Date: Sun, 18 Apr 2010 21:27:57 -0400
From: jhell <jhell@dataix.net>
To: DAve <dave.list@pixelhammer.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Issues with pf and snmp
Message-ID: <4BCBB19D.7090206@dataix.net>
In-Reply-To: <4BBF59E2.80303@pixelhammer.com>
References: <4BBF59E2.80303@pixelhammer.com>
On 04/09/2010 12:46, DAve wrote:
> Good afternoon.
>
> I've been working to enable pf on all our servers in preparation for
> moving them outside the PIXs we currently use. The first server I
> tackled was our ftp server, it currently is only used to support VOIP
> phones via ftp, http, and tftp. I used ipfilter extensively but that was
> 10? years ago.
>
> Everything is working at this point except snmp. Cacti connects to the
> server to query snmp and gets part of a result, then snmp stops and
> takes 80% of the CPU. Cacti is on the <monitoring> network. I am at a
> loss to understand what is wrong with my ruleset.
>
> ### Macros ###
> # define common values, so they can be referenced and changed easily.
> ext_if="dc0" # replace with actual external interface name i.e., dc0
> int_if="dc1"
> loop_if="lo0"
>
> ### Tables ###
> table <martians> persist { 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
> table <monitoring> persist { 192.168.32.0/24, 10.0.241.0/24 }
> table <sshguard> persist
>
> ### Normalization ###
> # reassemble fragments and resolve or reduce traffic ambiguities.
> scrub all random-id
>
> ### Default Filtering ###
> block in log all
> block out log all
>
> # Lets make certain localhost and the private network is unrestricted
> set skip on $loop_if
> set skip on $int_if
>
> # Now lets start hammering anything obvious
> block drop in quick on $ext_if from <martians> to any
> block drop out quick on $ext_if from any to <martians>
> block in quick on $ext_if inet proto tcp from <sshguard> to any port 22 label "ssh bruteforce"
> antispoof for $ext_if
>
> # Lets pass ssh, time and dns, we always need those. Also connections
> # from the office and monitoring
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 keep state
> pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state
> pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from <monitoring> to $ext_if keep state
>
> ### Server Specific rules ###
> # We gotta support those FTP users, that's why we are here and not a
> # kiosk in a mall
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 21 keep state
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 65000:65500 keep state
> # Yep, Cisco phones still using tftp, we do not understand what internet
> # they use at Cisco.
> pass in quick on $ext_if inet proto udp from any to $ext_if port 69
> # We use www to serve config files as well
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state
>
> I would think the line allowing tcp,udp,icmp would allow snmp to work
> from the monitoring server, but snmp is certainly not behaving. Here is
> the relevant pflog entry.
>
> 480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]
>
> Thanks for any help.
>
> DAve

Hi DAve,

Could you try adding a rule specifically for SNMP traffic? Ports 161, 162, 1993 (cisco-tcp).

Also could you possibly try adding "no-df" to your scrub all rule with the random-id and report back if it helped?

Relevant man page section from pf.conf(5) on the "no-df" scrub option:
http://tinyurl.com/y242jpa

Regards,

-- 
jhell
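The two changes jhell suggests, written out as a pf.conf fragment. This is an added example and not part of either message in the thread: the interface macro and the <monitoring> table are taken from DAve's ruleset, the port list from jhell's reply, and it assumes the Cacti poller reaches the host on $ext_if from an address inside <monitoring>. The "before" scrub line is kept as a comment beside the corrected one.

```conf
# Added example (not from the thread): jhell's suggestions as pf.conf.
# Assumes SNMP polling arrives on $ext_if from hosts in <monitoring>.

### Macros and tables (as in DAve's ruleset) ###
ext_if="dc0"
table <monitoring> persist { 192.168.32.0/24, 10.0.241.0/24 }

### Normalization ###
# Before: DAve's original rule.
#scrub all random-id
# After: no-df clears the don't-fragment bit. pf.conf(5) notes that scrub
# drops fragmented packets that carry DF unless no-df is set, and that
# random-id should accompany no-df so every packet gets a unique IP ID.
scrub all no-df random-id

### Default Filtering ###
block in log all
block out log all

### SNMP, limited to the monitoring hosts rather than "from any" ###
# udp/161 is polling (what Cacti does); udp/162 only matters if this host
# receives traps; tcp/1993 is the Cisco SNMP-over-TCP port jhell lists.
# keep state is what lets the UDP replies back out through the block out rule.
pass in quick on $ext_if inet proto udp from <monitoring> to $ext_if port { 161, 162 } keep state
pass in quick on $ext_if inet proto tcp from <monitoring> to $ext_if port 1993 keep state
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. `pfctl -vvsr` prints the loaded filter rules with their `@N` index; that N is the first number pflog prints in `rule N/...(match)`, so the entry DAve quoted can be tied to the exact rule that dropped the packet before and after the change.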