04-26-2012, 11:34 AM
Clive Standbridge

How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

Hi Tuxoholic,

[...]

> With this smb.conf tweaking it works fine, but why could smbd/nmbd run past
> /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?

Already answered by Juan Sierra Pons.

> To my limited CIDR understanding a /32 mask should restrict access to
> 192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.

Not sure about that. You can check it with ipcalc (in the ipcalc package):

$ ipcalc 192.168.2.0/32
Address: 192.168.2.0 11000000.10101000.00000010.00000000
Netmask: 255.255.255.255 = 32 11111111.11111111.11111111.11111111
Wildcard: 0.0.0.0 00000000.00000000.00000000.00000000
=>
Hostroute: 192.168.2.0 11000000.10101000.00000010.00000000
Hosts/Net: 1 Class C, Private Internet

So it looks like you need a 31 bit netmask for that address range:

$ ipcalc 192.168.2.0/31
Address: 192.168.2.0 11000000.10101000.00000010.0000000 0
Netmask: 255.255.255.254 = 31 11111111.11111111.11111111.1111111 0
Wildcard: 0.0.0.1 00000000.00000000.00000000.0000000 1
=>
Network: 192.168.2.0/31 11000000.10101000.00000010.0000000 0
HostMin: 192.168.2.0 11000000.10101000.00000010.0000000 0
HostMax: 192.168.2.1 11000000.10101000.00000010.0000000 1
Hosts/Net: 2 Class C, Private Internet, PtP Link RFC 3021


> Once this denies all services I'd set it to /24 to have access to the
> whole "subnet" from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1

Well you don't seem to be allowed .0 and .255:

$ ipcalc 192.168.2.0/24
Address: 192.168.2.0 11000000.10101000.00000010. 00000000
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111. 00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000. 11111111
=>
Network: 192.168.2.0/24 11000000.10101000.00000010. 00000000
HostMin: 192.168.2.1 11000000.10101000.00000010. 00000001
HostMax: 192.168.2.254 11000000.10101000.00000010. 11111110
Broadcast: 192.168.2.255 11000000.10101000.00000010. 11111111
Hosts/Net: 254 Class C, Private Internet


I hope this helps.

--
Cheers,
Clive


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120426113448.GA6767@rimmer.localdomain
 
04-26-2012, 01:30 PM
Lou

Thanks for clearing this up Juan and Shawn.

I noticed I could change smbd to run in inetd mode if I flip the switch
in /etc/default/samba, but I don't know how this would improve things,
eventually create new drawback in cifs performance ... so I'll keep it
as it is with additional smb.conf entries + daemon mode.


The server is behind a router/firewall, it should be safe as it is.



On 26.04.2012 12:54, shawn wilson wrote:

Juan is correct. However my two cents - don't rely on hosts.allow and
hosts.deny for anything. Just use iptables rules to do this type of thing.

Also, most don't consider samba to be a very secure service (last CVE
was only a few weeks ago) so be very careful with this service.

On Apr 26, 2012 5:37 AM, "Juan Sierra Pons" <juan@elsotanillo.net> wrote:

I think the problem here is between tcpwrapper linux implementation
and the samba package.
Are you running samba as a daemon or from inetd?

I think you are running it as a daemon and I believe (check on the
internet) samba must be compiled in a tcpwrapper friendly way (I don't
know if this is the default)

Running samba from inetd must work OK as inetd is tcpwrapper friendly.

If this doesn't help you, you can try iptables (but your workaround
is OK too)




Archive: http://lists.debian.org/BLU0-SMTP43485CCA6A02A0AB00E9DB0D8240@phx.gbl
 
04-26-2012, 01:42 PM
Lou

Hello Clive

Thanks for pointing me to ipcalc,

I noticed smb.conf has a commented entry for 127.0.0.0/8

This would cover the whole local subnet:

HostMin: 127.0.0.1
HostMax: 127.255.255.254

Does it make sense to cover more than 127.0.0.1 and 127.0.1.1 in
/etc/hosts.allow ?


I don't know of any service using any other than those two addresses.
First one is localhost, the other one should be there for X-server
compatibility.


On 26.04.2012 13:34, Clive Standbridge wrote:



Not sure about that. You can check it with ipcalc (in the ipcalc package):




Archive: http://lists.debian.org/BLU0-SMTP309396095E191DAF6778AA5D8240@phx.gbl
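
Added example, not part of any post in this thread: a Python sketch that works out which client addresses each prefix from Clive's ipcalc runs and from Lou's 127.0.0.0/8 question would admit under a plain mask-and-compare match. The match rule, the ACL list and the sample client addresses are assumptions constructed for illustration. ipcalc's HostMin/HostMax list assignable host addresses, whereas a prefix match also covers the network and broadcast addresses.

```python
import ipaddress

# Constructed ACL: the prefixes discussed in the thread.
ACL = ["192.168.2.0/32", "192.168.2.0/31", "192.168.2.0/24", "127.0.0.0/8"]


def canonical(cidr):
    """Return the entry with host bits cleared, e.g. 192.168.2.1/24 -> 192.168.2.0/24."""
    return str(ipaddress.ip_network(cidr, strict=False))


def covered_range(cidr):
    """First address, last address and address count matched by a prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def matches(cidr, client):
    """Assumed ACL semantics: mask-and-compare, (client & mask) == network."""
    net = ipaddress.ip_network(cidr, strict=False)
    client_int = int(ipaddress.ip_address(client))
    return (client_int & int(net.netmask)) == int(net.network_address)


def allowed_by(acl, client):
    """List every ACL entry that admits the client address."""
    return [cidr for cidr in acl if matches(cidr, client)]


if __name__ == "__main__":
    for cidr in ACL:
        first, last, count = covered_range(cidr)
        print(f"{cidr:<16} {first} - {last} ({count} addresses)")
    # Constructed client addresses, including the edge cases raised in the thread.
    for client in ["192.168.2.0", "192.168.2.1", "192.168.2.2",
                   "192.168.2.255", "192.168.3.1", "127.0.1.1"]:
        print(f"{client:<14} admitted by {allowed_by(ACL, client) or 'nothing'}")
```
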
 
