SCIENTIFIC-LINUX-USERS Archives

August 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Stephen Isard <[log in to unmask]>
Date: Thu, 14 Aug 2008 18:45:31 -0500

On Thu, 14 Aug 2008, Shane Voss shane-at-blether.org.uk wrote:
...
> You may be able to use  "recent" - something like this:
>
> # Record the port being used when cups sends a broadcast
> iptables -A OUTPUT -p udp --dport 161 -m pkttype --pkt-type broadcast \
>   -m recent --name cups-snmp --set --rdest -j ACCEPT
>
> # Accept incoming packets presumed "in reply" from port 161
> # but only for the number of seconds configured in cups-snmp.conf
> iptables -A INPUT -p udp --sport 161 -m recent --name cups-snmp --rcheck --seconds 10 ... -j ACCEPT
>
> (I haven't tested any of this!)

Thanks, Shane.  I've just tried, but no joy.  My iptables man page says that
"-m recent --set" will add the *source* address to the list, which isn't
what we need.  The man page makes no mention of rdest.

Googling around, I've found a thread from 2004 in which people were
discussing what looks like the same problem with regard to samba.  The
broadcast and reply setup is apparently the same.  I couldn't find a
resolution, however.
