[Samba] deny new connections

Steven Broos Steven.Broos at politie.antwerpen.be
Fri Mar 7 05:20:23 MST 2014

Hi Marc,

"Reject" seems a good idea.
I tested the IPtables way and it seems to work.
However, it would be nice if someone with more understanding of the working of the protocol could evaluate it :-)

-----Original Message-----
From: Marc Muehlfeld [mailto:samba at marc-muehlfeld.de] 
Sent: Thursday, 6 March 2014 19:46
To: Steven Broos; 'samba at lists.samba.org'
Subject: Re: [Samba] deny new connections

Hello Steven

On 06.03.2014 14:06, Steven Broos wrote:
> I was wondering: is it possible to deny all new connections to samba,
> but keep the current connections working ?

I don't know a good solution for that inside Samba.

Maybe you can try to set 'max smbd processes' and after a while, if some more users have logged out, reduce it and reload Samba with smbcontrol. 
Don't restart, because your clients will lose the connection!

Repeat this, and when you have finally reached the point where the last one is locked out, you can shut the service down.

I'm not sure if this is a working way. But it's the only one that comes to my mind at the moment for doing this inside Samba.

On 06.03.2014 14:20, Steven Broos wrote:
> I was looking for a solution in Samba, but just tried something with iptables.
> Does this seem like a valid solution ?
> iptables -A INPUT -m state --state new -j DROP

You can try this. I'm not very familiar with the SMB protocol details. 
But newer SMB protocol versions have features for connections that can 
get interrupted and can reconnect without any interruption for the 
client and open files (See 
Maybe if a connection gets temporarily disconnected, but not because the 
client logs out, it wouldn't reconnect and you would lose data, too, if 
a server based application crashes.

If you use the iptables way, don't choose DROP - use REJECT. If you drop 
the connections, the clients have to wait until they get a timeout and 
your client/application could be slow or hanging. If you reject the 
connection, then Windows knows directly that the connection isn't possible.
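
Added example (not part of the original thread): the REJECT advice above written as a rule set scoped to SMB only, so other services such as SSH are not affected. It assumes SMB listens on TCP 445 and 139; the chain name SMB_DRAIN and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: SMB on TCP 445 and 139;
# SMB_DRAIN is a hypothetical chain name chosen for this example.
SMB_PORTS="445 139"
CHAIN="SMB_DRAIN"

# Print the rules that stop new SMB sessions. Nothing is changed on the
# host until the printed lines are executed as root.
smb_drain_rules() {
    echo "iptables -N $CHAIN"
    # Packets of already-tracked connections go back to the normal INPUT rules.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    # New connections get an immediate TCP RST, so clients fail fast
    # instead of waiting for a timeout as they would with a silent discard.
    echo "iptables -A $CHAIN -p tcp -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset"
    for port in $SMB_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $port -j $CHAIN"
    done
}

# Print the rules that undo the drain once maintenance is finished.
smb_undrain_rules() {
    for port in $SMB_PORTS; do
        echo "iptables -D INPUT -p tcp --dport $port -j $CHAIN"
    done
    echo "iptables -F $CHAIN"
    echo "iptables -X $CHAIN"
}

# Count SMB connections that are still established (requires iproute2 'ss').
smb_established_count() {
    ss -Htn state established '( sport = :445 or sport = :139 )' | wc -l
}

# Usage as root:  smb_drain_rules | sh
# Poll smb_established_count until it reaches 0, stop Samba, then:
#                 smb_undrain_rules | sh
```

A client whose TCP connection breaks while the drain is active is treated as a new connection and rejected as well, which is the reconnect concern raised in the message above.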

