On 7/28/20 12:07 PM, Walter Hofstädtler wrote:
> Matt,
>
>>> Did you change the back end before restarting SW?
> How to change the backend? Please elaborate.
>
>>> What is the value of 'RESTART=' in shorewall.conf?
> RESTART=restart
>
> Minutes ago I did this test:
>
> 1. Switched to iptables-legacy:
> $ update-alternatives --config iptables
> 1 enter
>
> 2. rebooted the server
>
> Unfortunately this did not solve the issue, all snmp packets dropped.
>
I don't believe that this is a Shorewall issue at all. Shorewall simply
loads nf_nat_snmp_basic (which in turn loads nf_conntrack_snmp). This
may be overridden by:

a) Listing nf_nat_snmp_basic in the DONT_LOAD setting in shorewall.conf.
b) Listing the helpers that you do want loaded in the HELPERS setting.
c) Set AUTOHELPERS to no.

You may also need to blacklist nf_conntrack_snmp (See
https://wiki.debian.org/KernelModuleBlacklisting).

-Tom
--
Tom Eastep        \   Q: What do you get when you cross a mobster
Shoreline,         \     with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \   can't understand
                      \________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
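
A way to check the three settings named in the reply against what the kernel actually has loaded, as an added example that is not part of the original thread or of Shorewall. It assumes the usual /etc/shorewall/shorewall.conf location and the module names nf_nat_snmp_basic and nf_conntrack_snmp; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Default paths are assumptions.

# Print the value assigned to KEY in a shorewall.conf-style file (last one wins).
conf_value() {  # conf_value KEY FILE
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed 's/[[:space:]]*#.*$//; s/^"//; s/"$//'
}

# Print the SNMP helper modules present in a /proc/modules-style file.
loaded_snmp_modules() {  # loaded_snmp_modules FILE
    awk '$1 == "nf_nat_snmp_basic" || $1 == "nf_conntrack_snmp" { print $1 }' "$1" |
        sort | tr '\n' ' ' | sed 's/ $//'
}

# Succeed if MODULE appears in the DONT_LOAD list of FILE.
in_dont_load() {  # in_dont_load MODULE FILE
    conf_value DONT_LOAD "$2" | tr ', ' '\n\n' | grep -Fqx "$1"
}

# Show the relevant settings next to the modules that are really loaded.
report() {  # report [CONF] [MODULES]
    conf=${1:-/etc/shorewall/shorewall.conf}
    mods=${2:-/proc/modules}
    for key in DONT_LOAD HELPERS AUTOHELPERS; do
        printf '%s=%s\n' "$key" "$(conf_value "$key" "$conf")"
    done
    loaded=$(loaded_snmp_modules "$mods")
    printf 'SNMP helper modules loaded: %s\n' "${loaded:-none}"
    for m in nf_nat_snmp_basic nf_conntrack_snmp; do
        if in_dont_load "$m" "$conf"; then listed=yes; else listed=no; fi
        printf '%s in DONT_LOAD: %s\n' "$m" "$listed"
    done
}

# Constructed sample input so the script runs anywhere; on a real host call
# `report` with no arguments instead.
tmp=$(mktemp -d)
printf 'AUTOHELPERS=Yes\nHELPERS=\nDONT_LOAD=nf_nat_snmp_basic\n' > "$tmp/shorewall.conf"
printf 'nf_conntrack_snmp 16384 0 - Live 0x0\n' > "$tmp/modules"
report "$tmp/shorewall.conf" "$tmp/modules"
rm -rf "$tmp"
```

In the constructed sample, nf_conntrack_snmp is still loaded even though nf_nat_snmp_basic is in DONT_LOAD, which is the situation where the blacklisting step mentioned in the reply applies.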