Fwd: Issues with pf and snmp

Peter Maxwell peter at allicient.co.uk
Sat Apr 10 00:18:19 UTC 2010 

Hit reply in haste and forgot to send to list...


---------- Forwarded message ----------
From: Peter Maxwell <peter at allicient.co.uk>
Date: 10 April 2010 01:16
Subject: Re: Issues with pf and snmp
To: DAve <dave.list at pixelhammer.com>




On 9 April 2010 20:55, DAve <dave.list at pixelhammer.com> wrote:

> Peter Maxwell wrote:
> >
> > Hi DAve,
> >
> > This may be a daft question, but is the destination IP in your tcpdump
> > of 10.0.241.41 (one of) the IP address(es) assigned to dc0?
>
> Yes it is.
>

Darn, I thought that one would be too easy ;-)



>
> >
> > The next question isn't actually related to your problem; when you say
> > "I've been working to enable pf on all our servers in preparation for
> > moving them outside the PIXs we currently use", does that mean the
> > servers that have services running on them will also do their own packet
> > filtering?  If so, then your existing setup with a PIX sounds better.
> >  Your packet filters should - whenever possible - be on a separate box
> > from the hosts running any services.  The reason being if one of your
> > daemon processes are compromised then so is your fw ;-)
>
> Yea, well, I get to voice my opinions and then wait for the decision. If
> we do *not* move outside the PIX, I will still leave PF on each box for
> the layered security. So I still need to get snmp to work.
>
> I poked around the manuals for quite a while this morning and found
> nothing that I saw as an answer. Searching the net for anything with pf
> and snmp provided links to monitoring pf, not filtering snmp.
>
> I am not certain the problem is not of my own creation, but I may have
> to look at snmp as the issue if I cannot find anything incorrect in my
> pf rules. Though, cacti has been querying this server for over two years
> without a problem until I turned up pf.
>

Can't see anything obvious but have you tried these things in the event
something strange is going on:

- removing the scrub rule;

- removing the antispoof rule;

- add 'log' to the the pass rules and then check to see if there are any
other snmp udp packets getting passed/dropped in the wrong place.




>
> Still digging...
>
> DAve
> >
> > Best wishes,
> >
> > Peter
> >
> >
> >
> >
> >
> > "
> > On 9 April 2010 17:46, DAve <dave.list at pixelhammer.com
> > <mailto:dave.list at pixelhammer.com>> wrote:
> >
> >     Good afternoon.
> >
> >     I've been working to enable pf on all our servers in preparation for
> >     moving them outside the PIXs we currently use. The first server I
> >     tackled was our ftp server, it currently is only used to support VOIP
> >     phones via ftp, http, and tftp. I used ipfilter extensively but that
> was
> >     10? years ago.
> >
> >     Everything is working at this point except snmp. Cacti connects to
> the
> >     server to query snmp and gets part of a result, then snmp stops and
> >     takes 80% of the CPU. Cacti is on the <monitoring> network. I am at a
> >     loss to understand what is wrong with my ruleset.
> >
> >     ### Macros ###
> >     # define common values, so they can be referenced and changed easily.
> >     ext_if="dc0"    # replace with actual external interface name i.e.,
> dc0
> >     int_if="dc1"
> >     loop_if="lo0"
> >
> >     ### Tables ###
> >     table <martians> persist { 127.0.0.0/8 <http://127.0.0.0/8>,
> >     172.16.0.0/12 <http://172.16.0.0/12>, 169.254.0.0/16
> >     <http://169.254.0.0/16>,
> >     192.0.2.0/24 <http://192.0.2.0/24>, 0.0.0.0/8 <http://0.0.0.0/8>,
> >     240.0.0.0/4 <http://240.0.0.0/4> }
> >     table <monitoring> persist { 192.168.32.0/24
> >     <http://192.168.32.0/24>, 10.0.241.0/24 <http://10.0.241.0/24> }
> >     table <sshguard> persist
> >
> >     ### Normalization ###
> >     # reassemble fragments and resolve or reduce traffic ambiguities.
> >     scrub all random-id
> >
> >     ### Default Filtering ###
> >     block in log all
> >     block out log all
> >
> >     # Lets make certain localhost and the private network is unrestricted
> >     set skip on $loop_if
> >     set skip on $int_if
> >
> >     # Now lets start hammering anything obvious
> >     block drop in quick on $ext_if from <martians> to any
> >     block drop out quick on $ext_if from any to <martians>
> >     block in quick on $ext_if inet proto tcp from <sshguard> to any port
> 22
> >     label "ssh bruteforce"
> >     antispoof for $ext_if
> >
> >     # Lets pass ssh, time and dns, we always need those. Also connections
> >     from the office and monitoring
> >     pass in quick on $ext_if inet proto tcp from any to $ext_if port 22
> keep
> >     state
> >     pass out quick on $ext_if inet proto udp from $ext_if to any port 53
> >     keep state
> >     pass out quick on $ext_if inet proto udp from $ext_if to any port 123
> >     keep state
> >     pass in quick on $ext_if inet proto { tcp, udp, icmp } from
> <monitoring>
> >     to $ext_if keep state
> >
> >     ### Server Specific rules ###
> >     # We gotta support those FTP users, that's why we are here and not a
> >     kiosk in a mall
> >     pass in quick on $ext_if inet proto tcp from any to $ext_if port 21
> keep
> >     state
> >     pass in quick on $ext_if inet proto tcp from any to $ext_if port
> >     65000:65500 keep state
> >     # Yep, Cisco phones still using tftp, we do not understand what
> internet
> >     they use at Cisco.
> >     pass in quick on $ext_if inet proto udp from any to $ext_if port 69
> >     # We use www to serve config files as well
> >     pass in quick on $ext_if inet proto tcp from any to $ext_if port 80
> keep
> >     state
> >
> >     I would think the line allowing tcp,udp,icmp would allow snmp to work
> >     from the monitoring server, but snmp is certainly not behaving. here
> is
> >     the relevant pflog entry.
> >
> >     480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 >
> >     10.0.241.41.161:  C=SECRET GetNextRequest(21)  .0.1[|snmp]
> >
> >     Thanks for any help.
> >
> >     DAve
>
>
> --
> "Posterity, you will know how much it cost the present generation to
> preserve your freedom.  I hope you will make good use of it.  If you
> do not, I shall repent in heaven that ever I took half the pains to
> preserve it." John Adams
>
> http://appleseedinfo.org
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>

More information about the freebsd-pf mailing list