File Sharing

Hey Bill,

I think your original problem is getting “lost in translation”. :wink:

If I understood it correctly, you have one laptop which you would like to:

CONDITION A - WHEN AT HOME

  1. automatically connect to the home network
  2. enable file and print sharing to a restricted number of PCs

CONDITION B - WHEN AWAY FROM HOME

  1. automatically connect to the “away from home” network
  2. disable file and print sharing absolutely

and you would like this done without you having to change anything.

If this is correct, then, AFAIK, it can’t be done without you having to change something for the following reasons:

You are dealing with two disparate environments - the home network and the “not at home” network. You can control the network parameters of the home network, but the parameters of the “not at home” network are beyond your control.

As such, we can modify the DHCP address allocation range of the home network to a relatively uncommon range (this is needed to more clearly differentiate between the home network and the “not at home” network), ensure that it is only going to allocate addresses for the exact number of machines that we want to connect to the home network and then create a tight ruleset that allows file sharing to take place only from specific addresses within the relatively uncommon home network DHCP range and blocks file sharing from all other IP addresses.

Assuming that this has been done, when the laptop goes to the “not at home” network, if it is allocated an IP that is not in the same address range as the home network (and therefore the other PCs on the “not at home” network would also be in this “not at home” address range), the tight file sharing rule that referred to addresses specific to the home network would block file sharing access.

If, on the other hand, when the laptop goes to the “not at home” network and it is allocated an IP address in the same address range used for the home network, then our tight rule will only allow file sharing to occur between our laptop and the specific IPs nominated in our rule.

EXAMPLE
Router IP : 172.31.252.252
Router DHCP allocation range : 172.31.252.248 - 172.31.252.251
Laptop IP : (DHCP assigned) 172.31.252.251 (only want to share files with PC#1)
PC #1 IP : (DHCP assigned) 172.31.252.250
PC #2 IP : (DHCP assigned) 172.31.252.249
PC #3 IP : (DHCP assigned) 172.31.252.248

In the CFP network monitor running on the laptop, we need to have a zone defined as 172.31.252.248 to 172.31.252.252. This is to try and get our home network out of the way, as much as possible, of the normally assigned address ranges. We then need to add a rule that allows ports 137 and 138 traffic from PC#1 (you would need to find out the host name or computer name first - we need to use names as the actual address could change from machine to machine). We then need to have another rule that explicitly blocks the file sharing traffic from any name other than the name used to allow the traffic to PC#1.

The only time this would come unstuck is if the “not at home” network was using the same address range as the home network. In this case, your laptop would be shareable with one other IP address on the “not at home” network (providing it had the same “name” as the home network PC), assuming the two rules outlined above had been set up. A small risk, but a risk nonetheless.

Other than this method, you will have to change something, like manually disabling sharing. Like it or not, to make an omelette, you have to break a few eggs. You are moving between a semi-trusted network and an untrusted network and your firewall can’t be expected to just “know” when you are at home and when you are not.

Hope this helps,
Ewen :slight_smile:
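The allow-then-block ruleset Ewen describes can be modelled to see exactly which connections it lets through, including the residual risk he mentions when the away-from-home network happens to hand out the same address range. The following is an added example, not CFP configuration or anything from the thread: it evaluates a first-match ruleset keyed by source address (the thread's rules key on host name, which resolves to an address, so the address is used here for simplicity) against a few constructed sample connections. It also includes TCP 139 and 445 in the sharing ports, which Windows file sharing uses alongside UDP 137/138 and which the thread does not mention.

```python
import ipaddress
from dataclasses import dataclass

# Ports used by Windows file and print sharing: NetBIOS name/datagram/session
# (137, 138, 139) and SMB directly over TCP (445). The thread mentions only 137/138.
FILE_SHARING_PORTS = frozenset({137, 138, 139, 445})


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    ports: frozenset                 # destination ports the rule covers
    src_first: ipaddress.IPv4Address  # inclusive start of the source range
    src_last: ipaddress.IPv4Address   # inclusive end of the source range

    def matches(self, src, port):
        return port in self.ports and self.src_first <= src <= self.src_last


def make_rule(action, ports, first, last=None):
    """Build a Rule from dotted-quad strings; a single address if last is omitted."""
    first_addr = ipaddress.IPv4Address(first)
    last_addr = ipaddress.IPv4Address(last) if last else first_addr
    return Rule(action, frozenset(ports), first_addr, last_addr)


# Ruleset modelled on Ewen's description (constructed, not a CFP export):
#   1. allow sharing traffic from PC#1's home address
#   2. block sharing traffic from every other address
# Rules are evaluated top to bottom, first match wins.
HOME_RULES = [
    make_rule("allow", FILE_SHARING_PORTS, "172.31.252.250"),
    make_rule("block", FILE_SHARING_PORTS, "0.0.0.0", "255.255.255.255"),
]


def decide(rules, src_ip, port):
    """Return the action of the first matching rule; traffic no rule covers is allowed."""
    src = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if rule.matches(src, port):
            return rule.action
    return "allow"


def in_home_zone(src_ip, first="172.31.252.248", last="172.31.252.252"):
    """True when an address handed out by another network collides with the home zone."""
    src = ipaddress.IPv4Address(src_ip)
    return ipaddress.IPv4Address(first) <= src <= ipaddress.IPv4Address(last)


def evaluate_scenarios(rules):
    """Run a set of constructed sample connections against the ruleset."""
    scenarios = {
        "home PC#1 -> laptop, udp/137": ("172.31.252.250", 137),
        "home PC#2 -> laptop, udp/137": ("172.31.252.249", 137),
        "away 192.168.1.23 -> laptop, tcp/445": ("192.168.1.23", 445),
        "away host reusing 172.31.252.250 -> laptop, tcp/139": ("172.31.252.250", 139),
        "away 192.168.1.23 -> laptop, tcp/80 (not sharing)": ("192.168.1.23", 80),
    }
    return {name: decide(rules, ip, port) for name, (ip, port) in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_scenarios(HOME_RULES).items():
        flag = "  <- residual risk" if verdict == "allow" and in_home_zone(name.split()[2]) and name.startswith("away") else ""
        print(f"{verdict:5}  {name}{flag}")
```

The fourth scenario is the case Ewen calls coming unstuck: an away-network host that happens to receive 172.31.252.250 matches the allow rule and is let through, which is why the uncommon address range only narrows the window rather than closing it, and why the later posts move on to requiring a password.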

Great advice Ewen, and I think that address range is a good choice, as it’s unlikely to be used as much as, say, 192.168 or 10…

Toggie

Ok, thanks to everyone for their input. I think we’ve arrived at the point where we’re just spinning the tires.

I do understand that I can pick an IP address at home that is less likely to be duplicated in the real world – and have done so. It’s a totally unsatisfactory solution though as it’s a “maybe you’re safe” condition, not an “ensured safe” condition.

Also I further understand that the firewall is incapable of any further level of security than that. Which is what I believed when I first came here, but thought I’d ask the experts since traveling with a laptop is such a common 21st century problem in the world.

I’ll continue to use the firewall while I also continue to look at other products to see if someone else has recognized and solved the problem. Personally I think it should have been solved by Microsoft’s OS as it was in Win98, but failing that I hope to find a firewall somewhere that does so.

Thanks for all the advice.

Bill

Hey Bill,

One thing I forgot to add, which would overcome the “maybe you’re safe” condition, is if you enabled your login password, then any PC at the “not at home” network that had been allocated the IP you had chosen to allow file sharing with would need to know the password to connect to you. Unfortunately, passwords are a 21st century necessity.

P.S. A word of advice, logging on to your PC as a passwordless administrator when on a “not at home” network is on the silly side of caution. Not being demeaning or facetious - why ask for trouble?

Cheers,
Ewen :slight_smile:

Apparently untrue. I just enabled the XP logon password on one machine and rebooted (which caused a moment of panic - but that’s another story). The other home machine can still access it without any logon password or change in machine name or anything.

Bill

Hey Bill,

Assuming the laptop is “PC A” and your other PC is “PC B”, if you have identical user credentials on both PC A and PC B, then you can get a seamless login from PC B to PC A.

Check the user accounts on PC B, and if they are the same as the user account on PC A, try renaming the user account or changing the password on PC B. This should prevent PC B automatically connecting to PC A and it should force a login prompt on PC B when it attempts to connect to PC A.

Cheers,
Ewen :slight_smile:

No, the point is that even with deliberately, horribly mismatched credentials the remote machine can still access the files on the local machine. Which is to say that any villain with the right IP address could still access the machine even when it does have a logon password.

Bill

It sounds to me like something is not working the way it should.

For example, you have two PCs:

PC1 - User name Fred - Pass abcdef123
PC2 - User name Bert - Pass 123abcdef

Log on to PC1 using Fred and then to PC2 using Bert. You should now NOT be able to connect from PC2 to PC1 or PC1 to PC2 without receiving a password prompt.

If these are the only accounts on each PC then you definitely should receive a login prompt when trying to connect. If however, PC2 has a user account called “Bert (password = abcdef123)” AND a user account called “Fred (password = 123abcdef)” then, even if you log in as “Bert”, you will be able to connect seamlessly to PC1, as the other user account (Fred) will do a remote connection without a prompt because its credentials match.

Curiouser and curiouser said the cat.

Ewen :slight_smile:

Thanks Ewen. This is what I have been trying to say to Wjmartin, but just couldn’t put it into the correct words. (:CLP)

Lee (B)

Ewen.

You’re quite correct, of course. I was just trying to create a simple scenario by way of explanation. With hindsight, I should have been more thorough in my explanation.

Toggie