I have a little home network with one Windows 98 PC and a PC running Linux. My idea is that as soon as DSL is finally made available to my area (which I keep getting told will be real soon now) I want to route it through the Linux box and up to the Windows PC, using IP masquerading, etc.

At present I have Samba enabled on the Unix box, which opens up several worthwhile conveniences to me: printing, backing up critical files, etc., that would not be possible without it.

Of course, once this is up, there is the firewall issue to consider, which as a PPP internet accessor I haven't had to worry about. But I am reading up on the matter. One source I am using is Linux Firewalls by Robert L. Ziegler (New Riders).

One of the points in this book is that a firewall PC should never run Samba because it opens up vulnerabilities to attack. The author doesn't go into much detail, nor does he offer any workarounds. He just says you shouldn't do it. Period.

My question is how serious a problem this is. Is it as clear-cut an issue as the author makes out, or are there successful examples of Samba being run on a firewall PC, and ways around the vulnerability? Or should I invest in another machine or get rid of Samba?
Don't we meet in unusual places! (inside joke)

Just a note, I'm reconfiguring my whole home network (in preparation for DSL as well). What you might consider doing is putting together an old 486/Pentium xx to function strictly as your firewall. You could probably pick one up for near nothing these days. I'm working on putting together the bastion/choke configuration from Ziegler's book. More as a learning experience than a necessity.

Steve Cohen wrote:
>
> I have a little home network with one Windows 98 PC and a PC running
> Linux.
> My idea is that as soon as DSL is finally made available to my area
> (which I keep getting told will be real soon now) I want to route it
> through the Linux box and up to the Windows PC, using IP masquerading,
> etc.
>
> At present I have Samba enabled on the Unix box which opens up several
> worthwhile conveniences to me: printing, backing up critical files,
> etc., that would not be possible without it.
>
> Of course, once this is up, there is the firewall issue to consider,
> which as PPP internet accessor I haven't had to worry about. But I am
> reading up on the matter. One source I am using is Linux Firewalls by
> Robert L. Ziegler (New Riders).
>
> One of the points in this book is that a firewall PC should never run
> Samba because it opens up vulnerabilities to attack. The author doesn't
> go into much detail, nor does he offer any workarounds. He just says
> you shouldn't do it. Period.
>
> My question is how serious a problem this is. Is it as clear cut an
> issue as the author makes out or are there successful examples of Samba
> being run on a firewall PC, and ways around the vulnerability. Or
> should I invest in another machine or get rid of Samba?

-- 
Until later: Geoffrey esoteric@denali.atlnet.com
I'm afraid there will be more problems with W2K than there were with Y2K...
Hello,

I run a similar configuration, but with a dial-up PPP link, and just use these rules in my firewall; then no one can get access to Samba from outside...

# SMB: Reject SMB traffic FROM and TO external machines.
# ($EXTIF, $EXTIP, $EXTBROAD, $UNIVERSE and $LOGGING are set earlier in the script.)
# ipchains REJECT answers each packet with an ICMP unreachable; DENY would drop it
# with no reply at all.
echo " - Silently rejecting TCP/UDP SMB traffic on the external interface."
# Inbound by destination port: NetBIOS name (137), datagram (138) and session (139).
# Only UDP to the broadcast address is matched below; UDP 137/138 sent to $EXTIP
# itself is not covered by these rules and needs two more "-p udp ... -d $EXTIP" rules.
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 139
# Inbound by source port (anything coming FROM a NetBIOS port outside).
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP
# Outbound: stop the firewall's own NetBIOS traffic leaving on the external interface.
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 137 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 138 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP -d $UNIVERSE 139 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 137 -d $UNIVERSE 137 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 138 -d $UNIVERSE 138 $LOGGING
/sbin/ipchains -A output -j REJECT -i $EXTIF -p udp -s $EXTIP 139 -d $UNIVERSE 139 $LOGGING

> Run portsentry

Where do I get this???????

Thanks..

Bye for Now,
Ian

   \|||/
   (o o)
/----------------ooO-(_)-Ooo---------------\
| Ian Chilton                              |
|                                          |
| E-Mail: ian@ichilton.co.uk               |
| Web Page: http://www.ianchilton.co.uk    |
\------------------------------------------/
All e-mail is forwarded to my mobile phone.
(unless it includes an attachment) However, I only receive the first 150 characters. Please structure your message accordingly.

"Unix is user friendly - it's just picky about its friends."
"Windows is a 32 bit patch to a 16 bit GUI based on an 8 bit operating system written for a 4 bit processor by a 2 bit company which can not stand 1 bit of competition."
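A rule set like the one above is easy to get subtly incomplete, because every NetBIOS service has to be matched per protocol and per destination address. The following is an added example, not Ian's script or anything from the list: a small Python checker that parses ipchains command lines and reports which inbound (chain, protocol, destination, port) combinations are not blocked by any rule. The embedded rule text is a constructed copy of the inbound rules from the post; the shell variables ($EXTIP, $EXTBROAD, $UNIVERSE) are compared as literal strings, not expanded. The definition of "complete" is my assumption: UDP 137 and 138 to both the unicast and the broadcast address, and TCP 139 to the unicast address (a TCP session cannot be set up to a broadcast address).

```python
"""Coverage check for SMB-blocking ipchains rules (constructed example)."""
import shlex

# Constructed copy of the inbound rules from the post above, verbatim.
POSTED_INPUT_RULES = """
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 137
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p udp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTBROAD 138
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP 139
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 137 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 138 -d $EXTIP
/sbin/ipchains -A input -j REJECT -i $EXTIF -p tcp -s $UNIVERSE 139 -d $EXTIP
"""

# Assumed definition of a complete inbound block: UDP name (137) and datagram
# (138) services may arrive at the unicast or the broadcast address; a TCP 139
# session can only be established to the unicast address.
REQUIRED = (
    [("input", "udp", dst, port)
     for port in ("137", "138") for dst in ("$EXTIP", "$EXTBROAD")]
    + [("input", "tcp", "$EXTIP", "139")]
)


def parse_rule(line):
    """Extract chain, protocol, destination and ports from one ipchains line."""
    argv = shlex.split(line)  # no shell expansion: $EXTIP stays literal
    rule = {"chain": None, "proto": None, "dst": None, "dport": None, "sport": None}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-A" and i + 1 < len(argv):
            rule["chain"] = argv[i + 1]
            i += 2
        elif tok == "-p" and i + 1 < len(argv):
            rule["proto"] = argv[i + 1]
            i += 2
        elif tok in ("-s", "-d") and i + 1 < len(argv):
            addr = argv[i + 1]
            i += 2
            port = None
            # ipchains takes an optional port right after the address
            if i < len(argv) and argv[i].isdigit():
                port = argv[i]
                i += 1
            if tok == "-d":
                rule["dst"], rule["dport"] = addr, port
            else:
                rule["sport"] = port
        else:
            i += 1  # -j, -i, $LOGGING etc. do not affect what is matched here
    return rule


def blocks(rule, want):
    """True if this rule rejects every packet described by the wanted tuple."""
    chain, proto, dst, port = want
    return (rule["chain"] == chain and rule["proto"] == proto
            and rule["dst"] == dst
            and rule["dport"] in (None, port)  # no port given = all ports
            and rule["sport"] is None)         # a source-port rule is narrower


def uncovered(rules_text, required=REQUIRED):
    """Return the required combinations that no rule in rules_text blocks."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    return [w for w in required if not any(blocks(r, w) for r in rules)]


def missing_rules(rules_text, required=REQUIRED):
    """Generate ipchains lines, in the post's own style, that close the gaps."""
    return ["/sbin/ipchains -A %s -j REJECT -i $EXTIF -p %s -s $UNIVERSE -d %s %s"
            % (chain, proto, dst, port)
            for chain, proto, dst, port in uncovered(rules_text, required)]


if __name__ == "__main__":
    for chain, proto, dst, port in uncovered(POSTED_INPUT_RULES):
        print("not blocked: %s %s to %s port %s" % (chain, proto, dst, port))
    print("\n".join(missing_rules(POSTED_INPUT_RULES)))
```

Run against the posted rules it reports UDP 137 and UDP 138 addressed to $EXTIP as unblocked, and prints the two rules that close the gap; appending those and re-running yields no gaps. Blocking the ports at the firewall is only half of the defence-in-depth answer to the original question: the other half is keeping Samba from listening on the external interface at all, so that a mistake in the rules does not expose it.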