I am new to this ML and am sorry if this question has been answered already.

I have a firewall router running Linux having two Ethernet ports (i.e. access to two networks) for INTRANET and INTERNET. This firewall needs to run smbclient to access a share on a Win2K host in the INTRANET. Looking into the Linux kernel message log, I found smbclient is broadcasting NetBIOS name service queries to not only the INTRANET side but also the INTERNET side.

I want to disable the queries to the INTERNET side because it could get forged responses and lead to a security breach. I checked the "hosts allowed" field in smb.conf, but it seems to work only to limit accesses to a Samba server--not to limit anything with smbclient.

I'll appreciate any suggestion.

TIA.
hiro
--
Hiro Sugawara <hiro@arkusa.com>
On Thursday 06 March 2003 01:51 pm, Hiro Sugawara wrote:

> I am new to this ML and am sorry if this question has been answered
> already.
>
> I have a firewall router running Linux having two Ethernet ports (i.e.
> access to two networks) for INTRANET and INTERNET. This firewall needs
> to run smbclient to access a share on a Win2K host in the INTRANET.
> Looking into the Linux kernel message log, I found smbclient is
> broadcasting NetBIOS name service queries to not only the INTRANET side
> but also the INTERNET side.
>
> I want to disable the queries to the INTERNET side because it could get
> forged responses and lead to a security breach. I checked the "hosts
> allowed" field in smb.conf, but it seems to work only to limit accesses
> to a Samba server--not to limit anything with smbclient.
>
> I'll appreciate any suggestion.
>
> TIA.
> hiro
> --
> Hiro Sugawara <hiro@arkusa.com>

Hi,

use the parameter "interfaces" in smb.conf:

-------------------------------
man smb.conf:
...
interfaces (G)
    This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.

    ex:
    interfaces = eth0 192.168.2.10/24 192.168.3.10/255.255.255.0

    would configure three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0.
    [...]
    Default: all active interfaces except 127.0.0.1 that are broadcast capable...
---------------------------------

You also can combine it with "bind interfaces only"

Cheers
--
| Sylvestre TABURET - 1024D/030E1B7E
| . MandrakeSoft - staburet@mandrakesoft.com
| . Hewlett-Packard - sylvestre.taburet@hp.com
| CCA07:7809, 20555 SH 249, Houston, TX, 77070 - USA
On Thu, 6 Mar 2003 14:10:27 -0600 Sylvestre TABURET <staburet@mandrakesoft.com> wrote:

> use the parameter "interfaces" in smb.conf:

> You also can combine it with "bind interfaces only"

Thank you for the good advice. Yes, it worked!

Now a new question: How does "bind interfaces only" work? Does it accept "yes" or "no," or IP addresses? Does it override "hosts allowed"?

Actually, I never run smbd and nmbd on this host, so the server side protection is unnecessary, but I am curious.

hiro
--
Hiro Sugawara <hiro@arkusa.com>
On Thu, 6 Mar 2003, Hiro Sugawara wrote:

>
> On Thu, 6 Mar 2003 14:10:27 -0600
> Sylvestre TABURET <staburet@mandrakesoft.com> wrote:
>
> > use the parameter "interfaces" in smb.conf:
>
> > You also can combine it with "bind interfaces only"
>
> Thank you for the good advice. Yes, it worked!
>
> Now a new question: How does "bind interfaces only" work? Does it accept
> "yes" or "no," or IP addresses? Does it override "hosts allowed"?

Try:

    interfaces = eth0 lo
    bind interfaces only = Yes

You only need hosts allow/deny if there is a risk/possibility of foreign machines trying to access your server.

> Actually, I never run smbd and nmbd on this host, so the server side
> protection is unnecessary, but I am curious.

Oh. Well the interfaces/bind thing is meant for Samba servers and I can not see how you are doing that if you are not running smbd/nmbd. Nice one!

PS: If you are using smbfs, that is NOT samba.

- John T.

> hiro

--
John H Terpstra
Email: jht@samba.org
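Added example (not part of the thread, and not Samba's own code): a Python check that reads the `interfaces` line from smb.conf, in the forms the quoted man page excerpt lists, and reports any entry that would put NBT traffic on the outside interface. The interface name `eth1`, the 203.0.113.0/24 network and the sample config are constructed assumptions; matching `eth*`-style wildcards follows the smb.conf man page rather than this thread.

```python
import fnmatch
import ipaddress


def global_params(conf_text):
    """Return [global] parameters; smb.conf ignores case and spaces in names."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.lower().split())] = value.strip()
    return params


def audit(conf_text, external_ifaces, external_nets):
    """List reasons why NBT traffic could still use an external interface."""
    params = global_params(conf_text)
    nets = [ipaddress.ip_network(n) for n in external_nets]
    if "interfaces" not in params:
        return ["interfaces not set: every broadcast-capable interface is used"]
    findings = []
    for token in params["interfaces"].split():
        try:
            # Accepts IP, IP/masklen and IP/netmask, as in the man page excerpt.
            addr = ipaddress.ip_interface(token).ip
        except ValueError:
            # Not an address, so treat it as an interface name or wildcard.
            if any(fnmatch.fnmatch(i, token) for i in external_ifaces):
                findings.append(f"'{token}' matches an external interface")
        else:
            if any(addr in n for n in nets):
                findings.append(f"'{token}' is inside an external network")
    return findings


# Constructed sample: eth0 = INTRANET, eth1 = INTERNET (203.0.113.0/24).
SAMPLE = """
[global]
   Interfaces = eth0 lo 203.0.113.5/255.255.255.0
   bind interfaces only = Yes
"""

if __name__ == "__main__":
    print(audit(SAMPLE, ["eth1"], ["203.0.113.0/24"]))
```

An empty result means no listed entry maps to the outside interface; a capture of UDP port 137 on that interface remains the direct confirmation.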