[mrtg] Re: Firewall rule for MRTG
Don Harvie
donharvie at yahoo.com.au
Mon Feb 17 04:12:14 MET 2003
AS, Raj Kumar wrote:
> Hi Group,
>
> If I want to monitor a router behind the firewall, what are all the services
> I have to enable?
> Will just SNMP do? Do I have to enable any specific ports?
Just SNMP will usually do (UDP port 161).
Typically you would allow UDP 161 as a destination port. Source ports
will be greater than 1024. Only allow SNMP in the direction required. I
assume you'll be monitoring a router connecting to an untrusted network,
so be careful as to what you allow back in.
If in doubt don't allow anything at first, try cfgmaker / mrtg against
the router and watch to see the drops in your f/w logs. Create the
firewall rules only to pass the snmp traffic that you see being dropped
between your mrtg host & the router.
Make sure your router has strong community strings (not public / private)
and preferably read-only access that is restricted to the MRTG host IP
address with local access lists as well (this is especially the case if
your router is connected to the internet).
--
Thanks,
Don Harvie Ph +61 2 9882 5963
Snr Network & Firewall Engineer, Fax +61 2 9882 5993
Telstra Internetworking Solutions Mob +61 417 411 427
Level 3, 112 Talavera Rd Email Don_Harvie at EnterpriseServices.com.au
North Ryde NSW 2113 donharvie at yahoo.com.au (personal)
Australia
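The log-driven method described in the reply (allow nothing, run cfgmaker / mrtg, read the drops, then open only what was dropped) turned into a small script, as an added example that is not from the original post and not part of MRTG. It assumes a netfilter/iptables firewall whose LOG target uses the prefix "DROP ", an MRTG host at 10.1.1.50 and a router at 192.0.2.1; the addresses and the log lines are constructed for the example. Only UDP traffic between exactly those two hosts with port 161 on the router side is turned into a rule; an unsolicited packet from a third host to port 161 is reported but never allowed, which is the "be careful what you allow back in" point.

```python
import re

MRTG_HOST = "10.1.1.50"   # assumed address of the MRTG poller (constructed)
ROUTER = "192.0.2.1"      # assumed address of the monitored router (constructed)
SNMP_PORT = 161

# Constructed netfilter LOG lines, as they would appear in the firewall log
# after cfgmaker / mrtg is run against the router with no SNMP rules in place.
SAMPLE_LOG = """\
Feb 17 03:58:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.50 DST=192.0.2.1 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=4111 DF PROTO=UDP SPT=34567 DPT=161 LEN=60
Feb 17 03:58:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.1.1.50 DST=192.0.2.1 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=4112 DF PROTO=UDP SPT=34568 DPT=161 LEN=60
Feb 17 03:58:01 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.1 DST=10.1.1.50 LEN=140 TOS=0x00 PREC=0x00 TTL=254 ID=9 PROTO=UDP SPT=161 DPT=34567 LEN=120
Feb 17 03:58:05 fw kernel: DROP IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=10.1.1.50 LEN=80 TOS=0x00 PREC=0x00 TTL=49 ID=777 PROTO=UDP SPT=53321 DPT=161 LEN=60
Feb 17 03:58:06 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.1 DST=10.1.1.50 LEN=90 TOS=0x00 PREC=0x00 TTL=254 ID=10 PROTO=UDP SPT=514 DPT=514 LEN=70
Feb 17 03:58:07 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.1 DST=10.1.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=11 PROTO=TCP SPT=23 DPT=40000 WINDOW=4128
"""

# The key=value fields of a netfilter LOG line that matter for a rule.
_KV = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_drop(line):
    """Return the relevant fields of a dropped UDP packet, or None for anything else."""
    if "DROP" not in line:
        return None
    fields = dict(_KV.findall(line))
    if fields.get("PROTO") != "UDP":
        return None
    try:
        fields["SPT"] = int(fields["SPT"])
        fields["DPT"] = int(fields["DPT"])
    except (KeyError, ValueError):
        return None
    return fields


def classify(fields, mrtg_host, router):
    """'query' for poller -> router:161, 'reply' for router:161 -> poller, else None.

    Source ports are required to be above 1024, as in the reply's description of
    the traffic; anything from or to another host is deliberately not matched.
    """
    if (fields["SRC"] == mrtg_host and fields["DST"] == router
            and fields["DPT"] == SNMP_PORT and fields["SPT"] > 1024):
        return "query"
    if (fields["SRC"] == router and fields["DST"] == mrtg_host
            and fields["SPT"] == SNMP_PORT and fields["DPT"] > 1024):
        return "reply"
    return None


def rules_from_log(log_text, mrtg_host=MRTG_HOST, router=ROUTER):
    """Build the minimal iptables rules for the SNMP drops seen in the log.

    Returns (rules, ignored): one ACCEPT rule per direction actually observed,
    plus the dropped UDP lines that were not MRTG<->router SNMP and so stay dropped.
    """
    needed = {}
    ignored = []
    for line in log_text.splitlines():
        f = parse_drop(line)
        if f is None:
            continue
        kind = classify(f, mrtg_host, router)
        if kind is None:
            ignored.append(line)
            continue
        if kind == "query":
            rule = (f"iptables -A FORWARD -i {f['IN']} -o {f['OUT']} -p udp "
                    f"-s {mrtg_host} -d {router} --sport 1024:65535 --dport {SNMP_PORT} -j ACCEPT")
        else:
            rule = (f"iptables -A FORWARD -i {f['IN']} -o {f['OUT']} -p udp "
                    f"-s {router} -d {mrtg_host} --sport {SNMP_PORT} --dport 1024:65535 -j ACCEPT")
        needed.setdefault(kind, rule)   # one rule per direction, repeats are collapsed
    return list(needed.values()), ignored


if __name__ == "__main__":
    rules, ignored = rules_from_log(SAMPLE_LOG)
    print("# rules to add:")
    for r in rules:
        print(r)
    print("# dropped UDP that is NOT MRTG<->router SNMP and stays blocked:")
    for line in ignored:
        print("#  " + line)
```

On a stateful firewall the second ("reply") rule is better expressed as a generic `--state ESTABLISHED` rule so that only answers to the poller's own queries come back in; the stateless source-port-161 form above is what the log-driven method literally yields, and it is the wider of the two. Either way the router-side ACL on the read-only community string, as recommended in the reply, is what limits damage if the firewall rule is ever wider than intended.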
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi