How to let IPFilter to pass in traffic from certain source port

I need to set an IP Filter rule to allow traffic from any source address but at a certain port, say 162, the SNMP trap port. The port we normally put in the rule file is the port at the target address.
gs_kanataAsked:
RowleyCommented:
Assuming you are talking about ipf in Solaris, you could have:

pass in proto udp from any to any port = 162

to allow all snmp trap traffic in on all interfaces from anywhere. This rule would apply, then further rules would subsequently be applied to packets. To stop processing packets if a match is found you might want to add the quick short-cut option:

pass in quick proto udp from any to any port = 162

which would prevent ipf from applying any further rules to the packet. More here.
0
nociSoftware EngineerCommented:
If this is Linux ipfilter/netfilter then:

iptables -I INPUT -p udp --sport 162 --dport 162 -j ACCEPT         # for input to the system
iptables -I FORWARD -p udp  --sport 162 --dport 162 -j ACCEPT         # for passthrough to other systems (might need NAT support too)

0
gs_kanataAuthor Commented:
It is Solaris, not Linux, and I only care about the source port, not the destination port.
0
nociSoftware EngineerCommented:
Naming that you only want to receive SNMP traps means that the destination IS UDP/162.


pass in [quick] proto udp from any port = 162 to any [ port = 162 ]

Leave quick out if you want more tests on a packet; quick marks the packet as processed.
Leave the port = 162 on dest out if you mean to accept any message...

Note that a source port might get mangled from 162 to something different if a remote host is behind a NAT-router.
So the first solution mentioned in this question is addressing the receiving of SNMP traps... (this more or less does the reverse...)
0
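The NAT caveat above is easiest to see by running rules against packets. The following is an added example, not code from the thread: a toy matcher for the subset of ipf rule syntax used here (no `keep state`, no `on <if>`), with the simplified ipf semantics that the last matching rule wins unless a matching rule is `quick`. The addresses and ports are constructed sample data.

```python
import re

# Subset of ipf rule grammar used in this thread: action, direction, optional quick/proto,
# from <host> [port = N] to <host> [port = N]. 'keep state' and 'on <if>' are not handled.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?:\s+(?P<quick>quick))?"
    r"(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?$"
)

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    r = m.groupdict()
    r["quick"] = r["quick"] is not None
    r["sport"] = int(r["sport"]) if r["sport"] else None
    r["dport"] = int(r["dport"]) if r["dport"] else None
    return r

def rule_matches(rule, pkt):
    """pkt is a dict: dir, proto, src, sport, dst, dport. 'any' matches every host."""
    return all([
        rule["dir"] == pkt["dir"],
        rule["proto"] in (None, pkt["proto"]),
        rule["src"] in ("any", pkt["src"]),
        rule["dst"] in ("any", pkt["dst"]),
        rule["sport"] in (None, pkt["sport"]),
        rule["dport"] in (None, pkt["dport"]),
    ])

def decide(rules, pkt):
    """Simplified ipf evaluation: the last matching rule wins, unless a matching rule
    is 'quick', which stops evaluation at once. None means no rule matched."""
    decision = None
    for r in rules:
        if rule_matches(r, pkt):
            decision = r["action"]
            if r["quick"]:
                break
    return decision

# Constructed packets: a trap sent directly, and the same trap after a NAT router
# rewrote the sender's source port (the caveat raised in the answer above).
DIRECT_TRAP = dict(dir="in", proto="udp", src="10.0.0.5", sport=162, dst="10.0.0.1", dport=162)
NATTED_TRAP = dict(dir="in", proto="udp", src="203.0.113.9", sport=40123, dst="10.0.0.1", dport=162)
BY_SOURCE_PORT = [parse_rule("pass in quick proto udp from any port = 162 to any")]
BY_DEST_PORT = [parse_rule("pass in quick proto udp from any to any port = 162")]
```

A rule keyed on the source port passes the direct trap but not the NATed one, while keying on destination port 162 passes both.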

gs_kanataAuthor Commented:
noci, thanks for the detailed explanation!

I did further look at my case, and realized that my issue may not be the source port. I have 2 Solaris machines in a cluster talking to each other. They both have the same IPFilter rule file. When invoking a command on one machine, it acts like an SNMP client to send a trap to the other machine at port 162. Then the other machine, acting like an SNMP server, responds back to the client at a dynamic high-end port. So maybe the following rule will do it:

pass in [quick] proto udp from any to any port = 162 keep state

 
0
gs_kanataAuthor Commented:
BTW, how could I get the same rule# for pass in and pass out rules:

@1 pass out quick from any to any keep state
@1 pass in quick on qe0 from any to any
0
RowleyCommented:
pass in-out quick from any to any keep state
pass in-out quick on qe0 from any to any

is that what you mean?
0
gs_kanataAuthor Commented:
No, it is not in-out. "qe0" may be just an example for the interface name. However, I don't understand why two rules have the same # when loading into the kernel.
0
gs_kanataAuthor Commented:
Another strange issue. I have the following rule:

pass out quick from any to any keep state

As mentioned above, when the command is invoked for the first time to trigger a call to bind the remote 162 port and get the response packet to bind the local dynamic port, the above "pass out" rule does not match. I have an OOW packet being blocked.

Apr  7 17:23:49 HA1 ipmon[3356]: [ID 702911 local0.warning] 17:23:48.920130 e1000g1 @0:100 b 47.129.242,36,162 -> 47.129.242.38,32932 PR tcp len 20 40 -A IN OOW

However, if I issue the command again later, then it matches the pass out rule. So this OOW is mysterious.
0
RowleyCommented:
Ahh I understand what you're asking now. The numbering is separate for ingress and egress filters, hence they both have @1. If, for example, you were to add:

pass in quick proto tcp from any to any port = smtp

Reload your rule set, then run the ipfstat command again:

$ ipfstat -ion
@1 pass out quick from any to any keep state
@1 pass in quick on e1000g0 from any to any
@2 pass in quick proto tcp from any to any port = smtp

You can see that there is an @2 for ingress rules.

0
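The separate in/out numbering above matters when reading ipmon output like the OOW line quoted earlier, because a bare rule number is ambiguous without the packet's direction. The following is an added example, not code from the thread: it parses syslog-wrapped ipmon lines and `ipfstat -ion` output and looks rules up by (direction, number). It assumes, as labelled in the code, that the rule number ipmon logs after `@group:` is the number shown by `ipfstat -ion` for that direction; the log lines and rule listing are constructed sample data in the formats quoted in the thread.

```python
import re

# One ipmon line: time iface @group:rule action src,sport -> dst,dport PR proto len hl tot [-flags] IN|OUT [OOW]
IPMON_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<ifname>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)"
    r"\s+PR\s+(?P<proto>\w+)\s+len\s+\d+\s+\d+(?:\s+-(?P<flags>\S+))?\s+(?P<dir>IN|OUT)"
    r"(?:\s+(?P<oow>OOW))?"
)
# One 'ipfstat -ion' line: @N followed by the rule text, whose second word is the direction.
IPFSTAT_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<text>(?:pass|block)\s+(?P<dir>in|out)\b.*)$")

def parse_ipmon(line):
    """Return the event fields from one syslog-wrapped ipmon line, or None if it is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in ("group", "rule", "sport", "dport"):
        ev[k] = int(ev[k])
    ev["blocked"] = ev["action"] == "b"
    ev["oow"] = ev["oow"] is not None  # out-of-window: the packet failed the state check
    return ev

def parse_ipfstat(output):
    """Index rules by (direction, number): in and out rules are numbered separately."""
    rules = {}
    for line in output.splitlines():
        m = IPFSTAT_RE.match(line.strip())
        if m:
            rules[(m["dir"], int(m["num"]))] = m["text"]
    return rules

def resolve_rule(event, rules):
    """Assumption: ipmon's rule number is the per-direction ipfstat number. None if absent."""
    return rules.get((event["dir"].lower(), event["rule"]))

def blocked_oow(lines):
    """Pick out blocked out-of-window packets, the symptom described in the thread."""
    events = filter(None, (parse_ipmon(l) for l in lines))
    return [(e["src"], e["sport"], e["dst"], e["dport"]) for e in events if e["blocked"] and e["oow"]]

# Constructed sample data (addresses from documentation ranges, not the thread's hosts).
IPFSTAT_OUTPUT = """\
@1 pass out quick from any to any keep state
@1 pass in quick on e1000g0 from any to any
@2 pass in quick proto tcp from any to any port = smtp
"""
IPMON_LINES = [
    "Apr  7 17:23:49 HA1 ipmon[3356]: [ID 702911 local0.warning] 17:23:48.920130 e1000g1 "
    "@0:100 b 192.0.2.36,162 -> 192.0.2.38,32932 PR tcp len 20 40 -A IN OOW",
    "Apr  7 17:23:50 HA1 ipmon[3356]: [ID 702911 local0.notice] 17:23:50.100000 e1000g0 "
    "@0:1 p 192.0.2.38,32933 -> 192.0.2.36,162 PR udp len 20 56 OUT",
    "Apr  7 17:23:51 HA1 ipmon[3356]: [ID 702911 local0.notice] 17:23:51.200000 e1000g0 "
    "@0:2 p 198.51.100.7,51000 -> 192.0.2.38,25 PR tcp len 20 60 -S IN",
]
```

The `@0:1 ... OUT` event resolves to the `pass out` rule and `@0:2 ... IN` to the smtp rule, while the OOW block references a number not present in the listing and stays unresolved.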