2012/4/26 Tuxoholic <tuxoho...@hotmail.de>:
> hi list
>
> Can somebody explain why smbd and nmbd are not affected by the following
> strict ruleset in /etc/hosts* ?
>
> /etc/hosts
> 127.0.0.1 MYHOSTNAME localhost.localdomain localhost
> 127.0.1.1 MYHOSTNAME
> 192.168.2.10 MYSERVER
>
> cat /etc/hosts.allow
> #ALL: localhost 127.0.1.1 192.168.2.0/24
> ALL: localhost 127.0.1.1 192.168.2.0/32
>
> /etc/hosts.deny
> ALL: ALL
>
> With this ruleset in place nmbd broadcasts still pull through and cifs mounts
> are still possible, whereas ssh/rsh access is no longer possible.
>
> To get rid of nmbd/smbd access I have to tweak smb.conf additionally:
>
> /etc/samba/smb.conf
>
> [global]
> bind interfaces only = Yes
> interfaces = 127.0.0.0/8, eth0
> ;; hosts allow = 192.168.2.0/24, 127.
> hosts allow = 192.168.2.0/32, 127.
> hosts deny = ALL
>
> With this smb.conf tweaking it works fine, but why could smbd/nmbd run past
> /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?
>
> To my limited CIDR understanding a /32 mask should restrict access to
> 192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.
>
> Once this denies all services I'd set it to /24 to have access to the whole
> "subnet" from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/blu0-smtp149485f83cd3709473ea7d5d8...@phx.gbl
>

Hi,

My two cents:

I think the problem here is between the tcpwrapper Linux implementation and the
samba package.

Are you running samba as a daemon or from inetd?

I think you are running it as a daemon and I believe (check on the internet)
samba must be compiled in a tcpwrapper friendly way (I don't know if this is
the default).

Running samba from inetd must work OK as inetd is tcpwrapper friendly.

If this doesn't help you, you can try iptables (but your workaround is OK too).

Best regards.

--------------------------------------------------------------------------------------
Juan Sierra Pons j...@elsotanillo.net
Linux User Registered: #257202
http://www.elsotanillo.net
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
--------------------------------------------------------------------------------------
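
Added example (not part of either message, and not Samba or tcp_wrappers code): a small model of address allow-list matching, run over the two "hosts allow" lines from the smb.conf quoted above, to show which client addresses each prefix length admits. The matching rules (a trailing-dot prefix or an address/prefix-length network), the function names and the client addresses are assumptions constructed for illustration.

```python
import ipaddress

# The two "hosts allow" variants from the smb.conf quoted in the thread.
STRICT = ["192.168.2.0/32", "127."]
WIDE = ["192.168.2.0/24", "127."]

# Constructed client addresses to test against both lists.
CLIENTS = ["192.168.2.0", "192.168.2.1", "192.168.2.10", "127.0.1.1", "10.0.0.5"]


def entry_matches(entry, client):
    """Return True if one allow-list entry covers the client address.

    Simplified model (assumption): an entry is either a trailing-dot
    prefix such as "127." or a network in address/prefix-length form.
    """
    addr = ipaddress.ip_address(client)  # rejects malformed client input
    if entry.endswith("."):
        return client.startswith(entry)
    return addr in ipaddress.ip_network(entry, strict=False)


def is_allowed(client, entries):
    """A client is admitted if any entry in the list covers it."""
    return any(entry_matches(entry, client) for entry in entries)


def covered_count(entry):
    """Number of addresses an address/prefix-length entry covers."""
    return ipaddress.ip_network(entry, strict=False).num_addresses


if __name__ == "__main__":
    for name, entries in (("/32 list", STRICT), ("/24 list", WIDE)):
        print(name, "covers", covered_count(entries[0]), "address(es) in 192.168.2.x")
        for client in CLIENTS:
            verdict = "allow" if is_allowed(client, entries) else "deny"
            print(f"  {client:<14} {verdict}")
```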