You can stop a peer to peer, just block tcp and udp ports 137 - 139.

iptables -A INPUT -i eth0 -p udp --dport 137:139 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 137:139 -j DROP

If your policy is accept then use the above:

iptables -A INPUT -i eth0 -p udp -s ! HOST address --dport 137:139 -j DROP
iptables -A INPUT -i eth0 -p tcp -s ! HOST address --dport 137:139 -j DROP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Arindam Haldar
Sent: Saturday, April 20, 2002 4:52 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Windows networking

> Antony Stone wrote:
>
>>On Friday 19 April 2002 5:18 pm, Arindam Haldar wrote:
>>
>>>YES ! i mean windows network neighborhood !
>>>how can a client only see his network pc in his network & not others !
>>>
>>1. Turn off Windows Networking ? (Don't ask us here how to do that - this is a netfilter mailing list :-)
>>2. You can't stop a peer-to-peer network with a firewall. Windows
>>Networking is peer-to-peer, and netfilter is a firewall. Unless you
>>put every client on its own subnet (which would involve an awful lot
>>of network cards !) you won't stop them talking to each other using
>>netfilter, because
>>they're not going through the firewall.
>>
>
> though...extending that thought a bit further...use 802.1q VLAN tagging.
> Connect each physical ethernet port to a specific VLAN port on a
> 802.1q-capable switch (cisco, HP, etc) and route through a 802.1q capable linux box.

this sounds INTERESTING .... :)

>
> 802.1q support is now built into kernels > 2.4.15 and you can add a vlan
> interface (akin to an IP alias) for each VLAN on your switch. Each PC can
> continue to use DHCP thru that VLAN interface and can be prevented from
> "seeing" any other VLAN interface using iptables.
> Example: http://www.planetconnect.com/vlan/
> (note: example was written before 802.1 support was in kernel)

THANX -- Will Try VLAN ... hope it works .. :)

>
> or...install a firewall app on each node PC. Perhaps one that can be centrally
> managed (e.g. blackice, zonelabs ntegrity, etc?)
>
> Can't say how practical any of these 2 cents worth of ideas might be, but...
> --
> Doug Monroe
>
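The per-client VLAN design Doug Monroe sketches above, carried through as an added example (this is not code from the thread or from any poster). It assumes an 802.1q switch trunked on eth0, an uplink on eth1, VLAN ids 10-12 and modern iproute2 syntax; all of those are constructed values. By default it only prints the plan, so the rules can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread: per-client VLAN isolation on a Linux router,
# the approach Doug Monroe sketches above. Assumes an 802.1q switch trunked on
# eth0, an uplink on eth1 and VLAN ids 10-12; all of these are constructed values.
TRUNK="${TRUNK:-eth0}"
UPLINK="${UPLINK:-eth1}"
VLANS="${VLANS:-10 11 12}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the plan, 0 = execute it (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One 802.1q subinterface per VLAN (iproute2 syntax; the old tool was vconfig),
# each on its own /24, so no two clients share a broadcast domain.
vlan_interfaces() {
    for id in $VLANS; do
        run ip link add link "$TRUNK" name "$TRUNK.$id" type vlan id "$id"
        run ip addr add "10.$id.0.1/24" dev "$TRUNK.$id"
        run ip link set "$TRUNK.$id" up
    done
}

# FORWARD policy: every inter-VLAN path is dropped, and the NetBIOS ports 137-139
# (plus 445, which Windows 2000 and later use for SMB) are dropped toward the
# uplink too, so browsing and file sharing cannot cross the router at all.
isolation_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    for id in $VLANS; do
        for other in $VLANS; do
            if [ "$id" != "$other" ]; then
                run iptables -A FORWARD -i "$TRUNK.$id" -o "$TRUNK.$other" -j DROP
            fi
        done
        run iptables -A FORWARD -i "$TRUNK.$id" -p udp --dport 137:139 -j DROP
        run iptables -A FORWARD -i "$TRUNK.$id" -p tcp --dport 137:139 -j DROP
        run iptables -A FORWARD -i "$TRUNK.$id" -p tcp --dport 445 -j DROP
        run iptables -A FORWARD -i "$TRUNK.$id" -o "$UPLINK" -j ACCEPT
        run iptables -A FORWARD -i "$UPLINK" -o "$TRUNK.$id" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Prints the plan by default; DRY_RUN=0 sh this-script.sh applies it.
vlan_interfaces
isolation_rules
```

Traffic between two clients on the same VLAN still never reaches the router, which is exactly why each client gets its own VLAN here; the iptables rules only govern what crosses the Linux box.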
