-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Brown wrote:
> Hi,
>
> As far as I have read (on the samba website), workgroups will work fine
> across subnets - as long as you have WINS working fully. DNS will get
> you some of the way, but is not complete in itself as WINS stores a
> "type" as well as the name (so that it can distinguish between clients,
> services, master browsers, etc.). But if you don't have WINS setup on
> every machine, or have two WINS servers on the network, things go wrong
> quickly. The examples on the samba website (at least, the ones I looked
> at) all have a single workgroup, which is okay for me (if I had to split
> it by subnet, that would be okay too).
>
> I'm still not quite sure what firewall and routing rules are needed
> between the networks - if anyone knows a website with a clear
> explanation I'd be glad to see it.
>
> My understanding at the moment is that the rules for name service (nmbd)
> and sharing (smbd) are slightly different - every computer on each (LAN)
> subnet will need nmbd access (udp 137, udp 138) to the WINS server, and
> the WINS server will need the same access to each machine (since it
> needs to contact the local master browser on each subnet, which could be
> any machine). Additionally, the domain master browser (totally
> different thing from a domain controller, even if they happen to be the
> same machine) needs the same access to the local master browsers - I'd
> use the same samba server for that as for WINS. There is no need for
> name service access to or from servers on any network (except to and
> from the WINS server).
>
> For the file serving (tcp 135, tcp 139, tcp 445), then access only has
> to be as one would expect for a server - if a client on Lan 1 needs
> access to a server on Lan 2, then the smb ports need to be opened for
> that route.
>
>
> As for the idea of a "god box" - I can sympathise somewhat. When I
> discussed hardware for a new firewall with my local computer shop (they
> are quite good for hardware, but are solidly windows-only), their idea
> of an advanced firewall (as distinct from a ready-made appliance) was a
> large, fast server (including SCSI disks for reliability), lots of
> single-port network cards, and - wait for it - Microsoft "Internet
> Security and Acceleration" server. Estimated hardware costs of around
> $3500 - I don't know what the software costs would be, and it was not
> exactly what I had in mind when I think of "security" !
>
> mvh.,
>
> David
>
>
>
>
> DarkFoon wrote:
>> I was hired to do the same thing for a small business a year ago.
>>
>> I learned about a month and a half into the project that windows shares,
>> while they work across subnets, the hostname can't be used because of
>> WINS,
>> only the IP address. Workgroups especially do not work across subnets. I
>> would like to know if DNS will work for your workgroup. I can't
>> remember if
>> I tried that, or even had the proper settings for get it to work.
>>
>> My employer's entire network was set up with a workgroup that had been
>> tweaked to act sorta like a domain. I set up a FreeBSD domain server,
>> but he
>> wanted a "god box" that was his domain server, web server,
>> firewall-which I
>> wouldn't build due to security reasons-and he had some custom server
>> software that would only work under windows, so I was let go; his son
>> can do
>> windows stuff for free.
>> Sorry, I got off topic there.
>>
>> WebDAV over https sounds like an interesting idea.
>> I hope I have been of some help.
>>
>> ----- Original Message ----- From: "David Brown" <[EMAIL PROTECTED]>
>> To: <discussion@pfsense.com>
>> Sent: Thursday, January 04, 2007 12:09 AM
>> Subject: [pfSense-discussion] Windows shares across the firewall
>>
>>
>>> I'm planning to set up a new firewall/router at our company, and am
>>> leaning towards using pfSense because I want several green networks
>>> (either using multiple ports on the firewall machine, or using a managed
>>> switch and VLANs - as far as I understand it, they can work the same
>>> way).
>>>
>>> There are going to be a couple of server machines on different branches
>>> of the LANs, but I need access to them from the other branches. The
>>> setup I've planned looks like this:
>>>
>>>
>>> /-----------\
>>> | |-red1----internet
>>> | pfSense |-red2----(second internet connection, optional)
>>> | |
>>> | |-orange--DMZ---web server, mail server, squid, etc.
>>> | |
>>> | |-blue---(wireless for laptops, including visitors)
>>> | | | | |
>>> | | LinkSys WRT54GL LinkSys LinkSys
>>> | | / \ / \ / \
>>> | | laptops, etc.
>>> | |
>>> | |-green1---LAN (192.168.1.x)---server1.1, pc1.1, pc1.2, etc.
>>> | |
>>> | |-green2---LAN (192.168.2.x)---server2.1, pc2.1, pc2.2, etc.
>>> | |
>>> | |-green3---LAN (192.168.3.x)---server3.1, pc3.1, pc3.2, etc.
>>> | |
>>> \-----------/
>>>
>>>
>>> Making appropriate firewall and routing rules for access to the DMZ
>>> servers from the green LANs is easy enough, as are things like allowing
>>> ssh access on different LANs for administrative purposes. But it is
>>> also important that I can get windows share access in some way across
>>> the LANs. For example, pc1.2 (say, 192.168.1.102) should be able to
>>> mount a share on server2.1 (192.168.2.1), while the reverse is not true
>>> (i.e., no machine on LAN2 should see the pc's on LAN1). Is it
>>> sufficient, and safe, to simply open a pinhole for traffic on port 139
>>> towards 192.168.2.1 from 192.168.1.x ? I suppose I could set up VPNs
>>> somewhere to tunnel traffic around, but I can't see that this would
>>> actually improve matters (I have no need to encrypt traffic passing
>>> between greens) - I would need similar rules to limit the VPN traffic.
>>> In fact, I'm assuming that once I've got things figured for cross-green
>>> routing, I can use the same sorts of rules for VPN's from laptops on the
>>> blue zone or attaching via the internet.
>>>
>>> As far as I can tell, it is only the share access that I need from the
>>> SMB/CIFS protocols. pfSense's DNS server should be able to handle
>>> naming, and I am not running a windows domain (it's all set up as a
>>> workgroup).
>>>
>>> If I can't get a stable and secure arrangement for SMB sharing, what are
>>> my other options? At the moment, we have a couple of linux file servers
>>> and one old windows one, which can be replaced if it is not flexible
>>> enough. I've heard of using WebDAV as a protocol - W2K and XP (and
>>> linux, and presumably FreeBSD :-) can mount WebDAV paths, and use them
>>> directly. If the WebDAV access is over https, then it could be used
>>> directly from outside the LANs without needing a VPN. Another idea I
>>> have read about is using a SFTP server along with WebDrive software.
>>>
>>> Any hints, tips, website pointers, or comments about how only an idiot
>>> would arrange things like that, would be much appreciated.
>>>
>>> mvh.,
>>>
>>> David
WINS name resolution must be done via Samba or an equivalent Windows
DNS-enabled machine, or you will have to use the full or partial DNS
qualified names in resolving servers. See
<http://lists.samba.org/archive/samba-technical/1998-August/001858.html>
for an example of what I'm referring to (discussion is a bit old, but
still applies AFAIK).
For WINS you need (IIRC) ports 137-139, maybe (netbios stuff), and 443
(Microsoft DNS aka "mdns") to be allowed through the firewall. You need
ports 137-139 for sure with 443 for SMB/CIFS based file/printer sharing
though, along with whatever ports you have in use for mountd since RPC
uses random ports for mapping out different related services (see your
OS's documentation for that).
- -Garrett
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.1 (FreeBSD)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFnt6HEnKyINQw/HARAvySAKCH5Kc3uqEe6XMsjbrYNtPWa96J3gCfR01Z
w2SOHaT/ZC3/q6y1ubAkfn0=
=Xi0l
-----END PGP SIGNATURE-----
