Do all the netbios ports (135:139) need to be open

David Lechnyr david at hr.uoregon.edu
Wed Jan 3 20:47:02 GMT 2001


Mike O'Neill <mikeo at redhillstudios.com> wrote:
> Can someone please share their ipchains for samba?  Do all the netbios ports
> (135:139) need to be open?  Are they all that's needed?  -mike

Mike,

You can open up UDP ports 137 (netbios_ns), 138 (netbios_dg) and TCP 139 (netbios_ss) for Win95/98/NT/ME client SMB access.  I'm not sure what services you are supporting on ports 135-136, so I'll assume it's a typo.  Please note that unlike most services, Netbios_NS communicates FROM port 137 TO port 137.

You will also need to allow loopback (-i lo) and explicit REJECT/DENY statements/policies, and MAY (depending on your setup) need your fake-address clients registered with a fake DNS and/or /etc/hosts.  Here are some samples.  Qualify all variables with a netmask (e.g., 10.1.1.1/24).

If you are going to play with any SMB stuff and are still new to what ports do what, it would probably be a good idea to review http://serendipity.magnet.ch/hermetic/crypto/cifs.txt (CIFS: Common Insecurities Fail Scrutiny) backwards & forwards.

# Netbios_NS (137/udp): the name service talks from port 137 to port 137,
# so both ends are pinned; the $broadcast pair covers name registration
# and resolution on the local segment.
/sbin/ipchains -A input -p udp -s $trusted 137 -d $extip 137 -j ACCEPT
/sbin/ipchains -A input -p udp -s $broadcast 137 -d $extip 137 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip 137 -d $broadcast 137 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip 137 -d $trusted 137 -j ACCEPT

# Netbios_DG (138/udp): browse-list datagrams; unicast clients may send
# from an ephemeral port, so only the broadcast rules leave the port open.
/sbin/ipchains -A input -p udp -s $trusted 1024:65535 -d $extip 138 -j ACCEPT
/sbin/ipchains -A input -p udp -s $broadcast -d $extip 138 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip -d $broadcast 138 -j ACCEPT
/sbin/ipchains -A output -p udp -s $extip 138 -d $trusted 1024:65535 -j ACCEPT

# Netbios_SS (139/tcp): the SMB session itself; only $trusted may reach it,
# and replies go back to the client's ephemeral port.
/sbin/ipchains -A input -p tcp -s $trusted 1024:65535 -d $extip 139 -j ACCEPT
/sbin/ipchains -A output -p tcp -s $extip 139 -d $trusted 1024:65535 -j ACCEPT

Regards,
David Lechnyr
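The rules in the reply above cover only the three NetBIOS ports; the reply also says you need loopback, explicit DENY policies and netmask-qualified variables, but does not show them. The script below is an added example (not David's ruleset and not Samba project code) that generates the whole thing in one place: default-deny policies, loopback, the 137-to-137 name-service rules, datagram and session rules, and a final logged DENY for the rest of 135-139 so scans show up in syslog. It only prints the ipchains commands, so it can be reviewed on any box and piped to `sh` as root on the firewall. `/sbin/ipchains` is an assumed path and the addresses in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not part of the original reply: emit a complete ipchains
# ruleset for a Samba host, including the pieces the reply says are needed
# around the three NetBIOS ports (default DENY policies, loopback,
# port 137 -> 137 for the name service). The functions only PRINT the
# commands; pipe the output to `sh` as root to apply. /sbin/ipchains is
# an assumed path; override with IPCHAINS=... in the environment.
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

# check_masked ADDR... : every address must carry a /mask, as the reply says.
# A bare address means a single host (/32), which is wrong if $trusted is
# meant to be a whole network. Returns 1 on the first argument without one.
check_masked() {
    for a in "$@"; do
        case $a in
            */*) ;;
            *) echo "check_masked: $a has no /netmask" >&2; return 1 ;;
        esac
    done
    return 0
}

# samba_rules EXTIP TRUSTED BROADCAST
#   EXTIP     the Samba host's LAN address        (e.g. 10.1.1.1/32)
#   TRUSTED   the network the SMB clients are on  (e.g. 10.1.1.0/24)
#   BROADCAST that network's directed broadcast   (e.g. 10.1.1.255/32)
samba_rules() {
    extip=$1 trusted=$2 broadcast=$3
    check_masked "$extip" "$trusted" "$broadcast" || return 1

    # Default-deny on every chain; everything below is an exception to it.
    echo "$IPCHAINS -P input DENY"
    echo "$IPCHAINS -P output REJECT"
    echo "$IPCHAINS -P forward DENY"
    # Loopback, or local tests with smbclient/nmblookup against 127.0.0.1 fail.
    echo "$IPCHAINS -A input -i lo -j ACCEPT"
    echo "$IPCHAINS -A output -i lo -j ACCEPT"
    # Netbios_NS (137/udp): the name service talks port 137 to port 137, so
    # both ports are pinned; the broadcast pair covers registration and
    # resolution on the local segment.
    for peer in "$trusted" "$broadcast"; do
        echo "$IPCHAINS -A input -p udp -s $peer 137 -d $extip 137 -j ACCEPT"
        echo "$IPCHAINS -A output -p udp -s $extip 137 -d $peer 137 -j ACCEPT"
    done
    # Netbios_DG (138/udp): browse-list datagrams. The peer's port is left
    # unpinned because clients do not always send from 138.
    for peer in "$trusted" "$broadcast"; do
        echo "$IPCHAINS -A input -p udp -s $peer -d $extip 138 -j ACCEPT"
        echo "$IPCHAINS -A output -p udp -s $extip 138 -d $peer -j ACCEPT"
    done
    # Netbios_SS (139/tcp): the SMB session. Clients may open it from an
    # ephemeral port; our side only sends non-SYN packets (! -y) from 139,
    # so nothing local can use 139 as a source port to dial out.
    echo "$IPCHAINS -A input -p tcp -s $trusted 1024:65535 -d $extip 139 -j ACCEPT"
    echo "$IPCHAINS -A output -p tcp ! -y -s $extip 139 -d $trusted 1024:65535 -j ACCEPT"
    # Anything else aimed at the NetBIOS range is dropped and logged (-l),
    # so port scans of 135-139 show up in syslog. ipchains is first-match,
    # so these sit after the ACCEPTs above.
    echo "$IPCHAINS -A input -p tcp -d $extip 135:139 -l -j DENY"
    echo "$IPCHAINS -A input -p udp -d $extip 135:139 -l -j DENY"
}

# Usage (constructed addresses): review the output, then `| sh` as root, e.g.
#   sh samba-ipchains.sh 10.1.1.1/32 10.1.1.0/24 10.1.1.255/32 | sh
if [ "$#" -eq 3 ]; then
    samba_rules "$@"
fi
```

Because the generator refuses bare addresses, forgetting the netmask on `$trusted` fails loudly instead of silently producing a /32 rule that only ever matches one client.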
More information about the samba mailing list