Thank you . . . . problem is solved . . . . . I added a rule to/from the
affected subnets to allow all traffic including fragmented packets . . . .
they tell me they are now getting the SNMP traps . . .
My initial intuitive jump was to try and allow fragments, but I didn't think
the rules came into play for traffic heading for IPSEC . . . . learn
something new every day . . . . . does this mean I can create rules to block
ports and/or specific IPs for IPSEC traffic?
David Z
----- Original Message -----
From: "Chris Buechler" <cbuechler at gmail dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, February 28, 2006 7:17 PM
Subject: Re: [m0n0wall] SNMP traffic over IPSEC
On 2/28/06, dasz <daszylstra at comcast dot net> wrote:
>
> Every other function does seem to work - they have about 100+ nodes at each
> location and they can ping, telnet, ftp, http, do firmware/software
> upgrades, etc just fine to all nodes; it only seems to be the SNMP traffic
> heading back to their central office that fails -- when I look at the Mono
> firewall log it shows the SNMP traffic being blocked with a source and
> destination that is definitely in the IPSEC IP range, so for some reason
> Mono is ignoring the destination IP and trying to pass it through the
> firewall . . . . .
>
This makes it sound like the default rule is still set to deny
fragments, and the SNMP is getting fragmented for some reason. That's
my first guess at least.
-Chris
---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
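The thread's fix (a subnet-to-subnet rule that explicitly allows fragmented packets) and David's follow-up question (whether per-port or per-host block rules also apply to tunnel traffic) both come down to how a first-match rule set treats a non-initial IP fragment, which carries no UDP header and therefore cannot match a port-based rule. The following is an added example written for this thread, not m0n0wall's own rule engine or any code from the list: a small first-match policy model with constructed subnets (192.168.10.0/24 for the remote site, 10.0.0.0/24 for the central office) and a constructed SNMP trap split into an initial and a non-initial fragment. The "before" rule set only permits UDP/162 and so drops the second fragment; the "after" rule set adds the allow-fragments rule and a host-specific block rule to show that ordinary rule ordering still applies.

```python
"""Toy first-match firewall model illustrating why a port-based pass rule
drops the non-initial fragments of an SNMP trap and why an explicit
allow-fragments rule between the tunnel subnets fixes it.

All addresses, ports and rules below are constructed for illustration;
this is not m0n0wall's rule syntax or engine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # IP protocol is present in every fragment
    dport: Optional[int]       # None for a non-initial fragment (no L4 header)
    fragment: bool = False     # True for a non-initial IP fragment


@dataclass
class Rule:
    action: str                # "pass" or "block"
    src: str                   # CIDR network
    dst: str                   # CIDR network
    proto: str = "any"
    dport: Optional[int] = None
    allow_fragments: bool = False  # modelled "allow fragmented packets" option

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if pkt.fragment:
            # A non-initial fragment has no port to inspect: a port-based rule
            # can never match it, and only a pass rule that explicitly allows
            # fragments (or an address-based block rule) applies.
            if self.dport is not None:
                return False
            return self.action == "block" or self.allow_fragments
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; otherwise the default (deny, as in the thread)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed subnets for the two tunnel endpoints.
REMOTE_SITE = "192.168.10.0/24"
CENTRAL_OFFICE = "10.0.0.0/24"


def before_ruleset() -> List[Rule]:
    """Only SNMP trap traffic (UDP/162) is permitted; fragments are not."""
    return [Rule("pass", REMOTE_SITE, CENTRAL_OFFICE, proto="udp", dport=162)]


def after_ruleset() -> List[Rule]:
    """Block one host first, then allow all traffic including fragments."""
    return [
        Rule("block", "192.168.10.99/32", CENTRAL_OFFICE),
        Rule("pass", REMOTE_SITE, CENTRAL_OFFICE, allow_fragments=True),
    ]


# A constructed SNMP trap large enough to be fragmented: the first fragment
# carries the UDP header, the second one does not.
TRAP_FIRST = Packet("192.168.10.5", "10.0.0.20", "udp", 162)
TRAP_REST = Packet("192.168.10.5", "10.0.0.20", "udp", None, fragment=True)
BLOCKED_HOST = Packet("192.168.10.99", "10.0.0.20", "udp", 162)


if __name__ == "__main__":
    for label, rules in (("before", before_ruleset()), ("after", after_ruleset())):
        for name, pkt in (("trap first fragment", TRAP_FIRST),
                          ("trap later fragment", TRAP_REST),
                          ("blocked host", BLOCKED_HOST)):
            print(f"{label:6} {name:22} -> {evaluate(rules, pkt)}")
```

With the "before" rule set the first fragment passes and every later fragment is dropped, so the trap never reassembles at the central office, which is the symptom described in the thread. With the "after" rule set both fragments pass, while the host-specific block rule placed ahead of it still takes effect, because rules are evaluated in order regardless of whether the traffic will later enter the tunnel.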