Samba Port Usage: Difference between revisions
Earlier revision by Mmuehlfeld: Added Global Catalog port
Later revision by Mmuehlfeld: Complete re-write (Add missing ports, bring it in tabular form, add notes about dynamic RPC ports, add information for NT4 style domains, etc.)
= Introduction =

When running with a firewall, several protocols/ports must be enabled to allow Samba 4 to operate as expected. These are:

* DNS: port 53 (both TCP and UDP)
* Multicast DNS: port 5353 (both TCP and UDP)
* Samba/smbd: UDP ports 137 - 138, TCP ports 139 and 445
* EPMMAP: TCP port 135
* LDAP: TCP ports 389 and 636, UDP port 389
* Kerberos: ports 88 and 464 (both TCP and UDP)
* Directory Sync: TCP port 1024
* Global Catalog: TCP port 3268

If you want to secure your Samba installation with a firewall, you need to know which ports and protocols it uses. This page gives you an overview.

TODO: Add rules needed for IPTABLES and other firewall types.

= Identify on which ports and interfaces Samba is listening =

You can use "netstat" to identify which ports Samba and related daemons are listening on, and on which IPs:

 # netstat -tulpn | egrep "samba|smbd|nmbd|winbind"

The following is a snippet of an example output:

 tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 43270/smbd
 tcp 0 0 10.0.0.1:139 0.0.0.0:* LISTEN 43270/smbd
 tcp 0 0 10.0.0.1:88 0.0.0.0:* LISTEN 43273/samba
 tcp 0 0 127.0.0.1:88 0.0.0.0:* LISTEN 43273/samba
 tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 43270/smbd
 tcp 0 0 10.0.0.1:445 0.0.0.0:* LISTEN 43270/smbd
 .....

The above example shows that the services are listening on localhost (127.0.0.1) and on the interface with IP 10.0.0.1, each on the listed ports (139, 88, 445, ...).

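The following is an added example, not content from the Samba wiki: it turns netstat output of the shape shown above into a per-daemon listener inventory, labels each port with the service name used in the DC port table on this page, and flags any Samba socket bound to every address (0.0.0.0 or ::). The sample output is constructed: it repeats the lines above and adds an nmbd socket on 0.0.0.0 plus an unrelated sshd line, so the process filter and the wildcard check both have something to act on.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: inventory Samba listeners from
# "netstat -tulpn" output and flag sockets bound to every interface.

# Constructed sample in the same shape as the snippet above. The nmbd line on
# 0.0.0.0 and the sshd line are added so the checks below have work to do.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:139   0.0.0.0:*   LISTEN   43270/smbd
tcp        0      0 10.0.0.1:139    0.0.0.0:*   LISTEN   43270/smbd
tcp        0      0 10.0.0.1:88     0.0.0.0:*   LISTEN   43273/samba
tcp        0      0 127.0.0.1:88    0.0.0.0:*   LISTEN   43273/samba
tcp        0      0 127.0.0.1:445   0.0.0.0:*   LISTEN   43270/smbd
tcp        0      0 10.0.0.1:445    0.0.0.0:*   LISTEN   43270/smbd
udp        0      0 0.0.0.0:137     0.0.0.0:*            43272/nmbd
tcp        0      0 10.0.0.1:22     0.0.0.0:*   LISTEN   1234/sshd'

# Map a port number to the service name used in the DC port table on this page.
samba_service_name() {
    case "$1" in
        53)   echo "DNS" ;;
        88)   echo "Kerberos" ;;
        135)  echo "End Point Mapper" ;;
        137)  echo "NetBIOS Name Service" ;;
        138)  echo "NetBIOS Datagram" ;;
        139)  echo "NetBIOS Session" ;;
        389)  echo "LDAP" ;;
        445)  echo "SMB over TCP" ;;
        464)  echo "Kerberos kpasswd" ;;
        636)  echo "LDAPS" ;;
        3268) echo "Global Catalog" ;;
        3269) echo "Global Catalog SSL" ;;
        5353) echo "Multicast DNS" ;;
        *)    echo "other/dynamic" ;;
    esac
}

# Read netstat -tulpn text on stdin and print one line per Samba listener:
#   proto daemon ip port service
# Only processes matching the egrep above (samba, smbd, nmbd, winbind*) are
# kept. The port is taken after the last ":" so IPv6 forms such as :::445 work.
samba_listeners() {
    awk '$NF ~ /\/(samba|smbd|nmbd|winbind)/ {
        n = split($4, a, ":"); port = a[n]
        ip = substr($4, 1, length($4) - length(port) - 1)
        split($NF, p, "/")
        print $1, p[2], ip, port
    }' | sort | while read -r proto daemon ip port; do
        echo "$proto $daemon $ip $port $(samba_service_name "$port")"
    done
}

# Print the Samba listeners bound to every address (0.0.0.0 or ::); these are
# exactly what "bind interfaces only" is meant to prevent. Returns 1 if any.
wildcard_binds() {
    found=$(samba_listeners | awk '$3 == "0.0.0.0" || $3 == "::"')
    [ -n "$found" ] || return 0
    echo "$found"
    return 1
}

echo "$SAMPLE_NETSTAT" | samba_listeners
echo "$SAMPLE_NETSTAT" | wildcard_binds || echo "WARNING: Samba is listening on all interfaces"
```

On a live host, replace `echo "$SAMPLE_NETSTAT"` with `netstat -tulpn` (run as root so the PID/program column is filled in); the functions read the same columns the page's snippet shows.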
= Port usage when Samba runs as DC =

{| border="1"
!Service
!Port
!protocol
|-
|DNS
|53
|tcp/udp
|-
|Kerberos
|88
|tcp/udp
|-
|End Point Mapper (DCE/RPC Locator Service)
|135
|tcp
|-
|NetBIOS Name Service
|137
|udp
|-
|NetBIOS Datagram
|138
|udp
|-
|NetBIOS Session
|139
|tcp
|-
|LDAP
|389
|tcp/udp
|-
|SMB over TCP
|445
|tcp
|-
|Kerberos kpasswd
|464
|tcp/udp
|-
|LDAPS ''(only if "tls enabled = yes")''
|636
|tcp
|-
|Dynamic RPC Ports*
|1024-5000
|tcp
|-
|Global Catalog
|3268
|tcp
|-
|Global Catalog SSL ''(only if "tls enabled = yes")''
|3269
|tcp
|-
|Multicast DNS
|5353
|tcp/udp
|}

<nowiki>*</nowiki> Samba, like Windows, supports dynamic RPC services. The range starts at 1024. If a port in this range is already in use for some reason, the next free port is taken (the range is literally walked up from 1024).

'''Remember that other ports may also be related to your Samba installation without being provided by Samba itself, for example if you also run an NTP server for time synchronisation.'''

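The TODO in the introduction asks for firewall rules; as an added example (not the wiki's own content), the script below generates iptables rules for the DC case from the table above, admitting each service only from an internal subnet. The subnet 10.0.0.0/24 and the interface name eth0 are placeholders, and the rules are printed for review rather than applied. The iptables options used (-p, -i, -s, --dport with a first:last range, -m conntrack --ctstate, -P) are standard ones.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: turn the DC port table above into
# iptables rules that admit each service only from an internal subnet. Rules
# are printed for review rather than applied; 10.0.0.0/24 and eth0 are
# assumed values for illustration.

# One entry per table row: "proto port description". The dynamic RPC range is
# written as first:last, which is how iptables --dport takes a range.
SAMBA_DC_PORTS='tcp 53 DNS
udp 53 DNS
tcp 88 Kerberos
udp 88 Kerberos
tcp 135 End Point Mapper (DCE/RPC Locator Service)
udp 137 NetBIOS Name Service
udp 138 NetBIOS Datagram
tcp 139 NetBIOS Session
tcp 389 LDAP
udp 389 LDAP
tcp 445 SMB over TCP
tcp 464 Kerberos kpasswd
udp 464 Kerberos kpasswd
tcp 636 LDAPS (only if tls enabled = yes)
tcp 1024:5000 Dynamic RPC Ports
tcp 3268 Global Catalog
tcp 3269 Global Catalog SSL (only if tls enabled = yes)
tcp 5353 Multicast DNS
udp 5353 Multicast DNS'

# Print one "iptables -A INPUT ... -j ACCEPT" rule per table row, limited to
# SUBNET and, if given, to the interface IFACE.
# Usage: samba_dc_rules SUBNET [IFACE]
samba_dc_rules() {
    subnet=$1
    iface=${2:-}
    echo "$SAMBA_DC_PORTS" | while read -r proto port desc; do
        rule="iptables -A INPUT -p $proto"
        if [ -n "$iface" ]; then
            rule="$rule -i $iface"
        fi
        rule="$rule -s $subnet --dport $port -j ACCEPT"
        echo "$rule   # $desc"
    done
}

# Print a complete INPUT chain: loopback and established traffic first, then
# the Samba services, then a default DROP policy. Anything else the host
# offers (SSH, NTP, ...) needs its own rule before the policy line.
# Usage: samba_dc_ruleset SUBNET [IFACE]
samba_dc_ruleset() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    samba_dc_rules "$@"
    echo "iptables -P INPUT DROP"
}

samba_dc_ruleset 10.0.0.0/24 eth0
```

The 1024:5000 rule is by far the widest one, which is why the source subnet (and, where possible, the interface) should be as narrow as the clients actually require; the two "only if tls enabled = yes" rows can be dropped from the list when TLS is not enabled.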
= Port usage when Samba runs as NT4-domain =

{| border="1"
!Service
!Port
!protocol
|-
|End Point Mapper (DCE/RPC Locator Service)
|135
|tcp
|-
|NetBIOS Name Service
|137
|udp
|-
|NetBIOS Datagram
|138
|udp
|-
|NetBIOS Session
|139
|tcp
|-
|SMB over TCP
|445
|tcp
|}

= Prevent Samba from listening on all interfaces =

Sometimes you don't want Samba to listen on all interfaces of your host. For example, when the host is directly connected to the internet, you surely don't want to provide your shares to the rest of the world. If you limit Samba to listen only on the internal NIC(s), you don't need a firewall to prevent access from the outside.

Add the following to the "[global]" section of your smb.conf to bind Samba to eth0 and loopback:

 bind interfaces only = yes
 interfaces = lo eth0

The "interfaces" parameter supports several ways of restricting which interfaces Samba uses. See the manpage for more details.

After the changes, restart Samba.
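As an added example (not part of the Samba wiki), the script below checks an smb.conf for the two [global] settings described above, so a configuration review catches a Samba that still binds to every interface. It is a plain text parse and needs no Samba binaries. Both sample configs are constructed for this example: the first leaves the defaults, the second applies the restriction to lo and eth0; the workgroup name and share path in them are illustrative only.

```shell
#!/bin/sh
# Added example, not from the Samba wiki: a plain-text check of smb.conf for
# "bind interfaces only" and "interfaces" in the [global] section.

# Constructed sample configs. The first still listens everywhere; the second is
# restricted to loopback and eth0 as described above. Names and paths are
# illustrative only.
SMB_CONF_WEAK='[global]
   workgroup = EXAMPLE
   server role = active directory domain controller

[netlogon]
   path = /var/lib/samba/sysvol/example.lan/scripts'

SMB_CONF_RESTRICTED='[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   ; smb.conf parameter names are case-insensitive, so this spelling is valid too
   Bind Interfaces Only = yes
   interfaces = lo eth0

[netlogon]
   path = /var/lib/samba/sysvol/example.lan/scripts'

# Print the value of parameter KEY from the [global] section of the smb.conf
# text CONF. Names are compared case-insensitively with whitespace removed,
# comment lines (# or ;) are skipped, and the last definition wins.
# Usage: smb_global_value CONF KEY
smb_global_value() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    printf '%s\n' "$1" | awk -v want="$want" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                found = 1
            }
        }
        END { if (found) print val }'
}

# Return 0 when Samba is bound to an explicit interface list, 1 otherwise,
# with a one-line reason on stdout.
# Usage: check_bind_restricted CONF
check_bind_restricted() {
    bio=$(smb_global_value "$1" "bind interfaces only" | tr 'A-Z' 'a-z')
    ifaces=$(smb_global_value "$1" "interfaces")
    case "$bio" in
        yes|true|1) ;;
        *) echo "NOT RESTRICTED: 'bind interfaces only' is not yes"; return 1 ;;
    esac
    if [ -z "$ifaces" ]; then
        echo "NOT RESTRICTED: 'bind interfaces only = yes' but no 'interfaces' list"
        return 1
    fi
    echo "restricted to: $ifaces"
}

check_bind_restricted "$SMB_CONF_WEAK" || true
check_bind_restricted "$SMB_CONF_RESTRICTED"
```

To check a real file, pass its contents: `check_bind_restricted "$(cat /etc/samba/smb.conf)"`. The check only reads the configuration; after restarting Samba, the netstat inventory from the section above confirms which addresses the daemons actually bound.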
Revision as of 05:21, 22 June 2013