[cups.general] snmp address ranges

Michael R Sweet msweet at apple.com
Wed Aug 13 14:01:48 PDT 2008


Stephen Isard wrote:
> ...
> It turns out to be my firewall.  I had opened ports 161:162 for snmp,
> but it appears that you need to accept packets FROM those ports, to
> whatever high numbered port the broadcast went out from.  If I put in
> an iptables rule accepting all packets from 161:162 to high numbered
> ports, the cups snmp backend finds the printers.
> 
> However, that doesn't seem an ideal setup from a security point of
> view, because bad guys can easily send whatever they like from ports
> 161:162. Is there a way to configure iptables to allow cups snmp
> browsing without compromising security to that extent?

I'm not an iptables expert, but given that SNMP is UDP-based and
basically stateless, I doubt it.

> Something I don't fully understand is why the cups snmp backend
> worked when I gave it the ip address of the printer as an argument.
> I think it must be because I have an iptables rule that accepts
> packets with the condition "--state ESTABLISHED,RELATED".  Apparently
> when the backend is called with a single address, the replies to the
> sending port are treated as ESTABLISHED,RELATED, but when the backend
> sends a broadcast, they are not.  Might there be a way to identify
> replies to the broadcast port so that they can be accepted? 

You might be able to list the broadcast address in your firewall
rule, but I don't know enough about iptables to really help you.

-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer
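As an added example that is not from this thread, a narrower iptables exception than accepting everything from ports 161:162: it admits UDP from source port 161 only on the LAN interface and subnet, only to the unprivileged port range the CUPS probe is sent from, and rate-limits it. The interface name, subnet and port range are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Restricts the SNMP
# discovery exception to the LAN; LAN_IF and LAN_NET are assumptions.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the rule (without the iptables command and -A/-C flag) that admits
# a printer's SNMP reply to a broadcast probe: UDP from source port 161,
# from the LAN subnet on the LAN interface, to an unprivileged port.
# conntrack does not pair these with the outgoing broadcast, so the rule
# is needed even with an ESTABLISHED,RELATED rule in place.
snmp_reply_rule() {
  printf 'INPUT -i %s -s %s -p udp --sport 161 --dport 1024:65535 -m limit --limit 20/sec -j ACCEPT\n' \
    "$LAN_IF" "$LAN_NET"
}

# Insert the rule once (skip if an identical rule is already present).
apply_snmp_reply_rule() {
  rule="$(snmp_reply_rule)"
  # shellcheck disable=SC2086  # word splitting of $rule is intended
  iptables -C $rule 2>/dev/null || iptables -A $rule
}

# Only touch the firewall when explicitly asked: ./snmp-rule.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_snmp_reply_rule
fi
```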