SNMP fails due to unmatched packets being dropped
David Jarvie
djarvie at kde.org
Wed Aug 25 16:02:00 BST 2021
I've configured Firehol to accept SNMP both as server and client, which is
required in order for my scanner to work. However, the scanner is not detected
unless I disable the firewall by stopping Firehol.
With Firehol enabled, the system log shows multiple instances of the following
messages, showing that SNMP packets (using port 161) are being dropped:
Aug 25 00:56:58 xxxx kernel: drop UNMATCHED IN-ethernet:IN=enp2s0 OUT= MAC=fc:aa:14:60:b5:85:30:cd:a7:c6:0a:29:08:00 SRC=192.168.178.90 DST=192.168.178.100 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=10036 PROTO=UDP SPT=161 DPT=22161 LEN=55
Aug 25 00:56:59 xxxx kernel: drop UNMATCHED IN-ethernet:IN=enp2s0 OUT= MAC= SRC=192.168.178.100 DST=192.168.178.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=60805 DF PROTO=UDP SPT=8612 DPT=8612 LEN=24
The entries in firehol.conf are:
interface4 enp2s0 ethernet
client snmp accept
server snmp accept
This produces the following iptables entries (as shown by firehol debug):
Client:
-A out_ethernet -p udp --sport 32768:60999 --dport 161 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A in_ethernet -p udp --sport 161 --dport 32768:60999 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Server:
-A in_ethernet -p udp --sport 1024:65535 --dport 161 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A out_ethernet -p udp --sport 161 --dport 1024:65535 -m conntrack --ctstate ESTABLISHED -j ACCEPT
By modifying the iptables entries manually, I got the scanner to work. The
modifications required were:
a) Remove the conntrack parameters (-m conntrack --ctstate XXXX).
b) Change the in_ethernet port range set by the 'client snmp accept' statement
from 32768:60999 to 1024:65535.
The entries need to be as follows:
Client:
-A out_ethernet -p udp -m udp --sport 32768:60999 --dport 161 -j ACCEPT
-A in_ethernet -p udp -m udp --sport 161 --dport 1024:65535 -j ACCEPT
Server:
-A in_ethernet -p udp -m udp --sport 1024:65535 --dport 161 -j ACCEPT
-A out_ethernet -p udp -m udp --sport 161 --dport 1024:65535 -j ACCEPT
I can't find out how to prevent Firehol generating conntrack parameters for a
particular protocol, or to change the destination port range for a client
statement. Any help on how to make these changes would be appreciated.
--
David Jarvie.
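The following script is an added example, not code from the original post or from Firehol. It re-implements just enough of iptables matching (protocol, --sport/--dport ranges, the conntrack --ctstate match) to check the two kernel log lines quoted above against the generated and the hand-modified in_ethernet rules, so one can see why each packet fell through to the drop. A kernel LOG line does not record the conntrack state, so the caller passes it in as an assumption; the Packet, Rule and first_accept names are the example's own.

```python
"""Check netfilter "drop UNMATCHED" log lines against iptables-style UDP rules.

Added example, not code from the original post or from Firehol. Models only
protocol, --sport/--dport ranges and the conntrack --ctstate match. The
conntrack state is not in the log line, so the caller supplies it (assumption).
"""
import re
from dataclasses import dataclass
from typing import Optional

# The two kernel messages quoted in the post, re-joined onto single lines.
LOG_LINES = [
    "Aug 25 00:56:58 xxxx kernel: drop UNMATCHED IN-ethernet:IN=enp2s0 OUT= "
    "MAC=fc:aa:14:60:b5:85:30:cd:a7:c6:0a:29:08:00 SRC=192.168.178.90 "
    "DST=192.168.178.100 LEN=75 TOS=0x00 PREC=0x00 TTL=64 ID=10036 PROTO=UDP "
    "SPT=161 DPT=22161 LEN=55",
    "Aug 25 00:56:59 xxxx kernel: drop UNMATCHED IN-ethernet:IN=enp2s0 OUT= MAC= "
    "SRC=192.168.178.100 DST=192.168.178.255 LEN=44 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=60805 DF PROTO=UDP SPT=8612 DPT=8612 LEN=24",
]
# Inbound (in_ethernet) rules as Firehol generated them, per the post ...
GENERATED_RULES = [
    "-A in_ethernet -p udp --sport 161 --dport 32768:60999 -m conntrack --ctstate ESTABLISHED -j ACCEPT",
    "-A in_ethernet -p udp --sport 1024:65535 --dport 161 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT",
]
# ... and as the poster rewrote them by hand (no conntrack, wider client range).
MODIFIED_RULES = [
    "-A in_ethernet -p udp -m udp --sport 161 --dport 1024:65535 -j ACCEPT",
    "-A in_ethernet -p udp -m udp --sport 1024:65535 --dport 161 -j ACCEPT",
]

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?"
                    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str
    sport: tuple                   # inclusive (low, high)
    dport: tuple
    ctstates: Optional[frozenset]  # None: rule carries no conntrack match
    target: str


def parse_log(line: str) -> Optional[Packet]:
    """Pull the 5-tuple fields out of a netfilter LOG line; None if absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Packet(m["src"], m["dst"], m["proto"].lower(), int(m["spt"]), int(m["dpt"]))


def port_range(spec: str) -> tuple:
    """'161' -> (161, 161); '32768:60999' -> (32768, 60999)."""
    low, _, high = spec.partition(":")
    return (int(low), int(high or low))


def parse_rule(text: str) -> Rule:
    """Parse the subset of iptables-save syntax used by the rules above."""
    tokens = text.split()
    opts = {}
    for flag, value in zip(tokens, tokens[1:]):
        if flag.startswith("-"):
            opts.setdefault(flag, []).append(value)
    ctstates = None
    if "conntrack" in opts.get("-m", []):
        ctstates = frozenset(opts["--ctstate"][0].split(","))
    return Rule(chain=opts["-A"][0], proto=opts["-p"][0].lower(),
                sport=port_range(opts.get("--sport", ["0:65535"])[0]),
                dport=port_range(opts.get("--dport", ["0:65535"])[0]),
                ctstates=ctstates, target=opts["-j"][0])


def matches(rule: Rule, pkt: Packet, ctstate: str) -> bool:
    return (rule.proto == pkt.proto
            and rule.sport[0] <= pkt.spt <= rule.sport[1]
            and rule.dport[0] <= pkt.dpt <= rule.dport[1]
            and (rule.ctstates is None or ctstate in rule.ctstates))


def first_accept(rules, pkt: Packet, ctstate: str) -> Optional[str]:
    """Text of the first rule that would ACCEPT pkt, or None (falls to the drop)."""
    for text in rules:
        rule = parse_rule(text)
        if rule.target == "ACCEPT" and matches(rule, pkt, ctstate):
            return text
    return None


if __name__ == "__main__":
    for name, rules in (("generated", GENERATED_RULES), ("modified", MODIFIED_RULES)):
        for line in LOG_LINES:
            pkt = parse_log(line)
            hit = first_accept(rules, pkt, "ESTABLISHED")  # assumed state
            print(f"{name:9} {pkt.src}:{pkt.spt} -> {pkt.dst}:{pkt.dpt}: {hit or 'DROP'}")
```

Run against the quoted lines, the first packet (port 161 back to port 22161) is dropped by the generated rules because 22161 lies below the 32768:60999 client range, and is accepted by the rewritten client rule. The second line (UDP 8612 to 8612, sent to the broadcast address) is matched by neither rule set, so if the scanner relies on it, it needs a rule of its own. The cost of dropping --ctstate is also visible: the rewritten rule accepts any datagram from source port 161 to any port above 1023 whether or not this host ever sent a request, so it is worth confining such a rule to the scanner's address (Firehol's src parameter) rather than leaving it open to the whole segment.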