
Netbios Port 137 Outbound


Redeye

May 27, 2006, 6:31:02 AM
I have recently installed Wallwatcher on a newly built SBS 2003. Looking at the network
traffic, I have noticed that the SBS is sending out port 137 packets out onto
the internet. The router is blocking incoming port 137; shall I also block
outgoing too? I'm a bit confused why the server is doing this.

The server has one NIC card and the router has a built-in firewall.

Regards
Redeye

Mark

May 27, 2006, 8:51:45 AM
I bet if you had a dual NIC setup you wouldn't have NB going outbound.
That is one of the reasons for a multi-homed setup



Garth H

May 27, 2006, 2:30:09 PM
Yup, looking at all the stuff that's slammed against your router can be
scary, but knowing what's going on is a good step in maintaining control
of your network.

Are you running just a single NIC, or dual?

If single, then yeah, you're going to see that happen.

If dual, then you need to tweak the config of your Internet side NIC. It
should be TCP/IP Only. No WINS, No NetBIOS. There's no reason for the
wild side nic to do anything but send and receive traffic for the
services you have enabled/exposed to the outside. Mail, Web, VPN, etc.


--
Garth H
webd...@spamcop.net
Microsoft Certified Professional
Macromedia Certified Developer

Dan

May 29, 2006, 1:46:50 PM
Yes, you probably want to block outgoing port 137 using the router's
filters or software firewall filters on the computer running
WallWatcher. Also, see whether WallWatcher's LOGGING menu has "OK to
use NETBios" selected. If so, WallWatcher's rDNS lookups (IP->URL) are
causing some or all of those outgoing 137's. The "Instant Help" for
that option gives more details, and so does WallWatcher's full HELP.

To determine whether the outbound 137's are caused by WallWatcher, turn
off both of the "Convert" options on WW's LOGGING menu and click OK.
(Do this before telling the router to block outgoing port 137.) You
won't see many URL's when those options are off, but if the port 137
activity in the logs disappears, you'll know for sure what was causing
it. Then, you can decide which options to use in WW, and which filters
to use in your firewalls.

On most versions of Windows, WallWatcher can use either of two kinds of
rDNS lookups. The advantage of the "OK to use NETBios" option is that
it finds more URL's than the other, safer lookup method. The drawback
is that it sometimes sends your IP address to the remote IP address
it's querying, and you may not want that to happen.

If you want to see as many URL's as can be obtained safely, a
reasonable compromise is to use "OK to use NETBios" in WW, but to tell
the router or your software firewall to block port 137 outgoing. Then,
when WW asks for an IP->URL lookup, Windows will ask your ISP's
NameServer for the URL; if it gets an answer, the query ends
successfully; if it doesn't get an answer, it'll send the query to the
remote IP, using port 137, asking the remote IP to identify itself.
The port 137 filter you've set will block that request, so your IP will
not be sent to the remote IP; eventually, Windows will time out the
query and give an "unsuccessful" reply to WW.

If you set that filter in the router, you'll see lots of log entries
reporting its use. Once you're sure the filters are working properly,
you can reduce the size of your logs by telling WW to not display (or
not log) those log entries. Or, you can leave them in the logs if they
don't distract you.

Finally, if you want as many successful lookups as possible, even if it
means sending your IP address to those unknown remote IP's, you can use
"OK to use NETBios" in WW, but not set a blocking filter in the router.
(That may be your current setup.)

-Dan Tseng (WallWatcher author)
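
Added example, not part of the thread and not WallWatcher code: a Python triage helper for captured UDP/137 payloads that labels the "identify yourself" request described above when it leaves the LAN. It assumes that request is an RFC 1002 node status (NBSTAT) question; the function names, the `LAN` list and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

NBSTAT, NB = 0x0021, 0x0020  # RFC 1002 question types
# RFC 1918 ranges treated as "inside" (assumption; adjust to the LAN in use)
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_nb_name(encoded: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: two letters 'A'..'P' per byte."""
    if len(encoded) != 32 or any(not 65 <= c <= 80 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 65) << 4) | (encoded[i + 1] - 65)
                 for i in range(0, 32, 2))

def parse_nbns_question(payload: bytes) -> dict:
    """Parse the 12-byte header and the first question of a UDP/137 payload."""
    if len(payload) < 12 + 1 + 32 + 1 + 4:
        raise ValueError("too short for an NBNS question")
    txid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if qdcount < 1 or payload[12] != 32 or payload[45] != 0:
        raise ValueError("unexpected question layout")
    name = decode_nb_name(payload[13:45])
    qtype, qclass = struct.unpack_from("!HH", payload, 46)
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "name": name, "qtype": qtype, "qclass": qclass}

def classify(dst_ip: str, payload: bytes) -> str:
    """Label one outbound UDP/137 datagram for log triage."""
    try:
        q = parse_nbns_question(payload)
    except ValueError:
        return "malformed"
    inside = any(ipaddress.ip_address(dst_ip) in net for net in LAN)
    if q["qtype"] == NBSTAT and not q["is_response"]:
        kind = "node-status-query"   # sent to one host, asking it to identify itself
    elif q["qtype"] == NB:
        kind = "name-query"          # ordinary NetBIOS name resolution
    else:
        kind = "other"
    return ("internal-" if inside else "external-") + kind

# Constructed sample: node status query for the wildcard name "*" ("CK" + padding).
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 0)
          + b"\x20CK" + b"A" * 30 + b"\x00"
          + struct.pack("!HH", NBSTAT, 0x0001))

if __name__ == "__main__":
    print(classify("203.0.113.10", SAMPLE))  # destination is a documentation address
```

Datagrams labelled `external-node-status-query` are the ones an outbound port 137 filter on the router would stop.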
