From owner-freebsd-security Thu Dec 7 14:33:53 2000
From owner-freebsd-security@FreeBSD.ORG Thu Dec 7 14:33:50 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id C68C237B400 for ; Thu, 7 Dec 2000 14:33:49 -0800 (PST)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id PAA10695; Thu, 7 Dec 2000 15:33:38 -0700 (MST)
Message-Id: <200012072233.PAA10695@faith.cs.utah.edu>
Subject: Re: mrtg through firewall
To: petef@databits.net (Pete Fritchman)
Date: Thu, 7 Dec 2000 15:33:38 -0700 (MST)
Cc: dga@pobox.com (David G. Andersen), root@battery.yi.org (Brad Mace), freebsd-security@FreeBSD.ORG
In-Reply-To: <20001207163518.A3794@databits.net> from "Pete Fritchman" at Dec 07, 2000 04:35:18 PM
From: "David G. Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: danderse@cs.utah.edu
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Um. How does this differ from "allow UDP from the snmp back to any of your
high UDP ports?" That's exactly what I said. MRTG will open a random high
UDP port and send data out to the remote SNMP port, from which it will get
replies...

 -Dave

Lo and behold, Pete Fritchman once said:
>
> No, you don't. You can allow any UDP with the source port of snmp to talk to
> your mrtg box.
>
> -pete
>
> ++ 06/12/00 22:05 -0700 - David G. Andersen:
> >Not really. You're going to basically have to allow UDP from the snmp
> >port back to any of your high UDP ports, but you can at least limit it to
> >that. You'll still be able to block most of the reserved UDP ports.
> >
> >Similar problems exist with many DNS resolvers, so it likely won't be a
> >big change for your firewall rules.
> >
> > -Dave
> >
> >Lo and behold, Brad Mace once said:
> >>
> >> I've been trying to set up my firewall rules to allow mrtg to run. It
> >> seems to use different udp ports each time. Is there a way I can allow it
> >> without allowing all udp packets?
> >>
> >
> >--
> >work: dga@lcs.mit.edu me: dga@pobox.com
> > MIT Laboratory for Computer Science http://www.angio.net/
> >
> --
> Pete Fritchman
> Databits Network Services, Inc
> http://www.databits.net
> finger: petef@analog.databits.net
>

--
work: dga@lcs.mit.edu me: dga@pobox.com
 MIT Laboratory for Computer Science http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
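The rule set the thread converges on (allow UDP from the MRTG box's high ports out to port 161, allow UDP from port 161 back to the MRTG box's high ports, deny other UDP) can be checked against sample traffic with a small first-match filter model. The following is an added example, not code from the thread or from MRTG or FreeBSD; it models the matching logic rather than ipfw syntax, and every address and port number in it is a constructed placeholder. It also goes one step beyond the thread by putting a stateful variant beside the stateless rules, to show which datagrams the stateless form still admits.

```python
"""Stateless vs. stateful modelling of the MRTG/SNMP UDP rules.

Constructed example. Addresses are documentation-range placeholders,
not hosts from the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SNMP_PORT = 161
SNMP_ONLY = range(SNMP_PORT, SNMP_PORT + 1)
HIGH_PORTS = range(1024, 65536)          # "high" ports a resolver/MRTG may pick
MRTG_HOST = "10.0.0.5"                   # constructed: the MRTG box
ROUTER = "192.0.2.1"                     # constructed: a monitored SNMP agent
OUTSIDER = "198.51.100.7"                # constructed: an unrelated remote host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    src: Optional[str] = None          # None matches any host
    sports: Optional[range] = None     # None matches any port
    dst: Optional[str] = None
    dports: Optional[range] = None
    proto: str = "udp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.src is None or p.src == self.src)
                and (self.sports is None or p.sport in self.sports)
                and (self.dst is None or p.dst == self.dst)
                and (self.dports is None or p.dport in self.dports))


# The thread's rule set: first match wins, everything else is denied.
STATELESS_RULES: List[Rule] = [
    Rule("allow", src=MRTG_HOST, sports=HIGH_PORTS, dports=SNMP_ONLY),
    Rule("allow", sports=SNMP_ONLY, dst=MRTG_HOST, dports=HIGH_PORTS),
    Rule("deny"),
]


def stateless_verdict(p: Packet, rules: List[Rule] = STATELESS_RULES) -> str:
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Same outbound rule, but a reply is admitted only if this host sent
    the matching query first (what a dynamic/keep-state rule does)."""

    def __init__(self) -> None:
        self.flows: set = set()

    def verdict(self, p: Packet) -> str:
        if p.src == MRTG_HOST and p.sport in HIGH_PORTS and p.dport == SNMP_PORT:
            # remember the flow keyed the way its reply will look
            self.flows.add((p.dst, p.dport, p.src, p.sport))
            return "allow"
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "allow"
        return "deny"


# Constructed traffic, in the order it would arrive at the firewall.
SAMPLE_TRAFFIC: List[Tuple[str, Packet]] = [
    ("query", Packet(MRTG_HOST, 40123, ROUTER, SNMP_PORT)),
    ("reply", Packet(ROUTER, SNMP_PORT, MRTG_HOST, 40123)),
    ("reply_to_reserved", Packet(ROUTER, SNMP_PORT, MRTG_HOST, 53)),
    ("unrelated_udp", Packet(OUTSIDER, 9999, MRTG_HOST, 514)),
    ("unsolicited_from_161", Packet(OUTSIDER, SNMP_PORT, MRTG_HOST, 40123)),
]


def demo() -> Dict[str, Tuple[str, str]]:
    """Return {name: (stateless verdict, stateful verdict)} for the samples."""
    sf = StatefulFilter()
    return {name: (stateless_verdict(p), sf.verdict(p)) for name, p in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for name, (stateless, stateful) in demo().items():
        print(f"{name:22s} stateless={stateless:5s} stateful={stateful}")
```

The model confirms both points made in the thread: the real SNMP reply is admitted, and a datagram from port 161 aimed at a reserved port (53 here) is still blocked, as is unrelated UDP. The last sample shows the limit of the stateless form: any datagram with source port 161 and a high destination port on the MRTG box is accepted whether or not MRTG asked for it, which is why, where the firewall supports dynamic rules, tying the reply to a recorded outbound query is the tighter option.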