Charles Steinkuehler wrote:
>
> > We have a DCD setup, including a proxy dmz.
> >
> > SNMP queries work everywhere, excepting systems residing on that dmz.
> > Let me clarify that: snmp queries respond properly from clients inside
> > the private network; but, *not* from the DCD firewall nor internet
> > hosts.
> >
> > Running iptraf on the firewall, we see the snmp queries properly
> > forwarded to the dmz host; but, *nothing* returns from that host.
> > Instead, we see a flurry of these:
> >
> > <timestamp> ICMP; lo; 99 bytes; from bluetrout.private.network \
> > to bluetrout.private.network; dest unrch (port)
> >
> > Notice that bluetrout is the firewall.
> >
> > We're unclear as to why snmp queries have anything to do with icmp.
> >
> > What is going on here? What are possible solutions?
> >
> > What do you think?
>
> Do you have SNMP_BLOCK and SNMP_MANAGER_IPS set properly?
Yes -- that's how it works everywhere, excepting the dmz . . .
> Since it sounds like the packets may actually be getting to the DMZ host, do
> you maybe have a network configuration issue on that system?
Actually, it is two (2) systems (netware ;<) on that dmz . . .
> Your error report lacks enough detail for me to figure out exactly what's
> happening...not only am I unfamiliar with iptraf output (more of a tcpdump
> man), IP addresses would be more helpful (does the above really indacate
> your firewall is pinging itself over the loopback interface, like I think it
> does?), as well as other details (like details on the packets that you think
> were OK and went through to the DMZ host).
I was not certain what it is that you want to see -- see below.
> If your local net can see SNMP services on the DMZ host (you indicate it
> can), but the firewall cannot, something wierd is going on. The internal
> snmp requests should be using the same query IP as the firewall, since the
> internal net is masqueraded to the DMZ. Are your firewall rules blocking
> anything? Did you remember to check (watch the byte/packet counts before
> and after trying to access your non-working service)?
tcpdump output, run on the local DCD :
[1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66)
via DCD external port (w.x.z.157)
14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:13.592798 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:13.593156 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:13.621180 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:14.607662 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:14.608002 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:14.629095 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:15.611646 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:15.611993 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:15.630231 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
14:47:16.623665 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity
GetNextRequest(17) [|snmp]
14:47:16.624025 w.x.z.157.64943 > a.b.c.d.64861: udp 107
14:47:16.647831 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861
unreachable [tos 0xc0]
[2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66)
via DCD dmz port (w.x.z.157)
14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:07.689494 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:07.689727 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
14:50:07.707398 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:08.702497 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:08.702724 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
14:50:08.721155 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:09.712075 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:09.712311 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
14:50:09.733080 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
14:50:10.719750 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:50:10.719978 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity
GetResponse(3)[|snmp]
14:50:10.738522 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919
unreachable [tos 0xc0]
[3] DCD external port (w.x.y.65 - alias) query -> dmz host (w.x.y.66)
via DCD external port (w.x.z.157)
14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:51:48.470087 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:51:49.480079 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:51:50.490081 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
14:51:51.500083 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity
GetNextRequest(3)[|snmp]
What do you think?
--
Best Regards,
mds
mds resource
888.250.3987
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much we
think we know. The more I know, the more I know I don't know . . .
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
