The characterization of "rendering the system vulnerable" is a little
dramatic. Since net-snmp never reads from this socket, the worst thing
that can happen is that packets can build up in the kernel. Since the
address that it's bound to is the one used as the source address for traps,
you can't use 127.0.0.1; however, starting with net-snmp 5.8 you will be
able to specify a source address in the trap2sink configuration. This will
still leave the socket available to "receive" packets sent to that address.
Would you be less alarmed if you saw
udp4 0 0 10.8.101.20.18748 *.*
?
It'd probably be a reasonable change to have net-snmp attempt to set
SO_RCVBUF to 0, to prevent packets from being able to build up in the
kernel. That wouldn't change what you see in netstat, though.
Bill
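The behaviour Bill describes, reproduced in C against the POSIX sockets API. This is an added example, not net-snmp code and not from anyone in the thread. It assumes a loopback sink standing in for the 10.8.76.101 manager, and it binds the sender to 127.0.0.1 only because that sink is on loopback (for real traps the bind address has to be the source address the manager should see, as Bill notes). The names make_sink, open_sender, queued_datagrams, request_zero_rcvbuf and run_demo are this example's own.

```c
/* Added example, not net-snmp code. A send-only UDP socket that is never
 * bind()ed gets auto-bound to INADDR_ANY on its first sendto(), which is the
 * "*.18748" netstat shows; binding it to a source address first changes that;
 * and because nobody recv()s on it, anything sent to the port queues in the
 * kernel. Assumes POSIX/Linux sockets; a loopback sink replaces 10.8.76.101. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed trap destination: a loopback UDP socket on a kernel-chosen port. */
static int make_sink(struct sockaddr_in *addr) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0); if (fd < 0) return -1;
    memset(addr, 0, sizeof *addr);
    addr->sin_family = AF_INET; addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    socklen_t len = sizeof *addr;
    if (bind(fd, (struct sockaddr *)addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) { close(fd); return -1; }
    return fd;
}

/* The "trap sender". local_ip == NULL: never bind()ed, like a send-only trap
 * session, so the first sendto() auto-binds it; otherwise bind to that source
 * address first. *bound gets the local address netstat would report. */
static int open_sender(const char *local_ip, const struct sockaddr_in *sink,
                       struct sockaddr_in *bound) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (local_ip) {
        struct sockaddr_in src;
        memset(&src, 0, sizeof src); src.sin_family = AF_INET;  /* port 0 */
        if (inet_pton(AF_INET, local_ip, &src.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&src, sizeof src) < 0) { close(fd); return -1; }
    }
    static const char trap[] = "constructed stand-in for a trap PDU";
    socklen_t len = sizeof *bound;
    if (sendto(fd, trap, sizeof trap, 0, (const struct sockaddr *)sink, sizeof *sink) < 0 ||
        getsockname(fd, (struct sockaddr *)bound, &len) < 0) { close(fd); return -1; }
    return fd;
}

static int is_wildcard(const struct sockaddr_in *a) {   /* INADDR_ANY = "*" */
    return a->sin_addr.s_addr == htonl(INADDR_ANY);
}

/* Fire n unsolicited datagrams at the sender's port from a third socket and
 * count what queued on the sender; a real snmpd would never drain these. */
static int queued_datagrams(int sender, const struct sockaddr_in *sender_addr, int n) {
    int from = socket(AF_INET, SOCK_DGRAM, 0); if (from < 0) return -1;
    struct sockaddr_in dst = *sender_addr;
    if (is_wildcard(&dst)) dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    char junk[64] = "unsolicited datagram";
    for (int i = 0; i < n; i++)
        if (sendto(from, junk, sizeof junk, 0, (struct sockaddr *)&dst, sizeof dst) < 0) {
            close(from); return -1;
        }
    close(from);
    int count = 0; char buf[128];
    struct pollfd pfd = { .fd = sender, .events = POLLIN };
    while (poll(&pfd, 1, 200) > 0 && recv(sender, buf, sizeof buf, 0) >= 0) count++;
    return count;   /* loop ends when poll() times out on an empty queue */
}

/* Bill's suggested mitigation: request a zero receive buffer. Returns what the
 * kernel actually granted (Linux rounds up to its minimum), -1 if refused. */
static int request_zero_rcvbuf(int fd) {
    int zero = 0, got = 0; socklen_t len = sizeof got;
    if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &zero, sizeof zero) < 0 ||
        getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &got, &len) < 0) return -1;
    return got;
}

/* One full run: whether netstat would show "*" for the sender, how many
 * unsolicited datagrams queued on it, and SO_RCVBUF after asking for 0. */
static int run_demo(const char *local_ip, int *wildcard, int *queued, int *rcvbuf) {
    struct sockaddr_in sink_addr, sender_addr;
    int sink = make_sink(&sink_addr); if (sink < 0) return -1;
    int sender = open_sender(local_ip, &sink_addr, &sender_addr);
    if (sender < 0) { close(sink); return -1; }
    *wildcard = is_wildcard(&sender_addr);
    *queued = queued_datagrams(sender, &sender_addr, 3);
    *rcvbuf = request_zero_rcvbuf(sender);
    close(sender); close(sink);
    return (*queued < 0 || *rcvbuf < 0) ? -1 : 0;
}

int main(void) {
    const char *cases[] = { NULL, "127.0.0.1" }; int w, q, r;
    for (int i = 0; i < 2; i++) {
        if (run_demo(cases[i], &w, &q, &r) != 0) return 1;
        printf("bind=%-9s netstat-local=%-8s queued=%d rcvbuf-after-0=%d\n",
               cases[i] ? cases[i] : "(none)", w ? "*" : "specific", q, r);
    }
    return 0;
}
```

Compile with cc -o trapsock trapsock.c and run it. The first output line is the implicitly bound sender: wildcard local address (what netstat prints as "*") and three datagrams that queued on a socket nobody reads. The second line is the same sender after an explicit source bind, which is what a per-session source address produces in netstat. The rcvbuf figure is whatever the kernel granted for a request of 0; Linux rounds it up to its floor, so that option shrinks the queue but does not remove it, and it does not change the netstat line either.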
On Mon, Apr 2, 2018 at 7:52 AM, Ananth Laxminarasimhan (alaxmina) <alaxm...@cisco.com> wrote:
> Hi,
>
> When I use the trapsess or trap2sink as follows to configure the agent to
> send traps to a target, I see that a local listen port is also opened.
>
> trapsess -v2c -cpublic 10.8.76.101
>
> or
>
> trap2sink 10.8.76.101 public
>
> When I run a netstat command to get the list of all listen ports that are
> *NOT* opened with the localhost IP, i.e. netstat -an | grep -iE
> 'udp.*\*\.' | grep -iEv '127.0.0.1',
>
> I see the following output:
>
> udp4 0 0 10.8.101.20.161 *.*
>
> udp4 0 0 *.18748 *.*
>
>
> Running the command, lsof | grep 18748 shows the following:
>
> snmpd 58163 root 12u IPv4 0xfffff80033366b10
> 0t0 UDP *:18748
>
> If I remove the trapsess/trap2sink directive, then this listen port is no
> longer opened.
>
> Why is this listen port opened on the local host when the trap target is a
> remote machine? Would a remote machine connect to this port?
>
> Since it shows the port as “*.18748”, it has, most probably, been opened
> with INADDR_ANY.
>
> How can I change to listen on either <LOCAL_IP_ADDR>:<port> or
> <127.0.0.1>:<port>?
>
> Would I need to change the code or can this be accomplished by an extra
> param(?) to the trap2sink/trapsess directive?
>
> Thanks,
>
> Ananth
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Net-snmp-users mailing list
> Net-snmp-users@lists.sourceforge.net
> Please see the following page to unsubscribe or change other options:
> https://lists.sourceforge.net/lists/listinfo/net-snmp-users