[mrtg] Re: Firewall rule for MRTG

Don Harvie donharvie at yahoo.com.au
Mon Feb 17 04:12:14 MET 2003

AS, Raj Kumar wrote:
> Hi Group,
> If I want to monitor a router behind the firewall, what are all the services
> I have to enable?
> Will just SNMP do?  Do I have to enable any specific ports?

Just SNMP will usually do (UDP port 161).

Typically you would allow UDP 161 as a destination port. Source ports 
will be greater than 1024. Only allow SNMP in the direction required. I 
assume you'll be monitoring a router connecting to an untrusted network, 
so be careful as to what you allow back in.

If in doubt don't allow anything at first, try cfgmaker / mrtg against 
the router and watch to see the drops in your f/w logs. Create the 
firewall rules only to pass the snmp traffic that you see being dropped 
between your mrtg host & the router.

Make sure your router has strong community strings (not public / private) 
and preferably Read-Only access that is restricted to the mrtg host IP 
address with local access lists as well (this is especially the case if 
your router is connected to the internet).

Don Harvie				  Ph +61 2 9882 5963
Snr Network & Firewall Engineer,	  Fax +61 2 9882 5993
Telstra Internetworking Solutions	  Mob +61 417 411 427
Level 3, 112 Talavera Rd		  Email Don_Harvie at EnterpriseServices.com.au
North Ryde NSW 2113		                donharvie at yahoo.com.au  (personal)
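The "log the drops first, then open only what you saw" procedure above, as an added POSIX shell example (not part of the original post or of MRTG). It assumes a netfilter-style LOG line format on the firewall and uses constructed addresses and log lines: 192.0.2.10 stands in for the mrtg host, 198.51.100.1 for the router. `snmp_drops` pulls out only the dropped UDP/161 packets between those two hosts, and `snmp_rules` emits the matching iptables rules, restricted to the mrtg host, the router, the mrtg-to-router direction, and source ports above 1024, with everything else on 161 still logged and dropped.

```shell
#!/bin/sh
# Added example, not from the original post. Addresses are constructed
# placeholders (RFC 5737 test networks); replace with your own.
MRTG_HOST="192.0.2.10"     # assumption: the host running mrtg / cfgmaker
ROUTER="198.51.100.1"      # assumption: the router being polled

# Constructed sample of netfilter LOG output, as a firewall that still drops
# everything on 161 would write it while cfgmaker is being tried. Lines 4 and 5
# are unrelated noise and must not turn into rules.
SAMPLE_LOG='Feb 17 04:10:01 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 PROTO=UDP SPT=34567 DPT=161 LEN=60
Feb 17 04:10:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=198.51.100.1 DST=192.0.2.10 PROTO=UDP SPT=161 DPT=34567 LEN=120
Feb 17 04:10:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=198.51.100.1 DST=192.0.2.10 PROTO=UDP SPT=161 DPT=34568 LEN=120
Feb 17 04:10:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=40000 LEN=80
Feb 17 04:10:06 fw kernel: DROP IN=eth1 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=1025 DPT=161 LEN=60'

# snmp_drops [logfile]: print "SRC DST SPT DPT" for each dropped UDP packet
# that touches port 161 AND is between the mrtg host and the router (either
# direction). Reads the file named in $1, or the constructed sample.
snmp_drops() {
    { if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi; } |
    awk -v m="$MRTG_HOST" -v r="$ROUTER" '
        /DROP/ && /PROTO=UDP/ {
            src = ""; dst = ""; spt = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "DST") dst = kv[2]
                if (kv[1] == "SPT") spt = kv[2]
                if (kv[1] == "DPT") dpt = kv[2]
            }
            if ((spt == "161" || dpt == "161") &&
                ((src == m && dst == r) || (src == r && dst == m)))
                print src, dst, spt, dpt
        }'
}

# snmp_drop_count [logfile]: how many such drops were seen (0 means nothing
# to open yet).
snmp_drop_count() {
    snmp_drops "$1" | wc -l | tr -d ' '
}

# snmp_rules: print the minimal iptables rules for the traffic above. Only the
# poll (mrtg -> router, dport 161, sport > 1024) opens a new flow; the reply is
# admitted only as part of that flow. Anything else to 161 is logged and dropped,
# which keeps the "watch the drops" loop working for future changes.
snmp_rules() {
    printf 'iptables -A FORWARD -p udp -s %s -d %s --sport 1024:65535 --dport 161 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' "$MRTG_HOST" "$ROUTER"
    printf 'iptables -A FORWARD -p udp -s %s -d %s --sport 161 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' "$ROUTER" "$MRTG_HOST"
    printf 'iptables -A FORWARD -p udp --dport 161 -j LOG --log-prefix "DROP SNMP "\n'
    printf 'iptables -A FORWARD -p udp --dport 161 -j DROP\n'
}

# Stand-alone run: show what was dropped, then the rules that would admit it.
if [ "${SNMP_EXAMPLE_QUIET:-}" = "" ]; then
    echo "dropped SNMP packets between mrtg host and router:"
    snmp_drops
    echo "rules to add (review before applying):"
    snmp_rules
fi
```

Run it as-is to see the three matching drops and the four rules; set `SNMP_EXAMPLE_QUIET=1` and source the file to call `snmp_drops /var/log/kern.log` against a real log. The rules are printed, not executed, so they can be checked against the drops before being applied; the two noise lines (DNS reply, and a 161 probe from an unrelated host) are correctly left out.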

Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive     http://www.ee.ethz.ch/~slist/mrtg
FAQ         http://faq.mrtg.org    Homepage     http://www.mrtg.org
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi
