#1

OK, here's the thing. I've got a "gateway" box, that has apache, for the
website, Samba, for the LAN, and "dnsmasq", which it's. It plugs into the
DSL, and there are 6 other boxen on the LAN. 3 of them are doze boxen, 2
are "spare" Slack boxen, and one - my workstation - I dual-boot, Slack
11.0 or W2K.

Is it possible, when I boot my box to Doze, to deny internet access to it,
but still let it get to the Samba server?

In other words, I've got this:

          ____________
---DSL---["The Server"]-------["My Workstation"]
         [            ]-------[box A]
         [            ]-------[box B]
         [____________] etc.

And what I want to do is, when I boot "My Workstation" in Slack, I want
internet and Samba (which I have) but when I boot it in Windows 2000, I
want Samba file access (which I now have), but no internet (which I have
but don't want).

The server is running Slackware 11.0, with all of the defaults, and it's
the first time I've seen "dnsmasq", which somebody told me "doesn't really
mean masquerading" or something like that.

I've looked at dnsmasq.conf, and am pretty much baffled as to how to do
that, and, as I said, I don't even know if it's possible, let alone how to
do so if it is.

And, of course, I want the other boxen (3 x W2K + 1 x Slack 11.0 + 1 x
Slack 10.0) to still have both Samba and Internet access - the guys in the
office run AV almost daily, and so on. I've also stuck a big "hosts" file
on "The Server" - I'll have to check if that has "answerworks" - that's
always been a pain in the ass.

Thanks,
Rich

Rich Grise

#2

On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:
> Is it possible, when I boot my box to Doze, to deny internet access to it,
> but still let it get to the Samba server?

If you're assigning IP addresses statically, you could give different
addresses to the Windows and Linux installations, and then use a
firewall rule on the gateway machine to deny Internet access to the
Windows system.

Mike
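
Added example, not part of Mike's post or of the original thread: a sketch of the gateway firewall rule described above. It assumes the Windows install is statically addressed as 192.168.1.50 and that the gateway's LAN and DSL interfaces are eth1 and ppp0 (all three values are constructed for illustration); the script only prints the iptables commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: print iptables rules that cut one LAN address off from the
# Internet at the gateway while leaving the gateway's own services reachable.
#
# Traffic *through* the gateway (LAN -> DSL) traverses the FORWARD chain.
# Traffic *to* the gateway itself (Samba, dnsmasq, apache) traverses INPUT.
# Rejecting only in FORWARD therefore blocks Internet access but not Samba.

valid_ipv4() {
    # Dotted quad, digits only, each octet 0-255.
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

deny_internet_rules() {
    # $1 = address of the host to block, $2 = LAN interface, $3 = WAN interface
    ip=$1; lan=$2; wan=$3
    # The output is meant to be run as root, so refuse anything that is not a
    # plain address or interface name.
    valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    for ifc in "$lan" "$wan"; do
        case "$ifc" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $ifc" >&2; return 1 ;;
        esac
    done
    # Both rules are inserted at position 1, so the LOG rule (inserted last)
    # ends up above the REJECT rule and records each blocked packet first.
    match="-i $lan -o $wan -s $ip"
    echo "iptables -I FORWARD 1 $match -j REJECT"
    echo "iptables -I FORWARD 1 $match -j LOG --log-prefix 'w2k-inet-deny: '"
}

# Constructed sample values (assumptions, not taken from the thread).
deny_internet_rules 192.168.1.50 eth1 ppp0
```

The rules match on source address alone, so they hold only while the Windows installation keeps the address it was assigned; the Slackware install uses a different address and is unaffected.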

#3

On Mon, 26 Feb 2007 20:12:25 +0000, Mike Playle wrote:
> On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:
>> Is it possible, when I boot my box to Doze, to deny internet access to it,
>> but still let it get to the Samba server?
>
> If you're assigning IP addresses statically, you could give different
> addresses to the Windows and Linux installations, and then use a
> firewall rule on the gateway machine to deny Internet access to the
> Windows system.
>

Thanks for this, but now how do I learn how to "use a firewall rule"? I'm
sure there's an RTFM out there somewhere, could you or anyone please point
me to it?

Thanks,
Rich

#4

Rich Grise post:
> Thanks for this, but now how do I learn how to "use a firewall rule"?

It's been a while since I set up a server, but here's where I would
look:

http://www.slackbook.org/html/security.html
especially section Host Access Control

man iptables
man hosts

/usr/share/doc/Linux-HOWTOs/Firewall-HOWTO
or other HOWTOs, but keep in mind that they may be a bit old.

Roel

#5

Roel Kluin wrote:
> Rich Grise post:
>
>>Thanks for this, but now how do I learn how to "use a firewall rule"?
>
> It's been a while since I set up a server, but here's where I would
> look:
>
> http://www.slackbook.org/html/security.html
> especially section Host Access Control
>
> man iptables
> man hosts
>
> /usr/share/doc/Linux-HOWTOs/Firewall-HOWTO
> or other HOWTOs, but keep in mind that they may be a bit old.
>
> Roel

There's plenty of information on the Netfilter pages
<http://www.netfilter.org/>, including current HOWTOs.

--
Tauno Voipio
tauno voipio (at) iki fi

#6

Rich Grise wrote:
> Is it possible, when I boot my box to Doze, to deny internet access to it,
> but still let it get to the Samba server?

Download zone alarm (firewall) for the windows box. It defaults to no
apps allowed to connect to the internet, they need to ask for
permission. When you see the box come up warning that firefox or IE are
trying to access the internet, say no, and check the "remember this
decision" box.

As for samba, look at the 'trusted zones' section in zone alarm, and put
in the (local) address of your samba server. Allows connections into and
out of the windows box.

Should be pretty easy with zone alarm.

HTH.

--
As we enjoy great advantages from inventions of others, we should be
glad of an opportunity to serve others by any invention of ours; and
this we should do freely and generously.
--Benjamin Franklin

(remove _eh to email)

#7

On Tue, 27 Feb 2007 08:39:40 +0000, johnny bobby bee wrote:
> Rich Grise wrote:
>> Is it possible, when I boot my box to Doze, to deny internet access to it,
>> but still let it get to the Samba server?
>
> Download zone alarm (firewall) for the windows box. It defaults to no
> apps allowed to connect to the internet, they need to ask for
> permission. when you see the box come up warning that firefox or IE are
> trying to access the internet. say no, and check the "remember this
> decision" box.
>
> As for samba, look at the 'trusted zones' section in zone alarm, and put
> in the (local) address of your samba server. Allows connections into and
> out of the windows box.
>
> Should be pretty easy with zone alarm.
>

Is there a freebie version of this? I find it morally reprehensible that
a person should have to pay even MORE money after shelling out two hundred
bucks for a broken operating system. >:-[

But thanks anyway!
Rich

#8

Rich Grise wrote:
> On Tue, 27 Feb 2007 08:39:40 +0000, johnny bobby bee wrote:
>
>>Rich Grise wrote:
>>
>>>Is it possible, when I boot my box to Doze, to deny internet access to it,
>>>but still let it get to the Samba server?
>>
>>Download zone alarm (firewall) for the windows box. It defaults to no
>>apps allowed to connect to the internet, they need to ask for
>>permission. when you see the box come up warning that firefox or IE are
>>trying to access the internet. say no, and check the "remember this
>>decision" box.
>>
>>As for samba, look at the 'trusted zones' section in zone alarm, and put
>>in the (local) address of your samba server. Allows connections into and
>>out of the windows box.
>>
>>Should be pretty easy with zone alarm.
>>
>
> Is there a freebie version of this? I find it morally reprehensible that
> a person should have to pay even MORE money after shelling out two hundred
> bucks for a broken operating system. >:-[
>
> But thanks anyway!
>
> Rich

sure is:
http://www.zonelabs.com/store/conten...eeDownload.jsp

Mark

#9

Rich Grise wrote:
> On Tue, 27 Feb 2007 08:39:40 +0000, johnny bobby bee wrote:
> .... snip ...
>>
>> Should be pretty easy with zone alarm.
>
> Is there a freebie version of this? I find it morally reprehensible
> that a person should have to pay even MORE money after shelling out
> two hundred bucks for a broken operating system. >:-[

Zone Alarm used to be free. Check their home site.

--
Chuck F (cbfalconer at maineline dot net)
Available for consulting/temporary embedded and systems.
<http://cbfalconer.home.att.net>

#10

On Mon, 26 Feb 2007 19:14:18 +0000, Rich Grise wrote:
> Is it possible, when I boot my box to Doze, to deny internet access to
> it, but still let it get to the Samba server?
>
> In other words, I've got this:
>           ____________
> ---DSL---["The Server"]-------["My Workstation"]
>          [            ]-------[box A]
>          [            ]-------[box B]
>          [____________] etc.

Are the boxen configured with fixed IP addresses?

If yes, simply remove the default gateway entry in Doze or point it to an
unused IP address in your subnet.

If no (the server runs dhcpd), things get a little more tricky - dhcpd
doesn't know the OS of the calling box and Slack/W2k will both connect
with the same MAC address by default. However, if supported by your NIC,
you could set different MAC addresses in Slack or W2k and make a special
entry for the W2k MAC address in your dhcpd.conf so that no gateway
address is passed to W2k, or the gateway address passed is an unused IP
address in your subnet.

http://www.irongeek.com/i.php?page=security/changemac

--
Posted via a free Usenet account from http://www.teranews.com