Hi, I'm trying to get SNMP v3 requests working over IPv6 with an active firewall on Rocky Linux 8.
Get requests over IPv4 are working fine over 161/udp with an active firewall (on the client side). But when I do a request to the same host over IPv6, no answer is received. After shutting down the firewall on the client side, requests over IPv6 are also working fine.
For testing purposes I've added a source port rule to my client's firewall: firewall-cmd --add-source-port=161/udp. After adding this rule, the answers are received.
But I don't want to allow every 161/udp source port and cannot add a rule for every host.
Do you know why UDP responses over IPv4 are received, but not over IPv6?
Kind regards, Thomas
On Fri, Apr 28, 2023 at 09:08:10AM -0000, Thomas Zimmermann wrote:
> Hi, I'm trying to get SNMP v3 requests working over IPv6 with an active firewall on Rocky Linux 8.
> Get requests over IPv4 are working fine over 161/udp with an active firewall (on the client side). But when I do a request to the same host over IPv6, no answer is received. After shutting down the firewall on the client side, requests over IPv6 are also working fine.
> For testing purposes I've added a source port rule to my client's firewall: firewall-cmd --add-source-port=161/udp. After adding this rule, the answers are received.
> But I don't want to allow every 161/udp source port and cannot add a rule for every host.
> Do you know why UDP responses over IPv4 are received, but not over IPv6?
I'm not super familiar with SNMPv3.
It may be that the kernel's connection tracking is not able to track IPv6 SNMP for some reason. You can enable --set-log-denied=all and look for INVALID drops in dmesg. Also check "conntrack -L" for udp port 161; look for UNREPLIED entries.
On 28.04.2023 21:58, Eric Garver wrote:
> On Fri, Apr 28, 2023 at 09:08:10AM -0000, Thomas Zimmermann wrote:
>> Hi, I'm trying to get SNMP v3 requests working over IPv6 with an active firewall on Rocky Linux 8.
>> Get requests over IPv4 are working fine over 161/udp with an active firewall (on the client side). But when I do a request to the same host over IPv6, no answer is received. After shutting down the firewall on the client side, requests over IPv6 are also working fine.
>> For testing purposes I've added a source port rule to my client's firewall: firewall-cmd --add-source-port=161/udp. After adding this rule, the answers are received.
>> But I don't want to allow every 161/udp source port and cannot add a rule for every host.
>> Do you know why UDP responses over IPv4 are received, but not over IPv6?
> I'm not super familiar with SNMPv3.
> It may be that the kernel's connection tracking is not able to track IPv6 SNMP for some reason. You can enable --set-log-denied=all and look for INVALID drops in dmesg. Also check "conntrack -L" for udp port 161; look for UNREPLIED entries.
SNMPv3 is using the same transport as SNMPv1 or SNMPv2; there should be no difference. I wonder if the client sends queries to a broadcast/multicast address. A packet capture of request/response would certainly be interesting.
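The conntrack and log-denied checks Eric suggested, turned into a small script. This is an added example, not from the thread: the conntrack and kernel-log lines below are constructed samples (addresses, ports and interface are made up), and it assumes the STATE_INVALID_DROP: prefix that firewalld puts on state-invalid drops. Note that conntrack -L only lists IPv4 entries unless you pass -f ipv6.

```shell
#!/bin/sh
# Constructed sample of `conntrack -L -f ipv6` output (not a real capture).
CT_SAMPLE='udp      17 29 src=2001:db8::10 dst=2001:db8::20 sport=45678 dport=161 [UNREPLIED] src=2001:db8::20 dst=2001:db8::10 sport=161 dport=45678 mark=0 use=1
udp      17 170 src=2001:db8::10 dst=2001:db8::30 sport=45679 dport=161 src=2001:db8::30 dst=2001:db8::10 sport=161 dport=45679 [ASSURED] mark=0 use=1
udp      17 29 src=2001:db8::10 dst=2001:db8::40 sport=45680 dport=53 [UNREPLIED] src=2001:db8::40 dst=2001:db8::10 sport=53 dport=45680 mark=0 use=1'

# Constructed sample of kernel log lines after `firewall-cmd --set-log-denied=all`.
DMESG_SAMPLE='[ 1234.567890] STATE_INVALID_DROP: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=2001:0db8:0000:0000:0000:0000:0000:0020 DST=2001:0db8:0000:0000:0000:0000:0000:0010 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=161 DPT=45678 LEN=80
[ 1234.600000] FINAL_REJECT: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0'

# Print "<agent address> <client source port>" for every UDP/161 flow that
# conntrack created for our request but never saw an answer to.
unreplied_snmp() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && /dport=161/ && /\[UNREPLIED\]/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dst=/ && dst == "") dst = substr($i, 5)
                if ($i ~ /^sport=/ && sp == "") sp = substr($i, 7)
            }
            print dst, sp; dst = ""; sp = ""
        }'
}

# Print "<sender> <source port>" for packets firewalld dropped as ct state
# INVALID, i.e. replies conntrack could not match to an outgoing request.
# An agent address with source port 161 here is the reply that went missing.
invalid_drops() {
    printf '%s\n' "$1" | awk '
        /STATE_INVALID_DROP:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^SPT=/) spt = substr($i, 5)
            }
            print src, spt
        }'
}

echo "UDP/161 flows with no reply seen by conntrack:"
unreplied_snmp "$CT_SAMPLE"
echo "Packets dropped as INVALID:"
invalid_drops "$DMESG_SAMPLE"
```

On a real client, feed it `conntrack -L -f ipv6` and `dmesg` output instead of the samples; a flow that is UNREPLIED while the agent's reply shows up as an INVALID drop confirms the tracking mismatch rather than a problem on the agent side.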
Thanks for your replies. Unfortunately, today the issue is gone. I haven't touched the config in the last days. The only difference is that the machines were rebooted over the weekend.
firewalld-users@lists.fedorahosted.org