Date:      Fri, 16 Dec 2005 10:13:13 -0800
From:      BSD Mail <bsdmail@gmail.com>
To:        FreeBSD-questions@freebsd.org
Subject:   Closing some open ports
Message-ID:  <8be663db0512161013n10cb8599sdcc0aefbd87c257@mail.gmail.com>

Greetings,

I've finished installing a FreeBSD RELENG_6_0 which carries
DNS/Apache/DHCP/SAMBA/TFTP
Chrooted Bind9 / chrooted DHCP, and the tftp port is listening on the int_if only
through inetd.
Apache is only serving intranet site for docs.

I know, too many services on one machine, but it's not my call.

My problem is with SAMBA and SNMP (for the mrtg graph). I want them to bind to
specific IPs instead of listening on *:port. My sockstat -4l shows:

<snip>
root     snmpd      717   6  udp4   *:161                 *:*
root     smbd       709   21 tcp4   *:445                 *:*
root     smbd       709   22 tcp4   *:139                 *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   7  udp4   *:138                 *:*
root     nmbd       705   8  udp4   10.99.99.254:137      *:*
root     nmbd       705   9  udp4   10.99.99.254:138      *:*
root     nmbd       705   10 udp4   10.98.98.254:137      *:*
root     nmbd       705   11 udp4   10.98.98.254:138      *:*
<snip>

My general practice is always to bind each and every service to a specific
IP for containing it, unless it's needed, such as DHCP. I looked on samba's
website first on how to make samba run as non-root; unfortunately it looks
like that is not possible, as far as I'm aware of, which is insane.
Although I have "hosts allow" and "interfaces" statements in smb.conf
listening only on the internal LAN, I can still scan my network with nmap
from another network and get this:

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

I can install samba inside a jail(8), but it will still be running as root
and the ports will show up. Or I can put some rules
in pf.conf to restrict access to whatever I want from outside.

But maybe there is another way to do that, I'm all ears.

All I want is to get rid of this:
root     smbd       709   21 tcp4   *:445                 *:*
root     smbd       709   22 tcp4   *:139                 *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   7  udp4   *:138                 *:*

I can live with it running as root in my LAN, as long as it doesn't show on
the external interface when port scanning.


Thanks in advance,

--
BSDMail
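Added example, not part of the original message or of any reply: a small sh/awk check over
`sockstat -4l` output that lists every socket bound to the wildcard address (`*:port`, i.e.
reachable on every interface including the external one) and that can assert a given daemon
is bound only to an allowed set of internal IPs. The first sample is the sockstat excerpt
quoted in the post; the second sample is constructed here to show what the same listing is
expected to look like once smbd is bound to the internal addresses only. The addresses
10.99.99.254 and 10.98.98.254 are taken from the post; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): find wildcard-bound listeners in
# "sockstat -4l" output and check that a daemon binds only to allowed addresses.

# Sample 1: the sockstat excerpt quoted in the post, including sockstat's header line.
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     snmpd      717   6  udp4   *:161                 *:*
root     smbd       709   21 tcp4   *:445                 *:*
root     smbd       709   22 tcp4   *:139                 *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   7  udp4   *:138                 *:*
root     nmbd       705   8  udp4   10.99.99.254:137      *:*
root     nmbd       705   9  udp4   10.99.99.254:138      *:*
root     nmbd       705   10 udp4   10.98.98.254:137      *:*
root     nmbd       705   11 udp4   10.98.98.254:138      *:*'

# Sample 2 (constructed, not captured from a real host): smbd bound to the two
# internal addresses only, while nmbd still keeps its wildcard sockets for
# reading broadcasts, as the Samba documentation describes for "bind interfaces only".
SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       709   21 tcp4   10.99.99.254:445      *:*
root     smbd       709   22 tcp4   10.99.99.254:139      *:*
root     smbd       709   23 tcp4   10.98.98.254:445      *:*
root     smbd       709   24 tcp4   10.98.98.254:139      *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   7  udp4   *:138                 *:*
root     nmbd       705   8  udp4   10.99.99.254:137      *:*
root     nmbd       705   9  udp4   10.99.99.254:138      *:*'

# wildcard_listeners: read sockstat output on stdin and print "command proto port"
# for every socket whose LOCAL ADDRESS is *:port. The header line is skipped
# automatically because its sixth column ("LOCAL") does not match the pattern.
wildcard_listeners() {
    awk '$6 ~ /^\*:[0-9]+$/ { split($6, a, ":"); print $2, $5, a[2] }'
}

# wildcard_count: number of wildcard-bound sockets in the input.
wildcard_count() {
    wildcard_listeners | wc -l | tr -d ' '
}

# listens_only_on COMMAND "ADDR1 ADDR2 ...": exit 0 only if every socket owned by
# COMMAND is bound to one of the listed addresses (so a wildcard bind, or a bind
# to an address outside the internal LAN, makes the check fail).
listens_only_on() {
    cmd=$1
    allowed=$2
    awk -v cmd="$cmd" -v allowed="$allowed" '
        BEGIN { n = split(allowed, ok, " "); for (i = 1; i <= n; i++) okset[ok[i]] = 1 }
        $2 == cmd { split($6, a, ":"); if (!(a[1] in okset)) bad++ }
        END { exit (bad > 0) }'
}

# Stand-alone run: report on the "before" sample, then check smbd in the "after" sample.
if [ "${0##*/}" != "sh" ] && [ -z "$SOCKSTAT_CHECK_NO_MAIN" ]; then
    echo "wildcard listeners in the quoted sockstat output:"
    printf '%s\n' "$SAMPLE_BEFORE" | wildcard_listeners
    if printf '%s\n' "$SAMPLE_AFTER" | listens_only_on smbd "10.99.99.254 10.98.98.254"; then
        echo "after: smbd is bound to internal addresses only"
    fi
fi
```

On the live system, run `sockstat -4l | sh -c '. ./check.sh; wildcard_listeners'` (or just
paste the functions into a shell) before and after changing the configuration. For smbd the
relevant smb.conf knob is `bind interfaces only = yes` next to the existing `interfaces`
line; `interfaces` and `hosts allow` on their own do not stop smbd from opening `*:139` and
`*:445`. nmbd, per the Samba documentation, keeps a socket on the all-addresses interface
for 137/138 to receive broadcasts even with that setting, so those two UDP ports still need
a pf rule on the external interface. For net-snmp, the `agentaddress` directive in snmpd.conf
selects the listening address in the same way.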
