Thursday, September 11, 2008

SNMP trap sending added to IPFilter


Late last night, or early this morning, or was it yesterday morning, I finished adding sending of SNMP traps, in response to logging events, to ipmon. ipmon is the daemon that performs logging for IP Filter.



This feature is only present in IPFilter 5.0 and won't be backported to the 4.1 series. The configuration allows matching on the same data to send both v1 and v2 traps, if that's what is desired. The configuration options for enabling the sending of traps look like this:



match { logtag = 10000 }
do { send-trap v1 community public 192.168.1.239 };
#
match { logtag = 10000 }
do { send-trap v2 community read 192.168.1.239 };
#


Of course, it goes without saying that for this to work you will need to allow SNMP traps to be sent out of the firewall. There are a couple of issues that need to be discussed and resolved:



  • what address (given a firewall can have many) should be included in the trap message and how should it be configured - or just left as 0?

  • what should "uptime" be reported as? The time since IPFilter was last enabled, the current time or something else?

  • There's a request_id in SNMPv2 and some error numbers in both v1 and v2. Does it make sense for these to all be 0 or something else - and if so what?



So the hard work (creating the trap messages!) is done; now there are just some gaps to fill in.
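An added illustration, not ipmon's code: the sketch below builds both trap messages in BER so the fields behind the three questions are visible, namely agent-addr and time-stamp in the v1 Trap-PDU and request-id, error-status and error-index in the SNMPv2-Trap-PDU. The enterprise OID is a placeholder under the RFC 5612 documentation arc, using the logtag as specific-trap is an assumption, and the zero values are one possible choice rather than anything the post has settled.

```python
import socket

def tlv(tag, body):
    """BER tag-length-value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def integer(v, tag=0x02):
    """Non-negative INTEGER; tag 0x43 reuses the encoding for TimeTicks."""
    return tlv(tag, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:          # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(0x06, bytes(out))

def v1_trap(community, enterprise, agent_addr, specific, ticks):
    pdu = (oid(enterprise)
           + tlv(0x40, socket.inet_aton(agent_addr))  # agent-addr: the "which address" question
           + integer(6)                               # generic-trap 6 = enterpriseSpecific
           + integer(specific)                        # specific-trap (assumed: the logtag)
           + integer(ticks, 0x43)                     # time-stamp in 1/100 s: the "uptime" question
           + tlv(0x30, b""))                          # empty variable-bindings
    return tlv(0x30, integer(0) + tlv(0x04, community) + tlv(0xA4, pdu))

def v2c_trap(community, trap_oid, ticks, request_id=0):
    def varbind(name, value):
        return tlv(0x30, oid(name) + value)
    binds = (varbind("1.3.6.1.2.1.1.3.0", integer(ticks, 0x43))   # sysUpTime.0
             + varbind("1.3.6.1.6.3.1.1.4.1.0", oid(trap_oid)))   # snmpTrapOID.0
    # request-id, error-status, error-index: zero here as an assumption
    pdu = integer(request_id) + integer(0) + integer(0) + tlv(0x30, binds)
    return tlv(0x30, integer(1) + tlv(0x04, community) + tlv(0xA7, pdu))

if __name__ == "__main__":
    EXAMPLE_OID = "1.3.6.1.4.1.32473.1"   # placeholder under the RFC 5612 documentation arc
    print(v1_trap(b"public", EXAMPLE_OID, "0.0.0.0", 10000, 0).hex())
    print(v2c_trap(b"read", EXAMPLE_OID, 0).hex())
```

The v2c message carries no agent-addr field, so a receiver identifies the sender by the UDP source address of the packet; the uptime value moves into the sysUpTime.0 varbind.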

1 comment:

bullwhey said...

Hello Darren,
Nice feature. Where can I download this ipfilter version with the SNMP stuff in it?
Regards
Marcus