[Samba] Security concerns?

Anthony Messina amessina at messinet.com
Sun Feb 12 18:32:08 GMT 2006


Steve Freeman wrote:
> Thank you Anthony. The following is the output
> 
> -----------------------------------
> 
> Chain FORWARD (policy DROP)
> num  target     prot opt source               destination
> 1    QUEUE      all  --  anywhere             anywhere
> 2    ACCEPT     all  --  anywhere             anywhere
> 
> Chain INPUT (policy DROP)
> num  target     prot opt source               destination
> 1    QUEUE      all  --  anywhere             anywhere
> 2    ACCEPT     all  --  anywhere             anywhere            (NB - this should refer to loopback)
> 3    ACCEPT     all  --  anywhere             anywhere            (NB - and this one, the internal NIC)
> 4    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:http
> 5    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
> 6    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:domain
> 7    ACCEPT     udp  --  anywhere             anywhere            udp spt:domain
> 8    ACCEPT     udp  --  anywhere             anywhere            udp dpt:8767
> 9    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3000
> 10   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
> 11   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
> 12   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:13139
> 13              tcp  --  anywhere             anywhere            tcp dpts:14690 :14693
> 14   ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:27243 :27425
> 15   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:27900
> 16   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:28900
> 17   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:29900
> 18   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:29901
> 19   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6500
> 20   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6515
> 21   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:3783
> 22   ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ircd
> 23   ACCEPT     udp  --  anywhere             anywhere            udp dpt:13139
> 24              udp  --  anywhere             anywhere            udp dpts:14690 :14693
> 25   ACCEPT     udp  --  anywhere             anywhere            udp dpts:27423 :27425
> 26   ACCEPT     udp  --  anywhere             anywhere            udp dpt:27900
> 27   ACCEPT     udp  --  anywhere             anywhere            udp dpt:28900
> 28   ACCEPT     udp  --  anywhere             anywhere            udp dpt:29900
> 29   ACCEPT     udp  --  anywhere             anywhere            udp dpt:29901
> 30   ACCEPT     udp  --  anywhere             anywhere            udp dpt:6500
> 31   ACCEPT     udp  --  anywhere             anywhere            udp dpt:6515
> 32   ACCEPT     udp  --  anywhere             anywhere            udp dpt:3783
> 33   ACCEPT     udp  --  anywhere             anywhere            udp dpt:ircd
> 34   ACCEPT     udp  --  anywhere             anywhere            udp dpt:20500
> 35   ACCEPT     udp  --  anywhere             anywhere            udp dpt:20510
> 36   ACCEPT     udp  --  anywhere             anywhere            udp dpt:28960
> 
> Chain OUTPUT (policy ACCEPT)
> num  target     prot opt source               destination
> 1    QUEUE      all  --  anywhere             anywhere
> 
> ----------------------------------------
> 
> Kind regards, and thanks again,
> 
> Mike F
> 
>> From: Anthony Messina <amessina at messinet.com>
>>
>> post your iptables rules:
>>
>> ~#] iptables -L --line-numbers
>>

Well Steve, you have it configured, but I am confused about the first
few lines, specifically the first:

1    QUEUE      all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere            (NB - this should refer to loopback)
3    ACCEPT     all  --  anywhere             anywhere            (NB - and this one, the internal NIC)

Your INPUT policy is set to DROP everything, but your first rule is
"QUEUE everything from anywhere to anywhere". According to the iptables
man page:

"QUEUE means to pass the packet to userspace (if supported by the
kernel)."

Do you have some userspace app that will handle all these packets? I
may be way off, but if you don't, then wouldn't this be the equivalent of
allowing everything from anywhere to anywhere?


-- 
My Website: http://messinet.com
My Online Gallery: 
http://messinet.com/modules.php?name=Web_Links&l_op=visit&lid=3
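Added example, not part of the thread: a small audit script that parses `iptables -L --line-numbers` output the way it is posted above and flags the two things raised in this exchange, a catch-all QUEUE rule that delegates every packet to userspace (the rules after it are never what decides a packet's fate: with no handler attached queued packets are dropped, and a handler's ACCEPT verdict ends traversal of the chain) and ACCEPT-all rules whose interface binding `iptables -L` does not display. The sample input is constructed to mirror the posted INPUT chain; the `audit` and `parse_chains` names are this example's own.

```python
import re

# Constructed sample in the shape of `iptables -L --line-numbers` output,
# modelled on the INPUT chain posted in the thread (shortened, not verbatim).
SAMPLE = """\
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    QUEUE      all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
5               tcp  --  anywhere             anywhere            tcp dpts:14690:14693
"""

COLS = ("num", "target", "prot", "opt", "source", "destination")

def parse_chains(text):
    """Return {chain: (policy, [rule dicts])}; rows are sliced at the header's
    column offsets, so a rule with an empty target (rule 5 above) still parses."""
    chains, chain, offsets = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            chain = m.group(1)
            chains[chain] = (m.group(2), [])
        elif line.startswith("num "):
            starts = [line.index(c) for c in COLS]
            offsets = list(zip(COLS, starts, starts[1:] + [None]))
        elif chain and offsets and line.strip():
            rule = {c: line[a:b].strip() for c, a, b in offsets}
            # the last column also carries the match text, e.g. "tcp dpt:ssh"
            dest, _, extra = rule["destination"].partition(" ")
            rule["destination"], rule["extra"] = dest, extra.strip()
            chains[chain][1].append(rule)
    return chains

def audit(text):
    """Findings a reviewer would raise on these chains, as a list of strings."""
    findings = []
    for chain, (policy, rules) in parse_chains(text).items():
        for i, r in enumerate(rules):
            if r["prot"] != "all" or r["extra"] or {r["source"], r["destination"]} != {"anywhere"}:
                continue  # not a catch-all rule, nothing to flag here
            if r["target"] in ("QUEUE", "NFQUEUE"):
                findings.append(f"{chain} rule {r['num']}: catch-all {r['target']} delegates every "
                    f"packet to userspace; the {len(rules) - i - 1} rules after it never decide "
                    "anything (no handler attached: dropped; handler verdict ACCEPT: chain ends)")
            elif r["target"] == "ACCEPT":
                findings.append(f"{chain} rule {r['num']}: ACCEPT all from anywhere; `iptables -L` "
                    "hides interfaces, confirm with `iptables -L -v` that it is bound to lo or the "
                    f"internal NIC, or the {policy} policy is moot")
    return findings
```

Run it against real output with `iptables -L --line-numbers | python3 audit.py`-style piping by replacing `SAMPLE` with `sys.stdin.read()`.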
