Is it possible to limit access to a single NIC?


jameson_uk


Is there a proper way of changing the listen address for SSH and unraid front end in a way that will stick?

It looks like /etc/ssh/sshd_config has ListenAddress commented out, so it will default to 0.0.0.0, and /etc/nginx/conf.d/emhttp-servers.conf has

    listen *:80 default_server;
    listen [::]:80 default_server;

Looks like Samba doesn't have anything configured either, so I believe it will bind to all interfaces.

So as it stands everything is listening on every interface.

I can change each of the config files but these won't survive a restart.

Is there a way of achieving this?


There is a "hidden" parameter which you need to set directly in the file /config/ident.cfg (it is not available in the GUI)

BIND_MGT="yes"

After setting this parameter, reboot your system and it will have all management related access (GUI, ssh, telnet) restricted to eth0 (br0).

 

3 hours ago, bonienl said:

There is a "hidden" parameter which you need to set directly in the file /config/ident.cfg (it is not available in the GUI)


BIND_MGT="yes"

After setting this parameter, reboot your system and it will have all management related access (GUI, ssh, telnet) restricted to eth0 (br0).

 

Can this be setup as an isolated network without breaking anything?

i.e. does this network still need internet access for UnraidOS, docker & plugin (github) updates?

14 hours ago, tjb_altf4 said:

Can this be setup as an isolated network without breaking anything?

i.e. does this network still need internet access for UnraidOS, docker & plugin (github) updates?

 

This setting restricts management access to interface eth0 only, but this interface still needs connectivity as before to do upgrades and plugin/docker installations.

 

17 hours ago, bonienl said:

There is a "hidden" parameter which you need to set directly in the file /config/ident.cfg (it is not available in the GUI)


BIND_MGT="yes"

After setting this parameter, reboot your system and it will have all management related access (GUI, ssh, telnet) restricted to eth0 (br0).

 

always eth0?

What about Samba / Docker?

 

I don't actually have the second NIC yet to test but I am hoping I would be able to have management and samba on one nic and docker on both.

  • 4 months later...

OK I have started playing around with this and

BIND_MGT="yes"

seems to do the trick for the web interface.

 

For Samba I added the following lines to the [global] section in the SMB config via the UI

  bind interfaces only = yes
  interfaces = lo eth0

and that seems to work.

 

SSH however is still listening on my second IP. I have added a VLAN interface in the network settings and assigned a static IP there.

Now the only things I can see running on this VLAN IP are SSH and rpcbind (which is a separate question...) and the Docker mappings I have set up.

Is the above incorrect that BIND_MGT does not limit SSH, or is this a bug?

  • 4 weeks later...
9 minutes ago, sjaak said:

I can't connect with SSH to unRAID on the second NIC; bind_mgt works fine for me...

Also nginx is only listening on eth0. I don't have SSL enabled so it is not listening on port 443.

SMB/NFS is not affected by this setting; it's not a management thing...

You basically want to have the NIC that is going to be used to access Unraid set as eth0. You can change which NIC is eth0 under Settings -> Network Settings.

18 minutes ago, sjaak said:

I can't connect with SSH to unRAID on the second NIC; bind_mgt works fine for me...

Also nginx is only listening on eth0. I don't have SSL enabled so it is not listening on port 443.

SMB/NFS is not affected by this setting; it's not a management thing...

So when you run

netstat -nplt

what does it say for port 22?

Before I added ListenAddress x.x.x.x to /boot/config/ssh/sshd_config there was no listen address specified, so it was listening on 0.0.0.0:22 (i.e. all interfaces).

 

As for nginx the same goes, I see

tcp        0      0 x.x.x.x:80       0.0.0.0:*               LISTEN      9182/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      9182/nginx: master

So whilst it is bound correctly for IPv4, it is still bound to all interfaces for IPv6.

I must admit there is one subtlety I have overlooked in my config, in that my second NIC is actually a virtual interface, so it is eth0.10. Regardless of that, netstat was clearly showing sshd listening on 0.0.0.0:22, so I don't see why this wouldn't have worked from a second NIC.

18 hours ago, itimpi said:

You basically want to have the NIC that is going to be used to access Unraid set as eth0.  You can change which NIC is eth0 under Settings ->Network Settings

I know,

 

18 hours ago, jameson_uk said:

So when you run

netstat -nplt

what does it say for port 22?

Before I added ListenAddress x.x.x.x to /boot/config/ssh/sshd_config there was no listen address specified, so it was listening on 0.0.0.0:22 (i.e. all interfaces).

 

As for nginx the same goes, I see

tcp        0      0 x.x.x.x:80       0.0.0.0:*               LISTEN      9182/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      9182/nginx: master

So whilst it is bound correctly for IPv4, it is still bound to all interfaces for IPv6.

I must admit there is one subtlety I have overlooked in my config, in that my second NIC is actually a virtual interface, so it is eth0.10. Regardless of that, netstat was clearly showing sshd listening on 0.0.0.0:22, so I don't see why this wouldn't have worked from a second NIC.

 

Dangit, just tested another NIC with a static IP, I can access the GUI...

SSH is only listening on eth0.

nginx is indeed listening on 0.0.0.0 and ::: so it is open on the other networks.

I haven't enabled Unraid to use IPv6; only some dockers and VMs are using IPv6...

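An added example, not code from the thread or from Unraid, that turns the netstat check jameson_uk and sjaak ran above into a repeatable audit: it parses netstat -nplt output, reports every listening socket that is not bound to the management address or to loopback, and flags the tcp6 :::80 wildcard that BIND_MGT is shown leaving open for nginx. The netstat output, the 192.0.2.x addresses and the PIDs in the block are constructed sample data modelled on the lines quoted above, and the remediation hints table is this example's own (the directives it names, ListenAddress, nginx listen, and Samba's bind interfaces only / interfaces, are the daemons' real ones).

```python
"""Audit `netstat -nplt` output for listeners not bound to the management address.

Added example. SAMPLE_NETSTAT below is constructed (documentation-range
addresses, placeholder PIDs) and modelled on the nginx lines quoted in the thread.
"""
import re
from dataclasses import dataclass

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}   # bound to every interface
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}     # local-only, not reachable from a second NIC

# Hypothetical hint table keyed by program basename; the directives are each
# daemon's real ones, the wording is this example's.
REMEDIATION = {
    "sshd": "sshd_config: add one ListenAddress line per address (IPv4 and IPv6)",
    "nginx": "nginx: replace 'listen *:80' / 'listen [::]:80' with the management address",
    "smbd": "smb.conf [global]: 'bind interfaces only = yes' and 'interfaces = lo eth0'",
}

_PROG_RE = re.compile(r"^\d+/([^\s:]+)")  # "9182/nginx:" -> "nginx"


@dataclass(frozen=True)
class Listener:
    proto: str     # "tcp" or "tcp6"
    addr: str      # local bind address, e.g. "0.0.0.0" or "::"
    port: int
    program: str   # basename from the PID/Program name column, "?" if unknown

    @property
    def wildcard(self) -> bool:
        return self.addr in WILDCARD_ADDRS


def parse_netstat(text: str) -> list[Listener]:
    """Extract the listening TCP sockets from `netstat -nplt` output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skip headers and anything that is not a LISTEN row; a LISTEN row has
        # proto, recv-q, send-q, local, foreign, state and the program column.
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # ":::80" -> ("::", "80")
        addr = addr.strip("[]")                      # tolerate a bracketed [::] form
        m = _PROG_RE.match(fields[6])
        program = m.group(1) if m else "?"           # netstat prints "-" without privileges
        listeners.append(Listener(fields[0], addr, int(port), program))
    return listeners


def unexpected_bindings(listeners: list[Listener], management_addr: str) -> list[Listener]:
    """Listeners reachable on something other than the management address.

    Loopback binds are accepted; any other address, wildcard or a specific
    non-management IP, is reported. IPv6 wildcards (tcp6 :::80) are flagged the
    same way as IPv4 ones, which is the gap the thread found with nginx.
    """
    allowed = LOOPBACK_ADDRS | {management_addr}
    return [lst for lst in listeners if lst.addr not in allowed]


def report(text: str, management_addr: str) -> dict[tuple[str, int], str]:
    """Map (proto, port) -> remediation hint for every unexpected binding."""
    return {
        (lst.proto, lst.port): REMEDIATION.get(lst.program, f"no hint for {lst.program}")
        for lst in unexpected_bindings(parse_netstat(text), management_addr)
    }


# Constructed sample output; not captured from any real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN      9182/nginx: master
tcp6       0      0 :::80                   :::*                    LISTEN      9182/nginx: master
tcp        0      0 192.0.2.10:22           0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2345/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      3456/rpcbind
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      4567/constructed-svc
"""

if __name__ == "__main__":
    # Pipe real output in place of the sample: netstat -nplt | python3 audit.py
    for (proto, port), hint in sorted(report(SAMPLE_NETSTAT, "192.0.2.10").items()):
        print(f"{proto:5} port {port:<5} -> {hint}")
```

Run against the sample, port 22 and the IPv4 nginx listener pass (bound to the management address), the loopback service is ignored, and the tcp6 :::80 nginx socket, smbd on 0.0.0.0:445 and rpcbind on 0.0.0.0:111 are reported. Re-running it after each reboot is a cheap way to confirm that BIND_MGT and the sshd/Samba changes actually stuck.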
