On Wed, 8 Sep 2004 16:53:31 +0200, Patrick <patrick at rave dot co dot za> wrote:
> > Is there a way to restrict SNMP to just one IP address? Firewall rule
> > maybe?
> One would assume that you could just firewall access off to the SNMP port :
> [neogenix@amnesia] ~$ grep -i snmp /etc/services
> snmp 161/tcp
> snmp 161/udp
> snmptrap 162/tcp snmp-trap
> snmptrap 162/udp snmp-trap
> So in theory you can just firewall off 161... Im not sure which snmpd
> is running on the m0n0wall box and if it has any trap related services
> running but i doubt it. So 161 would be your best bet :)
> deny all connections from the lan / wan to 161
> By default which interfaces does the SNMPd listen on ?
161 UDP is the only SNMP port open, and I believe that is only on the
LAN interface (I know it's not on WAN, but might be on optional
interfaces, not sure).
I tried to put in a rule on my LAN interface for source IP not equal
to my monitoring system, source port *, destination IP the m0n0 LAN
IP, dest port 161, UDP, with logging enabled on the rule, but it's not
dropping SNMP packets as I would expect it to. It is the first rule
on the interface.
Might be a protection built into m0n0wall to prevent you from locking
yourself out of the system (i.e. all traffic from LAN is always
allowed to LAN IP). Not a clue on that, would appreciate some input
from someone "in the know" so I can document it in the users guide.