[Solved] Stop Samba from listening on jail IP addresses?

I have a jail and when I port-scan it from another system it shows that the Samba TCP ports (139,445) are open. I don't have Samba installed in the specific jail but it is installed and running on the host. I tried setting:

Code:
interfaces = 192.168.5.222/24

...in smb.conf on the host which should limit it to listening only on the host address. Unfortunately that doesn't work. The jail's address is 192.168.5.225.

I also tried:

Code:
interfaces = 192.168.5.222

and

Code:
interfaces = 192.168.5.222/32

...in smb.conf

I'm running FreeBSD 10-RELEASE and Samba 3.6.22.

Thanks! :D
 
Re: How to stop Samba ports from listening on jail IP addres

I added
Code:
 bind interfaces only = Yes

...to smb.conf and that resolved the issue.
 
Re: How to stop Samba ports from listening on jail IP addres

Using a /24 mask is useless since this specifies an address range, not a single address.

I think you're jumping to conclusions here (no offense): have you tried to discover what process is actually listening on those ports?

So start by running something like this: # sockstat -4lp 137 on the host and share the output. That should give us some hints on what is actually listening on those ports (and how). That should provide some useful clues.

Now, the reason why your approach failed is because interfaces is used to specify multiple interfaces to which Samba should listen. See also the default (demo) config file as well as the smb.conf(5) manual page. What you need, besides using interfaces, is to specify that you want to use a single interface. For that you have the global (G) setting bind interfaces only.

So what I'd use is something like this:

Code:
bind interfaces only = yes
interfaces = 127.0.0.1/8 192.168.5.222/32

Then restart Samba and it should now only be listening on the host addresses while leaving the jail alone.

Edit: you beat me to the punch, oh well. I left my message because I think it's still important to note that your initial netmask was wrong. Also, if you only let Samba listen on the main IP address without specifying the localhost as well you can also run into problems since some tools and processes rely on the option to have access through the localhost.
 
If you hadn't noticed, I replied to my post about an hour before you did stating that the issue is resolved.
If you look at the smb.conf example that gets installed by default, it has the following listed in it:

Code:
interfaces = 192.168.12.2/24 192.168.13.2/24

That's the reason I tried specifying the 24bit subnet mask. If you read my original post, I also tried it with /32 and without the subnet mask at all.

As per your example, 127.0.0.1/8 is incorrect also because 127.0.0.1 is a host (localhost in this specific case) in the 127.0.0.0/8 subnet. 127.0.0.0 is the subnet/unusable address.
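
The sockstat check suggested in the thread, as an added example that is not part of any post: a shell function (hypothetical name, constructed sockstat output) that flags smbd/nmbd sockets bound to the wildcard or to any address outside an allowed list. The allowed addresses used here are 127.0.0.1 and the host's 192.168.5.222 from the thread.

```shell
#!/bin/sh
# Added example: flag Samba listeners reachable on addresses other than the
# ones the host is meant to serve (for instance a jail's IP alias).
# Reads `sockstat -4l` output on stdin; arguments are the allowed local IPs.
# Prints "command address:port" for each smbd/nmbd socket bound elsewhere.
samba_stray_listeners() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "smbd" || $2 == "nmbd" {
            sock = $6
            addr = sock
            sub(/:[^:]*$/, "", addr)      # strip the :port suffix
            # "*" is a wildcard bind: it answers on every address in the
            # host network stack, including aliases assigned to jails.
            if (addr == "*" || !(addr in ok)) print $2, sock
        }'
}

# Constructed sample: "interfaces" set, "bind interfaces only" not set.
sample_before() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       1412  27 tcp4   *:445                 *:*
root     smbd       1412  28 tcp4   *:139                 *:*
root     nmbd       1408  10 udp4   *:137                 *:*
root     sshd       901   4  tcp4   *:22                  *:*
EOF
}

# Constructed sample: after adding "bind interfaces only = yes".
sample_after() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       1533  27 tcp4   127.0.0.1:445         *:*
root     smbd       1533  28 tcp4   192.168.5.222:445     *:*
root     smbd       1533  29 tcp4   127.0.0.1:139         *:*
root     smbd       1533  30 tcp4   192.168.5.222:139     *:*
root     sshd       901   4  tcp4   *:22                  *:*
EOF
}

# Live use on the host: sockstat -4l | samba_stray_listeners 127.0.0.1 192.168.5.222
echo "before:"; sample_before | samba_stray_listeners 127.0.0.1 192.168.5.222
echo "after:";  sample_after  | samba_stray_listeners 127.0.0.1 192.168.5.222
```

Empty output means every Samba socket is bound to an allowed address; rerun the check after each Samba restart or smb.conf change.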
 