Currently, my Omnia is exposing Samba shares meant for the interface lan (192.168.1.1) on work-lan (192.168.2.1).
I’ve modified smb.conf.template to make it listen only on 192.168.1.1 but that doesn’t help, since someone like 192.168.2.100 can still access 192.168.1.1 and all its ports.
Is there a way to wall off everything except the necessary minimum on work-lan? Perhaps a custom firewall rule?
Cheers
Michal
hosts allow = 192.168.1.0/24 in smb.conf may do what you want (untested). I put /24 ,but adjust it to whatever your network configuration is.
You can also use hosts deny to do the opposite, to explicitly disallow access from work-lan. Both can accept multiple addresses, space separated.
Reference: https://bbs.archlinux.org/viewtopic.php?pid=854090#p854090
Thanks. While that’ll work for samba, I’m really looking for a more general mechanism that bars access to 192.168.1.1 from 192.168.2/24. Then I can stop relying on the security mechanisms of each service.
Check your firewall zones in Luci. You need a zone for each subnet, then you cann restrict access as needed. Everthing can be done via gui.
Take this howto for a guest wifi as an example (no copy & paste solition!)
https://wiki.openwrt.org/doc/recipes/guest-wlan-webinterface
Ask when you need further assistance
The link helped massively. I was missing ‘reject’ for the input chain. Doh!