blocking MS ports from WAN access

 
 
Phil Schuman

 
      03-02-2006, 12:04 AM
A neighbor asked me to help him setup
his new wireless router and laptops running.
One thing that I have done on mine and some others,
is to block the MS ports (137, 138, 139 + 445) from to/from the WAN.
What valid reason would there be to have these "MS sharing" ports
open across the WAN ?
Also - if left open... as most probably are... what do folks do ??




 
simon

 
      03-02-2006, 12:33 AM

"Phil Schuman" <(E-Mail Removed)> wrote in message
news:%wrNf.38893$(E-Mail Removed) et...
>A neighbor asked me to help him setup
> his new wireless router and laptops running.
> One thing that I have done on mine and some others,
> is to block the MS ports (137, 138, 139 + 445) from to/from the WAN.
> What valid reason would there be to have these "MS sharing" ports
> open across the WAN ?
> Also - if left open... as most probably are... what do folks do ??
>
>
>

So you have blocked ports and you don't know why?
I can't see any reason for blocking ports, just buy a router with a built in
firewall and run appropriate protection on each PC. Make sure the router is
closed off to others and away you go.


 
Duane Arnold

 
      03-02-2006, 12:46 AM
Phil Schuman wrote:
> A neighbor asked me to help him setup
> his new wireless router and laptops running.
> One thing that I have done on mine and some others,
> is to block the MS ports (137, 138, 139 + 445) from to/from the WAN.
> What valid reason would there be to have these "MS sharing" ports
> open across the WAN ?


None -- other than you most likely getting the machine hacked to death
that those ports were port forwarded to a LAN IP/machine that was using
MS networking on the LAN.

> Also - if left open... as most probably are... what do folks do ??
>


Those ports are closed by default on a NAT router to the WAN or public
Internet, unless you open those ports manually by doing port forwarding on the
router or you have placed the machine into the DMZ.

http://www.homenethelp.com/web/expla...arding-dmz.asp

Duane



 
Jeff Liebermann

 
      03-02-2006, 01:30 AM
On Thu, 02 Mar 2006 01:04:59 GMT, "Phil Schuman"
<(E-Mail Removed)> wrote:

>A neighbor asked me to help him setup
>his new wireless router and laptops running.
>One thing that I have done on mine and some others,
>is to block the MS ports (137, 138, 139 + 445) from to/from the WAN.
>What valid reason would there be to have these "MS sharing" ports
>open across the WAN ?
>Also - if left open... as most probably are... what do folks do ??


Most folks purchase a router and do not plug their computah directly into
the DSL or cable modem. The NAT translation and SPI firewall provide
the necessary protection. You can run a fairly sloppy and insecure
LAN behind a decent router/firewall. For these, all ports are blocked
unless specifically enabled.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
 
John Navas

 
      03-02-2006, 05:09 AM
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <(E-Mail Removed)> on Thu, 02 Mar 2006 02:30:37
GMT, Jeff Liebermann <(E-Mail Removed)> wrote:

>On Thu, 02 Mar 2006 01:04:59 GMT, "Phil Schuman"
><(E-Mail Removed)> wrote:
>
>>A neighbor asked me to help him setup
>>his new wireless router and laptops running.
>>One thing that I have done on mine and some others,
>>is to block the MS ports (137, 138, 139 + 445) from to/from the WAN.
>>What valid reason would there be to have these "MS sharing" ports
>>open across the WAN ?
>>Also - if left open... as most probably are... what do folks do ??

>
>Most folks purchase a router and do not plug their computah directly into
>the DSL or cable modem. The NAT translation and SPI firewall provide
>the necessary protection. You can run a fairly sloppy and insecure
>LAN behind a decent router/firewall. For these, all ports are blocked
>unless specifically enabled.


The problem with that assumption is that NAT and SPI alone provide *no*
protection against ET-phone-home-type and LAN-to-LAN-type attacks, where a
computer on the LAN has been compromised by virus, worm, browser exploit, etc.
Thus it is a good idea to lock down outgoing router ports that aren't needed,
and to run a good software firewall (filtering outbound as well as inbound) on
every LAN client.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
 
Rico

 
      03-02-2006, 02:57 PM
In article <HXrNf.77597$(E-Mail Removed)>, "simon" <(E-Mail Removed)> wrote:
>
>"Phil Schuman" <(E-Mail Removed)> wrote in message
>news:%wrNf.38893$(E-Mail Removed). net...
>>A neighbor asked me to help him setup
>> his new wireless router and laptops running.
>> One thing that I have done on mine and some others,
>> is to block the MS ports (137, 138, 139 + 445) from to/from the WAN.
>> What valid reason would there be to have these "MS sharing" ports
>> open across the WAN ?
>> Also - if left open... as most probably are... what do folks do ??
>>
>>
>>

>So you have blocked ports and you don't know why?


Works for me, if you don't know why it should be open, close it. Easier and
better to re-open it than to find out the cow is already out of the barn.

>I can't see any reason for blocking ports, just buy a router with a built in
>firewall


What do you think a firewall does, it blocks ports <grin>

> and run appropriate protection on each PC. Make sure the router is
>closed off to others and away you go.
>
>


fundamentalism, fundamentally wrong.
 
John Navas

 
      03-02-2006, 05:13 PM
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

In <FyENf.169$(E-Mail Removed)> on Thu, 02 Mar 2006 15:57:23 GMT,
(E-Mail Removed) (Rico) wrote:

>In article <HXrNf.77597$(E-Mail Removed)>, "simon" <(E-Mail Removed)> wrote:


>>I can't see any reason for blocking ports, just buy a router with a built in
>>firewall

>
>What do you think a firewall does, it blocks ports <grin>


A good firewall does much more than that; e.g., protects against DoS attacks.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
 
Mark McIntyre

 
      03-02-2006, 06:49 PM
On Thu, 02 Mar 2006 01:04:59 GMT, in alt.internet.wireless , "Phil
Schuman" <(E-Mail Removed)> wrote:

>is to block the MS ports (137, 138, 139 + 445) from to/from the WAN.
>What valid reason would there be to have these "MS sharing" ports
>open across the WAN ?


no reason at all to have them open to people outside your network,
unless you explicitly want people to be able to connect to your
machines via windows networking, which is generally NOT a good plan!

>Also - if left open... as most probably are... what do folks do ??


block them.
Mark McIntyre

Phil Schuman

 
      03-02-2006, 10:44 PM

"simon" <(E-Mail Removed)> wrote in message
news:HXrNf.77597$(E-Mail Removed)...
>> So you have blocked ports and you don't know why?
>
> I can't see any reason for blocking ports, just buy a router with a built in
> firewall and run appropriate protection on each PC. Make sure the router is
> closed off to others and away you go.
>

well - I used to run ISDN routers before we had broadband in our area.
We would block the Netbios traffic because it would cause a dialup of
the ISDN link.
A firewall merely offers the "capability" to block ports.
So, even if a router has a firewall, it may be passive,
or it may be actively blocking all unused ports,
or it may be SPI for managing the TCP/IP connections and port
sequencing.
As far as letting the Netbios traffic out on the WAN,
I think it might be necessary if you are trying to potentially connect
to a Microsoft based server application - like Exchange...



 
Duane Arnold

 
      03-02-2006, 11:26 PM
Phil Schuman wrote:
> "simon" <(E-Mail Removed)> wrote in message
> news:HXrNf.77597$(E-Mail Removed)...
>
>>> So you have blocked ports and you don't know why?
>>
>> I can't see any reason for blocking ports, just buy a router with a built in
>> firewall and run appropriate protection on each PC. Make sure the router is
>> closed off to others and away you go.
>
> well - I used to run ISDN routers before we had broadband in our area.
> We would block the Netbios traffic because it would cause a dialup of
> the ISDN link.
> A firewall merely offers the "capability" to block ports.


I think you need to find out something. What does an Internet/network FW do?

http://www.firewall-software.com/fir...rewall_do.html

> So, even if a router has a firewall, it may be passive,
> or it may be actively blocking all unused ports,
> or it may be SPI for managing the TCP/IP connections and port
> sequencing.


You're somewhere in the ballpark; that's the least that can be said.

> As far as letting the Netbios traffic out on the WAN,
> I think it might be necessary if you are trying to potentially connect
> to a Microsoft based server application - like Exchange...
>



This last statement above is questionable, to say the least.
That Exchange server would be behind a FW, in a closed/protected environment
on the LAN, and would not be exposed to the Internet/WAN. I would think
it would be using SMTP and maybe port 25, and no one over the Internet
would expose the Exchange server, any MS server or workstation to the
WAN on any of the ports you talk about if they've got any common sense.
That's 137-139 TCP and 445 UDP trying to network with a MS machine on
the WAN.

Duane
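
An added example, not part of any post in this thread: a toy Python model of a home NAT/SPI router that shows the two points argued above, that ports 137-139 and 445 stay closed inbound unless a port forward or DMZ opens them, and that the same router passes LAN-initiated traffic to those ports unless egress rules are added. `Router`, `exposed_ms_ports`, `demo` and the sample port numbers are constructed for illustration and model no vendor's firmware.

```python
# Added illustration: a toy model of a home NAT/SPI router, not real firmware.
from dataclasses import dataclass, field

# NetBIOS name (137/udp), datagram (138/udp), session (139/tcp), SMB direct (445/tcp).
# The audit below checks both protocols on every port, like a blanket block rule.
MS_PORTS = {137, 138, 139, 445}

@dataclass
class Router:
    forwards: set = field(default_factory=set)      # (proto, port) forwarded to a LAN host
    dmz_host: bool = False                          # True: all unsolicited inbound goes to one host
    egress_block: set = field(default_factory=set)  # destination ports dropped LAN -> WAN
    flows: set = field(default_factory=set)         # state table: (proto, lan_port, wan_port)

    def outbound(self, proto, sport, dport):
        """A LAN host opens a connection towards the WAN."""
        if dport in self.egress_block:
            return "drop"
        self.flows.add((proto, sport, dport))       # SPI remembers the flow
        return "pass"

    def inbound(self, proto, sport, dport):
        """A packet arrives on the WAN interface."""
        if (proto, dport, sport) in self.flows:
            return "pass"                           # reply to a LAN-initiated flow
        if self.dmz_host or (proto, dport) in self.forwards:
            return "pass"                           # exposure the owner configured
        return "drop"                               # default: unsolicited inbound is dropped

def exposed_ms_ports(router):
    """MS sharing ports reachable from the WAN without any prior LAN-side flow."""
    return sorted({port for proto in ("tcp", "udp") for port in MS_PORTS
                   if router.inbound(proto, 40000, port) == "pass"})

def demo():
    default = Router()                              # out-of-the-box NAT/SPI behaviour
    hardened = Router(egress_block=MS_PORTS)        # same router plus egress rules
    return {
        "default_exposed": exposed_ms_ports(default),
        "forwarded_exposed": exposed_ms_ports(Router(forwards={("tcp", 445)})),
        "dmz_exposed": exposed_ms_ports(Router(dmz_host=True)),
        "default_egress_445": default.outbound("tcp", 50123, 445),
        "hardened_egress_445": hardened.outbound("tcp", 50123, 445),
        "hardened_egress_443": hardened.outbound("tcp", 50124, 443),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```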
 