Seeing samba server when disconnected

I want to restrict discovery and access to a samba server running on my Raspberry Pi NAS w/ NixOS.

Here are the relevant bits of the Nix configuration:

networking = {
  hostId = "6459f901"; # needed for ZFS
  hostName = "nas";
  useDHCP = false;
  interfaces.eth0.useDHCP = true;
  interfaces.wlan0.useDHCP = true;
  firewall = {
    interfaces.tailscale0.allowedTCPPorts = [ 22 80 139 443 445 ];
    interfaces.tailscale0.allowedUDPPorts = [ 137 138 ];
  };
};

services.samba = {
  enable = true;
  enableWinbindd = false;
  extraConfig = ''
    workgroup = WORKGROUP
    server string = nas
    netbios name = nas
    security = user
    min protocol = SMB2
    guest account = nobody
    map to guest = bad user
    load printers = no
  '';
  shares.public = {
    path = "/nas/backup";
    browseable = "yes";
    "read only" = "no";
    "guest ok" = "yes";
    "guest only" = "yes";
    "force user" = "akhil";
  };
};


services.tailscale.enable = true;

and the generated smb.conf

[global]
security = user
passwd program = /run/wrappers/bin/passwd %u
invalid users = root

workgroup = WORKGROUP
server string = nas
netbios name = nas
security = user
min protocol = SMB2
guest account = nobody
map to guest = bad user
load printers = no


[public]
 browseable = yes
 force user = akhil
 guest ok = yes
 guest only = yes
 path = /nas/backup
 read only = no

Is there some configuration missing that’s causing the NAS to be discoverable outside of Tailscale? The Samba docs mention an option for interfaces (https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#INTERFACES), but

By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable.

Actually, I think I’m just going to disable netbios for now. I don’t want to worry about broadcast and properly guarding the firewall. smbd + magicDNS should be good enough for my use case.

A trick I like to use is to add an iptables rule to the OUTPUT chain that just blocks samba name service packets going to unwanted interfaces. Not quite as elegant as having it bind only to the right interfaces in the first place, of course.

1 Like