> I was not certain what it is that you want to see -- see below.
>
> tcpdump output, run on the local DCD :

OK, this helps, but I'm still not sure what I'm looking at. Which interface did you run the tcpdump on? I'm guessing from the packet traffic we're looking at the upstream interface, and not the DMZ interface, but it's hard to be sure...

Your first case:

> [1] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157)
>
> 14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
> 14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107
> 14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
> 14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]
> 14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107
> 14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]
> <repeats>

This is just wacky...looks like the remote system sends an SNMP query, followed by your firewall sending a UDP query back to the remote system. Finally, the remote system replies with a "destination unreachable" packet, probably meaning inbound UDP packets are firewalled (or connection tracked).

My best guess at this point is that your outbound UDP traffic is being masqueraded, and the packet:

14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107

is actually the SNMP response, being masqueraded by your firewall...

NOTE: All UDP traffic (other than DNS) is masqueraded from the DMZ using the default Dachstein firewall rules, which could explain the above traffic. Even so, the difference between [1], above, and [2], below, has me confused...something had to change between these two samples (or perhaps an unnoted change in the test procedure?).

Your second case:

> [2] Internet host (a.b.c.d) query -> dmz host (w.x.y.66) via DCD dmz port (w.x.z.157)
>
> 14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> 14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
> 14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
> 14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> 14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]
> 14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]
> <repeats>

This looks a bit more normal...what changed between this trace and the first trace? Your description is identical. Here you're seeing the SNMP request, followed by an SNMP response, and finally the ICMP "destination unreachable" message back from the remote host. It sure looks like "a.b.c.d" is firewalling or otherwise dropping your response packets...

Finally, we get to:

> [3] DCD external port (w.x.y.65 - alias) query -> dmz host (w.x.y.66) via DCD external port (w.x.z.157)
>
> 14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> 14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]
> <repeats>

Here we've got nothing but the query packets...no response traffic at all. Without knowing which port you're running tcpdump on, and some more details about your test, I can't help much more...

Try to forget everything you know about your network architecture, and look at line [3], above. To me, this is saying you're trying to access your internal DMZ host via SNMP from the firewall's external port. For one, this doesn't really even make sense...if the firewall's talking SNMP to the DMZ, the traffic will be going out the DMZ interface, with a source IP of the DMZ's primary address.
I'm not even sure how you'd get snmpwalk or something to use the external IP over the default interface IP. Not knowing which interface the tcpdump came from is also kind of limiting.

Any interesting results when looking at the packet counts in your ipchains rules?

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
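As an added example (not part of Charles's message, nor code from the LEAF/Dachstein project), the following Python script reads tcpdump lines of the shape quoted in the three cases above and correlates each SNMP request with what comes back for it. It classifies mechanically the three patterns the message reasons about by eye: a reply arriving from an address other than the one queried (the masquerading signature of case [1]), a reply from the queried address followed by the requester's own ICMP "port unreachable" (case [2], the requester dropping the answer), and queries with no reply at all (case [3]). The trace lines embedded in the block are copies of the quoted ones, keeping the poster's a.b.c.d / w.x.y.66 placeholders; because those are not real dotted quads, the parser treats the last dotted field as a port only on UDP lines, which is an assumption made to fit that quoted format.

```python
"""Classify SNMP request/reply patterns in a tcpdump trace (added example).

Not from the mailing-list thread or the Dachstein/LEAF project.  Assumes the
line shape "<ts> <src> > <dst>: <rest>" as quoted in the thread; hosts such as
a.b.c.d are the poster's placeholders, so the port is split off the endpoint
only on UDP lines (tcpdump prints no port on ICMP lines).
"""
import re
from dataclasses import dataclass
from typing import Optional

SNMP_PORT = 161
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
UNREACH_RE = re.compile(r"icmp: (?P<host>\S+) udp port (?P<port>\d+) unreachable")


@dataclass
class Packet:
    ts: str
    proto: str                   # "udp" or "icmp"
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    unreach_port: Optional[int]  # port named in an ICMP port-unreachable, else None


def _endpoint(token: str, has_port: bool):
    """Split 'host.port' into (host, port); ICMP endpoints carry no port."""
    if not has_port:
        return token, None
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; returns None for markers like '<repeats>'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    is_icmp = rest.startswith("icmp:")
    src_host, src_port = _endpoint(m.group("src"), not is_icmp)
    dst_host, dst_port = _endpoint(m.group("dst"), not is_icmp)
    unreach = UNREACH_RE.search(rest) if is_icmp else None
    return Packet(m.group("ts"), "icmp" if is_icmp else "udp",
                  src_host, src_port, dst_host, dst_port,
                  int(unreach.group("port")) if unreach else None)


def analyze(lines):
    """Correlate SNMP requests with replies and ICMP errors; return counters."""
    pending = {}   # (requester host, requester port) -> host the query was sent to
    f = {"requests": 0, "replies": 0, "masqueraded_replies": 0,
         "unreachable_from_requester": 0, "unanswered_requests": 0}
    for pkt in filter(None, map(parse_line, lines)):
        if pkt.proto == "udp" and pkt.dst_port == SNMP_PORT:
            f["requests"] += 1
            pending[(pkt.src_host, pkt.src_port)] = pkt.dst_host
        elif pkt.proto == "udp" and (pkt.dst_host, pkt.dst_port) in pending:
            f["replies"] += 1
            # Reply comes back from a different address than the one queried:
            # something in the path (a masquerading firewall) rewrote the source,
            # so the requester's filter will not match it to its own query.
            if pkt.src_host != pending[(pkt.dst_host, pkt.dst_port)]:
                f["masqueraded_replies"] += 1
        elif pkt.proto == "icmp" and pkt.unreach_port is not None:
            # The requester itself reports its query port unreachable: it is
            # rejecting the reply, whatever the firewall in between did.
            if (pkt.src_host, pkt.unreach_port) in pending:
                f["unreachable_from_requester"] += 1
    f["unanswered_requests"] = max(0, f["requests"] - f["replies"])
    return f


def diagnosis(f) -> str:
    """One-line reading of the counters, in the terms used in the thread."""
    if f["requests"] and f["replies"] == 0:
        return "no response traffic at all: query never reached or never left the target"
    if f["masqueraded_replies"]:
        return "replies come from a different address than queried: outbound UDP is being masqueraded"
    if f["unreachable_from_requester"]:
        return "replies arrive unmodified but the requester answers ICMP port unreachable: requester drops them"
    return "request/response pairs look normal"


# Copies of the traces quoted in cases [1], [2] and [3] of the thread.
CASE1 = [
    "14:47:11.577976 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]",
    "14:47:11.578411 w.x.z.157.64943 > a.b.c.d.64861: udp 107",
    "14:47:11.598985 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]",
    "14:47:12.600050 a.b.c.d.64861 > w.x.y.66.161: C=privateCommunity GetNextRequest(17) [|snmp]",
    "14:47:12.600443 w.x.z.157.64943 > a.b.c.d.64861: udp 107",
    "14:47:12.686292 a.b.c.d > w.x.z.157: icmp: a.b.c.d udp port 64861 unreachable [tos 0xc0]",
    "<repeats>",
]
CASE2 = [
    "14:50:05.672129 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]",
    "14:50:05.672360 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]",
    "14:50:05.692707 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]",
    "14:50:06.682834 a.b.c.d.64919 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]",
    "14:50:06.683065 w.x.y.66.161 > a.b.c.d.64919: C=privateCommunity GetResponse(3)[|snmp]",
    "14:50:06.702159 a.b.c.d > w.x.y.66: icmp: a.b.c.d udp port 64919 unreachable [tos 0xc0]",
]
CASE3 = [
    "14:51:46.455695 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]",
    "14:51:47.460138 w.x.y.65.4709 > w.x.y.66.161: C=privateCommunity GetNextRequest(3)[|snmp]",
    "<repeats>",
]

if __name__ == "__main__":
    for name, trace in (("[1]", CASE1), ("[2]", CASE2), ("[3]", CASE3)):
        print(name, diagnosis(analyze(trace)))
```

Note that in case [1] the ICMP error is addressed to w.x.z.157 (the firewall's external address) rather than to w.x.y.66, which is consistent with the reply having been masqueraded; in case [2] the error goes to w.x.y.66 directly. When reading a trace like this on the firewall itself, the capture interface matters for the same reason the message gives: on the DMZ side the reply still carries the DMZ host's address, and only on the upstream side does the rewritten source appear.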