Fwd: Issues with pf and snmp

Peter Maxwell peter at allicient.co.uk
Fri Apr 16 05:13:47 UTC 2010

On 16 April 2010 05:11, DAve <dave.list at pixelhammer.com> wrote:

> DAve wrote:
> > Peter Maxwell wrote:
> >> Can't see anything obvious but have you tried these things in the event
> >> something strange is going on:
> >>
> >> - removing the scrub rule;
> >>
> >> - removing the antispoof rule;
> >>
> >> - add 'log' to the the pass rules and then check to see if there are any
> >> other snmp udp packets getting passed/dropped in the wrong place.
> >
> > A good idea. I will try to get that done this evening, though I am
> > running 100% until Monday.
> >

Nope, no scrubbing no antispoof, same result exactly. I did check
> snmpget and it seemed to work. I will check which oid is next in line
> and see if I can get that value next.

If snmpget is working, pf is passing packets and there is something
unexpected happening.  I'd start opening up your ruleset until it works or
you reach a 'pass all' ruleset (with the former you've found the problem, in
the later you know for certain pf is the problem).

- add an equivalent 'pass out' rule for the <monitoring> network;

- change the pass rule to be 'from <monitoring> to any';

- comment out the three unnecessary block rules (3 through 5);

- remove *all* instances of the 'quick' keyword;

- move the snmp rules to immediately underneath the first block rules;

- remove all the pass rules and replace with pass in from any to $ext_if &
pass out from $ext_if to any.

If you've reached this far and it still doesn't work then, erm, we'll deal
with that if it happens.

> It appears some restriction on the snmpwalk, possibly a limit on how
> many results are being returned? (Shooting in the dark now).

No, that would be on the application layer, the tcpdump output showed an
inbound udp packet getting blocked.  The only difference I can imagine
between snmpget and snmpwalk would be the size of the packets, number of
packets, or source port numbers.

I'd try doing a tcpdump on the dc0 interface of the snmpwalk session when pf
isn't loaded then load pf and collect a tcpdump from both the dc0 and pflog0
interfaces.  There should be enough information in those three datasets to
discover what on earth is going on.

> I use Cacti everywhere within our networks, no snmpwalk is a show
> stopper for me here...
> DAve
> --
> "Posterity, you will know how much it cost the present generation to
> preserve your freedom.  I hope you will make good use of it.  If you
> do not, I shall repent in heaven that ever I took half the pains to
> preserve it." John Adams
> http://appleseedinfo.org
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

More information about the freebsd-pf mailing list