samba and firewalls

Duncan Hill dhill at
Thu Apr 27 03:19:33 GMT 2000

> Steve Cohen wrote:

> One of the points in this book is that a firewall PC should never
> run samba because it opens up vulnerabilities to attack.  The
> author doesn't go into much detail, nor does he offer any
> workarounds.  He just says you shouldn't do it.  Period.

Run IPchains or similar.  Tell it to deny all connections to port 139
of the firewall.  Run portsentry.  Bind Samba to the internal
interface of the machine only.  If samba isn't listening on the
external card (DSL), people can't get to it.  Use IPchains to deny
access to virtually everything if you want to.  Have portsentry log
probes, black-holing them as needed.


Duncan Hill			Sapere aude
My mind not only wanders, it sometimes leaves completely.
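
An added example, not part of the message above and not Samba project code: a small Python check that an smb.conf follows the "bind Samba to the internal interface only" advice, using the smb.conf parameters `interfaces` and `bind interfaces only`. The interface names eth0 (internal) and eth1 (external DSL), the addresses, and both sample configs are constructed assumptions.

```python
import configparser
import fnmatch
import ipaddress

# Constructed samples; eth0 = internal LAN, eth1 = external DSL (assumed names).
WEAK_CONF = """
[global]
workgroup = HOME
interfaces = eth*
"""
HARDENED_CONF = """
[global]
workgroup = HOME
interfaces = lo eth0 192.168.1.1/24
bind interfaces only = yes
"""

def _covers_external(entry, external_if, external_ip):
    """True if one 'interfaces' entry would include the external side."""
    try:
        net = ipaddress.ip_interface(entry).network
        return ipaddress.ip_address(external_ip) in net
    except ValueError:
        # Not an address: an interface name, which may be a wildcard such as eth*.
        return fnmatch.fnmatch(external_if, entry)

def audit_smb_conf(text, external_if="eth1", external_ip="203.0.113.10"):
    """Return findings; an empty list means smbd is kept off the external side."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    # Samba's default is "no", in which case smbd listens on every interface.
    if g.get("bind interfaces only", "no").strip().lower() not in ("yes", "true", "1"):
        findings.append("bind interfaces only is not enabled")
    entries = g.get("interfaces", "").replace(",", " ").split()
    if not entries:
        findings.append("interfaces is unset (all interfaces are used)")
    for entry in entries:
        if _covers_external(entry, external_if, external_ip):
            findings.append(f"interfaces entry {entry!r} covers the external side")
    # smb.conf(5): smbpasswd may not work if loopback is left out of 'interfaces'.
    if entries and not any(e == "lo" or e.startswith("127.") for e in entries):
        findings.append("loopback missing from interfaces (smbpasswd may fail)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf) or "OK")
```

This only checks the Samba side; the packet-filter rule denying port 139 on the external interface is still needed as the second layer the message describes.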
