SNMP interface

Astronaut

Cadet
Joined
Oct 21, 2020
Messages
3
The SNMP agent is right now hard coded to listen on all interfaces. This raises issues when you try to keep management traffic separate from user traffic. The snmp.conf file contains the following line:

agentAddress udp:161,udp6:161,unix:/var/run/snmpd.sock

This makes it impossible to limit interfaces. SNMP usually allows a lot of dangerous stuff and shouldn't be exposed to users. Thus, the only way around this is to disable SNMP completely.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
What would you consider dangerous if there is only a read community?
 

Astronaut

Cadet
Joined
Oct 21, 2020
Messages
3
> What would you consider dangerous if there is only a read community?

I have not looked through the available data. However, I have seen other "appliances" where stuff like passwords were available on SNMP. I have no desire to spend my time going through all of the information when I don't want regular users accessing it anyway.

It is a good principle for systems design and deployment to limit the attack surface by not exposing unnecessary services. This is part of the defense-in-depth principle. In addition, the GUI and SSH setup for TrueNAS allow us to select which interfaces they are available on. It makes no sense for the same not to apply for SNMP.
 
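An added example, not part of any post in this thread and not TrueNAS code: a small Python check that classifies each listener in an agentAddress line, such as the one quoted in the first post, as bound to all interfaces, restricted to one address, or a local Unix socket. It assumes Net-SNMP's `[transport:]address[:port]` specifier syntax with UDP over IPv4 as the default transport, and handles only the udp, tcp, udp6, tcp6 and unix transports; the function names are hypothetical.

```python
# Constructed sample input: the agentAddress line quoted in the first post.
SAMPLE_CONF = """\
# snmpd listening addresses
agentAddress udp:161,udp6:161,unix:/var/run/snmpd.sock
"""

IP_TRANSPORTS = {"udp", "tcp", "udp6", "tcp6"}
WILDCARD_HOSTS = {"0.0.0.0", "::"}


def classify(spec):
    """Return (spec, verdict) for one listening-address specifier."""
    transport, sep, rest = spec.partition(":")
    if not sep or transport.lower() not in IP_TRANSPORTS | {"unix"}:
        # Assumption: no recognised transport prefix means UDP over IPv4.
        transport, rest = "udp", spec
    if transport.lower() == "unix":
        return spec, "local-socket"
    if rest.isdigit():
        # Port only, no address: the agent listens on every interface.
        return spec, "all-interfaces"
    if rest.startswith("["):
        # Bracketed IPv6 literal, e.g. [::1]:161
        host = rest[1:].partition("]")[0]
    else:
        # host[:port]; fall back to the whole string when no port is given.
        host = rest.rpartition(":")[0] or rest
    return spec, "all-interfaces" if host in WILDCARD_HOSTS else "restricted"


def audit(conf_text):
    """Classify every specifier on every agentAddress line of a config."""
    findings = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "agentaddress":
            findings += [classify(s.strip())
                         for s in parts[1].split(",") if s.strip()]
    return findings


if __name__ == "__main__":
    for spec, verdict in audit(SAMPLE_CONF):
        print(f"{verdict:15} {spec}")
```

A listener reported as `all-interfaces` is reachable from every network the host is attached to, so any separation of management traffic then has to be enforced by a firewall rather than by the agent's bind address.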