MargoAndTodd
2009-Jul-27 22:20 UTC
[Samba] Firewall rules to block other's computers browse list
Hi All,

My Samba server/firewall has three (two real, one virtual) network cards:

    eth0.5: connects to a terminal server
    eth0: internal network with about 10 XP workstations
    eth1: the Internet

Samba is set to talk to only 12.0.0.1, eth0.5 and eth0.

I have my firewall iptables rules set so that users on eth0.5 can only use the samba server on my server. They can not share with any other user on eth0. Tested and it works. So far so good.

Problem: users on eth0.5 can still see eth0 workstations on their browse list. Even though they can not do anything with them, it would still be nice if eth0.5 users could not see them at all.

I do believe the offending rules are:

    VlanNic="eth0.5"
    Vlan_mask="24"
    Vlan_net="192.168.254.0/$Vlan_mask"
    Vlan_Broadcast=192.168.254.255

    $tbls -A Vlan-in -i $VlanNic -p udp -s $Vlan_net -d \
        $Vlan_Broadcast --dport netbios-ns -j ACCEPT
    $tbls -A Vlan-in -i $VlanNic -p udp -s $Vlan_net -d \
        $Vlan_Broadcast --dport netbios-dgm -j ACCEPT

I have found that if I do not open up these two rules, domain users on eth0.5 can not get past their user name and password prompts.

How do I block eth0 workstations from eth0.5's browse list?

Many thanks,
-T
David Christensen
2009-Jul-27 23:39 UTC
[Samba] Firewall rules to block other's computers browse list
MargoAndTodd wrote:
> My Samba server/firewall has three (two real, one virtual) network
> cards:
> eth0.5: connects to a terminal server
> eth0: internal network with about 10 XP workstations
> eth1: the Internet

An Internet firewall should be a dedicated machine. I use IPCop:

http://www.ipcop.org/

IPCop has a reasonably simple installer, an excellent CGI interface, lots of features, and is light-weight -- I ran a Pentium 166 machine with 32 MB RAM, 4 GB HDD, and three 10/100 Mbps NICs until recently. It could have used more RAM, but it worked.

HTH,
David