Netgate Discussion Forum
    How to block Windows Share broadcasting? 137, 139, 445 block

    Firewalling
    5 Posts 4 Posters 6.4k Views
    ulflun

      Hello everyone!

      I am trying to block SMB & Windows Sharing broadcasting. As of now the clients turn up under "Devices" on the Network in Finder/Network devices, which I don't want.

      I can't figure out why my Firewall Block Rule is not working on a pfSense 2.0.3 and I can't see anything in my System Log about this.

      I have my clients on a VLAN, called VLAN10.

      I've tried different block rules:

      Source: VLAN10 subnet (also tried VLAN10 address) to Destination: VLAN10 Any, subnet, address (tried them all) for the following ports:

      netbios-ns - 137/tcp # NETBIOS Name Service
      netbios-dgm - 138/tcp # NETBIOS Datagram Service
      netbios-ssn - 139/tcp # NETBIOS session service
      microsoft-ds - 445/tcp # if you are using Active Directory

      Port 389 (TCP) - for LDAP (Active Directory Mode)
      Port 445 (TCP) - NetBIOS was moved to 445 after 2000 and beyond, (CIFS)
      Port 901 (TCP) - for SWAT service (not related to client communication)

      And they still turn up! argh. What am I doing wrong?!

      EDIT: I've put these rules above my allow any to any traffic rule, so they should work, right?

      Thank you in advance.

      ulflun

        I guess I can't block traffic between hosts on the same network since they never reach the router/firewall because the hosts can talk directly to each other without having to forward the traffic to the gateway…? Except Client isolation on the access points.

        Harvy66

          Yes, the firewall can only block data that goes through the firewall. Broadcast data only goes through the firewall in the case of the firewall bridging two networks, and even then, it can only block the broadcasts from reaching the other network.

          Derelict (Netgate)

            If you want to block traffic between hosts on the same subnet, you want Layer 2 isolation.

            Cisco: "Private VLAN Edge" and protected ports
            Brocade: Set the port on the switch going to the router as an "uplink" port
            D-Link, TRENDnet, etc.: "Asymmetric VLAN". You can play some VLAN games with asymmetric VLANs to get the same traffic behavior.

            Any single switch supporting true "Private VLANs" will also work.  Private VLAN trunking requires all trunked devices (other switches, Access points, etc) to support Private VLANs.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              n3by

              I know it is an old topic, but it is good to know that if you want to disable NetBIOS on the LAN you can do that easily on every computer with Windows if you edit:
              Internet Protocol Version and on the WINS tab select Disable NetBIOS over TCP/IP

              The full article can be found here:
              http://geekflare.com/os/netbios-disable-windows-8

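Added example, written for this page and not posted by anyone in the thread: a PowerShell script that applies n3by's "Disable NetBIOS over TCP/IP" setting to every interface through the registry, and adds Windows Firewall rules for 137-139/445 from the local subnet, the host-side equivalent of the pfSense rules the original poster tried (which never see same-subnet traffic). It assumes an elevated session on Windows 8 / Server 2012 or later; the firewall rule display names are made up for the example.

```powershell
# Added example, not from this thread. Host-side hardening for Windows clients on the VLAN,
# since pfSense never sees traffic between two hosts on the same subnet.
# Assumes an elevated session on Windows 8 / Server 2012 or later (NetSecurity module).
$ErrorActionPreference = 'Stop'

# Per-interface NetBIOS over TCP/IP settings live under this key.
$NetbtIfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-NetbiosOverTcpip {
    # NetbiosOptions: 0 = use DHCP setting, 1 = enable, 2 = disable.
    # Equivalent to the WINS tab setting described above, applied to every interface;
    # takes effect after a reboot (or a restart of the NetBT driver).
    Get-ChildItem -Path $NetbtIfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

function Block-SmbFromLocalSubnet {
    # Windows Firewall rules for the ports the original poster tried to block on pfSense.
    # Note: this also blocks legitimate access to this host's shares from LAN peers.
    $rules = @(
        @{ Name = 'Block NetBIOS UDP from LAN peers';     Protocol = 'UDP'; Port = @('137', '138') }
        @{ Name = 'Block NetBIOS/SMB TCP from LAN peers'; Protocol = 'TCP'; Port = @('139', '445') }
    )
    foreach ($r in $rules) {
        # Idempotent: skip rules that already exist (display names are made up for this example).
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress LocalSubnet `
                -Profile Any | Out-Null
        }
    }
}

function Get-NetbiosStatus {
    # Reports each interface's NetbiosOptions value; 2 on every row means NetBT is off.
    Get-ChildItem -Path $NetbtIfaces | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{ Interface = $_.PSChildName; NetbiosOptions = $opt }
    }
    # After the reboot nothing should be listening on 139 (445 stays; SMB itself is still enabled).
    Get-NetTCPConnection -State Listen -LocalPort 139 -ErrorAction SilentlyContinue
}

Disable-NetbiosOverTcpip
Block-SmbFromLocalSubnet
Get-NetbiosStatus
```

Run it once per client (or push it through Group Policy); the status function is the check that the registry change landed on every interface.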
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.