With the patch included in net-snmpd-5.4.1-r1 and USE=tcpd, hosts.allow requires the local host's public IP address to be listed for the snmpd daemon.
Previous to 5.4.1-r1 I had the following in my hosts.allow, hosts.deny:
hosts.allow:
    snmpd : monitoring_hosts_ip
hosts.deny:
    ALL : ALL EXCEPT localhost
With 5.4.1-r1 it logs "connection refused" unless I change hosts.allow to:
    snmpd : monitoring_hosts_ip localhosts_public_ip
If the clientaddr is omitted, the original hosts.* files work as before.
Reproducible: Always
Steps to Reproduce:
So tell upstream, they've accepted the patch. https://sourceforge.net/tracker/?func=detail&atid=312694&aid=1775124&group_id=12694
I did. I thought I should inform people here as well since it doesn't seem to have been included in the official source yet and the ebuild explicitly calls the patch.
Brian, could you try net-snmp-5.4.1-r2.ebuild. It fixes some problems with clientaddr patch. If the problem persists I'll take a look at the problem. Thank you.
(In reply to comment #3)
> Brian, could you try net-snmp-5.4.1-r2.ebuild. It fixes some problems with
> clientaddr patch. If the problem persists I'll take a look at the problem. Thank
> you.
-r2 has already been replaced with -r3, but the problem still exists. For now I've just added this to hosts.deny:
    ALL EXCEPT snmpd : ALL EXCEPT localhost
Thanks,
Brian
Seems that usage of IP addresses instead of hostnames works around the problem.
(In reply to comment #5)
> Seems that usage of IP addresses instead of hostnames works around the problem.
Where? I'm a little confused by what you mean here, so I'll try to clarify the problem:
My original example was meant to imply the usage of IP addresses in the hosts.allow. The problem is that for every host you must include its local IP address(es) that is/are serving snmpd requests to remote hosts. Now consider that you have >50 hosts and so need to maintain >50 hosts.allow. That's a pain to deal with and prior to this release was unnecessary.
Since I don't want to have to manage all of those hosts.allow separately I left hosts.allow and changed hosts.deny to the following:
hosts.allow:
    snmpd : the_monitoring_hosts_ip
hosts.deny:
    ALL EXCEPT snmpd : ALL EXCEPT localhost
meaning that the default should be to deny traffic to anything but the localhost, except for snmpd, which needs an exception due to the patch. After that the hosts.allow seems to be honored as expected. Make sense?
This is an acceptable workaround from my point of view, it just changed from one version to the next and I thought someone else should be aware of it. If you want to close it feel free, otherwise I'm happy to try more tweaks.
Thanks,
Brian
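An added example, not part of the comment above and not net-snmp code: a simplified Python model of the hosts_access(5) decision order (a hosts.allow match grants, otherwise a hosts.deny match denies, otherwise access is granted), applied to the two rule sets quoted in this report. The addresses are constructed documentation-range stand-ins for monitoring_hosts_ip, the host's public IP and an unlisted client; only ALL, EXCEPT, literal addresses and localhost (assumed to be 127.0.0.1) are modelled.

```python
# Simplified model of the hosts_access(5) decision order. Assumptions: only ALL,
# EXCEPT, literal addresses and "localhost" (taken to be 127.0.0.1) are handled.
ALIASES = {"localhost": {"127.0.0.1"}}

# Constructed stand-ins (documentation ranges) for the report's placeholders.
MONITOR = "192.0.2.10"       # monitoring_hosts_ip
OWN_PUBLIC = "198.51.100.5"  # localhosts_public_ip
STRANGER = "203.0.113.77"    # a client listed in neither file

ALLOW = ["snmpd : " + MONITOR]                                 # hosts.allow, both setups
DENY_ORIGINAL = ["ALL : ALL EXCEPT localhost"]                 # original hosts.deny
DENY_WORKAROUND = ["ALL EXCEPT snmpd : ALL EXCEPT localhost"]  # workaround hosts.deny


def match_list(tokens, value):
    """'a EXCEPT b' matches whatever matches a and does not match b."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], value) and not match_list(tokens[i + 1:], value)
    return any(t == "ALL" or t == value or value in ALIASES.get(t, ()) for t in tokens)


def rule_matches(rule, daemon, client):
    """A rule is 'daemon_list : client_list'; both lists must match."""
    daemons, clients = (part.replace(",", " ").split() for part in rule.split(":", 1))
    return match_list(daemons, daemon) and match_list(clients, client)


def access(allow, deny, daemon, client):
    """hosts.allow match grants; else hosts.deny match denies; else granted."""
    if any(rule_matches(r, daemon, client) for r in allow):
        return "granted by hosts.allow"
    if any(rule_matches(r, daemon, client) for r in deny):
        return "denied by hosts.deny"
    return "granted by default (no rule matched)"


if __name__ == "__main__":
    for label, deny in (("original", DENY_ORIGINAL), ("workaround", DENY_WORKAROUND)):
        for daemon, client in (("snmpd", MONITOR), ("snmpd", OWN_PUBLIC),
                               ("snmpd", STRANGER), ("sshd", STRANGER)):
            print(f"{label:10} {daemon:5} {client:13} -> {access(ALLOW, deny, daemon, client)}")
```

In this model the workaround's hosts.deny line never matches snmpd, so a client absent from hosts.allow falls through to the default grant; other daemons are still denied for non-local clients.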
Created attachment 167654
fix for the bug
OK, here is a fix I have just proposed to the upstream.
Krzysztof Olędzki: please link to the thread where you proposed the new patch.
netmon: your bug again, I'll check later if you're busy.
http://42.pl/u/15MV (sorry for the two typos I have made)
http://sourceforge.net/tracker/?group_id=12694&atid=312694
Seems to be related to #250429