Juan is correct. However my two cents - don't rely on hosts.allow and hosts.deny for anything. Just use iptables rules to do this type of thing.
Also, most don't consider samba to be a very secure service (last CVE was only a few weeks ago) so be very careful with this service.

On Apr 26, 2012 5:37 AM, "Juan Sierra Pons" <j...@elsotanillo.net> wrote:

> 2012/4/26 Tuxoholic <tuxoho...@hotmail.de>:
> > hi list
> >
> > Can somebody explain why smbd and nmbd are not affected by the following
> > strict ruleset in /etc/hosts* ?
> >
> > /etc/hosts
> > 127.0.0.1 MYHOSTNAME localhost.localdomain localhost
> > 127.0.1.1 MYHOSTNAME
> > 192.168.2.10 MYSERVER
> >
> > cat /etc/hosts.allow
> > #ALL: localhost 127.0.1.1 192.168.2.0/24
> > ALL: localhost 127.0.1.1 192.168.2.0/32
> >
> > /etc/hosts.deny
> > ALL: ALL
> >
> > With this ruleset in place nmbd broadcasts still pull through and cifs
> > mounts are still possible, whereas ssh/rsh access is no longer possible.
> >
> > To get rid of nmbd/smbd access I have to tweak smb.conf additionally:
> >
> > /etc/samba/smb.conf
> >
> > [global]
> > bind interfaces only = Yes
> > interfaces = 127.0.0.0/8, eth0
> > ;; hosts allow = 192.168.2.0/24, 127.
> > hosts allow = 192.168.2.0/32, 127.
> > hosts deny = ALL
> >
> > With this smb.conf tweaking it works fine, but why could smbd/nmbd run
> > past /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?
> >
> > To my limited CIDR understanding a /32 mask should restrict access to
> > 192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.
> >
> > Once this denies all services I'd set it to /24 to have access to the
> > whole "subnet" from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1
>
> Hi,
>
> My two cents:
>
> I think the problem here is between the tcpwrapper Linux implementation
> and the samba package.
> Are you running samba as a daemon or from inetd?
>
> I think you are running it as a daemon and I believe (check on the
> internet) samba must be compiled in a tcpwrapper friendly way (I don't
> know if this is the default)
>
> Running samba from inetd must work OK as inetd is tcpwrapper friendly.
>
> If this doesn't help you, you can try iptables (but your workaround is OK
> too)
>
> Best regards.
>
> Juan Sierra Pons j...@elsotanillo.net
> Linux User Registered: #257202 http://www.elsotanillo.net
> GPG key = 0xA110F4FE
> Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
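
The iptables approach recommended in the reply, sketched as an added example that is not part of the original thread: a shell function that prints an iptables-restore fragment limiting the Samba ports to one subnet. The function name `samba_rules` and the chain name `SAMBA_IN` are assumptions made for illustration; the subnet is the one from the thread.

```shell
#!/bin/sh
# Added example: print an iptables-restore fragment that limits Samba to one subnet.
# samba_rules and the SAMBA_IN chain are hypothetical names, not from the thread.
# Ports: 137-138/udp (nmbd, NetBIOS name/datagram), 139/tcp and 445/tcp (smbd).
# Note: in iptables, -s 192.168.2.0/32 matches the single address 192.168.2.0;
# /24 covers 192.168.2.0-192.168.2.255.

samba_rules() {
    subnet="$1"
    # Coarse syntax check: only digits and dots, with exactly one "/prefix".
    case "$subnet" in
        ''|*[!0-9./]*|*/*/*|/*|*/) echo "bad subnet: $subnet" >&2; return 1 ;;
        */*) ;;
        *) echo "missing /prefix: $subnet" >&2; return 1 ;;
    esac
    prefix="${subnet#*/}"
    case "$prefix" in
        *.*) echo "bad prefix: $prefix" >&2; return 1 ;;
    esac
    if [ "$prefix" -gt 32 ]; then
        echo "prefix out of range: $prefix" >&2
        return 1
    fi
    # The jumps are appended to INPUT, so earlier INPUT rules that already
    # accept this traffic still take precedence.
    cat <<EOF
*filter
:SAMBA_IN - [0:0]
-A INPUT -p udp -m multiport --dports 137,138 -j SAMBA_IN
-A INPUT -p tcp -m multiport --dports 139,445 -j SAMBA_IN
-A SAMBA_IN -i lo -j ACCEPT
-A SAMBA_IN -s $subnet -j ACCEPT
-A SAMBA_IN -j DROP
COMMIT
EOF
}

# Print the fragment when a subnet is given on the command line. To load it,
# pipe the output to "iptables-restore --noflush" as root (run once; a second
# run appends the INPUT jumps again).
if [ "$#" -gt 0 ]; then
    samba_rules "$1"
fi
```

Unlike hosts.allow and hosts.deny, these rules are enforced by the kernel and do not depend on whether smbd and nmbd were built with tcpwrapper support.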