[lug] firewall, samba and windows file sharing

D. Stimits stimits at comcast.net
Mon Feb 23 13:52:18 MST 2004


Ben Luey wrote:

> I've got a bunch of computers (call them set A) that are connected to a
> large, not very secure network (set B) that uses Windows file and printer
> sharing all over the place. 95% of the file/printer traffic for set A
> computers is between set A computers. I want to put set A computers behind
> a firewall since set B computers have little security protection. Set A
> computers consist of Windows XP desktops and a Linux Samba file server. The
> question is how can I access file/printer shares on computers in set B but
> keep a reasonable security setup on the firewall.
>
> Some ideas I was thinking of:
>
> A) Since there are only a few resources that we use from set B, have the
> firewall mount these services with smbclient and then reexport these
> services to set A computers. I'm not sure how this will work for printers
> and if XP boxes will see the right printer drivers etc. The firewall box
> could either export directly to set A, or to the linux file-server, which
> could then reexport.
>
> B) Open up ports 137:139 on the firewall to allow file/printer sharing
> directly with the XP boxes. Does anyone know if this will work like other
> services in terms of mapping internal ip address (set A) to internet
> address (set B). Also, what about network neighborhood browsing and those
> broadcast messages. All things being equal, I'd rather not open up those
> ports.
>
> C) New Ideas
>
For one thing, if you set up a transparent bridge via Linux between the
two networks, using a newer kernel, I believe you can filter via MAC
address, rather than just IP. Depending on the kernel, you might or
might not need to patch it with ebtables (available on SourceForge). I
couldn't give you the exact details, though I'm going to have to find 
out first hand soon.

D. Stimits, stimits AT comcast DOT net
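
An added example, not part of the original thread or written by either poster: a script that prints ebtables rules for the bridge idea above, letting the 137:139 traffic from idea B cross only to and from allow-listed set B MAC addresses. The MAC values, the variable and function names, and the assumption that set A and set B share one layer-2 segment are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): print ebtables rules for a
# transparent bridge that passes NetBIOS/SMB frames (ports 137:139) only when
# the set B end of the conversation is an allow-listed MAC address.
# Assumes set A and set B share one layer-2 segment split by the bridge.
# MAC addresses can be spoofed, so treat this as one layer, not authentication.

# Constructed sample values: MACs of the few set B servers that set A uses.
SETB_SERVERS="00:11:22:33:44:55 00:11:22:33:44:66"

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules MAC... : writes the rule commands to stdout, returns 1 on a bad MAC.
gen_rules() {
    # Validate everything first so a partial ruleset is never emitted.
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    done
    for proto in 6 17; do   # 6 = TCP, 17 = UDP
        for mac in "$@"; do
            # ebtables is stateless: allow requests to the server and its replies.
            echo "ebtables -A FORWARD -p IPv4 -d $mac --ip-proto $proto --ip-dport 137:139 -j ACCEPT"
            echo "ebtables -A FORWARD -p IPv4 -s $mac --ip-proto $proto --ip-sport 137:139 -j ACCEPT"
        done
        # Every other NetBIOS/SMB frame crossing the bridge is dropped.
        echo "ebtables -A FORWARD -p IPv4 --ip-proto $proto --ip-dport 137:139 -j DROP"
        echo "ebtables -A FORWARD -p IPv4 --ip-proto $proto --ip-sport 137:139 -j DROP"
    done
}

# Review the output before running it as root on the bridge host.
gen_rules $SETB_SERVERS
```

Traffic on other ports is untouched by these rules and is left to the rest of the firewall policy.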



