Re: Broadcast packets

To: Pedro Corte-Real <typo@netcabo.pt>
Cc: Jim Penny <jpenny@universal-fasteners.com>, <debian-firewall@lists.debian.org>
Subject: Re: Broadcast packets
From: Alexander List <alexlist@sbox.tu-graz.ac.at>
Date: Fri, 19 Oct 2001 17:57:16 +0200 (CEST)
Message-id: <Pine.LNX.4.33.0110191733430.22379-100000@linux.babenberg.vc-graz.ac.at>
In-reply-to: <EXCH01SMTP01rGGXP9w000422cd@smtp.netcabo.pt>

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 18 Oct 2001, Pedro Corte-Real wrote:

> > > I asked if it was possible to hear broadcast packages without binding to
> > > 0.0.0.0 (all interfaces) but to 192.168.1.0 instead. Anyone know?

> That alone produces a config where samba listens on 0.0.0.0:137-138.
> I reported that as a bug and got an awnser that to listen to broadcasts you
> actualy had to bind like that. I find that odd since every interface has a
> broadcast address. Any guru out there care to enlighten me?

Not a guru, but I tried with Stevens, UNIX network Programming, Vol. 1,
and I also used Google, and found the behaviour the system SHOULD show:

http://samba.he.net/using_samba/ch04_06.html

[snip]
Finally, the bind interfaces only option instructs the nmbd process not to
accept any broadcast messages other than those subnets specified with the
interfaces option. Note that this is different from the hosts allow and
hosts deny options, which prevent machines from making connections to
services, but not from receiving broadcast messages. Using the bind
interfaces only option is a way to shut out even datagrams from foreign
subnets from being received by the Samba server. In addition, it instructs
the smbd process to bind to only the interface list given by the
interfaces option. This restricts the networks that Samba will serve.
[snip]

However, I think that such options in the daemon are not an appropriate
security measure. You might want to set up strict firewall rules to
prevent any outsider from connecting to your SAMBA machine. Running SAMBA
on the same machine as your Firewall is *evil*, but I admit that many
small businesses with one-box-for-everything will use such a setup...

regards

Alex

- -- 
People often think of research as a form of development -- that it's
about doing exactly what you planned, doing it on time, and doing it
with resources that you said you'd use.  But if you're going to do
that, you have to know what you are doing, and if you know what you
are doing, it isn't really research."
             --Dave Liddle, The New Yorker, Feb. 23/Mar.2, 1998, p84

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBO9BNaGWTYnZjEXP1AQFuZgP+Pd3WWMVzB4IlhGVH3w4w3Zp8idC/+kZY
6Vkmqpr9OUHy0b7lPu5Osv8pJRKcdPoMYgbcUIei/P7jeFwCeoGO4oqwGS6tNm3D
CGY3JHcG9xLW2GTr2js6DrJONSVCqANSlO+5gsnab13HoX40cwlHB9DGTU2RAROC
GEUSuns8qMY=
=iCD9
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: Broadcast packets
  - From: Pedro Corte-Real <typo@netcabo.pt>

References:
- Re: Broadcast packets
  - From: Pedro Corte-Real <typo@netcabo.pt>

Prev by Date: expert kernel config for iptables.
Next by Date: Re: Broadcast packets
Previous by thread: Re: Broadcast packets
Next by thread: Re: Broadcast packets
Index(es):
- Date
- Thread