Hypronix: He doesn't need to allow anything from his firewall/router either. There is no reason for it to be talking to his box and it just leaves another exploitable hole. The router will only be passing traffic from other IP's through to the initiating box so the IP's will all be on the public network. Assuming he is using 192.168.x.x then he can drop all packets from 192.168.0.0/16.

Goth: You wanna really piss off your brother? Add a second IP address to the desktops NIC. Make the subnet 10.x.x.x and add similar to the laptop too. For example:-

Desktop:

Secondary IP Address: 10.13.127.1
Secondary subnet mask : 255.255.255.252
Secondary default gateway: 10.13.127.2

Laptop:

Secondary IP Address: 10.13.127.2
Secondary subnet mask : 255.255.255.252
Secondary default gateway: 10.13.127.2

Add entries to each computers hosts file to point the computer name to the appropriate IP address. Then let him see you connecting freely to both. It'll take him a while to work out what you are doing and as long as both computers are online he can't get onto the subnet. You'll know if he tries because one of your machines will show an IP address conflict. If you want to go further set up IPSec or similar between the two boxes, then he can't sniff and won't be able to spoof the laptop if you remove it from the network.....

That will piss him off......