Question On Basic Firewall Usage

 
 
Bob Cohen
01-31-2004, 07:22 AM
I have a small LAN that talks to the Internet through a
Netgear router. The router provides DHCP service and its
own firewall.

In the network I have a Windows 2003 Server that does a
few chores like run printers, provide file storage, and
run a simple web site. The LAN is running as a peer-to-
peer workgroup.

I have installed Routing and Remote Access to provide for
VPN and dial-in access as well. That server does not
provide DHCP, DNS or WINS.

Everything is working with the exception of the Basic
Firewall on that system. I can configure the firewall to
allow all of the above services and that works just
fine. The only thing I haven't been able to figure out
is that once I turn the firewall on, no other system
within my LAN can see that machine.

I'm mystified as to what to click to allow the other
systems in the workgroup to see that machine. Any help
would be appreciated.

Thanks,
Bob Cohen
 
RIP
01-31-2004, 10:45 AM
Try opening ports 135, 136, 137, 139, 445. I can't
remember offhand what 136 and 137 are used for, but I am
pretty sure it has to do with WINS/NetBIOS.

Gino
01-31-2004, 04:58 PM
Here is a link to Microsoft KB that shows port requirements for all TCP/IP
applications. Scroll down to COMPUTER BROWSER, and SERVER to see the
required ports and their protocols.

http://support.microsoft.com/default.aspx?scid=kb;[LN];832017

Bob Cohen
02-01-2004, 04:20 AM
The doc was invaluable. It turns out that all I had to
do was allow the Computer Browser service in and out.
That happens to be a combination of UDP and TCP ports
135, 136, 137 and 139. (Port 445 is for printer sharing.)

I'm sort of amazed that something as basic as the
Computer Browser service isn't somewhere on a switch by
itself.

Thanks guys,

Bob Cohen


Bill Grant
02-02-2004, 01:10 AM
That isn't strictly true. Many printers use the NetBIOS ports, and file
sharing can run on port 445 without any NetBIOS ports open. See KB 315267.

The NetBIOS ports are a major source of worry in security circles, and
should be blocked on any interface connected to the Internet.

The basic firewall was intended to be used on a machine which is
directly connected to the Internet. The filters are set to prevent
unauthorised access to your LAN through the public interface. If you use it
on a machine which is on a private LAN, you must expect to have to do a fair
bit of fiddling to get your local traffic running!

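Bill Grant's two points above (keep the NetBIOS ports off any Internet-facing interface; file sharing can run on 445 alone) written as a check over a firewall allow-list. This is an added example, not part of the original posts: the `Allow` record, the interface labels and the sample rules are constructed, and flagging 135 and 445 on the public side alongside the NetBIOS ports is an assumption that goes slightly beyond what the post states.

```python
from dataclasses import dataclass

# Windows networking ports discussed in the thread: (protocol, port) -> service.
SENSITIVE = {
    ("tcp", 135): "RPC endpoint mapper",
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB over TCP (direct hosting)",
}

@dataclass(frozen=True)
class Allow:
    interface: str  # hypothetical interface label
    public: bool    # True if the interface faces the Internet
    proto: str
    port: int

def exposed_on_public(rules):
    """Sensitive ports that an inbound allow rule opens on a public interface."""
    return sorted(
        (r.interface, r.proto, r.port, SENSITIVE[(r.proto, r.port)])
        for r in rules
        if r.public and (r.proto, r.port) in SENSITIVE
    )

def lan_features(rules):
    """Which LAN features the private-side allow rules permit."""
    lan = {(r.proto, r.port) for r in rules if not r.public}
    return {
        # File sharing needs direct-hosted SMB or the NetBIOS session port.
        "file_sharing": ("tcp", 445) in lan or ("tcp", 139) in lan,
        # Browsing uses the NetBIOS name, datagram and session ports together.
        "netbios_browsing": {("udp", 137), ("udp", 138), ("tcp", 139)} <= lan,
    }

# Constructed rule set: a LAN side with only 445 and HTTP, a WAN side with a mistake.
RULES = [
    Allow("LAN", False, "tcp", 445),
    Allow("LAN", False, "tcp", 80),
    Allow("WAN", True, "tcp", 80),
    Allow("WAN", True, "udp", 137),
    Allow("WAN", True, "tcp", 139),
]

if __name__ == "__main__":
    for finding in exposed_on_public(RULES):
        print("block on public interface:", finding)
    print(lan_features(RULES))
```

With the sample rules, file sharing is reported as available on the LAN with no NetBIOS port open there, while the two NetBIOS rules on the WAN side are flagged.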
 
Phillip Windell
02-02-2004, 07:25 PM
You'd be better off scrapping the "personal firewall" thing on this
machine. As Bill Grant said, it was designed for a machine with *one*
of its two or more interfaces connected directly to the Internet. This
is not the case with your machine; you are actually misusing the
firewall features from what they were designed for. You are bound to
have unending LAN connection problems with it in the future.

--

Phillip Windell [CCNA, MVP, MCP]
WAND-TV (ABC Affiliate)
www.wandtv.com

Bob Cohen
02-02-2004, 08:59 PM
After looking around more I can see the point you're
making. I had just hoped to avoid "one more piece of
software" on the machine and go with a minimal rig.

At the moment, everything is working just the way I want
it using the basic firewall. However, I have a copy of
ZoneAlarm Pro that I may put on it but probably not for
another week or two.

Thanks,
Bob Cohen


