Michel,

One approach that hasn't been suggested is to block access to the netbios
nameservice port on the samba host with a firewalling rule. That way the
other computers on the subnet can't register themselves with nmbd.

Suppose that your internal network is all within the 192.168.15.0/24
network. Each Windows workstation will automatically announce itself with
a udp packet broadcast to 192.168.15.255 on port 137. So if your OS
supports firewalling you can just write a deny rule for packets that meet
those criteria.

For instance, using Linux, I can write the following rule:

    ipfwadm -I -a deny -S 192.168.15.0/24 -D 192.168.15.255 137 -P udp

which drops all packets destined for the udp netbios-ns port at 137. Of
course, you could enable specific machines to be listed by adding
additional rules above this one. If, for instance, you wanted the machine
at 192.168.15.1 to appear in Network Neighborhood, you'd add the rule:

    ipfwadm -I -a accept -S 192.168.15.1 -D 192.168.15.255 137 -P udp

before the general deny rule above.

Peter

-----

Peter H. Lemieux                      Voice: (800) 5-CYWAYS
CYWAYS, Incorporated                         (+1 617 796 8995)
19 Westchester Road                   Fax:   (617) 796-8997
Newton, Massachusetts 02458-2519 USA  Web:   http://www.cyways.com
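The rule ordering described in the message above, as an added example that is not part of the original e-mail: a small first-match evaluator run over constructed packets, showing which traffic the two rules cover and why the accept rule has to sit before the general deny. It assumes the input chain is scanned top to bottom with the first match winning and that the chain's default policy is accept; the host addresses 192.168.15.20 and 192.168.15.2 are constructed.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "accept" or "deny"
    src: str      # source address or network (CIDR)
    dst: str      # destination address or network (CIDR)
    dport: int    # destination port
    proto: str    # "udp" or "tcp"

class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str

# The two rules from the message, in the order it prescribes:
# the specific accept first, then the general deny.
RULES = [
    Rule("accept", "192.168.15.1/32", "192.168.15.255/32", 137, "udp"),
    Rule("deny", "192.168.15.0/24", "192.168.15.255/32", 137, "udp"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when protocol, port, source and destination all match."""
    return (
        pkt.proto == rule.proto
        and pkt.dport == rule.dport
        and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    )

def decide(pkt: Packet, rules=RULES, default: str = "accept") -> str:
    """First matching rule wins; unmatched packets get the default policy
    (assumed to be accept here)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("192.168.15.1", "192.168.15.255", 137, "udp"),   # allowed host
        Packet("192.168.15.20", "192.168.15.255", 137, "udp"),  # other host
        Packet("192.168.15.20", "192.168.15.255", 138, "udp"),  # port not in rules
        Packet("192.168.15.20", "192.168.15.2", 139, "tcp"),    # unicast, not in rules
    ]
    for pkt in samples:
        print(pkt, "->", decide(pkt))
    # With the order reversed, the general deny shadows the accept rule.
    print("reversed:", decide(samples[0], rules=list(reversed(RULES))))
```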
Thanks for your thoughts. But would this still allow these clients to
browse the server?

Michel.

--
Michel van der Laan - michel@nijenrode.nl
http://www.nijenrode.nl/~michel

In your mail from 6-10-1998 you write:
> Michel,
>
> One approach that hasn't been suggested is to block access to the netbios
> nameservice port on the samba host with a firewalling rule. That way the
> other computers on the subnet can't register themselves with nmbd.
>
> Suppose that your internal network is all within the 192.168.15.0/24
> network. Each Windows workstation will automatically announce itself with
> a udp packet broadcast to 192.168.15.255 on port 137. So if your OS
> supports firewalling you can just write a deny rule for packets that meet
> those criteria.
>
> For instance, using Linux, I can write the following rule:
>
>     ipfwadm -I -a deny -S 192.168.15.0/24 -D 192.168.15.255 137 -P udp
>
> which drops all packets destined for the udp netbios-ns port at 137. Of
> course, you could enable specific machines to be listed by adding
> additional rules above this one. If, for instance, you wanted the machine
> at 192.168.15.1 to appear in Network Neighborhood, you'd add the rule:
>
>     ipfwadm -I -a accept -S 192.168.15.1 -D 192.168.15.255 137 -P udp
>
> before the general deny rule above.
>
> Peter
>
> -----
>
> Peter H. Lemieux                      Voice: (800) 5-CYWAYS
> CYWAYS, Incorporated                         (+1 617 796 8995)
> 19 Westchester Road                   Fax:   (617) 796-8997
> Newton, Massachusetts 02458-2519 USA  Web:   http://www.cyways.com