I have a network with a range of IP addresses, and I would like to be
able to share folders and printers from a Windows XP system to Mac OS
X and Linux systems on that network, with that sharing limited to
OS X and Linux systems at specific IP addresses.  All systems have
fixed IP addresses and are exposed to the Internet.

Ideally I would like to be able to limit the sharing using Windows XP
configuration settings, but, if that is definitely not possible, use
of a third party software product could be an option, provided that
product does not noticeably contribute to the instability of the
Windows XP system.  I do not want to add additional hardware (e.g. an
external firewall) to accomplish the goal.

I am reasonably proficient with networking jargon and technology (I
could probably do this on a Solaris, OS X, or Linux system without
assistance), but I am not very familiar with MS Windows administration.

---

Clarification of Question by snowdog-ga on 09 May 2004 11:58 PDT

The IP filtering available on network interfaces in Windows XP doesn't
seem to be a viable solution because (as far as I can tell) it only
allows you to limit *all* incoming traffic to specified IP addresses,
and has no provision for only limiting traffic to specified
ports/services for particular IP addresses (and *not* limiting traffic
to other ports/services).  If folder and printer sharing was the only
type of network connectivity needed by the machine, the network
interface filtering might be workable, but unfortunately that isn't
the case.

(I do thank you for the suggestion though, Scott.)

---

Clarification of Question by snowdog-ga on 10 May 2004 07:00 PDT

All of the systems involved are on the same small class C subnet
(netmask of 255.255.255.248), connected to the same switch.  (The
switch does not have any sort of firewall capability, unfortunately.)

Snowdog,

You can setup ip filtering on the XP machines to only accept
connections from the ip addresses that you specify.  Go into the ip
settings in your network card, click advanced, click options and edit
ip filtering.  I believe file and print sharing work on port 137 TCP.

Scott

Snowdog,

What does the topology of you network look like?  Are all of the
machines on the same network segment?  Do your XP machines need to be
limited to certain machines on the same network or are the amchines on
the same local network trusted to access the XP machines and you need
to limit access for machines that are on another network segment?

Scott

Could you not just block Netbios traffic at your Router / Internet Gateway ?

I too have a network similar to that which you describe, and here All
the systems run no firewalls, and have public IPs accessible from the
Internet.

It is my gateway (an ADSL Router) that blocks all Netbios traffic from
travelling between the WAN and LAN ports of the router, hence cutting
off File sharing from the internet whilst maintaining 100% internal
LAN File sharing functionality.

If I nmap my Windows box from the internet, I get the following:

Port       State       Service
21/tcp     open        ftp
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    open        microsoft-ds


As you can see (I hope) the netbios ports are all filtered from
Outside connections.


I hope this helps you.

Snowdog,

If  all of the machines that need to be hidden from eachother are on
the same subnet then you need to split it into 2 networks and place a
firewall in between.

Scott

I know that I can add a hardware firewall (or a router with filtering
capabilities);  my whole point was to find out if there is some way to
configure the Windows XP system to limit file and printer sharing by
IP address.  I can do this easily under Linux or OS X, so it seemed
like there should be some way to accomplish it under Windows.