
Re: How to SNMP from DMZ using PF ?



On Thu, 04 Sep 2003 10:05:03 -0600 Joe Pezzillo <joe@thinksimilar.com> wrote:
> > also, be aware that if there's any kind of NAT involved, the SNMP
> > payloads will not be translated, so you'll need to be prepared to
> > deal with it.
 
> I'll bet that's the problem, I'm using binat to expose the DMZ host on an
> external IP. However, I read in pf.conf(5) that "port numbers are never
> translated with a binat rule" and so I figured that meant it would work
> without modification, especially since I am already trying to pass udp 161
> from the DMZ machine to the router, and then any udp from the router to the
> DMZ machine (plus the external is already set to allow any udp out).

as a practical matter, i think you need to look to software solutions
outside of the pf/nat box. there is a theoretical possibility of writing an
SNMP payload translator for a pf/nat box, but i'm not convinced it's a good
idea, and it certainly doesn't exist now.

basically, you need some sort of SNMP translator that knows the relevant
MIBs and has a list of the translations that need to be handled; it would
insert in front of MRTG or Netsaint or whatever other SNMP tool you are
using. it might be possible to cob something usable up using the UCD snmp
libraries.

richard
-- 
Richard Welty                                         rwelty@averillpark.net
Averill Park Networking                                         518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
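The point Richard makes is that binat rewrites only the IP header: the SNMP payload is BER-encoded ASN.1, and the addresses in it (IpAddress values, and table rows such as ipAddrTable whose instance index is itself an address baked into the OID) go through untouched. The following is an added example, not code from this thread, pf or UCD-SNMP, of the kind of payload translator he describes: it walks the BER structure of an SNMPv1/v2c message, rewrites IpAddress values and the ipAddrEntry index per a binat-style map, and re-encodes lengths, since a rewritten address can change the size of the OID encoding. The addresses in BINAT_MAP and the sample GetResponse are constructed; the tag values and the ipAddrEntry OID (1.3.6.1.2.1.4.20.1) are standard BER and MIB-II.

```python
"""Minimal SNMPv1/v2c payload translator: rewrites IpAddress values and
ipAddrTable indexes inside BER-encoded messages, the part of SNMP that a
NAT box (pf binat included) leaves alone. Example code written for this
page; not pf, UCD-SNMP or any other project's code."""
from ipaddress import IPv4Address

BINAT_MAP = {"10.1.1.5": "203.0.113.5"}       # constructed, hypothetical mapping
IP_ADDR_ENTRY = [1, 3, 6, 1, 2, 1, 4, 20, 1]   # ipAddrEntry.<column>.<a.b.c.d>
TAG_OID, TAG_IPADDR = 0x06, 0x40               # IpAddress = APPLICATION 0, primitive

def _decode_len(buf, i):
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def decode(buf):
    """BER -> list of (tag, value); value is bytes, or a node list if constructed."""
    nodes, i = [], 0
    while i < len(buf):
        tag, (length, j) = buf[i], _decode_len(buf, i + 1)
        body = buf[j:j + length]
        nodes.append((tag, decode(body) if tag & 0x20 else body))
        i = j + length
    return nodes

def encode(nodes):
    out = b""
    for tag, value in nodes:
        body = encode(value) if isinstance(value, list) else value
        out += bytes([tag]) + _encode_len(len(body)) + body
    return out

def oid_decode(b):
    subs, val = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:                       # base-128, high bit = continuation
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            subs.append(val)
            val = 0
    return subs

def oid_encode(subs):
    out = bytearray([subs[0] * 40 + subs[1]])
    for s in subs[2:]:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.insert(0, 0x80 | (s & 0x7F))
            s >>= 7
        out += bytes(chunk)
    return bytes(out)

def translate(nodes, addr_map):
    """Rewrite IpAddress values and ipAddrEntry indexes; recurse into SEQUENCEs."""
    out = []
    for tag, value in nodes:
        if isinstance(value, list):
            out.append((tag, translate(value, addr_map)))
        elif tag == TAG_IPADDR and len(value) == 4:
            ip = str(IPv4Address(value))
            out.append((tag, IPv4Address(addr_map.get(ip, ip)).packed))
        elif tag == TAG_OID:
            subs = oid_decode(value)
            # MIB knowledge: the last four sub-ids of an ipAddrEntry row are the address
            if subs[:9] == IP_ADDR_ENTRY and len(subs) == 14:
                ip = ".".join(map(str, subs[10:]))
                subs = subs[:10] + [int(x) for x in addr_map.get(ip, ip).split(".")]
            out.append((tag, oid_encode(subs)))
        else:
            out.append((tag, value))
    return out

def translate_message(msg, addr_map=BINAT_MAP):
    return encode(translate(decode(msg), addr_map))

def varbinds(msg):
    """[(oid_subids, value_tag, value_bytes)] from an SNMPv1/v2c message."""
    pdu = decode(msg)[0][1][2][1]          # message -> [version, community, PDU]
    return [(oid_decode(vb[0][1]), vb[1][0], vb[1][1]) for _, vb in pdu[3][1]]

def build_sample_response():
    """Constructed GetResponse: ipAdEntAddr.10.1.1.5 = IpAddress 10.1.1.5, community public."""
    oid = oid_encode(IP_ADDR_ENTRY + [1, 10, 1, 1, 5])
    varbind = (0x30, [(TAG_OID, oid), (TAG_IPADDR, IPv4Address("10.1.1.5").packed)])
    pdu = (0xA2, [(0x02, b"\x01"), (0x02, b"\x00"), (0x02, b"\x00"), (0x30, [varbind])])
    return encode([(0x30, [(0x02, b"\x01"), (0x04, b"public"), pdu])])

if __name__ == "__main__":
    for oid, _tag, val in varbinds(translate_message(build_sample_response())):
        print(".".join(map(str, oid)), "=", IPv4Address(val))
```

Note what the example does not do, which is exactly why the reply calls a translator a poor idea for the pf box itself: it knows one address-indexed table. ipRouteTable (indexed by ipRouteDest) and ipNetToMediaTable (indexed by ifIndex plus the address) need their own rules, and the 203 in the rewritten index takes two base-128 bytes where 10 took one, so every enclosing length has to be recomputed. That is application-layer work, which is why it belongs in front of MRTG or Netsaint rather than in the packet filter.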