Firewall Wizards mailing list archives

snmp scans


From: Gerhard Mezger <gerhard.mezger () bluewin ch>
Date: Mon, 07 Jun 1999 23:30:00 +0200

Recently we saw several snmp-scans towards part of our network
with source addresses out of the range of a foreign dial-up service
provider. It looks like these scans were run from an automatic tool,
especially because the source port is always the same (1026).

It seems that all requests get dropped at the external interface of the
firewall. 

Today we noticed a strange entry in our logfile: The network was scanned
from the same address/source-port as before (in declining order), the
last dropped snmp message of this scan however was destined to the
limited broadcast address: 255.255.255.255.

It is my understanding that routers are not allowed to forward the
limited broadcast address. Given this, I do not understand how this
packet appears on the external segment of our firewall which is only
shared by the firewall and a router providing access to the Internet.

We checked the config, especially the ACLs of this router, and
everything looks fine.
Has anybody seen this before or have an idea how this could happen?

thanks
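
An added example, not part of the original post: one way to pull the pattern described above (one source address and fixed source port probing UDP/161 across many hosts in descending order, ending with the limited broadcast address) out of firewall drop records. The log format, addresses and function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of firewall drop records (not from the original post):
# time action proto source:port -> destination:port
SAMPLE_LOG = """\
23:01:10 drop udp 198.51.100.7:1026 -> 192.0.2.14:161
23:01:11 drop udp 198.51.100.7:1026 -> 192.0.2.13:161
23:01:12 drop udp 198.51.100.7:1026 -> 192.0.2.12:161
23:01:13 drop udp 198.51.100.7:1026 -> 192.0.2.11:161
23:01:14 drop udp 198.51.100.7:1026 -> 255.255.255.255:161
23:02:40 drop udp 203.0.113.9:40112 -> 192.0.2.12:161
23:03:05 drop tcp 203.0.113.9:40113 -> 192.0.2.12:80
"""

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")

def parse(line):
    """Return (src, sport, dst, dport, proto) for a drop record, else None."""
    parts = line.split()
    if len(parts) != 6 or parts[1] != "drop" or parts[4] != "->":
        return None
    src, sport = parts[3].rsplit(":", 1)
    dst, dport = parts[5].rsplit(":", 1)
    return (ipaddress.IPv4Address(src), int(sport),
            ipaddress.IPv4Address(dst), int(dport), parts[2])

def find_snmp_scans(log_text, min_targets=3):
    """Group dropped UDP/161 probes by (source, source port) and summarise."""
    targets = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        src, sport, dst, dport, proto = rec
        if proto == "udp" and dport == 161:
            targets[(src, sport)].append(dst)
    findings = []
    for (src, sport), dsts in targets.items():
        unicast = [d for d in dsts if d != LIMITED_BROADCAST]
        if len(set(unicast)) < min_targets:
            continue  # too few distinct hosts to call it a scan
        findings.append({
            "source": str(src), "source_port": sport,
            "targets": len(set(unicast)),
            # True when each probed address is lower than the previous one
            "descending": all(a > b for a, b in zip(unicast, unicast[1:])),
            "limited_broadcast": LIMITED_BROADCAST in dsts,
        })
    return findings
```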


