Networking with Windows Computers
Lee H.
spamless_mr.sisyphus at shaw.ca
Sat Dec 3 15:07:00 UTC 2005
On Sat, 03 Dec 2005 09:38:52 -0500, you wrote:
>First off, I have to say that having every machine on your network
>being dual-homed adds a lot of complexity. If you're looking for
>"newbie friendly," that way certainly isn't.
Why do I always try to do things the hard way?!? :)
Of course, back when I was an ignorant, paranoid Windows newbie, it
seemed like a simple, logical way for protection. I realize now that it
is redundant, but things have worked that way for years and I could
never be bothered to change it.
>The configuration file, /etc/interfaces, allows you to specify per
>interface settings. As far as allowing filesharing over one nic but not
>another, that probably will require blocking the appropriate smb ports
>for that nic using iptables rules. There are tools that configure
>iptables for you such as firestarter, but I don't know if they're well
>suited for a dual-homed configuration. TCP wrappers may also be able
>to help with this, but I'm not sure. It's been a while since I've
>configured samba (assuming this is what you're using), so I don't
>remember if there are any directives in smb.conf that control what
>interfaces the samba daemons listen on, but if there are then that may
>be an option.
I've obviously got a lot more reading to do. I am using Samba but have
no experience with it (smb = Samba ?), iptables, TCP wrappers.
Unfortunately, reading this stuff makes my eyes glaze over after about
two minutes. If I can figure out how to actually DO it, then what I
read actually makes sense, and I can usually proceed to the next steps
by myself. My cross to bear!
>Since you say that your network is behind a router, I might suggest
>that smb traffic is non-routable, so I don't believe it is possible
>that your filesharing will be exposed beyond the router, and if your
>router is doing NAT, then you're especially safe. If someone wants to
>connect to an smb share or enumerate smb information from outside your
>network, they'll have to compromise one of the machines via another
>attack vector in order to do so. If that happens, the dual homed
>configuration won't help because once they own the box they can talk
>and listen through any of its interfaces. There should be no need to
>have your machines be dual homed.
Taken under advisement. Thanks.
--
You WILL be assimilated!
Of course, if you pay exorbitant prices for brand name products, go to Starbucks for five-dollar cups of coffee, watch Fox sit-coms or use AOL, you probably already have been assimilated! Wake up!!!
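
The per-interface restriction discussed in the quoted text, as an added example that is not part of the original thread: it prints the iptables rules that drop inbound SMB/NetBIOS traffic on one NIC and the smb.conf lines that bind Samba to the other. The interface names eth0 and eth1 and the function names are assumptions chosen for illustration; `interfaces` and `bind interfaces only` are real smb.conf parameters.

```shell
#!/bin/sh
# Added example. Assumed layout: eth0 = NIC where file sharing must NOT be
# reachable, eth1 = NIC where it should be. Nothing is applied by this script;
# it only prints the rules and config lines for review.

# Reject empty names and anything that is not a plain interface name, so the
# printed commands can never carry extra shell syntax.
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "invalid interface name: $1" >&2; return 1 ;;
    esac
}

# Print iptables commands that drop inbound SMB traffic on interface $1.
smb_block_rules() {
    valid_iface "$1" || return 1
    # NetBIOS name service and datagram service (UDP 137, 138)
    echo "iptables -A INPUT -i $1 -p udp -m multiport --dports 137,138 -j DROP"
    # NetBIOS session service and SMB over TCP (TCP 139, 445)
    echo "iptables -A INPUT -i $1 -p tcp -m multiport --dports 139,445 -j DROP"
}

# Print the smb.conf [global] lines that make smbd/nmbd listen only on
# interface $1. Loopback stays listed so local tools such as smbpasswd
# can still reach the daemon.
smb_bind_conf() {
    valid_iface "$1" || return 1
    printf '[global]\n'
    printf '    interfaces = lo %s\n' "$1"
    printf '    bind interfaces only = yes\n'
}

echo "# --- iptables rules (run as root) ---"
smb_block_rules "${BLOCK_IFACE:-eth0}"
echo "# --- smb.conf ---"
smb_bind_conf "${SHARE_IFACE:-eth1}"
```

The two controls overlap on purpose: the Samba setting keeps the daemons from listening on the unwanted NIC at all, and the packet filter still drops the traffic if the configuration is later changed.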