alex wrote:
> Hi list!
> I have a problem with receiving SNMP answers by UDP. I have a rule that
> accepts SNMP traffic from one zone to another:
>
> SNMP/ACCEPT loc:192.168.5.59 rts
>
> But in 'shorewall.log' I see:
>
> Dec 14 20:04:05 gate Shorewall:rts2loc:REJECT:IN=eth3 OUT=eth0
> SRC=172.17.35.3 DST=192.168.5.59 LEN=89 TOS=0x00 PREC=0x00 TTL=255 ID=64977
> PROTO=UDP SPT=161 DPT=1585 LEN=69
>
> It seems as if Shorewall doesn't create reverse rules for the SNMP answer by UDP.
That's correct. Shorewall does not create reverse rules at all. And
Netfilter doesn't create expectations based on broadcasts. That means
that ANY broadcast-based protocol, including SNMP, needs an explicit
reverse rule:

ACCEPT rts loc:192.168.5.59 udp - 161

In general, the macros do not create these reverse rules for you because
such rules are actually a bit of a security hazard.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
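The reverse rule in the reply above is the hazard it warns about: it admits any UDP datagram from anywhere in the rts zone to ANY port on 192.168.5.59, as long as the sender sets its source port to 161, which an attacker on that zone can do at will. The fragment below is an added example for /etc/shorewall/rules, not part of the thread; it shows the rule as posted beside a tighter version that only admits replies from the agent address seen in the posted log line (172.17.35.3) and only to ephemeral destination ports, where a manager's reply would actually arrive. The column layout follows the standard Shorewall rules file (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S)); the specific port range is an assumption about which ports the manager on 192.168.5.59 uses for its queries.

```text
#ACTION      SOURCE              DEST               PROTO  DEST PORT(S)  SOURCE PORT(S)
# Outbound SNMP queries from the manager, as in the original post.
SNMP/ACCEPT  loc:192.168.5.59    rts
#
# Reverse rule exactly as given in the reply: any UDP datagram with source
# port 161 from any rts host reaches ANY port on 192.168.5.59.
ACCEPT       rts                 loc:192.168.5.59   udp    -             161
#
# Tighter alternative (added here, not from the thread): only the agent that
# appeared as SRC in the logged REJECT, and only unprivileged destination
# ports. Assumption: the manager sends its queries from ports >= 1024, so
# replies never need to reach a privileged port on 192.168.5.59.
ACCEPT       rts:172.17.35.3     loc:192.168.5.59   udp    1024:65535    161
```

Keep only one of the two reverse rules. After editing the file, `shorewall check` validates the syntax before a restart, and a further REJECT line in shorewall.log with SPT=161 will tell you whether the source host or the destination port range still needs widening.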
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
