Re: Denying v1 & v2c access to object/subtree?

11-18-2005
Dave Shield
 

On Thu, 2005-11-17 at 13:53 -0500, Hammer, Tim wrote:
> From my reading of FAQs and old messages, it seems that
> what I want to do is possible.


Probably, yes.
It would be easier to tell if you said *exactly* what
the requirements are.

But in fairly general terms:

- If you have *no* "r?community" or "com2sec"
directives listed in *any* snmpd.conf files,
then all SNMPv1/SNMPv2c requests will be denied
(discarded without even responding)


- If you have a directive such as

rocommunity public default system

then this will allow SNMPv1/SNMPv2c requests
for the system group, and reject requests
for anything else. (And the client *will*
receive a response)


If you want to allow access to everything but a
particular MIB subtree, then the "r?community"
directives aren't sufficient. You'll have to set
things up using the com2sec/group/view/access
directives instead (at least until 5.3)

Note that you should use one *or* the other.
Do *NOT* try to mix r?community and c/g/v/a
approaches.




> Based on this information and the descriptions of com2sec, group,
> view, and access in the man page and other resources I found, I
> figured I could put something like:
> view special excluded .1.3.6.1.4.1.253.8.53.5
> access public "" any noauth exact special special special


That should work, as long as you've also got the corresponding
"com2sec" and "group" entries (included in the example you quote).

Try the following - with certain names changed for clarity:

com2sec publicU default public
group publicG v1 publicU
group publicG v2c publicU

view special excluded .1.3.6.1.4.1.253.8.53.5
access publicG "" any noauth exact special special special

That should provide SNMPv1/SNMPv2c access to everything bar
the "special" subtree.


> Alternatively, I could do additional code work.

[snip]

The other approach you suggest doesn't really
feel appropriate. The SNMP library already handles
everything mentioned there - you'd do better getting
the access configuration set up correctly, rather than
hack the MIB module code.


Dave
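
Added example, not part of the original post and not Net-SNMP code: a simplified Python model of the VACM view check (RFC 3415, view masks ignored) applied to the "view special" line above. Under RFC 3415 an OID that matches no view entry is not in the view, so the example also evaluates a constructed variant with a "view special included .1" line; parse_views and in_view are hypothetical helper names.

```python
# Simplified VACM view evaluation (RFC 3415), view masks ignored.

def parse_oid(text):
    """'.1.3.6.1' -> (1, 3, 6, 1)"""
    return tuple(int(p) for p in text.strip(".").split("."))

def parse_views(conf):
    """Collect 'view NAME included|excluded OID' lines from snmpd.conf text."""
    views = {}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "view":
            name, kind, oid = fields[1], fields[2], parse_oid(fields[3])
            if kind not in ("included", "excluded"):
                raise ValueError(f"bad view type: {kind}")
            views.setdefault(name, []).append((oid, kind == "included"))
    return views

def in_view(views, name, oid_text):
    """True if the OID is accessible through the named view."""
    oid = parse_oid(oid_text)
    # Entries whose subtree is a prefix of the requested OID.
    matches = [(sub, inc) for sub, inc in views.get(name, [])
               if oid[:len(sub)] == sub]
    if not matches:
        return False  # no matching entry: not in view
    # The longest matching subtree decides.
    return max(matches, key=lambda m: len(m[0]))[1]

# Constructed configs: the view line from the post on its own, and with an
# 'included .1' line added (that extra line is this example's assumption).
EXCLUDE_ONLY = "view special excluded .1.3.6.1.4.1.253.8.53.5\n"
WITH_INCLUDE = "view special included .1\n" + EXCLUDE_ONLY

SYS_DESCR = ".1.3.6.1.2.1.1.1.0"         # sysDescr.0
HIDDEN = ".1.3.6.1.4.1.253.8.53.5.1.0"   # constructed OID under the subtree

if __name__ == "__main__":
    for label, conf in (("exclude only", EXCLUDE_ONLY),
                        ("with include", WITH_INCLUDE)):
        v = parse_views(conf)
        print(label, in_view(v, "special", SYS_DESCR),
              in_view(v, "special", HIDDEN))
```

After loading a view configuration, an snmpwalk with the v1/v2c community against both the excluded subtree and an unrelated object such as the system group confirms what the agent actually exposes.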

