CpServiceSPb .
2015-Jan-11 14:46 UTC
[Samba] Samba4 and 0.0.0.0:137 and 0.0.0.0:138 opened, why ? How do close it ?
Thanks for this answer.

As I understood, for example, if the parameter bind interfaces only = yes is set and interfaces = lan0 (192.168.0.254) is set, and if a broadcast packet comes from 95.95.95.14, such a packet will be dropped (in other words)? Am I right?

And another thing. Why is 192.168.0.255 (network broadcast) opened? Maybe exactly this address (network broadcast) is intended for receiving broadcasts within the exact subnet, but 0.0.0.0 is for all subnets?

And is it possible to turn off 0.0.0.0 via smb.conf?

2015-01-11 17:24 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:

> Hello,
>
> On 11.01.2015 at 14:55, CpServiceSPb . wrote:
> > Here are 3 faces at Ubuntu: lo, lan and wan.
> > There are lines:
> > bind interfaces only = yes
> > interfaces = lo lan0
> > in smb.conf
> >
> > But netstat -tulpn shows a 0.0.0.0 bound address:
> > tcp 0 0 192.168.0.254:139 0.0.0.0:* LISTEN smbd
> > udp 0 0 192.168.0.255:137 0.0.0.0:* nmbd
> > udp 0 0 192.168.0.254:137 0.0.0.0:* nmbd
> > *udp 0 0 0.0.0.0:137 0.0.0.0:* nmbd*
> > udp 0 0 192.168.0.255:138 0.0.0.0:* nmbd
> > udp 0 0 192.168.0.254:138 0.0.0.0:* nmbd
> > *udp 0 0 0.0.0.0:138 0.0.0.0:* nmbd*
> >
> > I don't like *udp 0 0 0.0.0.0:port* at all!
> >
> > Why is it so?
>
> The smb.conf man page answers this question ('bind interfaces only'):
>
> ... nmbd also binds to the "all addresses" interface (0.0.0.0) on ports
> 137 and 138 for the purposes of reading broadcast messages. If this
> option is not set then nmbd will service name requests on all of these
> sockets. If bind interfaces only is set then nmbd will check the source
> address of any packets coming in on the broadcast sockets and discard
> any that don't match the broadcast addresses of the interfaces in the
> interfaces parameter list. ...
>
> Regards,
> Marc
CpServiceSPb .
2015-Jan-11 14:58 UTC
[Samba] Samba4 and 0.0.0.0:137 and 0.0.0.0:138 opened, why ? How do close it ?
I have found that 0.0.0.0:port can be "closed" by setting socket address = the desired IP addresses, for example socket address = 127.0.0.1 192.168.0.254

2015-01-11 17:46 GMT+03:00 CpServiceSPb . <cpservicespb at gmail.com>:

> Thanks for this answer.
>
> As I understood, for example, if the parameter bind interfaces only = yes
> is set and interfaces = lan0 (192.168.0.254) is set, and if a broadcast
> packet comes from 95.95.95.14, such a packet will be dropped (in other
> words)? Am I right?
>
> And another thing. Why is 192.168.0.255 (network broadcast) opened? Maybe
> exactly this address (network broadcast) is intended for receiving
> broadcasts within the exact subnet, but 0.0.0.0 is for all subnets?
>
> And is it possible to turn off 0.0.0.0 via smb.conf?
>
> 2015-01-11 17:24 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Hello,
>>
>> On 11.01.2015 at 14:55, CpServiceSPb . wrote:
>> > Here are 3 faces at Ubuntu: lo, lan and wan.
>> > There are lines:
>> > bind interfaces only = yes
>> > interfaces = lo lan0
>> > in smb.conf
>> >
>> > But netstat -tulpn shows a 0.0.0.0 bound address:
>> > tcp 0 0 192.168.0.254:139 0.0.0.0:* LISTEN smbd
>> > udp 0 0 192.168.0.255:137 0.0.0.0:* nmbd
>> > udp 0 0 192.168.0.254:137 0.0.0.0:* nmbd
>> > *udp 0 0 0.0.0.0:137 0.0.0.0:* nmbd*
>> > udp 0 0 192.168.0.255:138 0.0.0.0:* nmbd
>> > udp 0 0 192.168.0.254:138 0.0.0.0:* nmbd
>> > *udp 0 0 0.0.0.0:138 0.0.0.0:* nmbd*
>> >
>> > I don't like *udp 0 0 0.0.0.0:port* at all!
>> >
>> > Why is it so?
>>
>> The smb.conf man page answers this question ('bind interfaces only'):
>>
>> ... nmbd also binds to the "all addresses" interface (0.0.0.0) on ports
>> 137 and 138 for the purposes of reading broadcast messages. If this
>> option is not set then nmbd will service name requests on all of these
>> sockets. If bind interfaces only is set then nmbd will check the source
>> address of any packets coming in on the broadcast sockets and discard
>> any that don't match the broadcast addresses of the interfaces in the
>> interfaces parameter list. ...
>>
>> Regards,
>> Marc
Rowland Penny
2015-Jan-11 15:52 UTC
[Samba] Samba4 and 0.0.0.0:137 and 0.0.0.0:138 opened, why ? How do close it ?
On 11/01/15 14:58, CpServiceSPb . wrote:

> I have found that 0.0.0.0:port can be "closed" by setting socket
> address = the desired IP addresses,
> for example socket address = 127.0.0.1 192.168.0.254
>
> 2015-01-11 17:46 GMT+03:00 CpServiceSPb . <cpservicespb at gmail.com>:
>
>> Thanks for this answer.
>>
>> As I understood, for example, if the parameter bind interfaces only = yes
>> is set and interfaces = lan0 (192.168.0.254) is set, and if a broadcast
>> packet comes from 95.95.95.14, such a packet will be dropped (in other
>> words)? Am I right?
>>
>> And another thing. Why is 192.168.0.255 (network broadcast) opened? Maybe
>> exactly this address (network broadcast) is intended for receiving
>> broadcasts within the exact subnet, but 0.0.0.0 is for all subnets?
>>
>> And is it possible to turn off 0.0.0.0 via smb.conf?
>>
>> 2015-01-11 17:24 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello,
>>>
>>> On 11.01.2015 at 14:55, CpServiceSPb . wrote:
>>>> Here are 3 faces at Ubuntu: lo, lan and wan.
>>>> There are lines:
>>>> bind interfaces only = yes
>>>> interfaces = lo lan0
>>>> in smb.conf
>>>>
>>>> But netstat -tulpn shows a 0.0.0.0 bound address:
>>>> tcp 0 0 192.168.0.254:139 0.0.0.0:* LISTEN smbd
>>>> udp 0 0 192.168.0.255:137 0.0.0.0:* nmbd
>>>> udp 0 0 192.168.0.254:137 0.0.0.0:* nmbd
>>>> *udp 0 0 0.0.0.0:137 0.0.0.0:* nmbd*
>>>> udp 0 0 192.168.0.255:138 0.0.0.0:* nmbd
>>>> udp 0 0 192.168.0.254:138 0.0.0.0:* nmbd
>>>> *udp 0 0 0.0.0.0:138 0.0.0.0:* nmbd*
>>>>
>>>> I don't like *udp 0 0 0.0.0.0:port* at all!
>>>>
>>>> Why is it so?
>>>
>>> The smb.conf man page answers this question ('bind interfaces only'):
>>>
>>> ... nmbd also binds to the "all addresses" interface (0.0.0.0) on ports
>>> 137 and 138 for the purposes of reading broadcast messages. If this
>>> option is not set then nmbd will service name requests on all of these
>>> sockets. If bind interfaces only is set then nmbd will check the source
>>> address of any packets coming in on the broadcast sockets and discard
>>> any that don't match the broadcast addresses of the interfaces in the
>>> interfaces parameter list. ...
>>>
>>> Regards,
>>> Marc

I am a bit confused here. You have set Samba to only listen on the lo and lan0 interfaces, and these have the IP addresses of 127.0.0.1 & 192.168.0.254. You do not like nmbd listening on 0.0.0.0, so you have turned it off. You do know that in this context, 0.0.0.0 means listen on all IP addresses on the machine that Samba is set to use. So what you are really saying is 'I do not like nmbd listening on all this machine's Samba IP addresses, so I will stop them listening on all these IP addresses and only let them listen on 127.0.0.1 & 192.168.0.254', which are the only IP addresses that Samba will listen on anyway.

Rowland
CpServiceSPb .
2015-Jan-11 18:15 UTC
[Samba] Samba4 and 0.0.0.0:137 and 0.0.0.0:138 opened, why ? How do close it ?
Hmmm, I found something at https://lists.samba.org/archive/samba-technical/2012-July/085752.html

As I saw, these patches were already implemented. But is it possible to receive broadcasts not on 0.0.0.0 but on x.y.z.255? This is a network broadcast too. And an opened 0.0.0.0, even with checking of the source net, is quite insecure from a network security point of view. I think so. Maybe it is necessary to add some smb.conf parameter that would allow setting x.y.z.255 instead of 0.0.0.0?

2015-01-11 17:58 GMT+03:00 CpServiceSPb . <cpservicespb at gmail.com>:

> I have found that 0.0.0.0:port can be "closed" by setting socket
> address = the desired IP addresses,
> for example socket address = 127.0.0.1 192.168.0.254
>
> 2015-01-11 17:46 GMT+03:00 CpServiceSPb . <cpservicespb at gmail.com>:
>
>> Thanks for this answer.
>>
>> As I understood, for example, if the parameter bind interfaces only = yes
>> is set and interfaces = lan0 (192.168.0.254) is set, and if a broadcast
>> packet comes from 95.95.95.14, such a packet will be dropped (in other
>> words)? Am I right?
>>
>> And another thing. Why is 192.168.0.255 (network broadcast) opened? Maybe
>> exactly this address (network broadcast) is intended for receiving
>> broadcasts within the exact subnet, but 0.0.0.0 is for all subnets?
>>
>> And is it possible to turn off 0.0.0.0 via smb.conf?
>>
>> 2015-01-11 17:24 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>
>>> Hello,
>>>
>>> On 11.01.2015 at 14:55, CpServiceSPb . wrote:
>>> > Here are 3 faces at Ubuntu: lo, lan and wan.
>>> > There are lines:
>>> > bind interfaces only = yes
>>> > interfaces = lo lan0
>>> > in smb.conf
>>> >
>>> > But netstat -tulpn shows a 0.0.0.0 bound address:
>>> > tcp 0 0 192.168.0.254:139 0.0.0.0:* LISTEN smbd
>>> > udp 0 0 192.168.0.255:137 0.0.0.0:* nmbd
>>> > udp 0 0 192.168.0.254:137 0.0.0.0:* nmbd
>>> > *udp 0 0 0.0.0.0:137 0.0.0.0:* nmbd*
>>> > udp 0 0 192.168.0.255:138 0.0.0.0:* nmbd
>>> > udp 0 0 192.168.0.254:138 0.0.0.0:* nmbd
>>> > *udp 0 0 0.0.0.0:138 0.0.0.0:* nmbd*
>>> >
>>> > I don't like *udp 0 0 0.0.0.0:port* at all!
>>> >
>>> > Why is it so?
>>>
>>> The smb.conf man page answers this question ('bind interfaces only'):
>>>
>>> ... nmbd also binds to the "all addresses" interface (0.0.0.0) on ports
>>> 137 and 138 for the purposes of reading broadcast messages. If this
>>> option is not set then nmbd will service name requests on all of these
>>> sockets. If bind interfaces only is set then nmbd will check the source
>>> address of any packets coming in on the broadcast sockets and discard
>>> any that don't match the broadcast addresses of the interfaces in the
>>> interfaces parameter list. ...
>>>
>>> Regards,
>>> Marc
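
An added example, not part of the thread and not Samba code: it classifies the socket rows posted above against the configured interfaces and models the source check the quoted man page describes. The /8 and /24 prefix lengths, the function names, and the reading of the check as "sender is on a listed interface's subnet" are assumptions.

```python
import ipaddress

# From the thread: interfaces = lo lan0. Prefix lengths /8 and /24 are assumed.
INTERFACES = [ipaddress.ip_interface("127.0.0.1/8"),
              ipaddress.ip_interface("192.168.0.254/24")]

# Socket rows as posted in the thread, wrapped lines rejoined.
NETSTAT = """\
tcp 0 0 192.168.0.254:139 0.0.0.0:* LISTEN smbd
udp 0 0 192.168.0.255:137 0.0.0.0:* nmbd
udp 0 0 192.168.0.254:137 0.0.0.0:* nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* nmbd
udp 0 0 192.168.0.255:138 0.0.0.0:* nmbd
udp 0 0 192.168.0.254:138 0.0.0.0:* nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* nmbd
"""

def classify_bind(addr):
    """Label a local bind address relative to the configured interfaces."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "wildcard"
    for iface in INTERFACES:
        if ip == iface.ip:
            return "interface"
        if ip == iface.network.broadcast_address:
            return "subnet-broadcast"
    return "unexpected"

def audit(netstat_text):
    """Return (proto, local_addr, port, program, label) for each socket row."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue
        addr, _, port = f[3].rpartition(":")
        rows.append((f[0], addr, int(port), f[-1], classify_bind(addr)))
    return rows

def source_allowed(src):
    """Assumed model of the man page's check: sender must be on a listed subnet."""
    ip = ipaddress.ip_address(src)
    return any(ip in iface.network for iface in INTERFACES)

if __name__ == "__main__":
    for row in audit(NETSTAT):
        print(*row)
    for src in ("192.168.0.17", "95.95.95.14"):
        print(src, "accepted" if source_allowed(src) else "discarded")
```

A check of this kind relies on the source address carried in the UDP header, so a packet filter that drops ports 137 and 138 on the wan interface is what actually keeps outside traffic away from the wildcard socket.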