Re: My Firewall Sending Erroneous SNMP Messages



David Gowdy wrote:
> I've implemented a gateway following the guidance and examples provided in
> the Linux IP Masquerade HOWTO (an excellent guide BTW) by David Ranch.  In
> my case it is built using Woody with a 2.4 Kernel that I generated in order
> to utilize Netfilter with IPtables.  The external interface utilizes PPPoE.
> It seems to work very well.  However, I was recently running some
> experiments to try and troubleshoot some performance problems and opted to
> trace (tcpdump) packets flowing on the external interface.  Under some
> circumstances, that I have yet to figure out, I find my gateway machine
> originating SNMP packets.  In that, these packets are absent from traces
> performed on the source machine as part of the same experiment.  The
> destination addresses include 172.16.4.242 and 192.168.18.231.  I've
> enclosed a sample below.  Because my network uses the reserved Class A
> subnet address (10.x.x.x), these subnets are not of my making.  Since they
> are also from the space reserved for private LANs (i.e., not valid
> assignments for the Internet) they are clearly erroneous.  Fortunately, the
> adjacent router (address of my PPP partner) rejects them (returning ICMP
> Dest Unreachable messages).  However, I'd like to stop sending them.  I
> think I could probably get my FW to drop them but this seems like kind of a
> kludge.

You should drop them as well as getting to the source.  In my firewall
setup (I use shorewall), I have fw->net and fw->all policies that
default to REJECT.  This way, I have to open the firewall for *every*
connection that it makes in an outbound direction.

> It would be better if they were never generated.
> 
> Does anyone know where they are coming from and/or how to turn them off?

Presumably, you're running snmpd on your firewall.  You need to turn it
off or limit the source addresses which it accepts.  In my firewall, I
have a line in /etc/snmpd/snmpd.conf that says:
	rocommunity public 192.168.0.0/24
which limits connections to snmpd to only those in the IP range shown.

You can see what information this is giving out by running:
	snmpwalk -v 2c -c public 127.0.0.1 .1.3.6.1.2.1.25.3.2.1
on your firewall.

-- 
Paul
<http://paulgear.webhop.net>
--
Did you know?  Email is not private and can be viewed by your ISP, the
recipient's ISP, and possibly other parties.  You can make sure your
emails are private by using GNU Privacy Guard <http://www.gnupg.org> and
an email plug-in like Enigmail <http://enigmail.mozdev.org>.
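The symptom described at the top of the thread (SNMP packets leaving the gateway's external interface toward RFC 1918 addresses) can be picked out of a tcpdump trace automatically. The script below is an added example written for this page, not code from either poster; the trace lines, the external address 203.0.113.7 and the timestamps are constructed, and only the two destination addresses are taken from the original post. It assumes the classic `IP src.port > dst.port:` tcpdump line layout.

```python
import ipaddress
import re

# Constructed sample trace in the style of "tcpdump -n -i ppp0" on the gateway.
# The external address (203.0.113.7), the other public peer and the timestamps
# are made up; the two private destinations are the ones from the original post.
SAMPLE_TRACE = """\
12:01:03.412 IP 203.0.113.7.161 > 172.16.4.242.1033: GetResponse(28) ...
12:01:03.520 IP 203.0.113.7.161 > 192.168.18.231.2048: Trap(44) ...
12:01:04.001 IP 203.0.113.7.40123 > 198.51.100.9.80: S 1:1(0) win 5840
12:01:04.300 IP 198.51.100.9.80 > 203.0.113.7.40123: S 9:9(0) ack 2 win 5792
12:01:05.777 IP 203.0.113.7.161 > 198.51.100.20.161: GetRequest(30) ...
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>:" at the start of a line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# SNMP agent (161) and trap receiver (162) ports.
SNMP_PORTS = {161, 162}

# RFC 1918 space, which should never appear as a destination on the
# Internet-facing side of the gateway.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": ipaddress.ip_address(m.group("src")),
        "sport": int(m.group("sport")),
        "dst": ipaddress.ip_address(m.group("dst")),
        "dport": int(m.group("dport")),
    }


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def find_bogus_snmp(trace_text, external_ip):
    """Return (line_no, destination) for every packet that our external
    address sends on an SNMP port toward an RFC 1918 destination."""
    ext = ipaddress.ip_address(external_ip)
    findings = []
    for line_no, line in enumerate(trace_text.splitlines(), 1):
        pkt = parse_line(line)
        if pkt is None or pkt["src"] != ext:
            continue
        if pkt["sport"] not in SNMP_PORTS and pkt["dport"] not in SNMP_PORTS:
            continue
        if is_rfc1918(pkt["dst"]):
            findings.append((line_no, str(pkt["dst"])))
    return findings


if __name__ == "__main__":
    for line_no, dst in find_bogus_snmp(SAMPLE_TRACE, "203.0.113.7"):
        print(f"line {line_no}: SNMP from gateway to private address {dst}")
```

Line 5 of the sample is SNMP traffic too, but to a public address, so it is not reported; the check is deliberately narrow so that legitimate monitoring of the gateway from the outside does not show up as a finding. To run it against a real capture, replace `SAMPLE_TRACE` with the contents of a `tcpdump -n` text file and `external_ip` with the PPP interface address.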

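The reply's fix is the source restriction on the `rocommunity` line in snmpd.conf. The checker below is an added example written for this page (not the poster's own tooling, and not part of net-snmp); it reads a constructed snmpd.conf fragment that contains both an unrestricted community line and the restricted form from the reply, and reports which community directives accept queries from any source. It assumes the net-snmp directive layout `rocommunity COMMUNITY [SOURCE ...]`, where a missing SOURCE, or the word `default`, means any address.

```python
# Constructed snmpd.conf fragment: line 2 is the unrestricted form, line 3 is
# the restricted form quoted in the reply.
SAMPLE_CONF = """\
# constructed example snmpd.conf
rocommunity public
rocommunity public 192.168.0.0/24
rwcommunity private 10.0.0.0/8
rocommunity6 public ::1
syslocation Home gateway
"""

# net-snmp directives that define a community string and its allowed source.
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def audit_communities(conf_text):
    """Return a list of (line_no, directive, community, source, verdict).

    verdict is "unrestricted" when the directive has no SOURCE field or uses
    the keyword "default", otherwise "restricted"."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in COMMUNITY_DIRECTIVES:
            continue
        community = parts[1] if len(parts) > 1 else ""
        source = parts[2] if len(parts) > 2 else None
        if source is None or source.lower() == "default":
            verdict = "unrestricted"
        else:
            verdict = "restricted"
        findings.append((line_no, directive, community, source, verdict))
    return findings


def unrestricted_lines(conf_text):
    """Line numbers of community directives that answer to any source."""
    return [f[0] for f in audit_communities(conf_text) if f[4] == "unrestricted"]


if __name__ == "__main__":
    for line_no, directive, community, source, verdict in audit_communities(SAMPLE_CONF):
        print(f"line {line_no}: {directive} {community!r} source={source} -> {verdict}")
```

The script only parses the directive's first three fields; view, OID and context arguments that may follow the source are ignored, which is enough to tell whether the agent is reachable from anywhere.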