Charles Steinkuehler wrote:
> > > We have a DCD setup, including a proxy dmz.
> > >
> > > SNMP queries work everywhere, excepting systems residing on that dmz.
> >
> > Let me clarify that: snmp queries respond properly from clients inside
> > the private network; but, *not* from the DCD firewall nor internet
> > hosts.
> >
> > Running iptraf on the firewall, we see the snmp queries properly
> > forwarded to the dmz host; but, *nothing* returns from that host.
> > Instead, we see a flurry of these:
> >
> > <timestamp> ICMP; lo; 99 bytes; from bluetrout.private.network \
> > to bluetrout.private.network; dest unrch (port)
> >
> > Notice that bluetrout is the firewall.
> >
> > We're unclear as to why snmp queries have anything to do with icmp.
> >
> > What is going on here? What are possible solutions?
> >
> > What do you think?
>
> Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly?
Yes -- that's how it works everywhere, excepting the dmz . . .

> Since it sounds like the packets may actually be getting to the DMZ host, do
> you maybe have a network configuration issue on that system?

Actually, it is two (2) systems (netware ;<) on that dmz . . .

> Your error report lacks enough detail for me to figure out exactly what's
> happening...not only am I unfamiliar with iptraf output (more of a tcpdump
> man), IP addresses would be more helpful (does the above really indicate
> your firewall is pinging itself over the loopback interface, like I think it
> does?), as well as other details (like details on the packets that you think
> were OK and went through to the DMZ host).

I was not certain what it is that you want to see -- see below.

> If your local net can see SNMP services on the DMZ host (you indicate it
> can), but the firewall cannot, something weird is going on. The internal
> snmp requests should be using the same query IP as the firewall, since the
> internal net is masqueraded to the DMZ. Are your firewall rules blocking
> anything? Did you remember to check (watch the byte/packet counts before
> and after trying to access your non-working service)?
tcpdump output, run on the local DCD:

[1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157)

14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
14:47:13.592798 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
14:47:13.593156 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:13.621180 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
14:47:14.607662 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
14:47:14.608002 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:14.629095 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
14:47:15.611646 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
14:47:15.611993 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:15.630231 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
14:47:16.623665 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
14:47:16.624025 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:16.647831 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]

[2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD dmz port (w.x.z.157)

14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
14:50:07.689494 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:50:07.689727 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
14:50:07.707398 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
14:50:08.702497 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:50:08.702724 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
14:50:08.721155 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
14:50:09.712075 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:50:09.712311 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
14:50:09.733080 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
14:50:10.719750 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:50:10.719978 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
14:50:10.738522 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]

[3] DCD external port (w.x.y.65 - alias) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157)

14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:51:48.470087 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:51:49.480079 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:51:50.490081 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:51:51.500083 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]

What do you think?

--
Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to
how much we think we know. The more I know, the more I know
I don't know . . .

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
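The three captures in the post are easier to compare once each SNMP query is paired with whatever came back to the querier's port. The script below is an added example, not code from this thread or from the LEAF project. It is a hypothetical parser for the tcpdump text format the post shows (one packet per line, "TIME SRC.PORT > DST.PORT: payload" for UDP and "TIME SRC > DST: icmp: ..." for ICMP), uses the post's anonymised addresses as sample input, and reports per query whether a reply arrived and whether it came from the address and port that were queried.

```python
# Added example, not code from the thread or the LEAF project: pair each SNMP
# query in tcpdump text output with its reply and flag replies arriving from an
# address or port other than the one queried. Assumes the tcpdump line format
# shown in the post; a.b.c.d and w.x.* are the post's anonymised addresses.
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    kind: str  # snmp-req | snmp-resp | udp | icmp-unreach | other


def _endpoint(ep: str):
    """Split 'host.port' on the last dot, which is how tcpdump prints ports."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, rest = m.group("ts", "src", "dst", "rest")
    if rest.startswith("icmp:"):  # ICMP lines carry bare addresses, no ports
        kind = "icmp-unreach" if "unreachable" in rest else "other"
        return Packet(ts, src, None, dst, None, kind)
    sh, sp = _endpoint(src)
    dh, dp = _endpoint(dst)
    if "Request(" in rest:
        kind = "snmp-req"
    elif "GetResponse(" in rest:
        kind = "snmp-resp"
    elif rest.startswith("udp"):
        kind = "udp"  # payload tcpdump did not decode, e.g. "udp 107"
    else:
        kind = "other"
    return Packet(ts, sh, sp, dh, dp, kind)


def pair_queries(lines):
    """For each SNMP request, find the first packet sent back to the
    requester's source port and record where it came from."""
    pkts = [p for p in (parse_line(ln) for ln in lines) if p is not None]
    findings = []
    for i, q in enumerate(pkts):
        if q.kind != "snmp-req":
            continue
        status, answered_by = "no-reply", None
        for r in pkts[i + 1:]:
            # the same query sent again means the earlier one went unanswered
            if r.kind == "snmp-req" and (r.src, r.sport) == (q.src, q.sport):
                break
            if r.kind in ("snmp-resp", "udp") and (r.dst, r.dport) == (q.src, q.sport):
                answered_by = f"{r.src}:{r.sport}"
                expected = (r.src, r.sport) == (q.dst, q.dport)
                status = "reply-ok" if expected else "reply-from-unexpected-source"
                break
        findings.append({"ts": q.ts, "queried": f"{q.dst}:{q.dport}",
                         "answered_by": answered_by, "status": status})
    return findings


def summarize(lines):
    """Count the outcome of every query plus ICMP port-unreachable messages."""
    counts = {"reply-ok": 0, "reply-from-unexpected-source": 0, "no-reply": 0}
    for f in pair_queries(lines):
        counts[f["status"]] += 1
    counts["icmp-port-unreachable"] = sum(
        1 for p in (parse_line(ln) for ln in lines) if p and p.kind == "icmp-unreach")
    return counts


# Sample input: the first cycle of captures [1] and [2] and the first two
# requests of capture [3], copied from the post.
CAPTURE_1 = """\
14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
"""
CAPTURE_2 = """\
14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
"""
CAPTURE_3 = """\
14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
"""

if __name__ == "__main__":
    for name, cap in (("[1]", CAPTURE_1), ("[2]", CAPTURE_2), ("[3]", CAPTURE_3)):
        print(name, summarize(cap.splitlines()))
```

Run on the post's own captures, it reports three different shapes: in [1] every reply comes back from the firewall's external address w.x.z.157 on port 64943 rather than from w.x.y.66:161, which is the first thing to check because a UDP client whose socket is connected to the queried address discards datagrams from any other source; in [2] the replies carry the expected source yet each is still followed by an ICMP port-unreachable from the querier; in [3] nothing answers at all. The script only records what the capture shows; whether the rewritten source in [1] or the unreachables in [2] point at the firewall's masquerading rules or at the DMZ hosts is the question the thread is still asking.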