CUPS SNMP should not scan the entire local subnet by default
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cups (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
Binary package hint: cupsys
There is a bug in Launchpad somewhere where users where complaining that the SNMP backend in CUPS was disabled. The bug was resolved in Intrepid, and it does indeed work now.
Unfortunately, it works a bit too well for many enterprise users.
In Intrepid, CUPS will by default, scan the entire local subnet of the host for printers responding to SNMP. In the enterprise, this sets off many alarms on various NIDS and firewalls.
I think maybe a happy medium would be to leave the SNMP backend enabled, so that users can easily set it up, but limit the SNMP polling to just the localhost.
This can be done by changing /etc/cups/snmp.conf to read
Address 127.0.0.1
instead of
Address @LOCAL
This particular problem caught me, so I wrote a blog post about it. I have received quite a few comments from other enterprise users thanking me for the tip. My blog is very low traffic, the fact that it has any comments at all shows it's affecting quite a few people. http://
Hardy has reached end of life, and this package is not present in later releases. Closing all related bugs.