Firewall Configuration






Firewall Configuration

As with any services that run on TCP/IP, the SMB networking services offered by Samba can be accessed from across the Internet unless your organization's firewall is configured to prevent it.

The following ports are used by Samba for SMB networking and SWAT:


137/udp

Used for NetBIOS network browsing (nmbd).


138/udp

Used for NetBIOS name service (nmbd).


139/tcp

Used for file and printer sharing and other operations (smbd).


445/tcp

The so called NetBIOS-less CIFS port, which is used by Windows 2000 and later clients (smbd).


901/tcp

Used by SWAT. Unless you have configured complementary stunnel support, it is best to limit access to this port to the loopback interface only.

As stated in Chapter 1, SMB/CIFS is really not Internet-ready. There have been many security improvements in CIFS recently, including the use of Kerberos for authentication, packet integrity check (SMB signing), and Secure Channel communication. However, other than passwords, most data in CIFS networks travels in the clear. If your users require external access to Samba or Windows file servers, it is best to use some type of a Virtual Private Network to secure data in transit. See the O'Reilly book Virtual Private Networks, by Charlie Scott et al., for more information on this subject.

Outside of a VPN solution, it is strongly advised that you block the appropriate ports from access by clients external to your network. In addition, you might wish to configure a firewall on the Samba host system to keep SMB packets from traveling further than necessary within your organization's network. For example, port 901 can be shut down for remote accesses so that SWAT can be run only on the Samba host system. If you are using Samba to serve only a fraction of the client systems within your organization, consider allowing SMB packets (i.e., packets on ports 137139 and 445) to go to or come from only those clients. For more information on configuring firewalls, see Building Internet Firewalls, by Elizabeth D. Zwicky et al. (O'Reilly).



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows