
> Apr 5 15:56:30 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 207.139.193.66:46766 207.176.252.1:161 L=77:57 S=0x00 I=28079 T=62

The "unserved" is the chain which denied the packet. You don't mention
this chain in your message.
--
Glynn Clements <[EMAIL PROTECTED]>
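
An added example, not part of the original messages: a short Python script that reads the chain name from each ipchains "Packet log:" entry and counts entries logged by chains missing from the posted rule listing. The sample input is the three quoted log lines rejoined onto single lines; the function names and the field layout in the regular expression are assumptions taken from those lines.

```python
import re
from collections import Counter

# Constructed sample: the three log entries quoted in the thread, one per line.
SAMPLE_LOG = """\
Apr 5 15:56:08 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 207.139.193.66:46670 207.176.252.1:161 L=77:57 S=0x00 I=15014 T=62
Apr 5 15:56:19 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 207.139.193.66:46714 207.176.252.1:161 L=77:57 S=0x00 I=15018 T=62
Apr 5 15:56:30 pwfw kernel: Packet log: unserved DENY eth0 PROTO=UDP 207.139.193.66:46766 207.176.252.1:161 L=77:57 S=0x00 I=28079 T=62
"""

# Field order as it appears in the quoted lines (an assumption):
# chain, action, interface, PROTO=, source ip:port, destination ip:port.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_packet_log(text):
    """Yield one dict per 'Packet log:' entry; other lines are skipped."""
    for line in text.splitlines():
        match = PACKET_LOG.search(line)
        if match:
            yield match.groupdict()


def chains_not_listed(text, listed_chains):
    """Count logged packets per (chain, action, dst, dport) for chains
    that do not appear in listed_chains."""
    hits = Counter()
    for entry in parse_packet_log(text):
        if entry["chain"] not in listed_chains:
            key = (entry["chain"], entry["action"], entry["dst"], entry["dport"])
            hits[key] += 1
    return hits


if __name__ == "__main__":
    # Only the input and forward chains appear in the posted rules.
    posted = {"input", "forward"}
    for (chain, action, dst, dport), count in chains_not_listed(SAMPLE_LOG, posted).items():
        print(f"{count} packets to {dst}:{dport} got {action} in chain "
              f"'{chain}', which is not in the posted rules")
```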