diff --git a/config.cfg b/config.cfg
index 6b5358b..72a0837 100644
--- a/config.cfg
+++ b/config.cfg
@@ -108,6 +108,12 @@ unattended_reboot:
 # Block traffic between connected clients
 BetweenClients_DROP: true
+# Block SMB/CIFS traffic
+block_smb: true
+
+# Block NETBIOS traffic
+block_netbios: true
+
 congrats:
 common: |
 "# Congratulations! #"
diff --git a/roles/common/templates/rules.v4.j2 b/roles/common/templates/rules.v4.j2
index 05789b7..4d8f60b 100644
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@@ -88,10 +88,10 @@ COMMIT
 # Forward any packet that's part of an established connection
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop SMB/CIFS traffic that requests to be forwarded
--A FORWARD -p tcp --dport 445 -j DROP
+-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
 # Drop NETBIOS trafic that requests to be forwarded
--A FORWARD -p udp -m multiport --ports 137,138 -j DROP
--A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
+-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
+-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}
 {% if ipsec_enabled %}
 # Forward any IPSEC traffic from the VPN network
diff --git a/roles/common/templates/rules.v6.j2 b/roles/common/templates/rules.v6.j2
index 4c42f14..d586a42 100644
--- a/roles/common/templates/rules.v6.j2
+++ b/roles/common/templates/rules.v6.j2
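Review bot: The two new keys carry no explanation of what switching them off actually does, and `# Block SMB/CIFS traffic` reads as a description of the default rather than a toggle an operator will change. Since a `false` value (per the rules.v4.j2 hunk in this commit) causes those ports to be forwarded through the VPN, the comment should state the consequence, e.g. `# Block SMB/CIFS (tcp/445) from being forwarded through the VPN; set to false only if clients need to reach a file share across the tunnel`, and the `block_netbios` comment should likewise name udp/137-138 and tcp/137,139. Keeping `true` as the shipped default is the right call and worth saying explicitly in the comment.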
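Review bot: When `block_smb` (or `block_netbios`) is false, the new lines render an unconditional `-j ACCEPT` for tcp/445 and the NETBIOS ports in FORWARD instead of merely not blocking them; that ACCEPT sits ahead of the source-restricted rules that follow (`{% if ipsec_enabled %}` … `-m policy --pol ipsec --dir in`), so it would forward any packet to those ports regardless of source, assuming FORWARD otherwise falls through to a deny (its default policy is not visible in this hunk). The safer shape keeps the DROP rules and wraps each group in a Jinja conditional, so an unset flag simply falls through to the existing rules and the `# Drop …` comments stay accurate. The rules.v6.j2 hunk has the same pattern and additionally places the ACCEPT before its RELATED,ESTABLISHED rule; that hunk continues past the end of this chunk.
```jinja
{# … unchanged: established-connection rule … #}
{% if block_smb %}
# Drop SMB/CIFS traffic that requests to be forwarded
-A FORWARD -p tcp --dport 445 -j DROP
{% endif %}
{% if block_netbios %}
# Drop NETBIOS traffic that requests to be forwarded
-A FORWARD -p udp -m multiport --ports 137,138 -j DROP
-A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
{% endif %}
{# … unchanged: ipsec forwarding block … #}
```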
@@ -91,9 +91,10 @@ COMMIT
 -A OUTPUT -d {{ subnets|join(',') }} -m owner --gid-owner 15000 -j {{ "DROP" if BetweenClients_DROP else "ACCEPT" }}
 -A FORWARD -j ICMPV6-CHECK
--A FORWARD -p tcp --dport 445 -j DROP
--A FORWARD -p udp -m multiport --ports 137,138 -j DROP
--A FORWARD -p tcp -m multiport --ports 137,139 -j DROP
+-A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
+-A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
+-A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}
+
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 {% if ipsec_enabled %}
 -A FORWARD -m conntrack --ctstate NEW -s {{ strongswan_network_ipv6 }} -m policy --pol ipsec --dir in -j ACCEPT