Date: Thu, 14 Aug 2008 18:45:31 -0500
On Thu, 14 Aug 2008, Shane Voss shane-at-blether.org.uk wrote:
...
> You may be able to use "recent" - something like this:
>
> # Record the port being used when cups sends a broadcast
> iptables -A OUTPUT -p udp --dport 161 -m pkttype --pkt-type broadcast \
>   -m recent --name cups-snmp --set --rdest -j ACCEPT
>
> # Accept incoming packets presumed "in reply" from port 161
> # but only for the number of seconds configured in cups-snmp.conf
> iptables -A INPUT -p udp --sport 161 -m recent --name cups-snmp --rcheck \
>   --seconds 10 ... -j ACCEPT
>
> (I haven't tested any of this!)
Thanks, Shane. I've just tried, but no joy. My iptables man page says that
"-m recent --set" will add the *source* address to the list, which isn't
what we need. The man page makes no mention of rdest.
Googling around, I've found a thread from 2004 in which people were
discussing what looks like the same problem with regard to samba. The
broadcast and reply setup is apparently the same. I couldn't find a
resolution, however.
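To make the address bookkeeping in the rules above concrete, here is a small Python model of the `recent` match as the thread uses it. It is an added illustration, not code from the thread: the table semantics (entries keyed on the packet's source address, or on its destination with `--rdest`; `--rcheck` looks up the candidate packet's address and honours `--seconds`) are modelled from iptables' documented behaviour, and the host, broadcast and printer addresses are constructed for the example.

```python
import time

class RecentList:
    """One named 'recent' table: address -> time of the last --set."""
    def __init__(self):
        self.entries = {}

    @staticmethod
    def key(pkt, rdest):
        # Default keys on the packet's source; --rdest keys on its destination.
        return pkt["dst"] if rdest else pkt["src"]

    def set(self, pkt, rdest=False, now=None):
        self.entries[self.key(pkt, rdest)] = time.time() if now is None else now

    def rcheck(self, pkt, seconds=None, rdest=False, now=None):
        # Match only if the keyed address is listed and within --seconds.
        now = time.time() if now is None else now
        seen = self.entries.get(self.key(pkt, rdest))
        return seen is not None and (seconds is None or now - seen <= seconds)

# Constructed sample traffic; the addresses are made up for this example.
HOST, BCAST, PRINTER = "192.168.1.10", "192.168.1.255", "192.168.1.50"
PROBE = {"src": HOST, "dst": BCAST, "sport": 40000, "dport": 161}
REPLY = {"src": PRINTER, "dst": HOST, "sport": 161, "dport": 40000}

def stored_address(rdest_on_set):
    """Which address the OUTPUT --set rule records for the broadcast probe."""
    table = RecentList()
    table.set(PROBE, rdest=rdest_on_set, now=0)
    return next(iter(table.entries))

def reply_accepted(rdest_on_set, delay=0):
    """Replay the two quoted rules: --set on the probe, --rcheck --seconds 10
    on the printer's unicast reply `delay` seconds later."""
    table = RecentList()
    table.set(PROBE, rdest=rdest_on_set, now=0)
    return table.rcheck(REPLY, seconds=10, now=delay)

def unicast_reply_accepted(delay=0):
    """Contrast: a unicast probe with --set --rdest stores the printer's own
    address, which is what --rcheck then sees as the reply's source."""
    table = RecentList()
    table.set(dict(PROBE, dst=PRINTER), rdest=True, now=0)
    return table.rcheck(REPLY, seconds=10, now=delay)
```

For the broadcast probe the table ends up holding either the host's own address or the broadcast address, neither of which is the unicast source of the printer's reply, which is why `--rcheck` finds nothing; the unicast variant shows the same rules working when the stored address and the reply's source coincide.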