| View previous topic :: View next topic |
| Author |
Message |
pactoo
Guru
Joined: 18 Jul 2004
Posts: 553
|
 Posted: Wed Feb 04, 2009 8:57 pm Post subject: Bind samba / nfs to specfic IP addresses? |
 |
|
Hello,
currently I have the fun of a multi homed host with 4 NICs, from which only two of them shall offer file services - samba and nfs, that ist. Now, how do I manage to bind those services only to two IP adresses?
I got the
| Code: |
interfaces = 172.16.32.1 10.0.0.1 127.0.0.1
|
directrive in smb.conf, works fine for port 139, but 137 and 138 are still listening on all interfaces
Worse for portmap
Using the "-i" switch in conf.d/portmap , I only manage to either bind to one address or all, but not two (+localhost). Not talking about the other nfs services, as the OPTS_RPC_NFSD variable only seems to take one hostname for -H, also.
So basically the ports 111 and 2049 are listening on all interfaces instead of two, as desired.
Any chances fixing either service without using tcp wrappers or firewalls, which in the end is just fighting symptoms? |
|
| Back to top |
|
 |
Will Scarlet
Apprentice
Joined: 19 Mar 2004
Posts: 239
|
| Posted: Sun Feb 15, 2009 9:10 pm Post subject: |
|
|
From the man of smb.conf:
| Quote: | bind interfaces only (G)
This global parameter allows the Samba admin to limit what interfaces on a
machine will serve SMB requests. It affects file service smbd(8) and name
service nmbd(8) in a slightly different ways.
For name service it causes nmbd to bind to ports 137 and 138 on the interfaces
listed in the interfaces parameter. nmbd also binds to the "all addresses"
interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast
messages. If this option is not set then nmbd will service name requests on all
of these sockets. If bind interfaces only is set then nmbd will check the
source address of any packets coming in on the broadcast sockets and discard
any that don´t match the broadcast addresses of the interfaces in the
interfaces parameter list. As unicast packets are received on the other sockets
it allows nmbd to refuse to serve names to machines that send packets that
arrive through any interfaces not listed in the interfaces list. IP Source
address spoofing does defeat this simple check, however, so it must not be used
seriously as a security feature for nmbd.
For file service it causes smbd(8) to bind only to the interface list given in
the interfaces parameter. This restricts the networks that smbd will serve to
packets coming in those interfaces. Note that you should not use this parameter
for machines that are serving PPP or other intermittent or non-broadcast
network interfaces as it will not cope with non-permanent interfaces.
If bind interfaces only is set then unless the network address 127.0.0.1 is
added to the interfaces parameter list smbpasswd(8) and swat(8) may not work as
expected due to the reasons covered below.
To change a users SMB password, the smbpasswd by default connects to the
localhost - 127.0.0.1 address as an SMB client to issue the password change
request. If bind interfaces only is set then unless the network address
127.0.0.1 is added to the interfaces parameter list then smbpasswd will fail to
connect in it´s default mode. smbpasswd can be forced to use the primary IP
interface of the local host by using its smbpasswd(8) -r remote machine
parameter, with remote machine set to the IP name of the primary interface of
the local host.
The swat status page tries to connect with smbd and nmbd at the address
127.0.0.1 to determine if they are running. Not adding 127.0.0.1 will cause
smbd and nmbd to always show "not running" even if they really are. This can
prevent swat from starting/stopping/restarting smbd and nmbd.
Default: bind interfaces only = no |
So try putting the following line in the [global] section
| Code: | | bind interfaces only = yes |
Hope this helps...
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. |
|
| Back to top |
|
|
pactoo
Guru
Joined: 18 Jul 2004
Posts: 553
|
| Posted: Sun Feb 22, 2009 10:40 am Post subject: |
|
|
| Thanks for you efforts, but this value is already set - and somehow only works for Port 139 |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
