Okay, I got this to work. Not sure if it's as secure as I might wish, but at
least it makes the intruder have to spoof an internal address. I think.

> > > Can it be done?
> > >
> > > If not, what do most people do when opening the NetBIOS ports for Samba
> > > (those who use Samba, that is)? I assume, even though it only buys a
> > > speedbump, most people only open the NetBIOS ports to the local net.
> > >
> > > Manual editing of /etc/sysconfig/iptables (in spite of
> > > system-config-securitylevel warning away from that)?
> > >
> > > Incidentally, when adding rules from the shell, I seem to have noticed
> > > that you can't specify multiple protocols and multiple ports in the same
> > > line like
> > >
> > >   iptables -A INPUT -p ALL -i eth0 -s 10.5.0.0/22 --destination-port 137:139 -j ACCEPT
> > >
> > > Seems that -p ALL and --destination-port start:end conflict with each
> > > other. Am I imagining things?
> >
> > You might want to try this, though I currently have my firewall turned
> > off on the Linux box.
> >
> > Windows XP firewall exception for File and Printer Sharing:
> >
> >   TCP 139
> >   TCP 445
> >   UDP 137
> >   UDP 138
>
> Thanks.
>
> Doing that with the security widget did the trick. I'll try
> /etc/sysconfig/iptables on Monday.

Here are the four lines I added to /etc/sysconfig/iptables to clear the
firewall for the LAN:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.5.0.0/25 --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.5.0.0/25 --dport 445 -j ACCEPT

At least, they were four before your mail browser wrapped them. ;-P

Anybody see any obvious holes in that?

--
Joel <rees@xxxxxxxxxxx>
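An added example, not part of the thread above and not the poster's own script: a small POSIX shell helper that generates the same four per-protocol rules for any LAN prefix, and a second function that loads them into a running firewall without duplicating rules. The chain name RH-Firewall-1-INPUT and the eth0 interface are taken from the messages above; the prefix 10.5.0.0/25 and the choice to pin the rules to an interface are constructed for the example. The one-rule-per-port layout is not cosmetic: --dport (and --destination-port) is an option of the tcp and udp match modules, so a single "-p ALL ... --dport 137:139" rule is rejected, which is the conflict the earlier message noticed.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Builds the Samba/NetBIOS
# accept rules for a LAN prefix in /etc/sysconfig/iptables (iptables-restore)
# syntax.  One rule per port because --dport belongs to the tcp/udp match
# modules, so it cannot be combined with -p ALL.

# samba_lan_rules <cidr> [chain] [interface]
# Prints one rule per line.  Giving an inside interface (-i) means a packet
# that arrives on the outside interface with a spoofed LAN source address
# no longer matches; a bare -s match is only as strong as the source address.
samba_lan_rules() {
    cidr=$1
    chain=${2:-RH-Firewall-1-INPUT}   # chain name used in the thread
    iface=${3:-}                       # optional, e.g. eth0 (assumed value)
    case $cidr in
        */*) ;;
        *) echo "samba_lan_rules: expected a CIDR prefix, got '$cidr'" >&2; return 1 ;;
    esac
    ifopt=""
    [ -n "$iface" ] && ifopt="-i $iface "
    for spec in udp:137 udp:138 tcp:139 tcp:445; do
        proto=${spec%%:*}
        port=${spec##*:}
        printf '%s\n' "-A $chain ${ifopt}-m state --state NEW -m $proto -p $proto -s $cidr --dport $port -j ACCEPT"
    done
}

# apply_samba_lan_rules <cidr> [chain] [interface]
# Loads the same rules into the live firewall idempotently: "iptables -C"
# returns success if an identical rule already exists, so re-running this
# after a reboot or a second edit does not stack duplicate rules.
# Needs root and a working iptables; it is not run by the demo below.
apply_samba_lan_rules() {
    samba_lan_rules "$@" | while read -r line; do
        # $line is "-A CHAIN ..."; -C takes "CHAIN ..." and -A re-adds it.
        # shellcheck disable=SC2086
        iptables -C ${line#-A } 2>/dev/null || iptables $line
    done
}

# Stand-alone run: print the rule set for a /25, pinned to eth0 (constructed).
samba_lan_rules 10.5.0.0/25 RH-Firewall-1-INPUT eth0
```

Drop the rules into /etc/sysconfig/iptables above the chain's final REJECT, or feed them to apply_samba_lan_rules to test them on the running box first. If fewer lines are wanted, "-p udp -m multiport --dports 137,138" and "-p tcp -m multiport --dports 139,445" collapse the four rules to two; the protocol still has to be stated per rule.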