[lug] firewall, samba and windows file sharing

Michael Belanger mrb at ciclops.org
Mon Feb 23 18:39:04 MST 2004


Don't know if this was mentioned already, BUT...

You can add another NIC card to this equation.  Set it to be for the 'B' 
network.  Set the other for the 'A'.

There is still some security to add, but they can now be on completely 
separate networks with one machine making the linkage to both.



David Anselmi wrote:
> Ben Luey wrote:
> [...]
> 
>> I want to put set A computers behind a firewall since set B computers
>> have little security protection. Set A computers consist of windows XP
>> desktops and a linux samba file server. The question is how can I
>> access file/printer shares on computers in set B but keep reasonable
>> security setup on the firewall.
> 
> 
> Are A and B on the same subnet (IOW, is there a router between them)?
> 
>> A) Since there are only a few resources that we use from set B, have the
>> firewall mount these services with smbclient and then reexport these
>> services to set A computers.
> 
> 
> For some requirements this might be reasonable.  But I'd be inclined to 
> avoid it.  It makes the firewall more complex and potentially exposes it 
> to attack.  That may not be significant in your environment.
> 
> [...]
> 
>> B) Open up ports 137:139 on the firewall to allow file/printer sharing
>> directly with the XP boxes. Does anyone know if this will work like other
>> services in terms of mapping internal ip address (set A) to internet
>> address (set B). Also, what about network neighborhood browsing and those
>> broadcast messages. All things being equal, I'd rather not open up those
>> ports.
> 
> 
> With iptables you can allow connections to originate one direction only. 
> So you can say "A can access B but B can't access A".  More or less.
> 
> Since WINS browsing is broadcast based you have problems if A and B are 
> different subnets.  There are ways around it and probably Samba can 
> relay the WINS stuff.  Or your firewall can be the WINS server for both 
> A and B.  If you're on the same subnet the simplest (conceptually) thing 
> to do is set up the firewall as a bridge and you're still on the same 
> subnet.
> 
> Dave
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug

-- 
+----------------------------------------------------------------------
Michael R. Belanger                    Yahoo!:  darthwonka
DB Programmer                          MSN:     mrbelanger at hotmail.com
                                        Jabber:  mrb at jabber.ciclops.org
"We are the music makers,
And we are the dreamers of dreams.." -Arthur O'Shaughnessy (1844-1881)
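As an added illustration (not from any poster in this thread) of the two-NIC firewall and the "A can access B but B can't access A" iptables idea, the script below emits an iptables-restore ruleset for a box with one interface on each network. Interface names, subnets and the log prefix are assumptions; the rules forward only the NetBIOS ports 137-139 discussed above and only for connections that A initiates.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout: eth0 faces the
# trusted network A, eth1 faces the less-protected network B.
A_IF=eth0; A_NET=192.168.1.0/24
B_IF=eth1; B_NET=192.168.2.0/24

# Print an iptables-restore ruleset allowing SMB/NetBIOS to originate from
# A toward B only. Replies come back through the connection tracker, so
# nothing on B can open a new connection into A.
smb_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic belonging to a connection A already opened may return from B.
-A FORWARD -i $B_IF -o $A_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New NetBIOS session (TCP 139) and name/datagram (UDP 137/138) traffic,
# A -> B only. Modern Windows also uses TCP 445, which this 2004 thread
# does not mention; add it the same way if the B side needs it.
-A FORWARD -i $A_IF -o $B_IF -s $A_NET -d $B_NET -p tcp --dport 137:139 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $A_IF -o $B_IF -s $A_NET -d $B_NET -p udp --dport 137:139 -m conntrack --ctstate NEW -j ACCEPT
# Everything else, including anything B starts toward A, is logged and
# dropped by the chain policy. Browsing broadcasts are not routed, so a
# WINS server (as Dave suggests) is still needed across the two subnets.
-A FORWARD -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Load the ruleset (needs root); run "smb_ruleset" alone to review it first.
apply_smb_ruleset() {
    smb_ruleset | iptables-restore
}
```

Run `smb_ruleset` to inspect the generated rules, and `apply_smb_ruleset` as root to load them.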


