ArkanoiD wrote:
>I am yet to see a firewall capable of intelligent SMB filtering.

There was some research in collaborative cross-firewall filesystems
in the early 1990s. It was based on NFS with extensions and
some of us annoying bleepards kept coming up with cunning ways
to propagate executable content in spite of its best attempt to
prevent it. Turns out that there's just an inordinate number of
applications that can be tricked into doing things if you can alter
their dotfiles or inputs. It was this system that resulted in Paul
and my formulating the saying "A firewall that lets you run NFS
through it is like a seatbelt that's designed to let your face reach
the dashboard."

SMB, of course, is much, much worse than NFS.

All that said, then, the only "intelligent" SMB filtering is
the 100% solution you get from a pair of wire cutters.


firewall-wizards mailing list