[Samba] blocked ports 445 and 139 make printer-shares very slow

[Marcus Sobchak <lists at localguru.de>]

Hi James,

thanks for your answer.

Am Freitag, den 30.11.2007, 13:54 -0500 schrieb James Kosin:
> Marcus Sobchak <lists at localguru.de> wrote:
> > 
> > do ports 445 and 139 (incoming) have to be open for the samba server's
> > IP on WinXP client side (all WinXP clients are using netbios over
> > TCP/IP)? F-Secure 7.10 blocks all incoming microsoft-ds (445) and
> > netbios-ssn (139) by default, which ends up in very slow printer-shares
> > behaviour (for example opening the properties or the spool window of a
> > samba-printer takes up to 30 seconds).
> > 
> > For testing I opened ports 445 and 139 in the F-Secure firewall for the
> > IP of the samba server. This pushes the samba-print shares to a very
> > good speed at WinXP client side. Could someone explain that to me
> > please?
> > 

> (1)  You don't want to open file sharing from the internet, you should
> really restrict either to the local IP range on your private-network or
> rethink your plan.  Either get a hardware firewall or a good hardware
> router to help restrict your network from the outside.

I don't have the plan to open F-Secure's firewall on each XP client on
ports 139 and 445 to the whole network (0.0.0.0), just to the single IP
of the local samba server. This should not be a big security risk.
Please correct me if I'm wrong!


> (2)  You need to have at least one of those ports open 139 or 445 on
> your network.  You can have both as well.  139 and 445 are the back ends
> for the NETBIOS protocol.  I'm sure someone will correct me here, but
> basically without it things will get very sluggish.

Yes, right, but this doesn't explain to me in detail, why especially the
printing shares do work very slowly if ports 139 and 445 are blocked for
incoming traffic. Every thing else like domain login, roaming profiles
and share mapping works very well?!

Thanks,
Marcus