 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Restricting SNMP
 Date:  Wed, 8 Sep 2004 14:57:49 -0400
On Wed, 8 Sep 2004 16:53:31 +0200, Patrick <patrick at rave dot co dot za> wrote:
> > Is there a way to restrict SNMP to just one IP address?  Firewall rule
> > maybe?
> One would assume that you could just firewall access off to the SNMP port:
> [neogenix@amnesia] ~$ grep -i snmp /etc/services
> snmp            161/tcp
> snmp            161/udp
> snmptrap        162/tcp    snmp-trap
> snmptrap        162/udp    snmp-trap
> So in theory you can just firewall off 161... I'm not sure which snmpd
> is running on the m0n0wall box and if it has any trap related services
> running but I doubt it. So 161 would be your best bet :)
> deny all connections from the lan / wan to 161
> By default which interfaces does the SNMPd listen on ?

161 UDP is the only SNMP port open, and I believe that is only on the
LAN interface (I know it's not on WAN, but might be on optional
interfaces, not sure).

I tried to put in a rule on my LAN interface for source IP not equal
to my monitoring system, source port *, destination IP the m0n0 LAN
IP, dest port 161, UDP, with logging enabled on the rule, but it's not
dropping SNMP packets as I would expect it to.  It is the first rule
on the interface.

Might be a protection built into m0n0wall to prevent you from locking
yourself out of the system (i.e. all traffic from LAN is always
allowed to LAN IP).  Not a clue on that, would appreciate some input
from someone "in the know" so I can document it in the users guide.
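As an added illustration (not code from the thread or from m0n0wall), a small Python model of first-match rule evaluation that shows why a block rule placed first in the GUI would still never fire if the firewall inserts an implicit "LAN to LAN IP" pass ahead of user rules, as suspected above; the addresses, rule names and the implicit rule itself are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (assumptions, not values from the thread).
LAN_NET = ip_network("192.168.1.0/24")
LAN_IP = ip_address("192.168.1.1")      # the firewall's own LAN address
MONITOR = ip_address("192.168.1.10")    # the one host allowed to poll SNMP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def anti_lockout(pkt: Packet) -> bool:
    """Hypothesised implicit rule: any LAN host may always reach the LAN IP."""
    return ip_address(pkt.src) in LAN_NET and ip_address(pkt.dst) == LAN_IP


def user_snmp_block(pkt: Packet) -> bool:
    """The rule from the message: src != monitor, dst = LAN IP, UDP/161."""
    return (ip_address(pkt.src) != MONITOR and ip_address(pkt.dst) == LAN_IP
            and pkt.proto == "udp" and pkt.dport == 161)


def evaluate(pkt: Packet, implicit_first: bool = True):
    """First-match evaluation; returns (action, name of the rule that matched).

    With implicit_first=True the hypothesised anti-lockout pass sits ahead of
    every user rule, so the SNMP block rule is shadowed for LAN sources.
    """
    chain = [("anti-lockout", anti_lockout, "pass")] if implicit_first else []
    chain += [
        ("block-snmp", user_snmp_block, "block"),
        ("default-lan", lambda p: ip_address(p.src) in LAN_NET, "pass"),
    ]
    for name, matches, action in chain:
        if matches(pkt):
            return action, name
    return "block", "default-deny"


if __name__ == "__main__":
    rogue = Packet("192.168.1.50", "192.168.1.1", "udp", 161)
    print(evaluate(rogue))                        # ('pass', 'anti-lockout')
    print(evaluate(rogue, implicit_first=False))  # ('block', 'block-snmp')
```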