On Sun, 22 Jul 2012 15:59:29 +0800 lina <lina.lastn...@gmail.com> wrote:
> On Sun, Jul 22, 2012 at 3:49 PM, Andrei POPESCU
> <andreimpope...@gmail.com> wrote:
> > On Du, 22 iul 12, 15:41:16, lina wrote:
> >>
> >> Thanks, I don't have some basic understanding about samba,
> >> will read something about it.
> >> just a short quick question, is it necessary to keep it?
> >
> > Only you can tell since we don't know what you use/need.
> I felt a bit silly to ask, and a bit annoyed about myself for knowing
> so little.
> seems no need to share files with outside.
> have rejected all inbound towards the port 139 and 445.
>

These ports should never be open to the Net, or any potentially hostile
computers, as there is a great deal of activity by bots looking for open
Windows shares.

If this machine is part of a network which shares files using the
Windows SMB protocol, and this machine hosts shares, then the ports need
to be open to the other network machines. If it's a standalone computer,
or doesn't host any shares, you don't need samba running at all, or even
installed. If you need to access SMB shares on other machines, the
client programs to do this do not need the main samba program to be
installed.

You should probably be working towards rejecting all incoming packets,
and only explicitly permitting what you need. That way, you don't need
to worry about samba ports or what the portmapper does, etc.

If you can, run nmap from another network computer to see what ports are
actually available, since netstat doesn't take iptables filtering into
account, and can worry you needlessly. If you have a standalone
computer, Shields Up!! on the site http://grc.com will show ports open
to the Internet, but it can do only very limited tests compared with
nmap, and you must ignore all the dire warnings on the site, intended to
panic Windows users into doing something to protect themselves.

If for reasons above, you do need to run samba and allow access, the
samba configuration allows you to specify IP addresses which have access.
The configuration file is a bit of a beast, but the samba web
administration tool (SWAT) takes away some of the pain. Iptables will
also do this, of course, but as always, belt *and* braces... it is
always embarrassing to discover that last time you were debugging a
networking problem, you temporarily turned off iptables and forgot to
re-enable it.

--
Joe
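
Added example, not part of the message above: a small Python check of the point that netstat lists listening ports without regard to iptables, comparing a listener list against `iptables-save` output for a given source address. The ruleset, the LAN range 192.168.1.0/24, the port list and the function names are constructed for illustration, and the parser assumes simple rules where every option takes exactly one value.

```python
import ipaddress

# Constructed sample: `iptables-save` output, default-drop INPUT chain that
# permits SMB (139/445) only from an assumed LAN, 192.168.1.0/24.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed sample: the same chain after a flush with policy ACCEPT,
# i.e. the "forgot to re-enable iptables" state.
FLUSHED = "*filter\n:INPUT ACCEPT [0:0]\nCOMMIT\n"
# Constructed sample: TCP ports netstat reports as listening.
LISTENING = [22, 111, 139, 445]

def verdict(rules, port, src):
    """Fate of a NEW inbound TCP connection from src to port (first match wins)."""
    policy = "ACCEPT"
    for line in rules.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]          # chain default policy
        if not line.startswith("-A INPUT "):
            continue
        tok = line.split()[2:]
        opts = dict(zip(tok[0::2], tok[1::2]))  # assumption: one value per option
        if opts.get("-i") == "lo":
            continue                          # packet arrives from the network
        if "--state" in opts and "NEW" not in opts["--state"].split(","):
            continue                          # rule covers existing flows only
        if opts.get("-p", "tcp") not in ("tcp", "all"):
            continue
        if "--dport" in opts and int(opts["--dport"]) != port:
            continue
        if "-s" in opts and ipaddress.ip_address(src) not in \
                ipaddress.ip_network(opts["-s"], strict=False):
            continue
        if opts.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return opts["-j"]
    return policy

def reachable(rules, listening, src):
    """Listening ports that a host at src can actually connect to."""
    return [p for p in listening if verdict(rules, p, src) == "ACCEPT"]

if __name__ == "__main__":
    for src in ("192.168.1.20", "203.0.113.9"):
        print(src, reachable(RULES, LISTENING, src))
```

This only models the filter table's INPUT chain; an nmap scan from another machine remains the real test.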