[Samba] Firewall rules to block others' computers from browse list

MargoAndTodd margoandtodd at gmail.com
Mon Jul 27 16:20:53 MDT 2009


Hi All,

My Samba server/firewall has three (two real, one
virtual) network cards:

eth0.5: connects to a terminal server
eth0: internal network with about 10 XP workstations
eth1: the Internet

Samba is set to talk to only 12.0.0.1, eth0.5
and eth0.

I have my firewall iptables rules set so that
users on eth0.5 can only use the samba server
on my server.  They can not share with any other
user on eth0.  Tested and it works.  So far so good.

Problem: users on eth0.5 can still see eth0 workstations
on their browse list.  Even though they can not do
anything with them, it would still be nice if eth0.5
users could not see them at all.

I do believe the offending rules are:

    tbls=iptables          # assumed: the iptables binary; the post does not show this assignment
    VlanNic="eth0.5"
    Vlan_mask="24"
    Vlan_net="192.168.254.0/$Vlan_mask"
    Vlan_Broadcast=192.168.254.255

    # NetBIOS name service (UDP 137) broadcasts from the VLAN to its broadcast address
    $tbls -A Vlan-in   -i $VlanNic  -p udp  -s $Vlan_net -d \
    $Vlan_Broadcast --dport netbios-ns    -j ACCEPT

    # NetBIOS datagram service (UDP 138) broadcasts, which carry browser announcements
    $tbls -A Vlan-in   -i $VlanNic  -p udp  -s $Vlan_net -d \
    $Vlan_Broadcast --dport netbios-dgm   -j ACCEPT

I have found that if I do not open up these two rules,
domain users on eth0.5 can not get past their user name and
password prompts.

How do I block eth0 workstations from eth0.5's browse list?

Many thanks,
-T
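The two rules in the post permit NetBIOS name-service (UDP 137) and datagram-service (UDP 138) broadcasts from the VLAN. The datagram service is what carries browser announcements, addressed to the workgroup group name with suffix 0x1D (master browser) or 0x1E (browser elections). The following decoder, added here as an example and not part of the original post, parses the RFC 1002 datagram header and both encoded NetBIOS names so that an admin capturing UDP 138 on eth0.5 can tell browser traffic from other datagrams. The sample packet it builds is constructed; its user data only mimics the SMB and `\MAILSLOT\BROWSE` markers and is not a complete SMB transaction.

```python
"""Decode NetBIOS datagram service (UDP 138, netbios-dgm) packets.

Added example, not from the mailing-list post. It parses the RFC 1002
datagram header and the two second-level-encoded NetBIOS names, and flags
datagrams that belong to the browser service (group names with suffix
0x1D or 0x1E, or a \\MAILSLOT\\BROWSE payload). All sample data is constructed.
"""
import socket
import struct

# RFC 1002 datagram message types
MSG_TYPES = {0x10: "DIRECT_UNIQUE", 0x11: "DIRECT_GROUP", 0x12: "BROADCAST",
             0x13: "ERROR", 0x14: "QUERY_REQUEST",
             0x15: "POSITIVE_QUERY_RESPONSE", 0x16: "NEGATIVE_QUERY_RESPONSE"}

# Well-known NetBIOS name suffixes (the 16th byte of a name)
SUFFIXES = {0x00: "workstation service", 0x03: "messenger service",
            0x1B: "domain master browser", 0x1C: "domain controllers",
            0x1D: "master browser", 0x1E: "browser service elections",
            0x20: "file server service"}
BROWSER_SUFFIXES = {0x1D, 0x1E}


def encode_netbios_name(name, suffix):
    """RFC 1002 second-level encoding: pad the name to 15 chars, append the
    suffix byte, write each nibble as 'A' + nibble, prefix with the label
    length (0x20) and terminate with a zero byte (no scope)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([len(encoded)]) + bytes(encoded) + b"\x00"


def decode_netbios_name(buf, offset):
    """Decode one encoded name at buf[offset]; returns (name, suffix, next_offset)."""
    length = buf[offset]
    if length != 32:
        raise ValueError("unexpected NetBIOS label length %d" % length)
    offset += 1
    label = buf[offset:offset + 32]
    offset += 32
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = label[i] - ord("A"), label[i + 1] - ord("A")
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    # skip any scope labels up to the terminating zero byte
    while buf[offset] != 0:
        offset += 1 + buf[offset]
    offset += 1
    return raw[:15].decode("ascii").rstrip(), raw[15], offset


def parse_datagram(pkt):
    """Parse the 14-byte datagram header; for the three data-carrying types
    also decode source/destination names and classify the datagram."""
    if len(pkt) < 14:
        raise ValueError("short datagram header")
    msg_type, flags, dgm_id, src_ip, src_port, dgm_len, pkt_off = \
        struct.unpack("!BBH4sHHH", pkt[:14])
    info = {"type": MSG_TYPES.get(msg_type, "0x%02x" % msg_type),
            "src_ip": socket.inet_ntoa(src_ip), "src_port": src_port,
            "dgm_id": dgm_id, "is_browser": False}
    if msg_type in (0x10, 0x11, 0x12):
        src, src_suf, off = decode_netbios_name(pkt, 14)
        dst, dst_suf, off = decode_netbios_name(pkt, off)
        user_data = pkt[off:]
        info.update({"src_name": src, "src_suffix": src_suf,
                     "dst_name": dst, "dst_suffix": dst_suf,
                     "dst_role": SUFFIXES.get(dst_suf, "unknown"),
                     "smb_payload": user_data.startswith(b"\xffSMB")})
        info["is_browser"] = (dst_suf in BROWSER_SUFFIXES
                              or b"\\MAILSLOT\\BROWSE" in user_data)
    return info


def build_datagram(src_name, src_suffix, dst_name, dst_suffix, user_data,
                   src_ip="192.168.254.10"):
    """Construct a BROADCAST (0x12) datagram for testing the decoder.
    Flags 0x02 = first and only fragment. The user data is whatever the
    caller passes; it is not a real SMB transaction."""
    src = encode_netbios_name(src_name, src_suffix)
    dst = encode_netbios_name(dst_name, dst_suffix)
    dgm_len = len(src) + len(dst) + len(user_data)
    header = struct.pack("!BBH4sHHH", 0x12, 0x02, 0x1234,
                         socket.inet_aton(src_ip), 138, dgm_len, 0)
    return header + src + dst + user_data


# Constructed stand-in for a host announcement: SMB marker plus mailslot name.
SAMPLE_ANNOUNCEMENT = build_datagram(
    "WKSTN01", 0x00, "WORKGROUP", 0x1D,
    b"\xffSMB\x25" + b"\x00" * 27 + b"\\MAILSLOT\\BROWSE\x00\x01")

if __name__ == "__main__":
    d = parse_datagram(SAMPLE_ANNOUNCEMENT)
    print("%s %s<%02x> -> %s<%02x> (%s) browser=%s" % (
        d["src_ip"], d["src_name"], d["src_suffix"], d["dst_name"],
        d["dst_suffix"], d["dst_role"], d["is_browser"]))
```

To use it on live traffic, feed the UDP payloads of a capture on the VLAN interface (for example the `netbios-dgm` packets matched by the second rule above) to `parse_datagram`; datagrams reported with `is_browser` set are the ones the browser service exchanges across that interface.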
