Greetings,

I've finished installing a FreeBSD RELENG_6_0 which carries
DNS/Apache/DHCP/SAMBA/TFTP.
Chrooted Bind9 / chrooted DHCP, and the tftp port is listening on the
int_if only thru inetd.
Apache is only serving an intranet site for docs.

I know too many services on one machine, but it's not my call.

My problem is with SAMBA and SNMP "for mrtg graph". I want them to bind to
specific IPs instead of listening on *:port. My sockstat -4l shows:

<snip>
root     snmpd      717   6  udp4   *:161                 *:*
root     smbd       709   21 tcp4   *:445                 *:*
root     smbd       709   22 tcp4   *:139                 *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   7  udp4   *:138                 *:*
root     nmbd       705   8  udp4   10.99.99.254:137      *:*
root     nmbd       705   9  udp4   10.99.99.254:138      *:*
root     nmbd       705   10 udp4   10.98.98.254:137      *:*
root     nmbd       705   11 udp4   10.98.98.254:138      *:*
<snip>

My general practice is always to bind each and every service to a specific
IP for containing it, unless it's needed such as DHCP. I looked on samba's
website first on how to make samba run as non-root; unfortunately it looks
like that is not possible as far as I'm aware, which is insane.
Although I have "hosts allow" and "interfaces" statements in smb.conf
listening only on the internal LAN, I can still scan my network with nmap
from another network and get this:

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

I can install samba inside a jail(8) but it will still be running as root
and the ports will show up. Or I can put some rules in pf.conf to restrict
access to whatever I want from outside.

But maybe there is another way to do that, I'm all ears.

All I want is to get rid of this:
root     smbd       709   21 tcp4   *:445                 *:*
root     smbd       709   22 tcp4   *:139                 *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   7  udp4   *:138                 *:*

I can live with it running as root in my LAN, as long as it doesn't show on
the external interface when port scanning.


Thanks in advance,

--
BSDMail
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
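
Added example, not part of the original message: a small audit of the
"bind every service to a specific IP" practice described above, which reads
`sockstat -4l` output and reports listeners still bound to the wildcard
address. The ALLOW_WILDCARD allowlist, the function names and the dhcpd
sample row are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag IPv4 listeners bound to *:port in `sockstat -4l` output.
# ALLOW_WILDCARD is a hypothetical allowlist (space or comma separated) of
# commands that are permitted to listen on the wildcard address, e.g. DHCP.
ALLOW_WILDCARD="${ALLOW_WILDCARD:-dhcpd}"

# Reads sockstat -4l output on stdin and prints "command proto port" for each
# wildcard listener whose command is not on the allowlist.
wildcard_listeners() {
    awk -v allow="$ALLOW_WILDCARD" '
        BEGIN {
            n = split(allow, a, /[ ,]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Data rows: USER COMMAND PID FD PROTO LOCAL FOREIGN
        # The header row and <snip> markers fail the PROTO match and are skipped.
        NF >= 7 && $5 ~ /^(tcp|udp)4$/ && $6 ~ /^\*:/ && !($2 in ok) {
            port = $6
            sub(/^\*:/, "", port)
            print $2, $5, port
        }
    '
}

# Sample input: rows copied from the sockstat output in the message, plus a
# header line and one constructed dhcpd row to exercise the allowlist.
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
dhcpd    dhcpd      650   7  udp4   *:67                  *:*
root     snmpd      717   6  udp4   *:161                 *:*
root     smbd       709   21 tcp4   *:445                 *:*
root     smbd       709   22 tcp4   *:139                 *:*
root     nmbd       705   6  udp4   *:137                 *:*
root     nmbd       705   8  udp4   10.99.99.254:137      *:*
EOF
}

# On a live host this would be: sockstat -4l | wildcard_listeners
sample_sockstat | wildcard_listeners
```

Running the same check before and after a configuration change shows whether
the wildcard sockets are actually gone, independent of any packet filter.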