On 19 March 2011 02:11, Bill Fenner <fen...@gmail.com> wrote:
>> Is it possible to configure Net-SNMP 5.4.2.1 to filter IP address(es) when
>> using SNMPv3 the way com2sec directive does it for SNMPv1/2c ?
>
> No. I think the assumption is that you need to be able to limit v1/2c
> because of the weakness of the community string, and there is no need to
> limit access using v3 because of its strength.
> I don't think it's an unreasonable feature request, though.

Two comments:

- the IP filtering of community-based SNMP is actually a by-product of the
  non-standard way that we handle community-to-group mapping.
  The official mechanism (SNMP-COMMUNITY-MIB) doesn't include this element,
  which is one of the reasons we've never really supported this MIB.

  We didn't need to define our own v3user-to-group mapping, as we used
  the SNMPv3 mechanism right from the start. Which is why there's no
  equivalent source-based filtering for such requests.

- there *is* a source-filter mechanism available via the TCP wrappers
  functionality. So you can restrict access to solely from known
  addresses (or block known problem hosts), via /etc/hosts.{allow,deny}.
  And of course, local firewalls can do something similar.

  But all of this works on an all-or-nothing basis.
  It's not possible to restrict certain SNMPv3 users to come from
  selected addresses, and allow other SNMPv3 users more widely.

Dave

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users
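
The TCP wrappers restriction described in the reply above, as an added example that is not part of the original message or of Net-SNMP itself. It assumes snmpd was built with libwrap support and checks rules under the daemon name "snmpd"; the function name and the manager addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: stage TCP wrappers rules that limit snmpd to known managers.
# Assumptions: snmpd is built with libwrap and uses the daemon name "snmpd";
# stage_snmpd_wrappers is a hypothetical helper, not a Net-SNMP tool.

# stage_snmpd_wrappers DIR ADDR...
# Writes DIR/hosts.allow and DIR/hosts.deny fragments for review before
# they are merged into /etc/hosts.allow and /etc/hosts.deny.
stage_snmpd_wrappers() {
    dir=$1
    shift
    if [ "$#" -eq 0 ]; then
        echo "need at least one manager address" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    # hosts.allow is consulted first: a matching client is accepted.
    printf 'snmpd: %s\n' "$*" > "$dir/hosts.allow"
    # hosts.deny is consulted next: every other source is refused.
    # The decision is made per source address, before any SNMP message is
    # parsed, so it applies equally to v1/v2c and to every SNMPv3 user.
    printf 'snmpd: ALL\n' > "$dir/hosts.deny"
}

# Stand-alone use with constructed (RFC 5737) addresses:
#   sh stage.sh ./snmpd-wrappers 192.0.2.10 198.51.100.0/255.255.255.0
if [ "$#" -ge 2 ]; then
    stage_snmpd_wrappers "$@"
fi
```

Because hosts.deny ends with `snmpd: ALL`, a manager missing from hosts.allow loses all SNMP access, whichever SNMPv3 user it authenticates as.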