# How to keep nmbd from binding to 0.0.0.0?

## Guenther Brunthaler

Hi all,

I want SAMBA to only bind to interface 192.168.86.1 and restrict broadcasting to subnet 192.168.86.0/24.

But whatever I do, nmbd still binds to 0.0.0.0:137 and 0.0.0.0:138.

HOW CAN I KEEP NMBD FROM DOING THIS?

I have included the following interface-related settings into my smb.conf:

```
        interfaces = 192.168.86.1/24
        bind interfaces only = Yes
        hosts allow = 192.168.86.0/24
```

BTW, this is a nmbd-only problem. smbd honors my settings and does not try to bind to all interfaces.

----------

## desultory

```
       bind interfaces only (G)

           This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service smbd(8) and name service nmbd(8) in a
           slightly different ways.

           For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter.  nmbd also binds to the "all addresses" interface
           (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If
           bind interfaces only is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast
           addresses of the interfaces in the interfaces parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines
           that send packets that arrive through any interfaces not listed in the interfaces list. IP Source address spoofing does defeat this simple check, however, so it must not
           be used seriously as a security feature for nmbd.
```

In short, you do not.
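The quoted man page describes two kinds of sockets and a source-address filter on one of them. The following is an added model of that behaviour (not Samba's code; the real nmbd also keeps name tables, consults hosts allow/deny and handles WINS) so the consequence can be seen: with `bind interfaces only` set, a datagram that reaches the 0.0.0.0 socket is serviced purely on the basis of its source address lying in a listed subnet, which is exactly why the man page says the check is not a security boundary. The `interfaces` value mirrors the original poster's smb.conf; the other addresses in the test traffic are constructed sample values.

```python
"""Model of nmbd's handling of UDP 137/138 under 'bind interfaces only'
(added illustration, not Samba code). The subnet test below stands in for the
broadcast-address comparison the man page describes."""
import ipaddress

# Mirrors the 'interfaces' setting from the original post.
INTERFACES = ["192.168.86.1/24"]


def local_subnets(interfaces):
    """Turn each 'interfaces' entry into an (address, network) pair."""
    pairs = []
    for spec in interfaces:
        iface = ipaddress.ip_interface(spec)
        pairs.append((iface.ip, iface.network))
    return pairs


def sockets_opened(interfaces):
    """Sockets nmbd opens per the man page: 137/138 on every listed
    interface, plus 137/138 on 0.0.0.0 for reading broadcasts."""
    socks = []
    for addr, _net in local_subnets(interfaces):
        socks += [(str(addr), 137), (str(addr), 138)]
    socks += [("0.0.0.0", 137), ("0.0.0.0", 138)]
    return socks


def nmbd_serves(packet, interfaces, bind_interfaces_only=True):
    """Classify an inbound UDP datagram (dict with src, dst, dport).

    Returns one of:
      'not nmbd'          - port is not 137/138
      'served:interface'  - unicast to a listed interface address
      'served:broadcast'  - reached the 0.0.0.0 socket and was accepted
      'discarded'         - reached the 0.0.0.0 socket, source not in a
                            listed subnet (only with bind interfaces only)
    Note that acceptance on the broadcast socket depends on the source
    address alone, which is the limitation the man page states.
    """
    if packet["dport"] not in (137, 138):
        return "not nmbd"
    src = ipaddress.ip_address(packet["src"])
    dst = ipaddress.ip_address(packet["dst"])
    subnets = local_subnets(interfaces)
    if any(dst == addr for addr, _net in subnets):
        return "served:interface"
    # Everything else lands on the "all addresses" socket.
    if not bind_interfaces_only:
        return "served:broadcast"
    if any(src in net for _addr, net in subnets):
        return "served:broadcast"
    return "discarded"


if __name__ == "__main__":
    # Constructed traffic: 198.51.100.4 plays the host's public address,
    # 203.0.113.7 an arbitrary Internet host.
    for pkt in (
        {"src": "203.0.113.7", "dst": "198.51.100.4", "dport": 137},
        {"src": "192.168.86.20", "dst": "192.168.86.255", "dport": 137},
        {"src": "192.168.86.20", "dst": "192.168.86.1", "dport": 138},
    ):
        print(pkt, "->", nmbd_serves(pkt, INTERFACES))
```

The model makes the poster's observation unsurprising: the 0.0.0.0 listener is part of the documented design, and the setting changes what nmbd does with datagrams on it, not whether the socket exists.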

----------

## Guenther Brunthaler

*desultory wrote:*

> In short, you do not.

Do you mean by this that there is indeed no way to keep nmbd from exposing the information that a SAMBA server is running on my machine to the whole Internet?

If that were actually the case, I was considering this to be a severe security flaw!

For now, I have used the following workaround:

```
$ iptables -A INPUT -m multiport -p udp '!' -d 192.168.86.0/24 \
           --destination-ports 137,138 -j REJECT
$ iptables -A OUTPUT -m multiport -p udp '!' -s 192.168.86.0/24 \
           --source-ports 137,138 -j REJECT
```

But I still find it hard to believe that reverting to firewall techniques is the only way to keep SAMBA from exposing potentially sensitive information.

----------

## desultory

*desultory wrote:*

> ```
> For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the interfaces parameter.  nmbd also binds to the "all addresses" interface
> ...
> ```

----------

## Hu

*Guenther Brunthaler wrote:*

> If that were actually the case, I was considering this to be a severe security flaw!

If you run Samba on an internal host, and do not allow the edge router to forward malicious traffic, you will be fine.  This is generally in line with good practice for keeping edge devices simple.

*Guenther Brunthaler wrote:*

> For now, I have used the following workaround:
>
> ```
> ...
> ```

You do not need multiport if you want to cover a contiguous range.
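To see what the workaround rules above actually admit and block, and to check Hu's point that a plain `137:138` range covers the same ports as multiport's `137,138`, here is an added evaluator (illustration only, not iptables itself) that models just the options those rules use: `-p`, `-s`/`-d` with `!` negation, source/destination ports given as a list or a range, `-j`, and first-match-wins with a chain policy. The LAN prefix is the poster's; the other addresses in the sample traffic are constructed values.

```python
"""Evaluator for the UDP 137/138 firewall rules in this thread (added
illustration, not iptables). Models only: -p, -s/-d with '!' negation,
--sport/--dport as a multiport list ("137,138") or a range ("137:138"),
and -j; the first matching rule in a chain wins, else the chain policy."""
import ipaddress

LAN = "192.168.86.0/24"  # from the original post

# The poster's two rules, written with multiport lists ...
RULES_MULTIPORT = [
    {"chain": "INPUT", "proto": "udp", "dst": LAN, "dst_negate": True,
     "dports": "137,138", "target": "REJECT"},
    {"chain": "OUTPUT", "proto": "udp", "src": LAN, "src_negate": True,
     "sports": "137,138", "target": "REJECT"},
]
# ... and the same rules with the contiguous range Hu mentions.
RULES_RANGE = [
    {"chain": "INPUT", "proto": "udp", "dst": LAN, "dst_negate": True,
     "dports": "137:138", "target": "REJECT"},
    {"chain": "OUTPUT", "proto": "udp", "src": LAN, "src_negate": True,
     "sports": "137:138", "target": "REJECT"},
]


def parse_ports(spec):
    """'137,138' (multiport) and '137:138' (range) both yield {137, 138}."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def rule_matches(rule, pkt):
    """True when every option present in the rule matches the packet."""
    if rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if key in rule:
            hit = ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(rule[key])
            if rule.get(key + "_negate"):
                hit = not hit  # the '!' in front of -s / -d
            if not hit:
                return False
    for key, pkt_key in (("sports", "sport"), ("dports", "dport")):
        if key in rule and pkt.get(pkt_key) not in parse_ports(rule[key]):
            return False
    return True


def verdict(rules, chain, pkt, policy="ACCEPT"):
    """First matching rule in the chain decides; otherwise the policy."""
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["target"]
    return policy


def same_verdicts(rules_a, rules_b, chain, packets):
    """Do two rule sets give identical verdicts on every packet?"""
    return all(verdict(rules_a, chain, p) == verdict(rules_b, chain, p)
               for p in packets)


# Constructed sample traffic: 198.51.100.4 stands in for the host's public
# address, 203.0.113.7 for an arbitrary Internet host.
SAMPLE_INPUT = [
    {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.4", "sport": 137, "dport": 137},
    {"proto": "udp", "src": "192.168.86.20", "dst": "192.168.86.255", "sport": 137, "dport": 137},
    {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.4", "sport": 40000, "dport": 445},
    {"proto": "tcp", "src": "203.0.113.7", "dst": "198.51.100.4", "sport": 40000, "dport": 139},
]

if __name__ == "__main__":
    for pkt in SAMPLE_INPUT:
        print(pkt["proto"], pkt["src"], "->", pkt["dst"], pkt["dport"],
              verdict(RULES_RANGE, "INPUT", pkt))
    print("range form equivalent to multiport form:",
          same_verdicts(RULES_MULTIPORT, RULES_RANGE, "INPUT", SAMPLE_INPUT))
```

Two things worth noting from the runs: the negated `-d` leaves LAN broadcasts to 192.168.86.255 untouched, which is what keeps local name resolution working, and the rules say nothing about TCP 139/445, which the thread leaves to smbd's own binding since the poster reports smbd honours `bind interfaces only`.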

----------

