SCIENTIFIC-LINUX-USERS Archives

August 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Stephen Isard <[log in to unmask]>
Reply To:
Stephen Isard <[log in to unmask]>
Date:
Thu, 14 Aug 2008 12:02:24 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (50 lines)
I'm running SL5.2 with cups-1.2.4-11.18.el5_2.1.x86_64.

This version of cups has a module which finds network printers using snmp (simple network management protocol), so that when you go to the printer administration panel on the cups web interface, you are automatically offered a list of possible printers on your local network that you can add to your system by just clicking an "add printer" button.  Very neat.

However, I am wondering about the security implications of the holes that you apparently have to make in your firewall to let the printer discovery module operate.  I'm somewhat out of my depth here, so if my description of what is going on is misleading or plain wrong, I hope someone more knowledgeable will step in.

The way it appears to work is that cups broadcasts FROM some high (>1024) numbered port (a different one each time) TO port 161 (the snmp port as listed in /etc/services) of all devices on the local network.  It then listens for replies FROM port 161 of devices on the network TO the high numbered port that it sent the broadcast from.  Since the original broadcast was a broadcast, and not a connection to a specific machine, the replies are not treated as ESTABLISHED or RELATED for purposes of iptables.  It thus seems that for the replies to be received, you have to let through udp packets from port 161 of any machine on the network to any high numbered port on your machine, at any time, with no way of allowing only packets addressed to a port that recently sent a broadcast.  Since bad guys can send whatever they like from port 161, this looks like a potential security risk.

Question 1: How bad a risk is it in an environment like a large university department where you have to assume that intruders will occasionally manage to break into the local network?

Question 2: Is there actually some way that I don't know about of identifying replies to a recent snmp broadcast with iptables rules?

Thanks for your attention.
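As an added illustration, not part of Stephen's post or of cups or iptables: a small Python model of the three policies the post contrasts. It uses constructed packets and a hypothetical `BroadcastReplyTracker` to show why 5-tuple reply matching cannot pair a unicast printer answer with a broadcast probe, why the blanket "sport 161 to any high port" rule also admits unsolicited traffic, and what a "recently broadcast from this port" check would look like.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the exchange described in the post: cups broadcasts
# from an ephemeral port to UDP 161 and printers answer from port 161.
Packet = namedtuple("Packet", "src sport dst dport")
SNMP_PORT = 161
BROADCAST = "255.255.255.255"


def conntrack_reply(outbound, inbound):
    """Approximates how stateful matching pairs a reply with what was sent:
    the reply must come FROM the address the request went TO, so a unicast
    answer to a broadcast never counts as ESTABLISHED."""
    return (inbound.src == outbound.dst and inbound.sport == outbound.dport
            and inbound.dst == outbound.src and inbound.dport == outbound.sport)


def open_rule(inbound):
    """The blanket rule the post says you seem to need: anything from
    source port 161 to a high port is let through, solicited or not."""
    return inbound.sport == SNMP_PORT and inbound.dport > 1024


class BroadcastReplyTracker:
    """Hypothetical policy for Question 2 in the post: remember which local
    ports recently sent a broadcast to 161 and admit replies only to those
    ports, only from the local subnet, and only within a short window."""

    def __init__(self, lan, window=5.0):
        self.lan = ipaddress.ip_network(lan)
        self.window = window
        self.sent = {}  # local source port -> time the broadcast left

    def note_outbound(self, pkt, now):
        if pkt.dst == BROADCAST and pkt.dport == SNMP_PORT:
            self.sent[pkt.sport] = now

    def allows(self, pkt, now):
        sent_at = self.sent.get(pkt.dport)
        if sent_at is None or now - sent_at > self.window:
            return False  # no recent broadcast left from that port
        if pkt.sport != SNMP_PORT:
            return False
        return ipaddress.ip_address(pkt.src) in self.lan
```

Stock iptables has no module that does what the tracker does; the class only makes the gap between the blanket rule and the desired rule concrete.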
