Greetings,

I've finished installing a FreeBSD RELENG_6_0 which carries DNS/Apache/DHCP/SAMBA/TFTP. Chrooted Bind9 / chrooted DHCP, and the tftp port is listening on the int_if only thru inetd. Apache is only serving an intranet site for docs.
I know, too many services on one machine, but it's not my call. My problem is with SAMBA and SNMP "for mrtg graph". I want them to bind to specific IPs instead of listening on *:port. My sockstat -4l shows:

    <snip>
    root snmpd 717 6  udp4 *:161            *:*
    root smbd  709 21 tcp4 *:445            *:*
    root smbd  709 22 tcp4 *:139            *:*
    root nmbd  705 6  udp4 *:137            *:*
    root nmbd  705 7  udp4 *:138            *:*
    root nmbd  705 8  udp4 10.99.99.254:137 *:*
    root nmbd  705 9  udp4 10.99.99.254:138 *:*
    root nmbd  705 10 udp4 10.98.98.254:137 *:*
    root nmbd  705 11 udp4 10.98.98.254:138 *:*
    <snip>

My general practice is always to bind each and every service to a specific IP for containing it, unless it's needed such as DHCP. I looked on samba's website first on how to make samba run as non-root; unfortunately it looks like that is not possible as far as I'm aware of, which is insane.

Although I have "hosts allow" and "interfaces" statements in smb.conf listening only on the internal LAN, I can still scan my network with nmap from another network and get this:

    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    445/tcp open  microsoft-ds

I can install samba inside a jail(8), but it will still be running as root and the ports will show up. Or I can put some rules in pf.conf to restrict access to whatever I want from outside. But maybe there is another way to do that, I'm all ears.

All I want is to get rid of this:

    root smbd 709 21 tcp4 *:445 *:*
    root smbd 709 22 tcp4 *:139 *:*
    root nmbd 705 6  udp4 *:137 *:*
    root nmbd 705 7  udp4 *:138 *:*

I can live with it running as root in my LAN, as long as it doesn't show on the external interface when port scanning.

Thanks in advance,

--
BSDMail
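
Added example, not part of the original post: a small audit helper that reads `sockstat -4l` output and reports every listener bound to the wildcard address, so the check described above can be repeated after each configuration change. The function names, the allowlist argument and the `dhcpd` sample line are assumptions made for illustration; the other sample lines are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: flag wildcard-bound listeners in `sockstat -4l` output.
# Assumed column layout: USER COMMAND PID FD PROTO LOCAL FOREIGN

# wildcard_listeners [ALLOWED_COMMANDS]
# Reads sockstat -4l output on stdin and prints "command proto port" for
# each socket whose local address is *:port. Commands named in the
# comma-separated allowlist (e.g. a DHCP server that must hear
# broadcasts) are skipped.
wildcard_listeners() {
    awk -v allow="${1:-}" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "USER" { next }    # header line
        NF < 7       { next }    # <snip> markers, blank or truncated lines
        $6 ~ /^\*:[0-9]+$/ && !($2 in ok) {
            split($6, la, ":")
            print $2, $5, la[2]
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample: the sockstat lines from the post, plus a header
# and a made-up dhcpd entry to exercise the allowlist.
sample_sockstat() {
    cat <<'EOF'
USER  COMMAND PID FD PROTO LOCAL ADDRESS     FOREIGN ADDRESS
dhcpd dhcpd   640 7  udp4  *:67              *:*
root  snmpd   717 6  udp4  *:161             *:*
root  smbd    709 21 tcp4  *:445             *:*
root  smbd    709 22 tcp4  *:139             *:*
root  nmbd    705 6  udp4  *:137             *:*
root  nmbd    705 7  udp4  *:138             *:*
root  nmbd    705 8  udp4  10.99.99.254:137  *:*
root  nmbd    705 9  udp4  10.99.99.254:138  *:*
root  nmbd    705 10 udp4  10.98.98.254:137  *:*
root  nmbd    705 11 udp4  10.98.98.254:138  *:*
EOF
}

# Demo on the sample; on the host itself use:
#   sockstat -4l | wildcard_listeners dhcpd
sample_sockstat | wildcard_listeners dhcpd
```

Sockets bound to 10.99.99.254 or 10.98.98.254 are not reported; only the `*:port` entries are, which are the ones reachable on every interface unless a packet filter blocks them.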