[Firehol-support] Outgoing snmp requests blocked by firehol

Alain Tésio alain at floc2.net
Mon Aug 24 22:51:37 BST 2009


Thanks for the reply,

I found the problem: the remote machine has several IPs and it replies using another interface, so iptables could not relate the outgoing and incoming packets.

Alain


Carlos Rodrigues wrote:
> At first glance I would say that the connection tracking module
> isn't being loaded for some reason. You can check by starting firehol
> and then doing an "lsmod" and looking for any "conntrack" modules.
>
> Regards,
>
> On Tue, Aug 18, 2009 at 11:34 PM, Alain Tésio<alain at floc2.net> wrote:
>   
>> Hi,
>>
>> I have snmp servers running on machines A and B.
>>
>> When I start firehol on the machine B, snmp requests from B to A fail
>> with a timeout.
>> When firehol is stopped, it works fine.
>>
>> I can see such a log on the machine B:
>>
>> Aug 18 08:33:24 sd-18517 kernel: [4671769.087536] ''IN-inet':'IN=eth0
>> OUT= MAC=00:15:17:9c:be:a8:00:24:97:da:5f:bf:08:00 SRC=IP_A DST=IP_B
>> LEN=128 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF PROTO=UDP SPT=161 DPT=40361
>> LEN=108
>>
>> In the firehol configuration, I have written "server snmp accept".
>> And anyway this is about outgoing requests, and I have "client accept all"
>> so I don't understand what is the problem.
>>
>> It looks like it has problems recognizing that the reply is related to
>> the outgoing query.
>>
>> Below is my firehol.conf file.
>>
>> The machine B is running debian lenny, Kernel is 2.6.26, X86 / 64bits.
>> Nothing else installed related to network filtering.
>>
>> Thanks for any hint,
>>
>> Alain
>>
>>
>>
>> version 5
>>
>> home_ips="88.191.109.18 88.191.111.18"
>>
>> interface eth+ inet
>>
>> server snmp accept
>>
>> server http accept
>> server https accept
>> server ftp accept
>> server dns accept
>> server rndc accept
>> server smtp accept
>> server pop3 accept
>> server ssh accept
>> server ping accept
>>
>> server netbios_ns drop
>> server netbios_dgm drop
>> server dhcp drop
>>
>> server ident reject with tcp-reset # be nice and don't let other hosts wait for the timeout
>>
>> client all accept
>>
>>
>>
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/firehol-support
>>
>>     
>
>
>
>   
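As an added illustration (not code from this thread or from firehol itself), the following Python model shows why the reply in Alain's log is dropped: connection tracking only marks an inbound UDP packet ESTABLISHED when it matches the exact reverse of the outgoing 5-tuple, so a reply from A's other address looks like a NEW packet to an ephemeral port and falls through to the logged drop. The addresses are constructed, since the post shows them only as IP_A and IP_B, and the rule ordering is a simplification of the posted config.

```python
import re

# Constructed addresses (the post only shows IP_A / IP_B): host A answers SNMP
# and owns two addresses; host B runs firehol and sends the query.
B_IP = "198.51.100.5"
A_IP_QUERIED = "192.0.2.10"   # address B sent the request to
A_IP_OTHER = "192.0.2.11"     # address on A's second interface that replies
SNMP_PORT, EPHEMERAL_PORT = 161, 40361

LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def parse_kernel_log(line):
    """Extract (proto, src, sport, dst, dport) from a netfilter LOG line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    src, dst, proto, spt, dpt = m.groups()
    return (proto, src, int(spt), dst, int(dpt))

class Conntrack:
    """Toy nf_conntrack for UDP: remember the reverse tuple each outgoing
    packet expects; an inbound packet is ESTABLISHED only on an exact match."""
    def __init__(self):
        self.expected_replies = set()
    def outgoing(self, proto, src, sport, dst, dport):
        self.expected_replies.add((proto, dst, dport, src, sport))
    def state(self, pkt):
        return "ESTABLISHED" if pkt in self.expected_replies else "NEW"

def firehol_verdict(ct, pkt):
    """Simplified order of the posted rules: 'client all accept' admits
    ESTABLISHED replies, 'server snmp accept' admits NEW packets to udp/161,
    everything else hits the default logged drop ('IN-inet')."""
    proto, _src, _sport, _dst, dport = pkt
    if ct.state(pkt) == "ESTABLISHED":
        return "ACCEPT (client reply)"
    if proto == "UDP" and dport == SNMP_PORT:
        return "ACCEPT (server snmp)"
    return "DROP (logged as IN-inet)"

def simulate_reply_from(reply_src):
    """B queries A_IP_QUERIED; A answers from reply_src. Return the verdict."""
    ct = Conntrack()
    ct.outgoing("UDP", B_IP, EPHEMERAL_PORT, A_IP_QUERIED, SNMP_PORT)
    line = ("Aug 18 08:33:24 sd-18517 kernel: 'IN-inet':'IN=eth0 OUT= "
            "SRC=%s DST=%s LEN=128 TOS=0x00 PREC=0x00 TTL=56 ID=0 DF "
            "PROTO=UDP SPT=%d DPT=%d LEN=108" % (reply_src, B_IP, SNMP_PORT, EPHEMERAL_PORT))
    return firehol_verdict(ct, parse_kernel_log(line))
```

The clean fix is on host A (make it answer from the address it was queried on); loosening B's rules to admit unsolicited UDP to ephemeral ports would be the wrong way to silence the log.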