[lug] firewall, samba and windows file sharing

David Anselmi anselmi at anselmi.us
Mon Feb 23 18:33:02 MST 2004


Ben Luey wrote:
[...]
> I want to put set A computers behind a firewall since set B computers
> have little security protection. Set A computers consist of Windows XP
> desktops and a Linux Samba file server. The question is how can I
> access file/printer shares on computers in set B but keep a reasonable
> security setup on the firewall.

Are A and B on the same subnet (IOW, is there a router between them)?

> A) Since there are only a few resources that we use from set B, have the
> firewall mount these services with smbclient and then reexport these
> services to set A computers.

For some requirements this might be reasonable.  But I'd be inclined to 
avoid it.  It makes the firewall more complex and potentially exposes it 
to attack.  That may not be significant in your environment.

[...]
> B) Open up ports 137:139 on the firewall to allow file/printer sharing
> directly with the XP boxes. Does anyone know if this will work like other
> services in terms of mapping internal ip address (set A) to internet
> address (set B). Also, what about network neighborhood browsing and those
> broadcast messages. All things being equal, I'd rather not open up those
> ports.

With iptables you can allow connections to originate one direction only. 
So you can say "A can access B but B can't access A".  More or less.

Since WINS browsing is broadcast based you have problems if A and B are 
different subnets.  There are ways around it and probably Samba can 
relay the WINS stuff.  Or your firewall can be the WINS server for both 
A and B.  If you're on the same subnet the simplest (conceptually) thing 
to do is set up the firewall as a bridge and you're still on the same 
subnet.

Dave
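Dave's "A can access B but B can't access A" rule, written out as an added example (this is not code from the thread or from Dave). It assumes the routed case he asks about: the firewall forwards between an interface facing set A and one facing set B, and the interface names and subnets below are placeholders. The stateful match (`--ctstate ESTABLISHED,RELATED`) is what lets replies from B come back while a brand-new session from the B side is logged and dropped. Ben's port list is 137-139; TCP 445 is added here because Windows XP also carries SMB directly over TCP 445. The broadcast browsing problem Dave mentions is a separate issue that no filter rule fixes.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset that lets set A open
# SMB/NetBIOS sessions to set B but not the reverse.  Interface names and
# subnets are assumptions; override them via the environment.

A_IF="${A_IF:-eth1}"              # interface facing set A (protected side)
B_IF="${B_IF:-eth0}"              # interface facing set B
A_NET="${A_NET:-192.168.1.0/24}"  # assumed set A subnet
B_NET="${B_NET:-192.168.2.0/24}"  # assumed set B subnet

# Print the filter-table rules in iptables-restore format.
smb_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Packets of a connection the firewall already accepted may cross in either
# direction; this is what carries B's replies back to A.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New SMB sessions are accepted only when they start on the A side.
-A FORWARD -i $A_IF -o $B_IF -s $A_NET -d $B_NET -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $A_IF -o $B_IF -s $A_NET -d $B_NET -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -j ACCEPT
# A new session arriving from the B side is logged, then hits the DROP policy.
-A FORWARD -i $B_IF -o $A_IF -m conntrack --ctstate NEW -j LOG --log-prefix "smb-from-B: " --log-level 4
COMMIT
EOF
}

# Sanity check: number of rules that ACCEPT a NEW connection from B toward A.
# A correct ruleset returns 0.
new_from_b_allowed() {
  smb_ruleset | grep -c -- "-i $B_IF -o $A_IF .*--ctstate NEW.*-j ACCEPT" || true
}

if [ "${1:-}" = "apply" ]; then
  smb_ruleset | iptables-restore   # requires root; run "sysctl -w net.ipv4.ip_forward=1" as well
else
  smb_ruleset                      # default: just print the rules for review
fi
```

Run it with no arguments to review the generated rules, and with `apply` on the firewall itself to load them. Dropped attempts from the B side show up in the kernel log with the `smb-from-B:` prefix, which is a cheap way to see whether anything in B is trying to reach A.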
