On Wed, 8 Sep 2004 16:53:31 +0200, Patrick <patrick at rave dot co dot za> wrote:

> > Is there a way to restrict SNMP to just one IP address? Firewall rule
> > maybe?
>
> One would assume that you could just firewall access off to the SNMP port:
>
> [neogenix@amnesia] ~$ grep -i snmp /etc/services
> snmp            161/tcp
> snmp            161/udp
> snmptrap        162/tcp    snmp-trap
> snmptrap        162/udp    snmp-trap
>
> So in theory you can just firewall off 161... I'm not sure which snmpd
> is running on the m0n0wall box and if it has any trap related services
> running but I doubt it. So 161 would be your best bet :)
>
> deny all connections from the lan / wan to 161
>
> By default which interfaces does the SNMPd listen on?

161 UDP is the only SNMP port open, and I believe that is only on the LAN interface (I know it's not on WAN, but it might be on optional interfaces, not sure).

I tried to put in a rule on my LAN interface for source IP not equal to my monitoring system, source port *, destination IP the m0n0 LAN IP, dest port 161, UDP, with logging enabled on the rule, but it's not dropping SNMP packets as I would expect it to. It is the first rule on the interface.

Might be a protection built into m0n0wall to prevent you from locking yourself out of the system (i.e. all traffic from LAN is always allowed to LAN IP). Not a clue on that; would appreciate some input from someone "in the know" so I can document it in the users guide.

-Chris
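The rule Chris describes (source not equal to the monitoring host, destination the m0n0wall LAN address, UDP port 161) and his guess that an earlier built-in allow rule is hiding it can be tried out with a small first-match rule evaluator. This is an added illustration, not m0n0wall code or anything from the list; the addresses, the rule descriptions and the "anti-lockout" rule itself are constructed assumptions, used only to show how a pass rule placed before a block rule shadows it in a first-match ruleset and why the block rule's log then stays empty.

```python
"""Constructed first-match firewall rule evaluator (added example, not m0n0wall code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str   # "udp" or "tcp"
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    descr: str                    # label used in the verdict
    proto: Optional[str] = None   # None = any protocol
    src: Optional[str] = None     # address or CIDR; None = any source
    src_not: bool = False         # invert the source match ("source IP not equal to")
    dst: Optional[str] = None     # address or CIDR; None = any destination
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None:
            in_src = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
            # A negated source matches only when the packet is *outside* the set.
            if in_src == self.src_not:
                return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule; deny when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.descr
    return "block", "default deny"


# Constructed sample addresses (assumptions, not values from the thread).
LAN_NET = "192.168.1.0/24"
M0N0_LAN_IP = "192.168.1.1"
MONITOR_IP = "192.168.1.10"
OTHER_HOST = "192.168.1.50"

# The rule from the post: block UDP/161 to the LAN IP unless it comes from the monitor.
RESTRICT_SNMP = Rule("block", "deny SNMP except from monitor", proto="udp",
                     src=MONITOR_IP, src_not=True, dst=M0N0_LAN_IP, dport=161)
# The usual permissive LAN rule that follows it.
LAN_DEFAULT = Rule("pass", "default LAN to any", src=LAN_NET)
# Hypothetical built-in rule evaluated before any user rule: LAN to the LAN IP is always passed.
ANTI_LOCKOUT = Rule("pass", "hypothetical anti-lockout", src=LAN_NET, dst=M0N0_LAN_IP)

USER_RULESET = [RESTRICT_SNMP, LAN_DEFAULT]                 # what the user sees as "first rule"
SHADOWED_RULESET = [ANTI_LOCKOUT, RESTRICT_SNMP, LAN_DEFAULT]  # what would explain no drops


def snmp_from(src: str, rules: List[Rule]) -> Tuple[str, str]:
    """Verdict for an SNMP query (UDP/161) from `src` to the m0n0wall LAN address."""
    return evaluate(rules, Packet("udp", src, M0N0_LAN_IP, 161))


def shadowing_rules(rules: List[Rule], target: Rule, pkt: Packet) -> List[str]:
    """Descriptions of rules listed before `target` that already decide `pkt`."""
    return [r.descr for r in rules[:rules.index(target)] if r.matches(pkt)]


if __name__ == "__main__":
    for name, rs in (("user ruleset", USER_RULESET), ("with anti-lockout", SHADOWED_RULESET)):
        print(name, "monitor:", snmp_from(MONITOR_IP, rs), "other:", snmp_from(OTHER_HOST, rs))
    probe = Packet("udp", OTHER_HOST, M0N0_LAN_IP, 161)
    print("rules shadowing the SNMP block:", shadowing_rules(SHADOWED_RULESET, RESTRICT_SNMP, probe))
```

With only the user's rules the block rule fires for every LAN host except the monitor, which is the behaviour Chris expected; once an earlier pass rule covers LAN-to-LAN-IP traffic, the block rule is never reached, so it neither drops nor logs anything. Checking which earlier rules already match a probe packet (`shadowing_rules`) is the first thing to look at when a logged rule stays silent.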