Re: (PM) ingress notify filter

Robert Boyle (robert@tellurian.net)
Thu, 08 Apr 1999 05:14:20 -0400

At 10:54 AM 4/8/1999 +0200, you wrote:
>In view of a recent abortive snmp community string attack done against one of
>our pm2's the other night, I was wondering if it's possible to set up a notify
>filter that can alert me to anyone trying this again. I tried to find info on
>this but haven't had much luck.
>
>Could someone please give me some pointers on how to achieve this?

You could set up something like this:

where 192.168.1.45 is your snmp gathering box (MRTG, etc...)
where 192.168.20.8 is your PM

add filter blocksnmp.in
set filter blocksnmp.in 1 permit 192.168.1.45/32 192.168.20.8/32 udp dest eq 161
set filter blocksnmp.in 2 deny 0.0.0.0/0 192.168.20.8/32 udp dest eq 161 log
set filter blocksnmp.in 3 permit

set ether0 ifilter blocksnmp.in

Make sure to set your loghost and this rule will log any failed (and
blocked) inbound snmp packets to the ethernet interface. If you want to
protect your PM from your dialup users connected to this box, you will need
to apply this filter via RADIUS or Choicenet to their connections too.

-Robert

btw- If you don't need snmp then

set snmp dis
sa al
reb

Tellurian Networks (Formerly Garden Networks)
Internet access for the earth since 1995
Access, Co-location, Development & Consulting
http://www.tellurian.net (888)TELLURIAN Ext.103
Finger robert@tellurian.net for PGP public key
Emerson looked at Thoreau through the jailhouse bars.
Why are you in there? he asked.
Why are you out there? he answered.
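To see how the three blocksnmp.in rules above behave under the PortMaster's first-match evaluation, here is an added example (not part of Robert's post or of ComOS itself) that parses those exact lines and runs constructed sample packets through them. It assumes a simplified parser covering only the syntax used in the post and an implicit deny when no rule matches.

```python
import ipaddress

# The three filter rules from the post, verbatim, as ComOS "set filter" lines.
BLOCKSNMP_IN = [
    "set filter blocksnmp.in 1 permit 192.168.1.45/32 192.168.20.8/32 udp dest eq 161",
    "set filter blocksnmp.in 2 deny 0.0.0.0/0 192.168.20.8/32 udp dest eq 161 log",
    "set filter blocksnmp.in 3 permit",
]

def parse_rule(line):
    """Parse 'set filter NAME N ACTION [SRC DST PROTO dest eq PORT] [log]'.
    Only the subset of the ComOS filter syntax used in the post is handled (assumption)."""
    tok = line.split()
    assert tok[:2] == ["set", "filter"], line
    rule = {"name": tok[2], "num": int(tok[3]), "action": tok[4],
            "src": None, "dst": None, "proto": None, "dport": None,
            "log": tok[-1] == "log"}
    body = tok[5:-1] if rule["log"] else tok[5:]
    if body:  # qualified rule: SRC DST PROTO dest eq PORT
        rule["src"] = ipaddress.ip_network(body[0])
        rule["dst"] = ipaddress.ip_network(body[1])
        rule["proto"] = body[2]
        if body[3:5] == ["dest", "eq"]:
            rule["dport"] = int(body[5])
    return rule

def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation: returns (action, logged, matching rule number)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["src"] is None:  # an unqualified rule matches every packet
            return r["action"], r["log"], r["num"]
        if (s in r["src"] and d in r["dst"] and proto == r["proto"]
                and (r["dport"] is None or dport == r["dport"])):
            return r["action"], r["log"], r["num"]
    return "deny", False, None  # assumption: implicit deny when nothing matches

RULES = [parse_rule(line) for line in BLOCKSNMP_IN]

# Constructed sample packets arriving inbound on ether0 (192.168.20.8 is the PM).
SAMPLES = [
    ("192.168.1.45", "192.168.20.8", "udp", 161),  # the MRTG box polling: rule 1
    ("10.9.9.9",     "192.168.20.8", "udp", 161),  # anyone else hitting SNMP: rule 2, logged
    ("10.9.9.9",     "192.168.20.8", "tcp", 23),   # non-SNMP traffic falls through to rule 3
]

def classify(packets):
    """Run each packet through the filter; only rule 2 hits reach the loghost."""
    return [evaluate(RULES, *p) for p in packets]
```

Note that a packet from a dialup user arrives on the dialup port, not ether0, which is why the post says the filter must also be applied to those connections via RADIUS or ChoiceNet.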
