[cups.general] snmp address ranges
Michael R Sweet
msweet at apple.com
Wed Aug 13 14:01:48 PDT 2008
Stephen Isard wrote:
> ...
> It turns out to be my firewall. I had opened ports 161:162 for snmp,
> but it appears that you need to accept packets FROM those ports, to
> whatever high numbered port the broadcast went out from. If I put in
> an iptables rule accepting all packets from 161:162 to high numbered
> ports, the cups snmp backend finds the printers.
>
> However, that doesn't seem an ideal setup from a security point of
> view, because bad guys can easily send whatever they like from ports
> 161:162. Is there a way to configure iptables to allow cups snmp
> browsing without compromising security to that extent?
I'm not an iptables expert, but given that SNMP is UDP-based and
basically stateless, I doubt it.
> Something I don't fully understand is why the cups snmp backend
> worked when I gave it the ip address of the printer as an argument.
> I think it must be because I have an iptables rule that accepts
> packets with the condition "--state ESTABLISHED,RELATED". Apparently
> when the backend is called with a single address, the replies to the
> sending port are treated as ESTABLISHED,RELATED, but when the backend
> sends a broadcast, they are not. Might there be a way to identify
> replies to the broadcast port so that they can be accepted?
You might be able to list the broadcast address in your firewall
rule, but I don't know enough about iptables to really help you.
--
______________________________________________________________________
Michael R Sweet Senior Printing System Engineer
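The conntrack behaviour the thread describes can be modelled directly. The script below is an added example, not code from the CUPS project or from either poster: it imitates how netfilter tracks UDP by 4-tuple (with no protocol helper loaded), replays the three cases discussed (unicast probe, broadcast probe, a forged datagram from outside with source port 161), and renders the broad rule from the post next to a tightened one that only accepts SNMP-sourced replies from the subnet the printers live on. The addresses, ports and the 192.168.1.0/24 subnet are constructed assumptions.

```python
"""Model of why UDP replies to a broadcast SNMP probe are not ESTABLISHED.

Constructed example: it imitates nf_conntrack's UDP tuple matching, it is not
kernel code. All addresses and ports are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """One UDP datagram as the INPUT chain sees it (constructed, not real traffic)."""
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackModel:
    """Minimal imitation of nf_conntrack for UDP: a 'connection' is the 4-tuple of
    the first outbound datagram, and an inbound datagram is ESTABLISHED only if it
    is the exact reverse of a tuple already seen. No protocol helper is modelled."""

    def __init__(self):
        self.original = set()

    def outbound(self, pkt):
        self.original.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self.original else "NEW"


LAN = ip_network("192.168.1.0/24")   # assumed subnet the printers live on
SNMP_PORTS = range(161, 163)         # the 161:162 range from the post


def wide_open_rule(pkt):
    """The rule from the post: any source, sport 161:162, to a high-numbered port."""
    return pkt.sport in SNMP_PORTS and pkt.dport >= 1024


def subnet_rule(pkt):
    """Tightened variant: same match, but only from the local printer subnet."""
    return wide_open_rule(pkt) and ip_address(pkt.src) in LAN


def iptables_rules(lan=str(LAN)):
    """Render the assumed INPUT chain: conntrack first, then the restricted SNMP rule."""
    return [
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -p udp -s {lan} --sport 161:162 --dport 1024:65535 -j ACCEPT",
    ]


def decide(ct, pkt, rule):
    """Walk the chain in order; the first matching rule wins, otherwise drop."""
    if ct.state(pkt) == "ESTABLISHED":
        return "ACCEPT(conntrack)"
    if rule(pkt):
        return "ACCEPT(snmp-rule)"
    return "DROP"


def demo():
    """Replay the three cases from the thread and return the verdicts."""
    host, printer = "192.168.1.10", "192.168.1.50"
    bcast, outsider = "192.168.1.255", "203.0.113.9"
    ct = ConntrackModel()

    # Case 1: backend given the printer's address; the reply reverses the tuple exactly.
    ct.outbound(Packet(host, 40000, printer, 161))
    unicast_reply = Packet(printer, 161, host, 40000)

    # Case 2: broadcast probe; the reply comes from the printer's own address,
    # not from the broadcast address, so the reverse tuple never matches.
    ct.outbound(Packet(host, 40001, bcast, 161))
    bcast_reply = Packet(printer, 161, host, 40001)

    # Case 3: a datagram from outside the LAN that merely uses source port 161.
    forged = Packet(outsider, 161, host, 40002)

    return {
        "unicast_state": ct.state(unicast_reply),
        "broadcast_state": ct.state(bcast_reply),
        "wide_open": {
            "broadcast_reply": decide(ct, bcast_reply, wide_open_rule),
            "forged": decide(ct, forged, wide_open_rule),
        },
        "subnet": {
            "broadcast_reply": decide(ct, bcast_reply, subnet_rule),
            "forged": decide(ct, forged, subnet_rule),
        },
    }


if __name__ == "__main__":
    for line in iptables_rules():
        print("iptables", line)
    print(demo())
```

The unicast reply is ESTABLISHED and never reaches the SNMP rule; the broadcast reply is NEW in both rule sets and is accepted only because of the explicit rule. Restricting the rule's source to the printer subnet drops the outside datagram, but a UDP source port costs nothing to set, so a host already on that subnet is still matched: the subnet restriction narrows the exposure, it does not remove it.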