
List:       firewalls-gc
Subject:    Re: SNMP Proxy agent
From:       "Simon J. Gerraty" <sjg () zen ! void ! oz ! au>
Date:       1994-12-31 19:19:25

>   I'm using a Cisco router for ip screening and the FWTK on a Bastion host.
> I'd like to be able to at least pass SNMP traps from the Cisco back to an 
> NMS on the private net.

I wanted exactly the same thing - the ability to pass SNMP traps
through the firewall while not allowing _any_ UDP traffic to do so.

I use a TCP tunnel for this.  On the external bastion host, you
configure inetd to run say: "udpt tcp!inside!2162" in response to SNMP
traps.  inetd on inside is configured such that a TCP call to port 2162
will run "udpt udp!nmhost!162"

So, udpt on "outside" receives UDP packets and sends them via TCP to
udpt on "inside" which then sends them as UDP packets to the NM host.

The machine "inside" can be any machine inside the firewall.

Alternatively, if you are happy to let UDP packets from the bastion
host through the firewall but not random UDP traffic, a simple UDP
bouncer will let you send all your traps to the bastion and have it
simply echo them through the firewall to the NM host.

I suspect that the TCP tunnel though allows tighter control through
the choke router.

--sjg
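The two halves of the udpt tunnel described above, as an added example that is not the original udpt program and not part of this post. It assumes a 2-byte length prefix to keep datagram boundaries over the TCP stream (udpt's real wire format is not described here), and an allow-list so that "inside" only accepts the tunnel from the bastion and only re-emits traps to the NM host; the addresses are constructed.

```python
"""udpt-style UDP-over-TCP relay for SNMP traps (added example, not udpt)."""
import struct

# Constructed: the post names hosts "inside"/"nmhost" and ports 2162/162 but
# gives no addresses. Only the external bastion may open the tunnel to "inside".
BASTION_ALLOWED = {"127.0.0.1"}

def frame(datagram: bytes) -> bytes:
    """Prefix a datagram with its 2-byte big-endian length. TCP is a byte
    stream with no record boundaries, so each UDP trap needs explicit framing."""
    if len(datagram) > 0xFFFF:
        raise ValueError("datagram too large for a 16-bit length prefix")
    return struct.pack("!H", len(datagram)) + datagram

def unframe(buf: bytes):
    """Split a received buffer into complete datagrams.
    Returns (datagrams, leftover) where leftover is a partial trailing frame."""
    out = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:          # frame not fully received yet
            break
        out.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return out, bytes(buf)

def outside_relay(udp_sock, tcp_sock, max_datagrams=None):
    """Bastion side ("udpt tcp!inside!2162"): read trap datagrams from the
    UDP socket and send each one framed over the TCP tunnel. Returns count."""
    sent = 0
    while max_datagrams is None or sent < max_datagrams:
        data, _peer = udp_sock.recvfrom(65535)
        tcp_sock.sendall(frame(data))
        sent += 1
    return sent

def inside_relay(tcp_conn, peer_ip, udp_sock, nm_addr):
    """Inside side ("udpt udp!nmhost!162"): accept the tunnel only from the
    bastion, then re-emit every framed datagram as UDP to the NM host.
    Returns the number of traps forwarded (0 if the peer was refused)."""
    if peer_ip not in BASTION_ALLOWED:
        tcp_conn.close()
        return 0
    buf, count = b"", 0
    while True:
        chunk = tcp_conn.recv(4096)
        if not chunk:                 # bastion closed the tunnel
            break
        datagrams, buf = unframe(buf + chunk)
        for d in datagrams:
            udp_sock.sendto(d, nm_addr)
            count += 1
    return count
```

On the inside host, inetd hands the accepted TCP connection to `inside_relay` with the peer address; on the bastion, inetd hands the UDP trap socket to `outside_relay` after connecting to inside:2162.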
