Date: Fri, 09 Apr 2010 12:46:26 -0400 From: DAve <dave.list@pixelhammer.com> To: freebsd-pf@freebsd.org Subject: Issues with pf and snmp Message-ID: <4BBF59E2.80303@pixelhammer.com>
Good afternoon.

I've been working to enable pf on all our servers in preparation for moving them outside the PIXs we currently use. The first server I tackled was our ftp server; it currently is only used to support VOIP phones via ftp, http, and tftp. I used ipfilter extensively but that was 10? years ago.

Everything is working at this point except snmp. Cacti connects to the server to query snmp and gets part of a result, then snmp stops and takes 80% of the CPU. Cacti is on the <monitoring> network. I am at a loss to understand what is wrong with my ruleset.

### Macros ###
# define common values, so they can be referenced and changed easily.
ext_if="dc0" # replace with actual external interface name i.e., dc0
int_if="dc1"
loop_if="lo0"

### Tables ###
table <martians> persist { 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
table <monitoring> persist { 192.168.32.0/24, 10.0.241.0/24 }
table <sshguard> persist

### Normalization ###
# reassemble fragments and resolve or reduce traffic ambiguities.
scrub all random-id

### Default Filtering ###
block in log all
block out log all

# Let's make certain localhost and the private network are unrestricted
set skip on $loop_if
set skip on $int_if

# Now let's start hammering anything obvious
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
block in quick on $ext_if inet proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
antispoof for $ext_if

# Let's pass ssh, time and dns, we always need those.
# Also connections from the office and monitoring
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
pass in quick on $ext_if inet proto { tcp, udp, icmp } from <monitoring> to $ext_if keep state

### Server Specific rules ###
# We gotta support those FTP users, that's why we are here and not a kiosk in a mall
pass in quick on $ext_if inet proto tcp from any to $ext_if port 21 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 65000:65500 keep state
# Yep, Cisco phones still using tftp, we do not understand what internet they use at Cisco.
pass in quick on $ext_if inet proto udp from any to $ext_if port 69
# We use www to serve config files as well
pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state

I would think the line allowing tcp,udp,icmp would allow snmp to work from the monitoring server, but snmp is certainly not behaving. Here is the relevant pflog entry.

480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]

Thanks for any help.

DAve

--
"Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it."
John Adams
http://appleseedinfo.org
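A first debugging step for a report like this is to take the pflog output and check, for each blocked packet, which rule number fired and whether the source address actually falls inside the table the pass rule references. The script below is an added example, not part of the original post or of pf itself. It assumes pflog lines in the format shown in the post (the decoded form `tcpdump` prints when reading `pflog0`), and it reuses the two table definitions from the posted ruleset; the second and third sample lines are constructed for illustration.

```python
"""Parse decoded pflog lines and flag blocked packets whose source sits inside
a pf table that a pass rule was supposed to cover."""
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample log: line 1 is the entry quoted in the post, lines 2 and 3
# are made up (an unrelated ssh attempt and a passed SNMP poll).
SAMPLE_PFLOG = """\
480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]
000012 rule 3/0(match): block in on dc0: 203.0.113.9.51234 > 10.0.241.41.22: S 1:1(0) win 65535
000007 rule 12/0(match): pass in on dc0: 192.168.32.5.40000 > 10.0.241.41.161: C=SECRET GetRequest(27) .1.3.6.1.2.1.1.1.0
"""

# Table contents copied from the posted ruleset.
TABLES = {
    "monitoring": ["192.168.32.0/24", "10.0.241.0/24"],
    "martians": ["127.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16",
                 "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4"],
}

# "rule N/M(reason): action dir on iface: src.sport > dst.dport:"
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


class PfLogEntry(NamedTuple):
    rule: int
    action: str
    direction: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_pflog_line(line: str) -> Optional[PfLogEntry]:
    """Return the structured fields of one decoded pflog line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return PfLogEntry(int(m["rule"]), m["action"], m["dir"], m["iface"],
                      m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def tables_containing(addr: str, tables=TABLES) -> list:
    """Names of the tables whose networks contain `addr`, sorted."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, nets in tables.items()
                  if any(ip in ipaddress.ip_network(n) for n in nets))


def blocked_from_trusted(log_text: str, table="monitoring", port=161):
    """(rule, src, dst) for blocked packets to `port` whose source is inside
    `table`, i.e. the packets a pass rule for that table should have matched.
    The rule number maps to the '@N' numbering of `pfctl -vvsr`."""
    hits = []
    for line in log_text.splitlines():
        e = parse_pflog_line(line)
        if (e and e.action == "block" and e.dport == port
                and table in tables_containing(e.src)):
            hits.append((e.rule, e.src, e.dst))
    return hits


if __name__ == "__main__":
    for rule, src, dst in blocked_from_trusted(SAMPLE_PFLOG):
        print(f"rule @{rule} blocked {src} -> {dst}:161 although {src} is in <monitoring>")
```

On the quoted line the source 10.0.241.28 is inside <monitoring>, so the script reports rule 0 as the blocking rule; comparing that number against `pfctl -vvsr` output shows which rule in the loaded ruleset (not the file) the packet hit, and `pfctl -ss | grep 161` shows whether any state was ever created for the poll. Note that the decoded log line carries the SNMP community string in clear, so pflog excerpts deserve the same handling as the community string itself.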