
UDP/TCP Ports 137, 138, 139


Nana Ni.

Feb 20, 1999, 3:00:00 AM
Hi,

I've read that UDP/TCP ports 137-139, which are used for NetBIOS, can be
a security threat to the system. Does anybody know if I can block at
least incoming packets of this kind on the firewall without making any
restrictions for Windows (NT/95) PCs?

Thanks,
Nazila N.



To Unsubscribe: send mail to majo...@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message

Christopher J. Michaels

Feb 21, 1999, 3:00:00 AM
Yes you could just block incoming connections from your firewall on these
ports. Although reading your message I'm not sure I understand exactly what
you want to block. Are you intending on blocking netbios connections coming
from an outside network to an inside network, or are you just blocking these
connections to the FreeBSD machine?
-Chris


Nana Ni.

Feb 21, 1999, 3:00:00 AM
Dear Chris,

You're right, I must explain the case much more clearly. Actually, I want to
block any packet with source or destination port equal to 137, 138 or
139 from coming in or going out of our intranet. It will be done on our
firewall, which is IPFW on FreeBSD. So NetBIOS connections will be
allowed inside our intranet, but be denied from going out or coming in.
I'd like to make sure that it doesn't place any restriction on existing
services.

Thanks,
Nazila


Christopher J. Michaels

Feb 22, 1999, 3:00:00 AM
If you just block all traffic going over the firewall's outside interface on
those ports you'll be fine.

The rules I use are the following...

01000 deny tcp from any 137-139 to any via tun0
01000 deny udp from any 137-139 to any via tun0
01001 deny tcp from any to any 137-139 via tun0
01001 deny udp from any to any 137-139 via tun0

tun0 being my interface to the outside world, and yes I know netbios is udp
but I'm a bit paranoid I guess.

Hope this helps.
-Chris
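
An added example, not part of any post in this thread: a small Python model of the four rules above that checks whether every TCP/UDP, source/destination combination for ports 137-139 is denied on the outside interface, and that traffic not passing through it is left alone. The parser handles only the `from any ... to any` form used in the post; `ed0` as an inside interface name and 40000 as the peer port are assumptions.

```python
import re

# Rules exactly as posted in the thread (ipfw list format).
RULES = """\
01000 deny tcp from any 137-139 to any via tun0
01000 deny udp from any 137-139 to any via tun0
01001 deny tcp from any to any 137-139 via tun0
01001 deny udp from any to any 137-139 via tun0
"""

RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+from\s+any"
    r"(?:\s+(?P<sports>[\d,-]+))?\s+to\s+any(?:\s+(?P<dports>[\d,-]+))?"
    r"(?:\s+via\s+(?P<iface>\w+))?$")

def port_set(spec):
    # '137-139' or '137,139' -> set of ints; None means "any port".
    if spec is None:
        return None
    bounds = [part.partition("-") for part in spec.split(",")]
    return {p for lo, _, hi in bounds for p in range(int(lo), int(hi or lo) + 1)}

def parse(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["sports"], r["dports"] = port_set(r["sports"]), port_set(r["dports"])
            rules.append(r)
    return rules

def verdict(rules, proto, sport, dport, iface, default="allow"):
    # First matching rule wins, as in ipfw; `default` stands in for later rules.
    for r in rules:
        if (r["proto"] in (proto, "ip", "all")
                and (r["sports"] is None or sport in r["sports"])
                and (r["dports"] is None or dport in r["dports"])
                and (r["iface"] is None or r["iface"] == iface)):
            return r["action"]
    return default

def uncovered(rules, iface, ports=(137, 138, 139)):
    # (proto, position, port) combinations that iface would still pass.
    return [(proto, pos, p) for proto in ("tcp", "udp") for p in ports
            for pos, sp, dp in (("src", p, 40000), ("dst", 40000, p))
            if verdict(rules, proto, sp, dp, iface) != "deny"]
```

Calling `uncovered(parse(RULES), "tun0")` returns an empty list for the posted rules; running it on a ruleset with only the two UDP lines reports the TCP combinations that would still cross the outside interface.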

Gerhard Sittig

Feb 25, 1999, 3:00:00 AM
On Mon, 22 Feb 1999, Christopher J. Michaels wrote:

> If you just block all traffic going over the firewall's outside interface on
> those ports you'll be fine.
>
> the rules I use are the following...
>
> 01000 deny tcp from any 137-139 to any via tun0
> 01000 deny udp from any 137-139 to any via tun0
> 01001 deny tcp from any to any 137-139 via tun0
> 01001 deny udp from any to any 137-139 via tun0
>
> tun0 being my interface to the outside world, and yes I know netbios is udp
> but I'm a bit paranoid I guess.

Not really, I guess :>

------------------------------------------------------------
[sittig@speedy] (529) ~ $ grep netbios /etc/services
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
[sittig@speedy] (530) ~ $ head -15 /etc/services
#
# Network services, Internet style
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, most entries here have two entries
# even if the protocol doesn't support UDP operations.
# Updated from RFC 1340, ``Assigned Numbers'' (July 1992). Not all ports
# are included, only the more common ones.
#
# from: @(#)services 5.8 (Berkeley) 5/9/91
# $Id: services,v 1.9 1993/11/08 19:49:15 cgd Exp $
#
[sittig@speedy] (531) ~ $ netstat -a | grep netb
tcp 0 0 speedy.gsin:netbios-ssn *:* LISTEN
tcp 0 0 speedy.gsin:netbios-ssn *:* LISTEN
udp 0 0 *:netbios-ns *:*
udp 0 0 *:netbios-dgm *:*
udp 0 0 speedy.gsine:netbios-ns *:*
udp 0 0 speedy.gsin:netbios-dgm *:*
udp 0 0 speedy.gsine:netbios-ns *:*
udp 0 0 speedy.gsin:netbios-dgm *:*
[sittig@speedy] (532) ~ $
------------------------------------------------------------


Gerhard Sittig
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.
