From: BSD Mail
To: FreeBSD-questions@freebsd.org
Date: Fri, 16 Dec 2005 10:13:13 -0800
Subject: Closing some open ports

Greetings,

I've finished installing a FreeBSD RELENG_6_0 box which carries DNS/Apache/DHCP/SAMBA/TFTP: chrooted Bind9, chrooted DHCP, and the tftp port is listening on the int_if only, thru inetd.
Apache is only serving an intranet site for docs. I know, too many services on one machine, but it's not my call.

My problem is with SAMBA and SNMP (for mrtg graphs): I want them to bind to specific IPs instead of listening on *:port. My sockstat -4l shows:

    root     snmpd      717   6  udp4   *:161                 *:*
    root     smbd       709   21 tcp4   *:445                 *:*
    root     smbd       709   22 tcp4   *:139                 *:*
    root     nmbd       705   6  udp4   *:137                 *:*
    root     nmbd       705   7  udp4   *:138                 *:*
    root     nmbd       705   8  udp4   10.99.99.254:137      *:*
    root     nmbd       705   9  udp4   10.99.99.254:138      *:*
    root     nmbd       705   10 udp4   10.98.98.254:137      *:*
    root     nmbd       705   11 udp4   10.98.98.254:138      *:*

My general practice is always to bind each and every service to a specific IP to contain it, unless it's needed, such as with DHCP.

I looked on samba's website first on how to make samba run as non-root; unfortunately it looks like that is not possible, as far as I'm aware of, which is insane. Although I have "hosts allow" and "interfaces" statements in smb.conf, listening only on the internal LAN, I can still scan my network with nmap from another network and get this:

    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds

I can install samba inside a jail(8), but it will still be running as root and the ports will show up. Or I can put some rules in pf.conf to restrict access to whatever I want from outside. But maybe there is another way to do that; I'm all ears. All I want is to get rid of this:

    root     smbd       709   21 tcp4   *:445                 *:*
    root     smbd       709   22 tcp4   *:139                 *:*
    root     nmbd       705   6  udp4   *:137                 *:*
    root     nmbd       705   7  udp4   *:138                 *:*

I can live with it running as root in my LAN, as long as it doesn't show on the external interface when port scanning.

Thanks in advance,

--
BSDMail
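The following is an added example, not part of the original post or a reply to it. It shows the smb.conf [global] fragment the poster describes (interfaces plus hosts allow, which does not stop smbd from binding the wildcard address) next to the corrected fragment with `bind interfaces only = yes`, the net-snmp `agentaddress` directive that pins snmpd to specific addresses (net-snmp is assumed from the process name `snmpd`; the FreeBSD base agent is `bsnmpd`), and a pf rule for the external interface. The interface names em0/em1/em2 are hypothetical; the addresses are the ones in the sockstat output above. Two caveats a practitioner should know: `bind interfaces only` does not change the fact that smbd runs as root, and nmbd still opens 0.0.0.0:137/138 to read broadcasts even with that option set (it discards packets from addresses not in `interfaces`), so the pf rule is what actually keeps 137/138 off the external interface. The block also includes a small `sockstat -4l` filter that lists wildcard-bound sockets, run over a constructed copy of the poster's output, so the result of a change can be checked without a remote nmap scan.

```shell
#!/bin/sh
# Added example, not from the original post. em0/em1 are assumed to be
# the internal interfaces and em2 the external one (hypothetical names).

# What the post describes: "interfaces" and "hosts allow" alone. hosts allow
# filters connections after accept(); smbd still listens on *:139 and *:445.
SMB_CONF_BEFORE='[global]
   interfaces = 10.99.99.254/24 10.98.98.254/24
   hosts allow = 10.99.99. 10.98.98. 127.'

# Corrected: bind interfaces only = yes makes smbd bind only the listed
# interfaces. lo0 is included so local tools (smbpasswd etc.) still work.
# nmbd keeps a 0.0.0.0:137/138 broadcast socket regardless (Samba docs).
SMB_CONF_AFTER='[global]
   interfaces = lo0 10.99.99.254/24 10.98.98.254/24
   bind interfaces only = yes
   hosts allow = 10.99.99. 10.98.98. 127.'

# net-snmp snmpd.conf: explicit listeners instead of the default *:161.
SNMPD_CONF_AFTER='agentaddress udp:10.99.99.254:161,udp:10.98.98.254:161'

# pf.conf: drop the NetBIOS/SMB/SNMP ports on the external interface so
# that nothing bound to the wildcard address is reachable from outside.
PF_RULES='ext_if = "em2"
block in quick on $ext_if proto { tcp, udp } from any to any port { 137, 138, 139, 445, 161 }'

# check_samba_bind CONF: return 0 if [global] pins the sockets, i.e. it has
# "bind interfaces only = yes" and a non-empty "interfaces" list.
check_samba_bind() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*bind interfaces only[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' ||
        return 1
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*interfaces[[:space:]]*=[[:space:]]*[^[:space:]]' ||
        return 1
    return 0
}

# wildcard_listeners: read "sockstat -4l" output on stdin and print the
# command, protocol and local address of each socket bound to "*:port".
# Field 6 is LOCAL ADDRESS on data rows; NR > 1 skips the header row.
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:/ { print $2, $5, $6 }'
}

# count_wildcard_listeners: same filter, but just the number of hits.
count_wildcard_listeners() {
    wildcard_listeners | awk 'END { print NR }'
}

# Constructed sample, copied from the sockstat output in the post.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     snmpd      717   6  udp4   *:161                 *:*
root     smbd       709   21 tcp4   *:445                 *:*
root     smbd       709   22 tcp4   *:139                 *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   7  udp4   *:138                 *:*
root     nmbd       705   8  udp4   10.99.99.254:137      *:*
root     nmbd       705   9  udp4   10.99.99.254:138      *:*
root     nmbd       705   10 udp4   10.98.98.254:137      *:*
root     nmbd       705   11 udp4   10.98.98.254:138      *:*'

# Demo: show which sockets the sample has on the wildcard address, and
# whether each smb.conf variant pins the smbd sockets.
printf '%s\n' "$SAMPLE_SOCKSTAT" | wildcard_listeners
for v in BEFORE AFTER; do
    eval conf=\$SMB_CONF_$v
    if check_samba_bind "$conf"; then
        echo "smb.conf $v: smbd bound to listed interfaces only"
    else
        echo "smb.conf $v: smbd will listen on *:139 and *:445"
    fi
done
```

On the live box the same filter is run as `sockstat -4l | wildcard_listeners`; after `bind interfaces only = yes` and a restart of smbd, the two `smbd *:445` / `*:139` rows should be gone, while the `nmbd *:137` / `*:138` rows remain and are covered by the pf rule.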