spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

how to forbid Windows file sharing in wireless ???

Thu Jan 20, 2005 5:23 pm

Hi!

Is there a way to forbid ONLY the Windows file sharing between my users?
This needs to be done for users that are logged in to the hotspot, and also
for users that are not logged in...

How could this be done???

Maybe firewall > forward chain????

One thing: I DO NOT want to turn off DEFAULT FORWARDING...


Any ideas???
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Re: how to forbid Windows file sharing in wireless ???

Thu Jan 20, 2005 5:58 pm

> Hi!
>
> Is there a way to forbid ONLY the Windows file sharing between my users?
> This needs to be done for users that are logged in to the hotspot, and also
> for users that are not logged in...
>
> How could this be done???
>
> Maybe firewall > forward chain????
>
> One thing: I DO NOT want to turn off DEFAULT FORWARDING...
>
> Any ideas???

Yes, uninstall Client for Microsoft Networks on all users' PCs .....
Seriously, you should turn off DEFAULT FORWARDING if your users are within the same IP subnet.
 
YazzY
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold

Thu Jan 20, 2005 6:54 pm

Disallow NetBIOS traffic on your APs by firewalling it out.
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Thu Jan 20, 2005 6:56 pm

And then block ports 135-139 tcp/udp in the forwarding firewall table, which will kill Windows networking between users.
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Thu Jan 20, 2005 9:54 pm

Hi!

Thanks guys for your replies, I tried all that but Windows file sharing still works...

Because I have a hotspot and enabled the address login method, my users can log in to the hotspot, but they can also skip the login procedure and communicate between themselves freely because default forwarding is ON...

Is there a way to forbid users that are not logged in from using Windows file sharing, and the same for users that ARE logged in???

Can somebody send a more detailed reply...???
For example:
In what firewall chains should I put rules for users that are not logged in?
And for those that are logged in???


Please help, I need this ....
:lol:
 
YazzY
Member Candidate
Posts: 140
Joined: Fri May 28, 2004 3:26 pm
Location: Norway, Østfold

Thu Jan 20, 2005 10:04 pm

Just disallow the following in your forward chain:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp

Another piece of advice is to set up a syslog server and log all your firewall traffic to it, then analyze it, see what happens, and block the desired stuff.
And why in heavens do you want to enable default forwarding?
Your users will abuse your links and set up services on their private networks, eating up all your BW.
You should at least set up some shaping.
 
savage
Forum Guru
Posts: 1220
Joined: Mon Oct 18, 2004 12:07 am
Location: Cape Town, South Africa

Thu Jan 20, 2005 10:13 pm

You need to block 445 (tcp & udp) as well. This port is used for a newer version (extension) to netbios introduced in XP.
Regards,
Chris
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Thu Jan 20, 2005 10:17 pm

And is one of the most abused ports by internet worms as well.
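
The logging advice and the port list from the posts above (135-139 and 445), combined in an added example that is not code from the thread or from MikroTik: it counts forwarded client-to-client flows to the file-sharing ports. The log line layout, the sample lines, the 192.168.0.0/24 client subnet and the function name are assumptions made for the illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports named in the thread: 135-139 and 445, TCP and UDP.
SHARING_PORTS = set(range(135, 140)) | {445}

# Assumed log layout (forward-chain entries relayed to syslog); adjust to your logs.
LINE_RE = re.compile(
    r"forward: .*?proto (?P<proto>TCP|UDP)[^,]*, "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample lines, not captured from a real network.
SAMPLE_LOG = """\
Jan 20 22:01:11 ap1 forward: in:wlan1 out:wlan1, proto TCP (SYN), 192.168.0.10:1034->192.168.0.11:445, len 48
Jan 20 22:01:12 ap1 forward: in:wlan1 out:wlan1, proto TCP (SYN), 192.168.0.10:1035->192.168.0.11:445, len 48
Jan 20 22:01:15 ap1 forward: in:wlan1 out:wlan2, proto UDP, 192.168.0.12:138->192.168.0.10:138, len 229
Jan 20 22:01:19 ap1 forward: in:wlan1 out:ether1, proto TCP (SYN), 192.168.0.10:1040->203.0.113.5:80, len 48
Jan 20 22:01:23 ap1 forward: in:wlan1 out:ether1, proto TCP (SYN), 192.168.0.13:1050->198.51.100.7:445, len 48
"""


def client_to_client_sharing(log_text, client_net):
    """Count forwarded flows between two clients in client_net on sharing ports."""
    net = ip_network(client_net)
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a forward-chain entry in the assumed layout
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if int(m["dport"]) in SHARING_PORTS and src in net and dst in net:
            hits[(m["src"], m["dst"], m["proto"], int(m["dport"]))] += 1
    return hits


if __name__ == "__main__":
    for flow, count in client_to_client_sharing(SAMPLE_LOG, "192.168.0.0/24").most_common():
        print(count, *flow)
```

Frames that the AP forwards directly between two wireless clients while default forwarding is on do not pass through the router's forward chain, so they will not show up in a log like this.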
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Thu Jan 20, 2005 11:44 pm

hmm...

tnx for advice people....

maybe i will disable default forwarding after all...

tnx again for your help guys.....

Respect!
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Sat Jan 22, 2005 7:11 pm

Very interesting, all this. We would like to set up a file sharing system (traffic will be using PPPoE to the MikroTik PPPoE server concentrator).

We are thinking about Direct Connect and of course disabling Windows sharing.

Any suggestion?
 
Yuri
just joined
Posts: 6
Joined: Wed Jan 26, 2005 4:10 pm

Wed Jan 26, 2005 4:31 pm

1. Disable Default forwarding
2. In the DHCP server for Radionet you need to set the mask to 32 (255.255.255.255), but leave the parameters of the net the same.
For example:
/ ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.253 netmask=32

3. Only AFTER these steps CAN you set up firewalls and shapers

Thus the size of the net is 24, the clients have net 32, and ALL traffic will be sent through the gateway.

But there is still one problem: if a client connects to a PPTP server in another network, ALL LOCAL traffic will go through the VPN tunnel.

For now I don't know how to solve this problem :(
Last edited by Yuri on Wed Jan 26, 2005 6:09 pm, edited 1 time in total.
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Wed Jan 26, 2005 4:55 pm

I doubt what goes through the VPN is a problem anyway, the goal is to keep Windows users off the same AP from doing something stupid like leaving their file shares available to every other user of the AP, I believe. :)
