
Re: How /etc/hosts.allow /etc/hosts.deny and smb.conf play along



2012/4/26 Tuxoholic <tuxoholic@hotmail.de>:
> hi list
>
> Can somebody explain why smbd and nmbd are not affected by the following
> strict ruleset in /etc/hosts* ?
>
> /etc/hosts
> 127.0.0.1       MYHOSTNAME localhost.localdomain localhost
> 127.0.1.1       MYHOSTNAME
> 192.168.2.10    MYSERVER
>
> cat /etc/hosts.allow
> #ALL: localhost 127.0.1.1 192.168.2.0/24
> ALL: localhost 127.0.1.1 192.168.2.0/32
>
> /etc/hosts.deny
> ALL: ALL
>
> With this ruleset in place nmbd broadcasts still pull through and cifs mounts
> are still possible, whereas ssh/rsh access is no longer possible.
>
> To get rid of nmbd/smbd access I have to tweak smb.conf additionally:
>
> /etc/samba/smb.conf
>
> [global]
>        bind interfaces only = Yes
>        interfaces = 127.0.0.0/8, eth0
>        ;; hosts allow = 192.168.2.0/24, 127.
>        hosts allow = 192.168.2.0/32, 127.
>        hosts deny = ALL
>
> With this smb.conf tweaking it works fine, but why could smbd/nmbd run past
> /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?
>
> To my limited CIDR understanding a /32 mask should restrict access to
> 192.168.2.0 and 192.168.2.1 - this should be fine for testing purposes.
>
> Once this denies all services I'd set it to /24 to have access to the whole
> "subnet" from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1
>
>
Hi,

My two cents:

I think the problem here is between the tcpwrapper Linux implementation
and the samba package.
Are you running samba as a daemon or from the inetd?

I think you are running it as a daemon and I believe (check on the
internet) samba must be compiled in a tcpwrapper friendly way (I don't
know if this is the default).

Running samba from inetd must work OK as inetd is tcpwrapper friendly.

If this doesn't help you, you can try iptables (but your workaround is OK too).

Best regards.

--------------------------------------------------------------------------------------
Juan Sierra Pons                                 juan@elsotanillo.net
Linux User Registered: #257202       http://www.elsotanillo.net
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00  6E66 E934 3406 A110 F4FE
--------------------------------------------------------------------------------------
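To make the /32 versus /24 question in the quoted message concrete, here is an added example (not from this thread and not Samba's own code): a small Python evaluator for Samba-style "hosts allow" / "hosts deny" lists, following the documented rule that an allow match wins, then a deny match, and otherwise access is granted. It assumes only the syntax used in the thread (CIDR, a trailing-dot prefix such as "127.", "localhost", plain addresses, "ALL") and uses constructed client addresses.

```python
import ipaddress

# Constructed evaluator for Samba-style "hosts allow" / "hosts deny" lists.
# Supported pattern forms (the subset used in the thread): "ALL", "localhost",
# a dotted prefix ("127." or "192.168.2."), a CIDR network, or a single address.
# This is an added illustration, not Samba's or tcp_wrappers' own matching code.

def _matches(pattern: str, ip: ipaddress.IPv4Address) -> bool:
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "localhost":
        return ip.is_loopback            # any 127.0.0.0/8 address
    if pattern.endswith("."):            # dotted prefix, e.g. "127."
        return str(ip).startswith(pattern)
    if "/" in pattern:                   # CIDR; strict=False accepts host bits set
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def _split(lst: str) -> list:
    return [p for p in lst.replace(",", " ").split() if p]

def is_allowed(client: str, hosts_allow: str, hosts_deny: str = "ALL") -> bool:
    """Allow-list match grants, else deny-list match refuses, else granted."""
    ip = ipaddress.ip_address(client)
    if any(_matches(p, ip) for p in _split(hosts_allow)):
        return True
    if any(_matches(p, ip) for p in _split(hosts_deny)):
        return False
    return True

def admitted(clients: list, hosts_allow: str, hosts_deny: str = "ALL") -> list:
    """Return the subset of constructed client addresses the lists admit."""
    return [c for c in clients if is_allowed(c, hosts_allow, hosts_deny)]

if __name__ == "__main__":
    # Constructed sample clients: the server from /etc/hosts, a LAN peer, loopback, outsider.
    clients = ["192.168.2.10", "192.168.2.1", "192.168.2.0", "127.0.0.1", "10.0.0.5"]
    for allow in ("localhost 127.0.1.1 192.168.2.0/32", "localhost 127.0.1.1 192.168.2.0/24"):
        net = ipaddress.ip_network(allow.split()[-1], strict=False)
        print(f"{allow!r}: {net} covers {net.num_addresses} address(es) ->",
              admitted(clients, allow))
```

The /32 form covers exactly one address (192.168.2.0, the network address itself), so with "hosts deny = ALL" every real LAN host is refused; only the /24 form admits 192.168.2.1 through 192.168.2.255.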

