Filtering OIDs

The SNMP Proxy Forwarder configuration described in this example is designed to hide portions of the MIB, as implemented by the agents on one side of SNMP Proxy, from SNMP managers at the other side of SNMP Proxy.

The filtering is done by configuring the oidfilter.py plugin module and passing command and notification PDUs through it, which lets the plugin intercept each PDU and strip the OIDs it is not permitted to expose from the response.

You could test this configuration by running:

# this should fail
$ snmpget -v1 -c public 127.0.0.1:1161 sysDescr.0

# this should succeed
$ snmpget -v1 -c public 127.0.0.1:1161 sysLocation.0

For more information please refer to the oidfilter plugin documentation.

Server configuration

Server is configured to:

  • listen on UDP socket at localhost
  • respond to queries performed over SNMPv2c
  • for GET/SET/GETNEXT PDUs, take blocked OIDs out of request PDU (but remember them)
  • forward all queries to snmpfwd client through an unencrypted trunk connection running in client mode
  • reconstruct original OIDs in response PDU using blocked OIDs from GET/GETNEXT/SET request PDU and allowed OIDs from response PDU

#
# SNMP forwarder: Agent part configuration
#

config-version: 2
program-name: snmpfwd-server

snmp-credentials-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address: 127.0.0.1:1161

  snmp-engine-id: 0x0102030405070809

  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 2
  snmp-security-level: 1

  snmp-credentials-id: snmp-credentials
}

context-group {
  snmp-context-engine-id-pattern: .*?
  snmp-context-name-pattern: .*?

  snmp-context-id: any-context
}

content-group {
  snmp-pdu-type-pattern: (GET|SET|GETNEXT|GETBULK)
  snmp-pdu-oid-prefix-pattern-list: .*?

  snmp-content-id: any-content
}

peers-group {
  snmp-transport-domain: 1.3.6.1.6.1.1.100
  snmp-bind-address-pattern-list: .*?
  snmp-peer-address-pattern-list: .*?

  snmp-peer-id: 100
}

plugin-modules-path-list: ./plugins ${plugin-dir}

plugin-group {
  plugin-module: oidfilter
  plugin-options: config=${config-dir}/plugins/oidfilter.conf log-denials=true

  plugin-id: permit-system-branch
}

trunking-group {
  trunk-bind-address: 127.0.0.1
  trunk-peer-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: client

  trunk-id: trunk-1
}

routing-map {
  matching-snmp-context-id-list: any-context
  matching-snmp-content-id-list: any-content

  matching-snmp-credentials-id-list: snmp-credentials
  matching-snmp-peer-id-list: 100

  using-plugin-id-list: permit-system-branch
  using-trunk-id-list: trunk-1
}

Download server configuration file.

Plugin configuration

The oidfilter plugin is configured at the server side to pass just a few specific OIDs and branches, blocking the rest of the MIB tree that the backend SNMP agent serves.

#
# SNMP Proxy Forwarder: oidfilter plugin configuration
#

# allow sysDescr.0
1.3.6.1.2.1.1.1 1.3.6.1.2.1.1.1.0 1.3.6.1.2.1.1.1.0

# allow a few objects at the system branch
1.3.6.1.2.1.1.3 1.3.6.1.2.1.1.3.0 1.3.6.1.2.1.1.3.0

# allow whole sysORUpTime branch
1.3.6.1.2.1.1.9.1.4 1.3.6.1.2.1.1.9.1.4.1 1.3.6.1.2.1.1.9.1.4.8

# allow if#2 of ifTable
1.3.6.1.2.1.2.2.1.1.1 1.3.6.1.2.1.2.2.1.1.2 1.3.6.1.2.1.2.2.1.1.2
1.3.6.1.2.1.2.2.1.2.1 1.3.6.1.2.1.2.2.1.2.2 1.3.6.1.2.1.2.2.1.2.2

# allow some tcpConnTable branches for local routes
1.3.6.1.2.1.6.13.1.1.127.0.0.0.65535 1.3.6.1.2.1.6.13.1.1.127.0.0.1.0 1.3.6.1.2.1.6.13.1.1.127.0.0.1.65535
1.3.6.1.2.1.6.13.1.2.127.0.0.0.65535 1.3.6.1.2.1.6.13.1.2.127.0.0.1.0 1.3.6.1.2.1.6.13.1.2.127.0.0.1.65535

Download plugin configuration file.

Client configuration

Client is configured to:

  • listen on server-mode unencrypted trunk connection
  • process all incoming SNMP messages in the same way
  • place inbound PDUs into SNMP v2c messages and forward them to public SNMP agent running at demo.snmplabs.com

#
# SNMP forwarder: Manager part configuration
#

config-version: 2
program-name: snmpfwd-client

peers-group {
  snmp-engine-id: 0x0102030405070809

  snmp-transport-domain: 1.3.6.1.6.1.1.1
  snmp-bind-address: 0.0.0.0:0

  # time out SNMP request in 1 second
  snmp-peer-timeout: 100
  snmp-peer-retries: 0

  snmp-community-name: public
  snmp-security-name: public
  snmp-security-model: 2
  snmp-security-level: 1

  snmp-peer-address: 104.236.166.95:161
  snmp-peer-id: snmplabs
}

trunking-group {
  trunk-bind-address: 127.0.0.1:30301
  trunk-ping-period: 60
  trunk-connection-mode: server

  trunk-id: <discover>
}

original-snmp-peer-info-group {
  orig-snmp-bind-address-pattern: .*?
  orig-snmp-context-name-pattern: .*?

  orig-snmp-pdu-type-pattern: .*?
  orig-snmp-oid-prefix-pattern: .*?

  orig-snmp-engine-id-pattern: .*?
  orig-snmp-context-engine-id-pattern: .*?

  orig-snmp-transport-domain-pattern: .*?
  orig-snmp-peer-address-pattern: .*?

  orig-snmp-security-level-pattern: .*?

  orig-snmp-security-name-pattern: .*?
  orig-snmp-security-model-pattern: .*?

  orig-snmp-peer-id: manager-1
}

server-classification-group {
  server-snmp-credentials-id-pattern: .*?
  server-snmp-context-id-pattern: .*?
  server-snmp-content-id-pattern: .*?
  server-snmp-peer-id-pattern: .*?

  server-classification-id: any-classification
}

routing-map {
  matching-trunk-id-list: trunk-1
  matching-orig-snmp-peer-id-list: manager-1
  matching-server-classification-id-list: any-classification

  using-snmp-peer-id-list: snmplabs
}

Download client configuration file.