samba - Jun 2004 - listenning on interfaces

Hello,

I am new to samba and i would to well secure it.

In smb.conf, I entered the following lines :

hosts allow = 192.168.0.2 127.0.0.1
hosts deny = 0.0.0.0/0
bind interfaces only = yes
interfaces = eth0 lo

I thought that it would only listens on the local machine and my internal Lan
(which is on eth0 192.168.0.1) but nmbd seems to always listen on UDP/137 and
UDP/138 (netbios-ns and netbios-dgm) on 0.0.0.0/0. Here is the output of netstat
:

[root@ServeurLinux user]# netstat -taup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                     Foreign Address     State 
PID/Program name
tcp     0             0         192.168.0.1:netbios-ssn         *:*             
LISTEN     3800/smbd
tcp     0             0         ServeurLinu:netbios-ssn         *:*             
LISTEN     3800/smbd
tcp     0             0        ServeurLinux:ipp                    *:*          
LISTEN     3707/cupsd
tcp     0             0         192.168.0.:microsoft-ds         *:*             
LISTEN     3800/smbd
tcp     0             0         ServeurLin:microsoft-ds         *:*             
LISTEN     3800/smbd
udp     0             0        192.168.0.1:netbios-ns         *:*               
3804/nmbd
udp     0             0        *:netbios-ns                         *:*         
3804/nmbd
udp     0             0         192.168.0.1:netbios-dgm     *:*                 
3804/nmbd
udp     0             0         *:netbios-dgm                         *:*       
3804/nmbd


What is netbios-ns and netbios-dgm? I would prefer that nmbd doesn't listen
on *:netbios-ns and *:netbios-dgm because I will connect my server to the
internet through eth1 10.0.0.1. How can I do it?

Thanks for any help.

Jean Lee.

maybe iptables? but dont forget to open some ports for the clients:

111.tcp
137.udp
138.udp
139.tcp
22.tcp
2222.udp
445.tcp
631.tcp
67.udp
80.tcp
and maybe 88.tcp for ads

for example on a share connect. the xp clients look for a webserver on 80 to
show the folder/drive content, the same for port 2222. if you drop the
packets, the home drive is slow, because the client timed out and get no
answer for special kind of service/feature.

cheers tom

On 15.06.2004 10:11 Uhr, "Jean LEE" <jean_lee_3@hotmail.com>
wrote:
> Hello,
> 
> I am new to samba and i would to well secure it.
> 
> In smb.conf, I entered the following lines :
> 
> hosts allow = 192.168.0.2 127.0.0.1
> hosts deny = 0.0.0.0/0
> bind interfaces only = yes
> interfaces = eth0 lo
> 
> I thought that it would only listens on the local machine and my internal
Lan
> (which is on eth0 192.168.0.1) but nmbd seems to always listen on UDP/137
and
> UDP/138 (netbios-ns and netbios-dgm) on 0.0.0.0/0. Here is the output of
> netstat :
> 
> [root@ServeurLinux user]# netstat -taup
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address                     Foreign Address
> State     PID/Program name
> tcp     0             0         192.168.0.1:netbios-ssn         *:*
> LISTEN     3800/smbd
> tcp     0             0         ServeurLinu:netbios-ssn         *:*
> LISTEN     3800/smbd
> tcp     0             0        ServeurLinux:ipp                    *:*
> LISTEN     3707/cupsd
> tcp     0             0         192.168.0.:microsoft-ds         *:*
> LISTEN     3800/smbd
> tcp     0             0         ServeurLin:microsoft-ds         *:*
> LISTEN     3800/smbd
> udp     0             0        192.168.0.1:netbios-ns         *:*
> 3804/nmbd
> udp     0             0        *:netbios-ns                         *:*
> 3804/nmbd
> udp     0             0         192.168.0.1:netbios-dgm     *:*
> 3804/nmbd
> udp     0             0         *:netbios-dgm                         *:*
> 3804/nmbd
> 
> 
> What is netbios-ns and netbios-dgm? I would prefer that nmbd doesn't
listen on
> *:netbios-ns and *:netbios-dgm because I will connect my server to the
> internet through eth1 10.0.0.1. How can I do it?
> 
> Thanks for any help.
> 
> Jean Lee.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  http://lists.samba.org/mailman/listinfo/samba
> 
Dipl. Betriebswirt(BA) f. Inf. Thomas Werner
Webmaster / Network Administrator
ESMT European School of Management and Technology GmbH
Schlossplatz 1
D-10178 Berlin 
Germany 

Tel: +49 (0)30 21231 - 1085
Fax: +49 (0)30 21231 - 9
E-mail: werner@esmt.org
Web: http://www.esmt.org