Setting up services not to listen on *
One of the greatest things about FreeBSD for servers is the jail infrastructure. It lets you separate different services from each other, preventing things like cross-site attacks, and helping to minimize the damage if there is someday a breach. It’s similar to chroot in the old days, and it generally makes sysadmins sleep better at night.
Reading more about jails and the best way to set them up, I learned that as a preliminary step, it’s important to make sure the host machine isn’t running services that listen on * (all available interfaces). Listening on “all interfaces” is something a lot of services do by default, but you can configure most of them not to do it.
Section6 Wiki lists a good way to list the services listening on *:
sockstat|grep "\*:[0-9]"
You can also try
sockstat -l
and look for items with a * listed under the local address column.
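The same check as a small filter, added here as an example and not part of the original post: it reads sockstat -l output and prints each command, protocol and port whose local address is *. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sockets bound to the wildcard address in sockstat -l output.

# Constructed sample in the FreeBSD sockstat -l layout; not captured from a real host.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cupsd      901   5  tcp4   *:631                 *:*
root     cupsd      901   7  udp4   *:631                 *:*
root     nmbd       777   6  udp4   *:137                 *:*
root     nmbd       777   7  udp4   *:138                 *:*
root     smbd       780   20 tcp4   192.168.1.10:445      *:*
root     sshd       823   3  tcp6   *:22                  *:*
root     sshd       823   4  tcp4   *:22                  *:*
www      httpd      1001  3  tcp4   *:80                  *:*
www      httpd      1002  3  tcp4   *:80                  *:*
mysql    mysqld     950   10 tcp4   127.0.0.1:3306        *:*
root     syslogd    500   4  dgram  /var/run/log
EOF
}

# Reads sockstat -l text on stdin and prints one line per command/proto/port
# whose local address is *:<port>. Sockets bound to a specific address and
# Unix-domain sockets are skipped; repeated worker processes are collapsed.
wildcard_listeners() {
    awk '
        $5 ~ /^(tcp|udp)[46]*$/ && $6 ~ /^\*:[0-9]+$/ {
            port = substr($6, 3)
            key = $2 " " $5 " " port
            if (!(key in seen)) {
                seen[key] = 1
                printf "%s %s %s user=%s pid=%s\n", $2, $5, port, $1, $3
            }
        }'
}

# Demo on the sample; on a FreeBSD host use: sockstat -l | wildcard_listeners
sample_sockstat | wildcard_listeners
```

After reconfiguring a service and restarting it, rerun the filter; the service should no longer appear in the output.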
I went ahead and drew up a chart of different services, and steps I took to reconfigure:

May 7th, 2009 at 12:43 PM
Follow-up item: after disabling nmbd as the Section 6 wiki mentioned, I found that I could no longer access Windows network shares from the FreeBSD machine.
It turns out that the FreeBSD machine didn’t know the IP address of the Windows machine (as tested by nmblookup). It also turns out Samba and Windows file sharing have a bunch of different ways they try to figure out the IP address from the machine name.
Anyway, to fix this, I just edited /usr/local/etc/smb.conf to let SAMBA be a WINS server. WINS is one way to let machines know each other by name. I also edited the WINS settings on the Windows machine to use the FreeBSD machine as its WINS server.
May 30th, 2009 at 10:27 PM
One other item. CUPS. To get this working right, I edited /usr/local/etc/cups/cupsd.conf, and added the line
Browsing Off
and commented out the line reading
Port 631