[Shorewall-users] How can I secure samba dmz <> loc?

Steve Sobka <hickbot@fuzzylinux.net>
Mon, 8 Jul 2002 09:52:50 -0700


I am not sure if this setup is correct, or if I could go about doing this in
a more secure manner. I thought I would post here for suggestions.

I have a somewhat strange setup here at my house.

I have a LEAF Bering box running Shorewall 1.3.1. I get my IP via DHCP from
the cable company.  I have a 3-NIC setup.

I have most of my computers in the loc zone, including a Samba Server at
192.168.1.200.

I use the setup:

loc=192.168.1.0/24
dmz =192.168.2.0/24

Now the only thing I have in the dmz zone is a wireless router (not an
Access Point).  It was given to me free and I use it to allow me access to
the internet while walking around the house.
Now this router will not let me put the WAN and LAN IPs on the same subnet
(i.e. it won't allow both WAN and LAN on 192.168.2.0/24), therefore I put
the router's WAN IP at 192.168.2.253 so it's on the subnet of the LEAF Bering
box and the LAN IP at 10.150.150.1, and my wireless NIC on my laptop at
10.150.150.2 with the .1 address of the wireless router specified as the
gateway, DNS, etc. for my laptop. It works fine: I can browse the internet
and connect to the Samba shares on the loc zone.

Since I wanted to allow Samba between the wireless NIC at 10.150.150.2 and
the Samba server on the loc zone at 192.168.1.200, I've added this to my
rules file:

ACCEPT          dmz     loc                     udp     137:139
ACCEPT          dmz     loc                     tcp     137,139
ACCEPT          dmz     loc                     udp     1024:           137
ACCEPT          loc     dmz                     udp     137:139
ACCEPT          loc     dmz                     tcp     137,139
ACCEPT          loc     dmz                     udp     1024:           137

Everything DOES work, but I am wondering if there is some easier way to go
about this? Like using a VPN or something similar? I just have no idea what to
look for if there is a better way, or what it would be called?

Could anyone make a suggestion on a more secure way of accomplishing the
same task?
All I really want to do is allow my laptop to browse the internet and
connect to shares & printers on the loc zone, but I really don't want to open
the loc zone up to the entire dmz in case someone hitches a free ride onto my
wireless router.

I hope that made sense :-)

Steve Sobka
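The rules in the post above grant every dmz host access to every loc host on the NetBIOS ports. The following is an added example, not code from the post or from Shorewall: a small evaluator for Shorewall-style rules that compares the posted rules with a variant narrowed to the router's WAN address and the Samba server using Shorewall's zone:host qualifier. It assumes (the post does not say) that the wireless router NATs the laptop, so the firewall sees 192.168.2.253 as the source; the hosts 192.168.2.77 and 192.168.1.50 are constructed for the comparison.

```python
# Added example (not from the post): evaluate Shorewall-style rules to compare
# the posted dmz<->loc Samba rules with a host-narrowed variant. Assumes the
# wireless router NATs the laptop, so loc sees source 192.168.2.253.
from dataclasses import dataclass

@dataclass
class Rule:
    action: str
    src: str           # "dmz" (whole zone) or "dmz:192.168.2.253" (one host)
    dst: str
    proto: str
    dports: str        # "137:139" range, "137,139" list, "1024:" open range
    sports: str = "-"  # "-" means any source port

def port_match(spec, port):
    """Match a port against a Shorewall port spec: list, range or '-'."""
    if spec == "-":
        return True
    for item in spec.split(","):
        lo, sep, hi = item.partition(":")
        if sep and int(lo or 1) <= port <= int(hi or 65535):
            return True
        if not sep and int(item) == port:
            return True
    return False

def endpoint_match(spec, zone, host):
    """'zone' matches every host in the zone; 'zone:host' only that host."""
    z, _, h = spec.partition(":")
    return z == zone and h in ("", host)

def evaluate(rules, src, dst, proto, dport, sport=40000):
    """Action of the first matching rule, else DROP (assumed zone policy)."""
    for r in rules:
        if (endpoint_match(r.src, *src) and endpoint_match(r.dst, *dst)
                and r.proto == proto and port_match(r.dports, dport)
                and port_match(r.sports, sport)):
            return r.action
    return "DROP"

# dmz -> loc rules as posted: any dmz host may reach any loc host.
POSTED = [Rule("ACCEPT", "dmz", "loc", "udp", "137:139"),
          Rule("ACCEPT", "dmz", "loc", "tcp", "137,139"),
          Rule("ACCEPT", "dmz", "loc", "udp", "1024:", "137")]
# Narrowed variant: only the router's WAN address, only the Samba server.
TIGHT = [Rule(r.action, "dmz:192.168.2.253", "loc:192.168.1.200",
              r.proto, r.dports, r.sports) for r in POSTED]
ROUTER, STRAY = ("dmz", "192.168.2.253"), ("dmz", "192.168.2.77")  # STRAY constructed
SAMBA, OTHER = ("loc", "192.168.1.200"), ("loc", "192.168.1.50")   # OTHER constructed
```

Because every wireless client behind the router's NAT arrives with the same source address, narrowing the source column does not distinguish the laptop from another wireless client; what actually reduces exposure of the loc zone is narrowing the destination to the Samba server.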