
List:       ipfilter
Subject:    Re: Question about using nat to redirect SNMP traps
From:       Jim Sandoz <sandoz () lucent ! com>
Date:       2006-06-29 20:21:02
Message-ID: 44A4362E.7060000 () lucent ! com


mike,

this is your problem:
http://www.phildev.net/ipf/long.html#prob8

ipf will not "bounce" a connection (packet comes in on an
interface, gets rewritten via rdr/map, and goes out the same
interface).

routing principles in general, and unix kernel routing
specifically, do not natively support this behaviour.

as i wrote in the FAQ entry,
"The golden RDR rule: rdr works *only* when the packet
traverses the firewall (i.e. in one interface and out
on another interface)."

so, you need to use a separate userland utility to do this.

n.b.
note that rewriting SNMP packet headers will likely break
SNMP, as SNMP is definitely not a NAT-friendly protocol.
this is not the fault of ipf:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#Q23
Q. Why doesn't Cisco IOS NAT support SNMP traffic?
     A. The SNMP packet format depends on the particular MIB
        being used and is not self-describing. There is no
        single format for SNMP requests and responses that
        can be processed in a general fashion.
see also
http://www.faqs.org/rfcs/rfc2962.html

can you just run SNMPd in a separate zone on the original box?
or does the client not want to do this, or are you not on Sol10?

can you reconfig the source to send snmp pkts to the .127 box &&
can you install ipf on the .127 box?  then you can rewrite the
destination port as needed on the inbound interface.  that is,
run snmpd on $port_unpriv and do a rdr to localhost:$port_unpriv.
this allows you to run snmpd as non-root per your client.

jim


Mike Epplin wrote:

> They are 2 separate boxes on the same subnet.
> 
> -----Original Message-----
> From: owner-ipfilter@coombs.anu.edu.au
> [mailto:owner-ipfilter@coombs.anu.edu.au] On Behalf Of Jim Sandoz
> Sent: Thursday, June 29, 2006 11:36 AM
> To: ipfilter@coombs.anu.edu.au
> Subject: Re: Question about using nat to redirect SNMP traps
> 
> 
> mike,
> sorry, i need a little more clarity here.
> 
> are 10.170.24.126 and 10.170.24.127 separate boxes on the
> same subnet, or are these just two IP's assigned to the same
> physical interface on the same box?
> 
> jim

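For readers following the suggestion in Jim's last paragraph (receive the traps on the .127 box itself and rdr the privileged trap port to an unprivileged one on loopback), the following is an added illustration of what that looks like in ipf/ipnat syntax. It is not from the original thread or from the ipfilter project; the interface name `bge0`, the unprivileged port `10162`, and the use of snmptrapd as the listener are all assumptions chosen for the example.

```conf
# --- /etc/ipf/ipnat.conf (added example; names and ports are placeholders) ---
#
# Assumptions: the trap receiver box is 10.170.24.127, its inbound interface
# is bge0, and snmptrapd has been started as a non-root user bound to
# UDP port 10162.  Traps arrive on UDP 162, which is privileged, so we
# rewrite the destination on the *inbound* interface to loopback:high-port.
rdr bge0 10.170.24.127/32 port 162 -> 127.0.0.1 port 10162 udp

# A rule of the same shape on the .126 box, redirecting to .127, would need
# the packet to leave by the interface it arrived on.  ipf does not bounce
# packets like that (the "golden RDR rule" above), so the rdr must live on
# the box that actually owns the listener.

# --- /etc/ipf/ipf.conf (filter side) ---
#
# Inbound NAT is applied before filtering, so the pass rule has to match the
# translated destination (127.0.0.1:10162), not the original port 162.
pass in quick on bge0 proto udp from any to 127.0.0.1 port = 10162 keep state
```

Load the NAT rules with `ipnat -CF -f /etc/ipf/ipnat.conf` and confirm them with `ipnat -l`; the filter rules go in with `ipf -Fa -f /etc/ipf/ipf.conf`. Because the rewrite only touches the IP/UDP headers and not the SNMP payload, the caveat Jim raises about NAT and SNMP applies less here than it would for a cross-host redirect, but the trap's source address as seen by snmptrapd is still whatever arrived on the wire, so check the receiver's access configuration against the real sender rather than the loopback address.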