[original post from 10/2005... better late than never!] We have been searching for a proper solution to encrypt file-sharing data between a Windows client and a FreeBSD fileserver (because FreeBSD provides a good solution for disk encryption --> GELI). We wanted to use them as simple network drives (because sometimes software needs that).
VPN and hardware solutions (like encrypting NICs) have been ruled out because of the investment or the effort and interoperability of these solutions. WebDAV, FTP, etc. have been ruled out because of the amount of services/configuration you need on the server and because of the behaviour in Windows (it's never acting as a real mapped network file-sharing folder). Our choice (after some tests/research) is: SMB over SSL.

The solution is as simple as it should be for small networks that still have a requirement to encrypt data:

1. On the fileserver you install Samba and let it bind only to the loopback adapter (e.g. 127.0.0.1:10139).
2. Next you install stunnel on the server and let it tunnel the real IP's port 139 (e.g. 192.168.10.1:139) back to 127.0.0.1:10139/tcp.
3. On the client you have to install the Microsoft Loopback network adapter and give it a real and static IP address that is NOT in your network (and hopefully never will be; in our example 10.232.232.232, for testing). Remove all bindings except TCP/IP from this adapter (like MS file sharing).
4. Now install stunnel on your client and configure it as a client that maps from the loopback adapter's address (10.232.232.232:139) to the fileserver's IP/port (192.168.10.1:139).
5. Define automatic startup for stunnel and Samba on your server and start the services. On your client you also install the stunnel service to run on system startup.
6. Finally, you have to map a network drive: just use "net use X: \\10.232.232.232\<your_samba_share_name>" and, if everything went fine, you have a new drive X: as if it had been shared by a Windows box.

This configuration works perfectly for us! The only requirement is that you know how stunnel and Samba work (at least from the administrator's view) and that you know your network. We didn't use hostnames in this example, purely for readability. If you want hostnames, don't forget to set up a proper hosts file/DNS.
Oh yes, using port 445 was NOT working, because as soon as MS starts, it binds itself to 0.0.0.0:445 and therefore you can't bind anything else to this port. (We didn't find a way to tell MS to only bind port 445 to specific addresses; if someone knows how, let us know!)

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
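The setup the post walks through, written out as an added example (this is not code from the original message, and the poster did not publish their configuration files). The shell functions emit the smb.conf and stunnel.conf fragments for the FreeBSD server and the Windows client using the addresses from the post (127.0.0.1:10139, 192.168.10.1:139, 10.232.232.232:139), and `check_listeners` parses `sockstat -4l` style output to confirm that smbd is reachable only on the loopback address and that only stunnel listens on the LAN address, which is the check you want after step 1 and 2 so cleartext SMB is never exposed. The file paths, the certificate/CA file names, the `verify = 2` setting and the two sockstat samples are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: SMB over stunnel as described in the post.
# Assumed paths: /usr/local/etc/smb.conf, /usr/local/etc/stunnel/stunnel.pem,
# C:\stunnel\ca.pem on the client. Addresses are the ones used in the post.

# Samba fragment: listen only on loopback and on a non-standard port,
# so nothing on the LAN can talk cleartext SMB to smbd.
samba_loopback_conf() {
  cat <<'EOF'
[global]
   interfaces = 127.0.0.1/8
   bind interfaces only = yes
   smb ports = 10139
EOF
}

# stunnel on the FreeBSD fileserver: terminate TLS on the real IP, port 139,
# and hand the cleartext connection to smbd on loopback.
stunnel_server_conf() {
  cat <<'EOF'
; assumed certificate path
cert = /usr/local/etc/stunnel/stunnel.pem
[smb]
accept  = 192.168.10.1:139
connect = 127.0.0.1:10139
EOF
}

# stunnel on the Windows client: listen on the MS Loopback adapter's address,
# port 139, and tunnel to the fileserver. verify = 2 makes the client check
# the server certificate against CAfile (assumed path); without it the client
# would accept any certificate.
stunnel_client_conf() {
  cat <<'EOF'
client = yes
verify = 2
CAfile = C:\stunnel\ca.pem
[smb]
accept  = 10.232.232.232:139
connect = 192.168.10.1:139
EOF
}

# Read `sockstat -4l` output on stdin. Succeeds only if smbd listens on
# 127.0.0.1:10139 and nowhere else, and stunnel listens on 192.168.10.1:139.
check_listeners() {
  smb_ok=0; smb_exposed=0; tls_ok=0
  while read user cmd pid fd proto local foreign; do
    case "$cmd" in
      smbd)
        case "$local" in
          127.0.0.1:10139) smb_ok=1 ;;
          *) smb_exposed=1 ;;
        esac ;;
      stunnel)
        if [ "$local" = "192.168.10.1:139" ]; then tls_ok=1; fi ;;
    esac
  done
  if [ "$smb_ok" -eq 1 ] && [ "$smb_exposed" -eq 0 ] && [ "$tls_ok" -eq 1 ]; then
    return 0
  fi
  return 1
}

# Constructed sample: the listener table after the setup above.
SAMPLE_GOOD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     stunnel    812   5  tcp4   192.168.10.1:139      *:*
root     smbd       790   20 tcp4   127.0.0.1:10139       *:*
root     sshd       610   4  tcp4   *:22                  *:*'

# Constructed sample: Samba without "bind interfaces only", i.e. cleartext
# SMB still reachable from the LAN on port 139.
SAMPLE_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     stunnel    812   5  tcp4   192.168.10.1:139      *:*
root     smbd       790   20 tcp4   *:139                 *:*
root     smbd       790   21 tcp4   127.0.0.1:10139       *:*'

# On a real server: sockstat -4l | check_listeners && echo "smbd is loopback-only"
```

The client configuration deliberately sets `verify = 2` with a CA file: stunnel does not verify the server certificate by default, so a client config without it still encrypts the wire but lets anyone who can intercept 192.168.10.1:139 terminate the TLS session themselves. Note that the samba fragment uses the same 10139 port on loopback that the post describes; if you change it, change the server-side `connect` line to match.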