snmp address ranges

Stephen Isard suovmbg02 at sneakemail.com
Wed Aug 13 13:09:08 PDT 2008


> >> Your printers are not configured properly (wrong netmask?) or have
> >> a buggy IP stack that can't deal with "classless" networks
> >> (networks that have netmasks other than 255.0.0.0, 255.255.0.0, or
> >> 255.255.255.0).

It turns out to be my firewall.  I had opened ports 161:162 for snmp, but it appears that you need to accept packets FROM those ports, to whatever high numbered port the broadcast went out from.  If I put in an iptables rule accepting all packets from 161:162 to high numbered ports, the cups snmp backend finds the printers.

However, that doesn't seem an ideal setup from a security point of view, because bad guys can easily send whatever they like from ports 161:162.
Is there a way to configure iptables to allow cups snmp browsing without compromising security to that extent?

Something I don't fully understand is why the cups snmp backend worked when I gave it the IP address of the printer as an argument.  I think it must be because I have an iptables rule that accepts packets with the condition "--state ESTABLISHED,RELATED".  Apparently when the backend is called with a single address, the replies to the sending port are treated as ESTABLISHED,RELATED, but when the backend sends a broadcast, they are not.  Might there be a way to identify replies to the broadcast port so that they can be accepted?
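An added illustration of the conntrack behaviour asked about in the message above; this is example code written for this page, not part of the thread and not CUPS code. It is a toy model of netfilter's per-flow tuple matching: a unicast SNMP probe records a flow whose reversed tuple matches the printer's reply, so the reply is ESTABLISHED, while a broadcast probe records a reversed tuple with the broadcast address as source, which no printer's unicast reply can match, so those replies arrive as NEW. The second half contrasts the loose "anything from 161:162 to a high port" rule with a tightened predicate (UDP only, source port 161 only, LAN subnet and LAN interface only, ephemeral destination ports only). All addresses, the 192.168.1.0/24 subnet, the eth0 interface name and the 32768:61000 port range are constructed sample values.

```python
"""Toy model of nf_conntrack tuple matching for SNMP discovery replies.
Added example for this page; sample addresses/ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed Linux default ip_local_port_range (check /proc/sys/net/ipv4/ip_local_port_range)
EPHEMERAL = (32768, 61000)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "eth0"  # assumed LAN interface name

    def tuple(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_tuple(self):
        # conntrack's "reply" direction is the original tuple reversed
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class Conntrack:
    """Minimal flow table: a packet whose tuple is already known is part of an
    existing flow (ESTABLISHED); anything else starts a flow (NEW)."""

    def __init__(self):
        self._flows = {}

    def classify(self, pkt):
        t = pkt.tuple()
        if t in self._flows:
            return "ESTABLISHED"
        # Record both directions so the expected reply is recognised.
        self._flows[t] = pkt.reply_tuple()
        self._flows[pkt.reply_tuple()] = t
        return "NEW"


def classify_exchange(packets):
    """Run a fresh conntrack table over a packet sequence, returning the states."""
    ct = Conntrack()
    return [ct.classify(p) for p in packets]


def loose_rule_accepts(pkt):
    """The rule described in the post: any source port 161-162 to any high port."""
    return 161 <= pkt.sport <= 162 and pkt.dport >= 1024


def tight_rule_accepts(pkt, lan="192.168.1.0/24", iface="eth0"):
    """Tightened predicate: UDP only, sport 161 only, from the LAN subnet on the
    LAN interface, to a port the SNMP backend could actually have bound."""
    return (pkt.proto == "udp"
            and pkt.iface == iface
            and pkt.sport == 161
            and ip_address(pkt.src) in ip_network(lan)
            and EPHEMERAL[0] <= pkt.dport <= EPHEMERAL[1])


def iptables_rule(lan="192.168.1.0/24", iface="eth0"):
    """iptables text equivalent to tight_rule_accepts (same assumptions)."""
    return (f"iptables -A INPUT -i {iface} -p udp -s {lan} --sport 161 "
            f"--dport {EPHEMERAL[0]}:{EPHEMERAL[1]} -j ACCEPT")


# Constructed sample traffic: host 192.168.1.10 probes from port 45000.
UNICAST_PROBE = Packet("udp", "192.168.1.10", 45000, "192.168.1.20", 161)
PRINTER_REPLY = Packet("udp", "192.168.1.20", 161, "192.168.1.10", 45000)
BCAST_PROBE = Packet("udp", "192.168.1.10", 45000, "192.168.1.255", 161)
OUTSIDE_SPOOF = Packet("udp", "203.0.113.7", 161, "192.168.1.10", 45000, iface="ppp0")


def demo():
    """Return the states and rule decisions for the constructed traffic."""
    return {
        "unicast": classify_exchange([UNICAST_PROBE, PRINTER_REPLY]),
        "broadcast": classify_exchange([BCAST_PROBE, PRINTER_REPLY]),
        "loose_accepts_outside": loose_rule_accepts(OUTSIDE_SPOOF),
        "tight_accepts_outside": tight_rule_accepts(OUTSIDE_SPOOF),
        "tight_accepts_reply": tight_rule_accepts(PRINTER_REPLY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print(iptables_rule())
```

The model shows why an ESTABLISHED,RELATED rule covers the unicast case but not discovery by broadcast: the reply to a broadcast comes from a different source address than the one conntrack recorded. The tightened rule narrows what a packet sourced from port 161 can reach, but it still trusts any sender that presents a LAN address on the LAN interface, so it reduces rather than removes the exposure described in the message. Later Linux kernels ship an SNMP conntrack helper (nf_conntrack_snmp, built on nf_conntrack_broadcast) that creates expectations for replies to an SNMP broadcast so they match as RELATED; that module postdates this 2008 message and must be loaded and permitted via the helper assignment rules on the kernel in use.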



