 From:  "dasz" <daszylstra at comcast dot net>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] SNMP traffic over IPSEC
 Date:  Wed, 1 Mar 2006 17:59:04 -0500
Thank you . . . . problem is solved . . . . . I added a rule to/from the 
affected subnets to allow all traffic including fragmented packets . . . . 
they tell me they are now getting the SNMP traps . . .

My initial intuitive jump was to try and allow fragments, but I didn't think 
the rules came into play for traffic heading for IPSEC . . . . learn 
something new every day . . . . . does this mean I can create rules to block 
ports and/or specific IPs for IPSEC traffic?

David Z

----- Original Message ----- 
From: "Chris Buechler" <cbuechler at gmail dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, February 28, 2006 7:17 PM
Subject: Re: [m0n0wall] SNMP traffic over IPSEC

On 2/28/06, dasz <daszylstra at comcast dot net> wrote:
> Every other function does seem to work - they have about 100+ nodes at 
> each
> location and they can ping, telnet, ftp, http, do firmware/software
> upgrades, etc just fine to all nodes; it only seems to be the SNMP traffic
> heading back to their central office that fails -- when I look at the Mono
> firewall log it shows the SNMP traffic being blocked with a source and
> destination that is definitely in the IPSEC IP range, so for some reason
> Mono is ignoring the destination IP and trying to pass it through the
> firewall . . . . .

This makes it sound like the default rule is still set to deny
fragments, and the SNMP is getting fragmented for some reason.  That's
my first guess at least.
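An added illustration of the fragment point above; this is not code from the thread or from m0n0wall, and the filter below is a simplified stand-in for ipfilter rules, not their real semantics. It fragments a constructed 1400-byte SNMP trap datagram per RFC 791 and shows why a rule that matches on UDP port 162 can never match the second and later fragments: only the first fragment carries the UDP header, so the remaining fragments either match an explicit "allow fragments" rule or get blocked. The MTU of 576, the payload size and the port numbers are assumptions chosen for the example.

```python
"""
Added example (not m0n0wall code): why a port-based allow rule
lets at most the first fragment of a large SNMP datagram through.

Assumptions (not from the thread): a constructed 1400-byte SNMP-like
trap payload, a path MTU of 576 and a toy stateless filter that stands
in for m0n0wall's ipfilter rule set.
"""
import struct

IP_HDR_LEN = 20
UDP_HDR_LEN = 8


def build_udp_datagram(src_port, dst_port, payload):
    """UDP header (zero checksum, permitted for IPv4) followed by payload."""
    length = UDP_HDR_LEN + len(payload)
    return struct.pack("!HHHH", src_port, dst_port, length, 0) + payload


def fragment(udp_datagram, mtu, ident=0x1234):
    """Split one UDP datagram into IPv4 fragments as RFC 791 describes.

    Returns a list of (header_fields, data). Fragment offsets are in
    8-byte units, so every fragment but the last carries a multiple of
    8 data bytes.
    """
    max_data = (mtu - IP_HDR_LEN) // 8 * 8
    frags = []
    offset = 0
    while offset < len(udp_datagram):
        chunk = udp_datagram[offset:offset + max_data]
        more = offset + len(chunk) < len(udp_datagram)  # MF flag
        fields = {"id": ident, "mf": more, "frag_offset": offset // 8}
        frags.append((fields, chunk))
        offset += len(chunk)
    return frags


def udp_dst_port(fields, data):
    """Only the first fragment (offset 0) contains the UDP header."""
    if fields["frag_offset"] != 0:
        return None
    return struct.unpack("!H", data[2:4])[0]


def filter_packet(fields, data, allowed_dst_ports, allow_fragments):
    """Toy stateless filter returning 'pass' or 'block'.

    With allow_fragments=False every fragment is dropped (a block-all-
    fragments default). With it True, the first fragment is matched on
    its UDP port and the header-less later fragments are let through.
    """
    is_fragment = fields["mf"] or fields["frag_offset"] != 0
    if is_fragment and not allow_fragments:
        return "block"
    port = udp_dst_port(fields, data)
    if port is not None and port in allowed_dst_ports:
        return "pass"
    if is_fragment:
        return "pass"  # no L4 header to match; the fragments rule covers it
    return "block"


def run(allow_fragments, mtu=576, payload_len=1400):
    """Per-fragment verdicts for one constructed SNMP trap to UDP/162."""
    payload = b"\x30" + bytes(payload_len - 1)  # constructed BER-like bytes
    dgram = build_udp_datagram(161, 162, payload)
    return [filter_packet(f, d, {162}, allow_fragments)
            for f, d in fragment(dgram, mtu)]


if __name__ == "__main__":
    print("fragments blocked:", run(allow_fragments=False))
    print("fragments allowed:", run(allow_fragments=True))
    print("small trap, no fragmentation:", run(False, mtu=1500, payload_len=100))
```

The same reason the port rule cannot see later fragments is why allowing fragments is a broad permission: a filter cannot inspect what a non-first fragment carries. Scoping the fragments rule to the specific tunnel subnets, as done in the reply above, limits that exposure; the longer-term check is to find out why the traps exceed the path MTU of the tunnel in the first place.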

