On Tue, Oct 02, 2007 at 08:49:02AM -0700, Tom Eastep wrote:
> I see no solution but this:
>
> ACCEPT net:<IP B> fw udp - 161

Just for the sake of completeness, it should be possible to construct a poor man's variation of conntrack using a recent match, to block replies that don't match queries. I doubt that it's worthwhile in this case, though. SNMP isn't even remotely secure in the first place.

There should also be an SNAT solution (remapping the offending source address back to what it should be), but I don't think netfilter is currently capable of it.
