LinuxQuestions.org
Old 02-06-2003, 09:29 AM   #1
kif
LQ Newbie
 
Registered: Feb 2003
Posts: 3

Rep: Reputation: 0
bind named and samba to local interfaces


I've just installed RH 8.0 to act as a gateway for my home LAN and I'm now doing the basic security thing - closing all the ports not in use, and setting the ones that are to only bind to the LAN interfaces.

I'm almost done, but I've a couple of questions about services that I can't seem to set to ignore the external interface.

- In named.conf I've set listen-on to the local interfaces. But, while netstat shows that it is bound to them on 53/tcp and 53/udp, it still reports named as also listening on 1024/udp. Am I missing something, or does named need this extra udp port open?

- I'm also running samba, and in smb.conf I've again set the interfaces to the local net and set "bind interfaces only" as well.
Netstat (and fuser) show me that the smbd bit of samba is bound only to my LAN on 139/tcp but that nmbd is bound twice on both 137/udp and 138/udp - once to the local interfaces and again on all interfaces. How can I get rid of the extra bindings?

Why is tcp behaving as I want it to, but not udp? Why do we need both protocols anyway?

cheers
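An added example (not from the original post) of the check described above: a small sh/awk filter that picks the wildcard-bound sockets out of `netstat -lnptu` style output, run here over a constructed sample modelled on the listeners kif describes; the LAN address 192.168.1.1 and the PIDs are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread: list listening sockets bound to the
# wildcard address (0.0.0.0 or ::), i.e. reachable on the external interface.

# Constructed sample of `netstat -lnptu` output matching the thread: named on
# 53 plus a 1024/udp socket, smbd on 139, nmbd on 137/138 both on the LAN
# address and on 0.0.0.0. Addresses and PIDs are assumptions.
SAMPLE='tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      612/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      612/named
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      733/smbd
udp        0      0 192.168.1.1:53          0.0.0.0:*                           612/named
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           612/named
udp        0      0 192.168.1.1:137         0.0.0.0:*                           741/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           741/nmbd
udp        0      0 192.168.1.1:138         0.0.0.0:*                           741/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           741/nmbd'

# Read netstat lines on stdin, print "proto port program" for wildcard binds.
# The 0.0.0.0:137/138 sockets are the broadcast-listening sockets that
# smb.conf(5) says nmbd keeps even with "bind interfaces only = yes"; they are
# a case for firewall rules on the external interface, not a config error.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
             n = split($4, a, ":"); port = a[n]
             addr = substr($4, 1, length($4) - length(port) - 1)
             if (addr == "0.0.0.0" || addr == "::") {
                 prog = $NF; sub(/^[0-9]+\//, "", prog)
                 print $1, port, prog
             }
         }'
}

# Number of wildcard listeners in the sample; on a live box feed
# `netstat -lnptu` into wildcard_listeners instead.
count_wildcard() {
    printf '%s\n' "$SAMPLE" | wildcard_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | wildcard_listeners
```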
 
Old 02-06-2003, 05:15 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
It appears that port 1024 is used for a "back-channel"
https://support.algx.net/cst/dns/FAQservers.html#q3 refers...
 
Old 02-06-2003, 05:46 PM   #3
kif
LQ Newbie
 
Registered: Feb 2003
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks - so if I want to receive any replies to my DNS queries, the udp ports above 1023 have to remain open. That page also says that I shouldn't filter 53/udp traffic either - but that port is only bound to my local interfaces (eth0 and lo) and DNS is working. What gives?

I'm also guessing that the double entries for nmbd are from misconfiguration, so I'm rechecking the samba config.
 
Old 02-06-2003, 06:49 PM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Usually, if you have iptables running, the conntrack mechanism will track the back-channel and allow it for you.
The comment in the link refers to older firewall styles that blanket block udp ports, making the newer dns fail...
So, if you don't have any dns problems, you are seeing the port was used by named as a back-channel. It may stay in the conntrack list for several hours, depending on the timeout period for udp ports.
Have a blanket udp block if you use iptables

smb uses a combination of udp and tcp ports.
tcp for name resolution and udp for data. Three ports in total, 137, 138 & 139.
There isn't any way to restrict the 0.0.0.0:137 & 0.0.0.0:138 udp entries.
If, of course, I am wrong, I get to taste my woolen hat, again.
It really doesn't matter if the box is listening, so long as you control the ports with rules, & -j LOG entries, to be sure.

Have you seen this tutorial?
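The stateful approach described above, as an added example that is not part of the thread or of the linked tutorial: iptables rules for a gateway that let named's high-port UDP replies back in via conntrack instead of a blanket UDP opening, and that log and drop the NetBIOS ports on the external side. It assumes eth1 is the external interface and eth0 the LAN (constructed), and only prints the commands unless APPLY=1 is set and it runs as root.

```shell
#!/bin/sh
# Added example, not the thread's or the tutorial's own rules.
# Assumed interfaces (constructed): eth1 = external, eth0 = LAN.
EXT=eth1
LAN=eth0

# Dry-run wrapper: print the command unless APPLY=1 (then run as root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

gateway_rules() {
    ipt -P INPUT DROP                      # default: drop unsolicited input
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -j ACCEPT       # trust the LAN side only
    # Replies to queries named sent from its high UDP port (1024/udp in the
    # thread) match the conntrack entry as ESTABLISHED, so no UDP range
    # above 1023 needs to be opened on the external interface.
    ipt -A INPUT -i "$EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # nmbd still listens on 0.0.0.0:137/138 and smbd on 139; anything aimed
    # at them from outside is logged (rate-limited) and then dropped.
    ipt -A INPUT -i "$EXT" -p udp --dport 137:138 -m limit --limit 3/min \
        -j LOG --log-prefix "NETBIOS-UDP: "
    ipt -A INPUT -i "$EXT" -p tcp --dport 139 -m limit --limit 3/min \
        -j LOG --log-prefix "NETBIOS-TCP: "
    ipt -A INPUT -i "$EXT" -p udp --dport 137:138 -j DROP
    ipt -A INPUT -i "$EXT" -p tcp --dport 139 -j DROP
}

# Number of commands the ruleset emits, for checking the dry run.
rule_count() {
    gateway_rules | wc -l | tr -d ' '
}

gateway_rules
```

Watch the kernel log for the NETBIOS- prefixes to confirm the external side really sees nothing but blocked probes.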
 
Old 02-07-2003, 06:34 AM   #5
kif
LQ Newbie
 
Registered: Feb 2003
Posts: 3

Original Poster
Rep: Reputation: 0
That looks to be one of the better tutorials I've seen on iptables - I am running that at the moment, it's just with a mix of sample rules I've found elsewhere on the net. I will end up writing my own config - probably dropping everything I don't explicitly allow - but I'd rather there wasn't anything listening on a port in the first place.

I'm surprised that samba wants to bind to the external interface - I don't plan on offering windows shares over the internet, and imagine anyone not running a WAN would want to either. I must be missing something, but I don't know what...

cheers
 
All times are GMT -5. The time now is 04:03 PM.