22-12-2003, 17:00
#61
Inactive
Join Date: Jan 2023
Posts: 4,984
Re: Merged - Port blocking
Quote:
Originally Posted by rdhw
pem & stuartbe:
You are arguing over different things, and you're both right in your separate ways.
In the beginning, there was only NetBIOS, and it was both (a) a LAN-only protocol, and (b) an API specification for networking, that applications and services could write to. The low-level protocol was layered on 802.2.
IBM and Microsoft developed the SMB protocol for file and print sharing, and layered it on top of NetBIOS.
As networking developed, the protocol and the API were split apart. The low-level protocol became known as NetBEUI, while the high-level API remained called NetBIOS.
NetBEUI was and is a LAN-only protocol, which relies on system-wide broadcasts for locating other nodes, and cannot be routed.
NetBIOS was then ported onto several other transport protocols besides NetBEUI. One of those was IPX/SPX in Netware environments. Another was TCP/IP. The NetBIOS port onto TCP/IP uses the well-known ports 135-139. This enables applications written to the NetBIOS API to communicate over any of the underlying transport protocols (NetBEUI, IPX/SPX, TCP/IP) without being aware of which protocol they are using.
Because Microsoft/IBM file and print sharing used SMB (now also known as CIFS), which was layered on top of NetBIOS, this meant that file and print sharing could occur over any of the underlying low-level protocols: all of them were supporting SMB via NetBIOS.
There is no reason why the Filesharing-SMB-NetBIOS-TCP/IP stack cannot be routed over the internet and support long-distance file and print sharing. By default all IP routers support this because the traffic is indistinguishable from all other IP traffic, apart from port numbers. The downside to this is that it exposes the entire NetBIOS interface of each PC to the internet, and the NetBIOS API had no security model.
With Win2K and XP, Microsoft ported the SMB/CIFS filesharing protocol (which does have an inbuilt security model) to a direct TCP/IP transport on port 445, eliminating the NetBIOS layer. For backward compatibility with Win9x systems, they left the NetBIOS transport still enabled by default. The port 445 implementation is perfectly capable of long-haul connections over the internet.
So now, 2K and XP users can do filesharing by any of the following stacks:
SMB -> TCP/IP port 445 -> LAN & internet
SMB -> NetBIOS -> TCP/IP ports 135-139 -> LAN & internet
SMB -> NetBIOS -> IPX/SPX -> LAN only
SMB -> NetBIOS -> NetBEUI -> LAN only
NTL, and many other ISPs, have now blocked both 135-138 and 445, thus making MS filesharing impossible over the broadband connection. If you need to do MS-style filesharing over the internet, you should set up VPN servers/clients and use PPTP or L2TP as the transport over the broadband connection, which imposes another layer of security and authentication over these links.
Thanks RDHW
I can see you think in Cisco and not Microsoft.
I wonder where we would be now if Xerox had not got involved in TCP/IP!!!
Maybe everyone would be file sharing using tftp
23-12-2003, 17:47
#62
In the corner, sulking.
Join Date: Jun 2003
Location: Shaw, Oldham, Lancashire.
Services: 2 TV 360 boxes. 500mb BB, Phone line.
Posts: 8,041
Re: Port blocking
Quote:
Originally Posted by iadom
After a couple of weeks without any of the several hundred port 135 scans per day, I have just had 9 in the past few minutes, 50% from Ntl customers. Has port 135 blocking been switched off?
EDIT.... OMG, it is as bad as ever, dozens of scans racked up now, at least ten from different customers of the same French ISP.
Just to update anyone who is interested,
Since this started last Monday the 15th, my firewall has now logged over 8,000 hits, mainly port 135/445, almost 75% from ntl users, and my PC is not switched on all day.
I have been in contact with John in Swansea (a very pleasant man) and it would appear that I have bowled them a googly. Over the weekend, at their request, I added 3 IP addresses they supplied to my firewall trusted zone, to allow them to carry out some tests on the system. To date they are saying that the ports on this part of the network are definitely blocked, it does seem that I am quite unique at the moment. They are now in possession of my firewall logs for Sat/Sun so watch this space.
I am not in the least worried about this, but I am intrigued as to why I suddenly started to get these hits when I have had none of this type since the port blocking was enabled.
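The port-to-stack layering in rdhw's quoted post and the firewall-log tallies in the post above, as an added example that is not from the thread or from any firewall vendor: a small Python script that parses firewall drop lines, labels each hit with the file-sharing stack its destination port belongs to (445 = SMB direct over TCP/IP, 135-139 = NetBIOS over TCP/IP), and reports what share of those hits came from a given set of source ranges. The log line format, the sample addresses (RFC 5737 test ranges) and the "own ISP" ranges are all constructed for illustration; the regex is the part you would adapt to your own firewall's log format.

```python
"""Tally firewall drops on MS file-sharing ports by stack and by source range.

Added example, not code from the thread. Log format, addresses and the
'own ISP' ranges are constructed; adapt LINE_RE to your firewall's output.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed log format: one dropped connection per line, e.g.
# "2003-12-20 14:02:11 DROP TCP 192.0.2.10:1027 -> 10.0.0.5:135"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed source ranges standing in for "my own ISP's customers".
OWN_ISP_NETWORKS = ["192.0.2.0/24"]

# Constructed sample log: six hits on file-sharing ports, one on port 80,
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2003-12-20 14:02:11 DROP TCP 192.0.2.10:1027 -> 10.0.0.5:135",
    "2003-12-20 14:02:15 DROP TCP 192.0.2.11:1040 -> 10.0.0.5:445",
    "2003-12-20 14:03:02 DROP TCP 198.51.100.7:3022 -> 10.0.0.5:135",
    "2003-12-20 14:03:40 DROP TCP 192.0.2.12:2345 -> 10.0.0.5:139",
    "2003-12-20 14:04:01 DROP TCP 203.0.113.4:1234 -> 10.0.0.5:80",
    "2003-12-20 14:04:09 DROP TCP 192.0.2.10:1028 -> 10.0.0.5:445",
    "2003-12-20 14:05:33 DROP UDP 198.51.100.9:4000 -> 10.0.0.5:137",
    "this line is not a firewall record",
]


def stack_for_port(port):
    """Map a destination port to the stack named in rdhw's table, or None."""
    if port == 445:
        return "SMB -> TCP/IP port 445"
    if 135 <= port <= 139:
        return "SMB -> NetBIOS -> TCP/IP ports 135-139"
    return None


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": ip_address(m["src"]), "dport": int(m["dport"])}


def summarise(lines, own_isp_networks):
    """Count file-sharing-port hits by stack and by source, plus the own-ISP share."""
    nets = [ip_network(n) for n in own_isp_networks]
    by_stack, by_source = Counter(), Counter()
    own_isp = total = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, do not abort the whole run
        stack = stack_for_port(rec["dport"])
        if stack is None:
            continue  # not a file-sharing port; out of scope for this tally
        total += 1
        by_stack[stack] += 1
        by_source[str(rec["src"])] += 1
        if any(rec["src"] in n for n in nets):
            own_isp += 1
    share = round(100 * own_isp / total, 1) if total else 0.0
    return {
        "filesharing_hits": total,
        "by_stack": dict(by_stack),
        "by_source": dict(by_source),
        "own_isp_share_pct": share,
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG, OWN_ISP_NETWORKS)
    print(f"file-sharing port hits: {report['filesharing_hits']}")
    for stack, n in report["by_stack"].items():
        print(f"  {n:3d}  {stack}")
    print(f"share from own ISP ranges: {report['own_isp_share_pct']}%")
    for src, n in report["by_source"].most_common(3) if False else sorted(
        report["by_source"].items(), key=lambda kv: -kv[1]
    )[:3]:
        print(f"  {n:3d}  {src}")
```

Feed it your own exported log instead of SAMPLE_LOG and the own-ISP share tells you whether the traffic is coming from inside the provider's network (where the provider's port blocking should have stopped it) or from elsewhere, which is the distinction the post above was trying to draw.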
27-12-2003, 15:18
#63
In the corner, sulking.
Join Date: Jun 2003
Location: Shaw, Oldham, Lancashire.
Services: 2 TV 360 boxes. 500mb BB, Phone line.
Posts: 8,041
Re: Merged - Port blocking
Well, fingers crossed, the torrent of 135/445 scans seems to have stopped.
Yesterday I had 350 firewall hits in 4 hours, today the PC has been on for 90 minutes and has registered only 4 hits, none to ports 135/445.
I would still like to know who or what was responsible for the massive amount of 135/445 scans I received over the past couple of weeks.