From: Marc Perisa
Date: Wed, 03 Jul 2002 20:40:33 +0200
To: adaml@visimation.com
Cc: Danny Horne, 'freebsd-questions'
Subject: Re: Samba on firewall - any issues?
Message-ID: <3D234521.8000907@porsche.de>

Danny Horne wrote:

>>-----Original Message-----
>>From: owner-freebsd-questions@FreeBSD.ORG
>>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Adam Lofstedt
>>Sent: Wednesday 3 July 2002 5:40 pm
>>To: 'freebsd-questions'
>>Subject: Samba on firewall - any issues?
>>
>>I want to install Samba on BSD box to get the two systems talking. But,
>>before I do something stupid, is there anything I need to know about
>>putting Samba on a machine that acts as a firewall?
>>I only want file sharing access on internal interface. Are there any
>>security concerns in this type of situation?
>>
>I'm in no way an expert but you'd want to make sure Samba is only listening
>on the internal interface, in the [global] section of smb.conf you'll need
>something like -
>interfaces = ??? (insert interface name here)
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message

You may also choose to change your ruleset accordingly.

The problem is: if there ever is a bug in Samba which allows remote shells
you can get rooted. If your colleagues know them before you that will be a
problem. If you change the ipfilter rules and/or the address Samba is
listening on, perhaps Samba will be available to the outside ...

If you HAVE TO do it.

First of all: A firewall is a machine which is used to monitor/regulate the
traffic and authorize it. For that only "trusted" persons should have an
account on it. It should not be exploitable - making it useless. Because of
that, normally NOTHING runs on a firewall - other than firewalling.

If you have the chance to build a DMZ and put the FTP/Samba server in it -
do it. But not ON the firewall.

Hope that helps

Marc
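
An added example, not part of the original thread: a small audit of the smb.conf [global] section for the "internal interface only" setup discussed above, run against a weak and a hardened config. The interface names fxp0 (external) and fxp1 (internal) and the 192.168.1. network are assumptions, and the parser does not handle backslash line continuations.

```python
import re

# Constructed sample configs (not from the thread). Assumed names:
# fxp0 = external interface, fxp1 = internal interface on 192.168.1.0/24.
WEAK = """[global]
   workgroup = OFFICE
   interfaces = fxp1
"""
HARDENED = """[global]
   workgroup = OFFICE
   interfaces = fxp1 127.0.0.1
   bind interfaces only = yes
   hosts allow = 192.168.1. 127.
   hosts deny = ALL
"""

def global_params(text):
    """Return [global] parameters; keys are lower-cased with whitespace removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text, external_ifaces=("fxp0",)):
    """List the reasons Samba could still be reachable from the outside."""
    p, findings = global_params(text), []
    ifaces = re.split(r"[,\s]+", p.get("interfaces", "").strip()) if p.get("interfaces") else []
    if not ifaces:
        findings.append("interfaces not set: Samba uses every active broadcast-capable interface")
    if p.get("bindinterfacesonly", "no").lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is off: smbd still binds all addresses")
    for bad in sorted(set(ifaces) & set(external_ifaces)):
        findings.append(f"external interface {bad} is listed in interfaces")
    if not {"hostsallow", "allowhosts"} & p.keys():
        findings.append("no hosts allow: any source address may connect")
    return findings

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```

On the real machine, `testparm -s` shows the configuration Samba actually parsed, and `sockstat -4l` on FreeBSD shows which addresses smbd and nmbd ended up bound to.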