On 5/05/2011 9:45 a.m., Grant Taylor wrote:
> On 05/04/11 16:30, Don Gould wrote:
>> However I don't want people on 2.0 to be able to see computers in 3.0 or
>> 4.0, etc.
> What about 3.0 and 4.0 being able to see other subnets 2.0 / 4.0 and
> 2.0 / 3.0 (respectively)?
Sorry, my bad.
I want to block, drop, whatever, Microsoft networking... WINS? but I
do want to permit internet networking (for want of some better terms).
I don't want users on the 2.0 network to see the 'shares' on the 3.0
networks in 'network neighbourhood'.
I know this could be achieved by simply putting everyone in different
work groups rather than the default of 'workgroup' (or 'home' depending
on what version of windows you're using). But I don't control the
computers, so I can't do that.
If user 2.35 sets up WAMP on their PC, I do want 3.45 to be able to see
that. http://192.168.2.35/ ... blar :)
>> So I need to drop some traffic unless it's heading to my NAS IP
>> (192.168.1.2 for sake of argument).
> Do you want to single out the NAS IP (192.168.1.2) specifically, or is
> the entire 1.0 network ok? (This makes little difference, just asking
> for clarity.)
What I want is... When a user browses the "network" (Windows term), I
want them to see DonsNAS\192.168.x.0_Share. That's where I eventually
want to end up.
Everyone on the x.0/24 network gets access to 1.xGb of shared space
where they can put stuff they want to share with everyone else on their
network. People on y.0/24 will have their share on the same NAS (which
is actually a nice Debian box running Samba). The share is to be fully
open to everyone in x.0 but not visible to people in y.0 etc.
Think in terms of a block of apartments where each apartment is getting
a x.0/24. I'm wanting to give all the users in apartment 1 a network
and some shared space so they can transfer files etc but I don't want
the people in apartment 2 seeing the files of apartment 1. However I
don't have control of the computers, so I can't do stuff like ACLs etc.
>> I do want users in 192.168.x.0/24 to be able to see each other though.
> Please elaborate on what you mean by "see each other". What services
> do you want to allow to communicate?
I don't want them to be able to 'browse the network', errr... I don't
want them to be able to "browse" the other networks.
> Shooting from the hip, I'd say that you want a default of DROP (or
> REJECT at your preference) and allow traffic from 1.0 to the other
> networks 2.0 / 3.0 / 4.0 and stateful replies to said traffic.
> This would isolate the 2.0 / 3.0 / 4.0 networks from each other but
> still allow them to communicate with the 1.0 network.
Ya, that's not what I want. I only want to drop the SMB traffic. Is
that port 137? Or do I need to drop more than that?
If I do what you just said then Skype between networks will break, won't
it? Or it will travel out the public IP and transit to another peer?
Thanks for the help man :)
D
--
Don Gould
31 Acheson Ave
Mairehau
Christchurch, New Zealand
Ph: + 64 3 348 7235
Mobile: + 64 21 114 0699
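
The selective filtering asked about in this message, as an added example that is not part of the original thread or from either poster: it prints (does not apply) iptables rules that drop routed NetBIOS/SMB traffic between subnets unless the NAS is one endpoint, and models the resulting verdict. Assumptions: the Linux router forwards between the 192.168.x.0/24 subnets with a FORWARD policy of ACCEPT, SMB_FILTER is a hypothetical chain name, and the ports are the standard NetBIOS/SMB ones (UDP 137/138, TCP 139/445).

```shell
#!/bin/sh
# Added example; addressing is constructed from the scheme used in the thread.
NAS_IP="192.168.1.2"   # NAS address given in the thread "for sake of argument"
SMB_UDP="137,138"      # NetBIOS name service, NetBIOS datagram service
SMB_TCP="139,445"      # NetBIOS session service, SMB directly over TCP

# Print the iptables commands for review; nothing is applied here.
# SMB_FILTER is a hypothetical chain name (assumption).
smb_rules() {
    nas="$1"
    echo "iptables -N SMB_FILTER"
    echo "iptables -A SMB_FILTER -d $nas -j RETURN"   # clients -> NAS
    echo "iptables -A SMB_FILTER -s $nas -j RETURN"   # NAS -> clients (e.g. UDP 137 replies)
    echo "iptables -A SMB_FILTER -j DROP"             # SMB between other subnets
    echo "iptables -A FORWARD -p udp -m multiport --dports $SMB_UDP -j SMB_FILTER"
    echo "iptables -A FORWARD -p tcp -m multiport --dports $SMB_TCP -j SMB_FILTER"
}

# Model of the verdict those rules give a routed packet, assuming RETURN
# falls through to a FORWARD policy of ACCEPT.
# Usage: smb_verdict SRC DST PROTO DPORT   (prints ACCEPT or DROP)
smb_verdict() {
    src="$1"; dst="$2"; proto="$3"; dport="$4"
    case "$proto" in
        udp) ports="$SMB_UDP" ;;
        tcp) ports="$SMB_TCP" ;;
        *)   echo ACCEPT; return ;;
    esac
    case ",$ports," in
        *",$dport,"*) ;;               # SMB/NetBIOS port: jumps to SMB_FILTER
        *) echo ACCEPT; return ;;      # web, Skype, etc. are never matched
    esac
    if [ "$dst" = "$NAS_IP" ] || [ "$src" = "$NAS_IP" ]; then
        echo ACCEPT
    else
        echo DROP
    fi
}

smb_rules "$NAS_IP"
```

Traffic between hosts on the same /24 is switched rather than routed, so it never reaches the FORWARD chain and is unaffected by these rules.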