snmp iptables rules WAS snmp address ranges

Stephen Isard suovmbg02 at sneakemail.com
Fri Aug 15 11:13:31 PDT 2008


...
> > If I put in
> > an iptables rule accepting all packets from 161:162 to high numbered
> > ports, the cups snmp backend finds the printers.
> >
> > However, that doesn't seem an ideal setup from a security point of
> > view, because bad guys can easily send whatever they like from ports
> > 161:162. Is there a way to configure iptables to allow cups snmp
> > browsing without compromising security to that extent?
>
> I'm not an iptables expert, but given that SNMP is UDP-based and
> basically stateless, I doubt it.
...
> > Might there be a way to identify
> > replies to the broadcast port so that they can be accepted?
>
> You might be able to list the broadcast address in your firewall
> rule, but I don't know enough about iptables to really help you.

Just in case someone else has the same question and comes across this thread in a search, here are a couple of iptables rules suggested by people on the netfilter list:

# Notice cups printer discovery broadcasts
-A OUTPUT -d abc.def.9.255 -p udp --dport 161 -m recent --name cups_snmp --rsource --set -j ACCEPT
# Permit printers to reply during short time window following broadcast
-A INPUT -p udp -s abc.def.9.255/23 --sport 161 --dport 1024:65535 -m recent --name cups_snmp --rdest --rcheck -j ACCEPT

The first one registers the fact that a cups snmp broadcast has gone out and the second permits packets from the snmp port of machines on the local network during a brief time window following the broadcast.  These rules aren't a perfect fit to the situation because packets are accepted to *any* high numbered port during the time window, not just to the port from which the broadcast went out.  However, they are an improvement over accepting such packets at any time at all.

To use the rules you will need to supply your own network address and mask in place of "abc.def...".  The duration of the time window can also be specified with a --seconds flag.
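As an added illustration that is not part of the post (a toy model written here, not the netfilter xt_recent module), the following Python simulates what the two rules do, using the constructed addresses 10.0.8.0/23, broadcast 10.0.9.255 and host 10.0.8.5 in place of "abc.def...". It shows the two points worth knowing before deploying them: a reply to any high port is accepted while the entry is fresh, and without --seconds the rcheck matches for as long as the entry stays in the list.

```python
from dataclasses import dataclass
import ipaddress

LOCAL_NET = ipaddress.ip_network("10.0.8.0/23")   # iptables masks abc.def.9.255/23 to the network
BROADCAST = "10.0.9.255"                           # directed broadcast cups sends discovery to
MY_ADDR = "10.0.8.5"                               # the host running cups (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class RecentList:
    """Toy model of the xt_recent list named cups_snmp: address -> time of last --set."""
    def __init__(self):
        self.entries = {}
    def set(self, addr, now):
        self.entries[addr] = now                   # --set adds or refreshes the entry
    def rcheck(self, addr, now, seconds=None):
        seen = self.entries.get(addr)
        if seen is None:
            return False
        return seconds is None or now - seen <= seconds   # no --seconds: any age matches

def output_rule(pkt, now, recent):
    """-A OUTPUT -d <bcast> -p udp --dport 161 -m recent --name cups_snmp --rsource --set -j ACCEPT"""
    if pkt.dst == BROADCAST and pkt.dport == 161:
        recent.set(pkt.src, now)                   # --rsource: record our own (source) address
        return "ACCEPT"
    return None                                    # no match: later rules decide

def input_rule(pkt, now, recent, seconds=None):
    """-A INPUT -p udp -s <net> --sport 161 --dport 1024:65535 -m recent --name cups_snmp --rdest --rcheck [--seconds N] -j ACCEPT"""
    if (ipaddress.ip_address(pkt.src) in LOCAL_NET and pkt.sport == 161
            and 1024 <= pkt.dport <= 65535
            and recent.rcheck(pkt.dst, now, seconds)):   # --rdest: look up our own (destination) address
        return "ACCEPT"
    return None

def simulate(seconds=None):
    """One discovery cycle; verdicts for a prompt reply, a packet to an unrelated high port, and a late reply."""
    recent = RecentList()
    output_rule(Packet(MY_ADDR, 40000, BROADCAST, 161), 0.0, recent)
    reply = Packet("10.0.9.20", 161, MY_ADDR, 40000)     # printer answering the broadcast
    other = Packet("10.0.9.20", 161, MY_ADDR, 51515)     # same source, a port cups never used
    return (input_rule(reply, 1.0, recent, seconds),
            input_rule(other, 1.0, recent, seconds),
            input_rule(reply, 30.0, recent, seconds))
```

Running simulate(seconds=5) accepts the first two packets and drops through for the late one; simulate() with no window accepts all three.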
