This section explains how to use SMB host restrictions in Qumulo Core to provide fine-grained control of access to SMB shares, based on client IP address ranges.

Depending on the configuration of your Qumulo cluster, you can grant full access, read-only access, deny specific hosts, or deny all access. It is also possible to configure a Qumulo cluster to prevent shares which a client can’t access from being enumerated.

Host restrictions apply in the order in which you write them, from top to bottom. For example, if you deny a privilege to a host at the beginning of the permission list, and a later entry allows the same privilege to the same host, Qumulo Core doesn’t grant the privilege.

How SMB Host Restriction Precedence Works

When you create or modify an SMB share, you can use one of the following SMB host restrictions, listed here in order of precedence.

  1. Deny All Access

  2. Deny Specific Hosts: IP address ranges to which Qumulo Core denies access to this share, regardless of other permissions

  3. Permit Read-Only Access: IP address ranges to which Qumulo Core permits only read-only access

  4. Full Access: IP address ranges to which Qumulo Core permits full access

Managing SMB Host Restrictions by Using the qq CLI

For information about viewing, modifying, and removing host restrictions and hiding SMB shares from unauthorized hosts by using the qq CLI, see the following sections in the Qumulo qq CLI Command Guide: