Template:FAQ:Agent 29
This is actually nothing to do with the access control mechanism (though that's an understandable mistake). This is the result of the TCP wrapper mechanism using the files 'hosts.allow' and 'hosts.deny' to control access to the service. Some distributions may come with this enabled automatically - otherwise you need to explicitly activate this by running

    configure --with-libwrap

and recompiling the agent.
If TCP wrappers are enabled, and both hosts.allow and hosts.deny are empty, then all requests will be rejected (with "Connection refused"). The simplest way to avoid this problem and allow incoming requests is to add the line

    snmpd: ALL

to the file /etc/hosts.allow.
Be aware that doing this removes one level of protection and allows
anyone to try and query your agent. The agent's own access control
mechanisms can still be used to restrict what - if anything - they can see.
If you do wish to use the TCP wrappers to restrict access, it's sensible to have an explicit entry:

    snmpd: ALL

in the file /etc/hosts.deny, which makes it crystal clear that access to the SNMP agent has been denied. This mechanism can also be used to restrict access to specific management hosts, using a hosts.deny entry such as:

    snmpd: ALL EXCEPT 127.

which will allow connections from localhost, and nothing else.
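
As an added illustration (not part of the Net-SNMP FAQ or the project's code), the following shell script reports which of the snmpd entries discussed above a pair of wrapper files contains. The function names, result labels and sample files are assumptions made for this example, and the parser is simplified: it does not interpret EXCEPT in the daemon list or daemon@host patterns.

```shell
#!/bin/sh
# Added example: audit TCP wrapper files for entries that apply to snmpd.
# Simplified parser (assumption): no EXCEPT in daemon lists, no daemon@host.

# Print every rule in FILE whose daemon list names snmpd or ALL.
snmpd_rules() {
    [ -r "$1" ] || return 0
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # join continuation lines
        { line = buf $0; buf = "" }
        line ~ /^[ \t]*(#|$)/ { next }                 # skip comments and blanks
        {
            n = index(line, ":")
            if (n == 0) next
            daemons = substr(line, 1, n - 1)
            gsub(/,/, " ", daemons)
            m = split(daemons, d, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (d[i] == "snmpd" || d[i] == "ALL") { print line; break }
        }
    ' "$1"
}

# Classify a hosts.allow / hosts.deny pair by the snmpd entries it contains.
audit_snmpd_wrappers() {
    allow_rules=$(snmpd_rules "$1")
    deny_rules=$(snmpd_rules "$2")
    # An allow rule with client list ALL lets anyone try to query the agent.
    if printf '%s\n' "$allow_rules" | grep -Eq '^[^:]*:[[:space:]]*ALL[[:space:]]*(:|$)'; then
        echo "open-to-all"
    elif [ -n "$deny_rules" ]; then
        echo "explicit-deny"
    elif [ -n "$allow_rules" ]; then
        echo "allow-list-only"
    else
        echo "no-snmpd-entry"
    fi
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf '# management access\nsnmpd: ALL\n' > "$demo/hosts.allow"
printf 'snmpd: ALL EXCEPT 127.\n' > "$demo/hosts.deny"
audit_snmpd_wrappers "$demo/hosts.allow" "$demo/hosts.deny"   # prints: open-to-all
rm -rf "$demo"
```

On a real host, call `audit_snmpd_wrappers /etc/hosts.allow /etc/hosts.deny`; a result of `no-snmpd-entry` means neither file has the explicit entry recommended above.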
Note that personal firewalls, such as the Linux iptables mechanism, may have a similar effect (though typically this won't be logged). See the earlier entry Requests always seem to timeout, and don't give me anything back. Why?