[lug] firewall, samba and windows file sharing take 2

Ben Luey lueyb at jilau1.Colorado.EDU
Tue Feb 24 18:10:48 MST 2004


Thanks for the ideas. I'll try to answer some questions and
clarify the setup and (of course) ask some more questions.

Currently there are no set A computers. All computers are on set B and they
have internet-routed IP addresses. I want to put some of these computers
(set A, which is a subset of B) behind a firewall.

If I do bridging, if I'm understanding correctly, then all set A computers
need internet-routable IP addresses and will be on the same subnet as set
B. If I put 2 NICs in the firewall, then set A can have non-routable IPs
(10.0.0.xxx) but will obviously be on a different subnet.

Are there any security arguments for one method vs the other? If I do
bridging, then I filter via MAC address (or IP?) and file sharing should
be unaffected assuming I allow smb broadcast messages through.

If I do a non-routable subnet, then can I run a WINS server on the
firewall to merge the two file/printer sharing networks? Is this a
security hole? Will the WINS server potentially interfere with whatever
WINS-like server is running on set B, which I know little about?

Thanks again,

Ben

Ben Luey
lueyb at jilau1.colorado.edu
On Mon, 23 Feb 2004, D. Stimits wrote:

> Ben Luey wrote:
>
> > I've got a bunch of computers (call them set A) that are connected to a
> > large, not very secure network (set B) that uses windows file and printer
> > sharing all over the place. 95% of the file/printer traffic for set A
> > computers is between set A computers. I want to put set A computers behind
> > a firewall since set B computers have little security protection. Set A
> > computers consist of windows XP desktops and a linux samba file server. The
> > question is how can I access file/printer shares on computers in set B but
> > keep reasonable security setup on the firewall.
> >
> > Some ideas I was thinking of:
> >
> > A) Since there are only a few resources that we use from set B, have the
> > firewall mount these services with smbclient and then reexport these
> > services to set A computers. I'm not sure how this will work for printers
> > and if XP boxes will see the right printer drivers etc. The firewall box
> > could either export directly to set A, or to the linux file-server, which
> > could then reexport.
> >
> > B) Open up ports 137:139 on the firewall to allow file/printer sharing
> > directly with the XP boxes. Does anyone know if this will work like other
> > services in terms of mapping internal ip address (set A) to internet
> > address (set B). Also, what about network neighborhood browsing and those
> > broadcast messages. All things being equal, I'd rather not open up those
> > ports.
> >
> > C) New Ideas
> >
> For one thing, if you set up a transparent bridge via linux between the
> two networks, using a newer kernel, I believe you can filter via MAC
> address, rather than just IP. Depending on the kernel, you might or
> might not need to patch it with ebtables (available on sourceforge). I
> couldn't give you the exact details, though I'm going to have to find
> out first hand soon.
>
> D. Stimits, stimits AT comcast DOT net
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
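A two-NIC, non-routable-subnet version of option B, added here as an example (it is not from the original thread): set A sits on 10.0.0.0/24 behind eth1, may reach only the few named set B SMB servers on the NetBIOS/SMB ports, and nothing from set B can initiate a connection into set A. The interface names and the server addresses are assumed placeholders; XP also uses TCP 445 (direct-hosted SMB) alongside 137-139, so it is included.

```shell
#!/bin/sh
# Assumed layout (hypothetical): eth0 faces set B (routable addresses),
# eth1 faces set A on 10.0.0.0/24. SMB_SERVERS names the few set B hosts
# whose shares/printers set A needs; constructed placeholder addresses.
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-10.0.0.0/24}"
SMB_SERVERS="${SMB_SERVERS:-192.0.2.10 192.0.2.20}"

# build_ruleset CMD: emits the rules through CMD, which is "iptables" for a
# real load or "echo" for a dry run that just prints the rules.
build_ruleset() {
    ipt="$1"
    $ipt -F FORWARD
    $ipt -t nat -F POSTROUTING
    $ipt -P FORWARD DROP
    # Replies to connections that set A opened are allowed back in.
    $ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Set A may talk SMB only to the listed set B servers: NetBIOS name and
    # datagram service (UDP 137-138), NetBIOS session (TCP 139) and
    # direct-hosted SMB (TCP 445, which XP prefers over 139).
    for srv in $SMB_SERVERS; do
        $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -d "$srv" -p udp --dport 137:138 -j ACCEPT
        $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -d "$srv" -p tcp --dport 139 -j ACCEPT
        $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -d "$srv" -p tcp --dport 445 -j ACCEPT
    done
    # Other outbound traffic from set A (web, mail, ...) is allowed; nothing
    # set B initiates toward 10.0.0.x is, so set B's SMB chatter never reaches
    # set A. Its broadcasts stop at the firewall anyway (different subnet).
    $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    # Hide set A behind the firewall's routable address.
    $ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    # Rate-limited log of what the DROP policy catches, so stray SMB
    # connection attempts from set B show up in the firewall's logs.
    $ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# "apply" loads the rules (needs root); anything else prints them.
if [ "${1:-}" = "apply" ]; then
    build_ruleset iptables
else
    build_ruleset echo
fi
```

Network Neighborhood browsing does not cross this NAT boundary, which is exactly the gap the WINS server question in the message above is about: a WINS server on the firewall gives set A name resolution for set B hosts without any of set B's broadcast traffic being forwarded.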
