File Sharing

My apologies for what must be a dumb, obvious question but I haven’t been able to find an answer. I have what must be a very common requirement.

Can I somehow make the firewall and/or XP Home work together such that when I’m home on my wireless LAN I can allow file sharing to one other specific machine. But when I connect into a public wireless LAN the sharing is disabled with no human intervention required? I really don’t like the trusted IP address approach since who knows when my home LAN address of the trusted machine will happen to pop up on a shared LAN somewhere? The LANs all seem to use the same address ranges with only about 256 distinct addresses available.

It would seem one could tell a firewall to only trust a specified MAC address for sharing, or a machine name & password or some such. Or a network name plus an IP address?

Am I looking in the wrong place? Is this problem solved somewhere other than the firewall?

Thanks.

Bill

Hello wjmartin.

First of all, there is a possible solution to your problem; however, I don’t feel this is a problem that can be overcome through manipulation of the firewall alone, although setting some rules will be necessary.

The first thing to consider is how two computers of a Microsoft network communicate. To understand this, it is important to understand some terminology.

  1. Host name

The host name is a simple text string used to identify a computer on a network. Whilst it may take different forms, for the sake of simplicity, we will use the following:

computer1
computer2
enterprise
fred

Each computer on a network has a unique name assigned to it and it is this identifier that we humans use to decide which computers to connect to.

On Microsoft networks we also come across a variation of the host name, which is called the NetBios name, but that is for another conversation.

  2. IP Address

In addition to the host name, each computer is assigned a unique IP address. This address may be assigned either manually or automatically via DHCP (Dynamic Host Configuration Protocol).

Addresses today fall into a series of different categories. For the purpose of this discussion we will consider just two of these categories, Reserved or private addresses and public addresses. Public addresses are those that are used on the Internet and are typically assigned to Internet clients via DHCP, although sometimes they are also fixed.

Reserved or private addresses are those that companies or people with LANs use internally on their private networks. These networks are typically connected to the Internet via a gateway device such as a NAT (Network Address Translation).

The reserved addresses fall into three blocks, where each block can provide a range of unique IP Addresses.

10.0.0.0 - 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255

Another you may come across is:

169.254.0.0 - 169.254.255.255

This is reserved for use on Microsoft networks and is used to dynamically allocate an IP address in the absence of a DHCP server.

On a private network any of the aforementioned blocks of addresses may be used, however, because of the number of unique addresses that may be allocated from each range, most small companies and small LANs typically use 192.168.0.0…

  3. MAC Address

Finally, each computer attached to a network has a NIC (Network Interface Card) and each NIC has a unique identifier called a MAC (Media Access Control) address.

To summarise, each PC connected to a network has three unique identifiers: a host name, an IP address and a MAC address, e.g.

computer1 - 192.168.1.1 - 00-0C-76-1E-4E-70

The usual way to connect to a computer on a Microsoft (TCP/IP) based network is via Network Neighbourhood, although there are several alternative methods. This process starts when a computer is selected from the interface or by manually entering the information. Let's look at what happens:

  1. The computer is selected by name (computer1)

  2. A process occurs where the name is resolved to an IP Address. This may be performed via DNS (Domain Name Service) or via a host table. (192.168.1.1)

  3. The IP Address is resolved to the MAC address of the remote computer by ARP (Address Resolution Protocol)(00-0C-76-1E-4E-70)

  4. A connection is established.

As you can see the process is quite involved and whilst it is quite possible to connect to a computer using the IP Address (if known) without recourse to the host name, connecting by using the MAC address alone is not easily achieved.

To reach your desired goal you will need to create a new ‘Zone’ and define a ‘Trusted Network’ in CPF, this will provide the necessary connectivity between your computers.

To provide the extra level of security for your shared folders, the best advice I can offer is to use the security built into XP (I assume XP Home has similar features to XP Pro in this area?). Essentially this means creating an account for each user that needs to connect to the shares and then changing the default permissions on each share from Everyone/Read to explicitly allow only the defined user. By doing this, when someone needs to connect to a share on your computer they will be asked to enter a user name and password.

A little long-winded, but I hope it helps you understand the mechanics involved.

Toggie.

I can’t think of any way to achieve this without human intervention.

There are a couple of ways I can think of to achieve what you want (hardware profiles, multiple NICs (with varying IP address ranges), passworded shared folders), but none of them are automatically triggered based on your geographic location.

Either way you’re going to have to get your hands dirty.

Cheers,
Ewen :slight_smile:

Ewen – I don’t mind getting my hands dirty, but…

The issue is that if my wife or other mere human being travels with the computer they may not remember to disable file sharing – or I may even forget it myself (horrors!). That’s why it seems like a good problem for technology to resolve. And an easy one given that the firewall just has to check for the specified machine name or network name or MAC address as well as IP address before allowing access. Even if it just checks that host name once per session it would work – it doesn’t have to check it for every data transfer. I haven’t been able to find a firewall that does this however.

To the best of my knowledge, XP Home does not support passwords on file sharing. They did in Win98, but “improved” security when they wrote XP. Why I never understood. I think XP Pro supports it, but I don’t have that.

Toggie – I’m all for setting up a trusted zone, but all I’ve found the firewall capable of doing is setting one up by IP address only. Not much help in this particular (and very common) case. If I’ve misinterpreted your remarks, please let me know though.

Thanks.

Bill

Bill,

I agree to the “dirty hands” thing, and I understand about the other users as well. I don’t think there’s a quick & easy solution, unfortunately. A combination of things will work, but I think in the end it will require some user action at the point of being at the “remote” location (which I think will boil down to changing 1 network rule from Allow to Block).

You might read through this thread: https://forums.comodo.com/index.php/topic,6342.0.html. jobeard was wanting to do something similar, and with similar security concerns. Perhaps that will be helpful in getting you (close) to where you want to go.

The “Profile” approach is, I do believe, in the Wishlist.

Hope this helps,

LM

Bill, forgive me, I’m a little confused (a common occurrence :-\ ) When you say “setting one up by IP address only” What exactly do you mean?

Toggie

My (possibly mistaken) understanding is that the firewall lets one set up a trusted zone based strictly on IP address – or a range of addresses. It does not allow other conditions like network name to be part of the rule.

Bill

Hey Bill,

I’ve just had a thought and it hinges around changing the IP range used for your home network from the usual 192.168.X.X range to the less frequently used 172.16.X.X range.

If your home network is set up on the 172.16 subnet, you can create a zone for those addresses and then set up rules that block the file sharing ports to any PC that is on the 192.168.X.X subnet. You may also need to adjust any custom rules you’ve created when your PC was using the 192.168.X.X net.

The zone rules should be at the top of your rules list and your file sharing block rule should be immediately below these but above the conventional rules and the catch-all block rule.

The key here is that there is a fundamental difference between the IP range used at home and the IP range generally allocated outside your home (at some point there must be a means of differentiating between home and outside).

Mind you, this method totally depends on the fact that you usually get allocated an IP address in the 192.168.X.X range from publicly accessible hotspots. If you get an address in the 172.16 range then you’re a shot duck again.

As I said, this thought just popped into my head and may need refining, but at least you only have to get your hands dirty once and you only have to dirty your router.

Anybody else got an idea on if this will work and if it can be improved/refined?

Hope this helps,
Ewen :slight_smile:

Ewen’s suggestion is good and will work in most cases but if it happens to get an address in the 172.16 range, it will not help.

For now the easiest solution would be to move the 2 rules of your zone just above the default block rule. And when you go on a public LAN just move the block rule over those 2. It is only two clicks away. :wink: ;D

I don’t think there is a hard and fast rule that will work in every case. Mac had an alternative method of raising the DHCP allocation pool range on his router to somewhere near the top of the range, say, 192.168.1.220 - 192.168.1.222, and adjusting his zone definition accordingly (and blocking file and print sharing requests from IPs below 192.168.1.200).

This might actually work out better.

Ewen :slight_smile:
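To make the rule-ordering ideas in this thread concrete, here is an added example (not code from the thread, from Comodo, or from any poster) that models an ordered, first-match firewall rule list in Python. It builds Ewen's 172.16.x.x home-zone scheme and Mac's narrowed 192.168.1.220-222 DHCP-pool variant, includes Macan's manual "move the block rule above the zone rules" toggle for public LANs, and classifies addresses into the reserved blocks Toggie listed. Rule names, the range boundaries, the sample addresses and the three-rule layout (zone allow, file-sharing block, catch-all block, with conventional rules omitted) are all my assumptions for illustration; the file-sharing ports 137-139 and 445 are the standard NetBIOS/SMB ports.

```python
"""Added example: first-match rule evaluation for the home-vs-hotspot
schemes discussed in the thread. Not Comodo's code or any poster's."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Reserved (private) blocks from Toggie's post, plus the 169.254/16 block
# Windows falls back to when no DHCP server answers.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Ports Windows file and printer sharing listens on (NetBIOS 137-139, SMB 445).
FILE_SHARING_PORTS = frozenset({137, 138, 139, 445})


def address_class(ip: str) -> str:
    """Classify an IPv4 address as 'private', 'link-local' or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr in LINK_LOCAL:
        return "link-local"
    if any(addr in block for block in PRIVATE_BLOCKS):
        return "private"
    return "public"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "block"
    src_first: Optional[str] = None        # inclusive source range; None = any
    src_last: Optional[str] = None
    ports: Optional[frozenset] = None      # None = any destination port

    def matches(self, src: str, port: int) -> bool:
        if self.ports is not None and port not in self.ports:
            return False
        if self.src_first is None:
            return True
        addr = ipaddress.ip_address(src)
        return (ipaddress.ip_address(self.src_first) <= addr
                <= ipaddress.ip_address(self.src_last))


def evaluate(rules: List[Rule], src: str, port: int) -> Tuple[str, str]:
    """First matching rule wins, as in an ordered firewall rule list."""
    for rule in rules:
        if rule.matches(src, port):
            return rule.action, rule.name
    return "block", "implicit-deny"       # nothing matched: deny by default


def build_ruleset(zone_first, zone_last, block_first, block_last) -> List[Rule]:
    """Ewen's ordering: zone allow on top, file-sharing block right below it,
    conventional rules (omitted here) next, catch-all block last."""
    return [
        Rule("home-zone-allow", "allow", zone_first, zone_last),
        Rule("file-sharing-block", "block", block_first, block_last, FILE_SHARING_PORTS),
        Rule("catch-all-block", "block"),
    ]


def public_mode(rules: List[Rule]) -> List[Rule]:
    """Macan's manual toggle: move the catch-all block above the zone rules
    when on a public LAN, so the zone allow can no longer match first."""
    catch_all = [r for r in rules if r.name == "catch-all-block"]
    rest = [r for r in rules if r.name != "catch-all-block"]
    return catch_all + rest


# Scheme A (Ewen): home LAN moved to 172.16.x.x, sharing blocked from 192.168.x.x.
SCHEME_A = build_ruleset("172.16.0.0", "172.16.255.255",
                         "192.168.0.0", "192.168.255.255")

# Scheme B (Mac's variant): DHCP pool narrowed to 192.168.1.220-222, sharing
# blocked from addresses below 192.168.1.200.
SCHEME_B = build_ruleset("192.168.1.220", "192.168.1.222",
                         "192.168.1.0", "192.168.1.199")


if __name__ == "__main__":
    # Constructed sample peers: a home PC, a hotspot peer on 192.168.x.x, and the
    # "shot duck" case where a hotspot hands out a 172.16.x.x address.
    for peer in ("172.16.0.20", "192.168.1.5", "172.16.5.9"):
        print(peer, address_class(peer), evaluate(SCHEME_A, peer, 445))
    print("public mode:", evaluate(public_mode(SCHEME_A), "172.16.0.20", 445))
```

Running it shows the weakness Ewen and Macan point out: under scheme A a hotspot peer that happens to get a 172.16.x.x address is treated as a home machine, and scheme B only narrows that window to three addresses rather than closing it, because both schemes can only see the source IP address, never the network name or MAC address Bill asked for.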

Are you using Simple File Sharing and the Guest Account?

Lee (B)

I’m using whatever file sharing XP Multimedia provides. So far as I know there’s only one kind. No guest account or any other kind of account – this is a single user machine.

Bill

hum; playing probability roulette? what if my laptop is used in an infrastructure where all/most systems are valid participants in sharing?

imo, we need a

  1. hardware profile (ie rules based upon the specific adaptor in use)
     or
  2. the ability to initialize the system with a set of defaults (eg no access other than DHCP) and then switch to a Share vs No Share environment.

Simple File Sharing (ie that used by XP/Home) ALWAYS uses the Guest account for access :slight_smile:

That was the reason for my asking. :wink:
I have a 5 node LAN and only have 3 computers which are allowed to share. I disabled the Guest Account and created another account on each PC (same name and password) with a very secure name and password on each of the computers I wanted to be able to share files with. Works like a dream. 3 sharing and 2 not, but all with access to the Internet.
Just a thought.

Lee (B)

Given that I do use file sharing, and do not use a guest account, I think you may not be entirely correct. I simply am set up to boot the machine into the master admin account and use none other.

Bill

This would put us getting into a completely different scenario, where CFP would be in charge of controlling whether or not Windows File Sharing is enabled. From a literal standpoint, that seems to be outside the purview of the firewall. Although I don’t know the technical aspects of how it’s accomplished, I know that Sygate has a feature for Sharing vs No Sharing; I’m thinking it’s probably similar to the trusted Zone for CFP, rather than the FW controlling something that is a Windows function.

LM

Along this same line of thought, “IF” you have accounts on “both” computers with the same name and password this would be all that is needed for file sharing to work.
There are options which can be set so that each time you access another computer you must LOG IN to them, but it is a real PITA.

Lee (B)

Either you missed the part where I pointed out that XP Multimedia does not have a password facility for file sharing, or I’ve misunderstood what password you’re talking about - which is entirely possible. I have no password of any kind on the machine that I’m aware of.

Bill

Bill.

Forgive me, but I am not entirely familiar with XP Home.

When you log on to XP, do you have to specify a user name and a password? If so, I think this is what Leebme is referring to.

Toggie