Template:FAQ:Agent 29

From Net-SNMP Wiki

This actually has nothing to do with the access control mechanism (though that's an understandable mistake). It is the result of the TCP wrapper mechanism using the files 'hosts.allow' and 'hosts.deny' to control access to the service. Some distributions may come with this enabled automatically - otherwise you need to explicitly activate it by running

               configure --with-libwrap

and recompiling the agent.

If TCP wrappers are enabled, and both hosts.allow and hosts.deny are empty, then all requests will be rejected (with "Connection refused"). The simplest way to avoid this problem and allow incoming requests is to add the line

               snmpd: ALL

to the file /etc/hosts.allow. Be aware that doing this removes one level of protection and allows anyone to try to query your agent. The agent's own access control mechanisms can still be used to restrict what - if anything - they can see.

If you do wish to use the TCP wrappers to restrict access, it's sensible to have an explicit entry:

               snmpd: ALL

in the file /etc/hosts.deny, which makes it crystal clear that access to the SNMP agent has been denied. This mechanism can also be used to restrict access to specific management hosts, using a hosts.deny entry such as:

               snmpd: ALL EXCEPT 127.

which will allow connections from localhost, and nothing else.
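The following is an added example, not code from Net-SNMP or this wiki: a small audit that reads the contents of hosts.allow and hosts.deny and reports which of the situations described above applies to the `snmpd` daemon. The function names and finding labels are hypothetical, and the parser is simplified (one level of EXCEPT, no matching of client addresses).

```python
import re

# Colons separate rule fields, except inside a bracketed IPv6 pattern.
FIELD_SEP = re.compile(r":(?![^\[]*\])")

def split_except(tokens):
    """Split a token list at the first EXCEPT into (included, excluded)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []

def snmpd_rules(text, daemon="snmpd"):
    """Client lists of every rule whose daemon list covers `daemon`."""
    rules = []
    # A trailing backslash continues a rule on the next line.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        fields = FIELD_SEP.split(line)
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        inc, exc = split_except(re.split(r"[,\s]+", fields[0].strip()))
        if (daemon in inc or "ALL" in inc) and daemon not in exc:
            rules.append(re.split(r"[,\s]+", fields[1].strip()))
    return rules

def audit(allow_text, deny_text):
    """Report which of the situations described above the two files are in."""
    allow, deny = snmpd_rules(allow_text), snmpd_rules(deny_text)
    if not allow and not deny:
        return ["no-snmpd-entry"]          # neither file mentions the agent
    findings = []
    for inc, exc in map(split_except, allow):
        if "ALL" in inc and not exc:
            findings.append("allow-open-to-all")   # only agent ACLs remain
    for inc, exc in map(split_except, deny):
        if "ALL" in inc:
            findings.append("deny-except:" + ",".join(exc) if exc else "deny-all")
    return findings

if __name__ == "__main__":
    # Constructed file contents using the entries quoted on this page.
    print(audit("snmpd: ALL\n", ""))
    print(audit("", "snmpd: ALL EXCEPT 127.\n"))
```

An `allow-open-to-all` finding means the wrapper layer no longer filters anything, so the agent's own access control configuration is the only restriction left to review.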

Note that personal firewalls, such as the Linux iptables mechanism, may have a similar effect (though typically this won't be logged). See the earlier entry "Requests always seem to timeout, and don't give me anything back. Why?"