Remote Windows Server > PfSense > Windows share on local machine

  • Hello all,

    I'm trying to figure this out with no luck.
    I'm trying to allow remote servers (each has static public IP) to connect to a network share on the inside of my firewall.
    I have a rule for 21 and it works fine, so I know routing is OK, but...
    When I create a rule for 135-139, it fails. I don't even see a connection attempt from the remote server.

    What am I missing?

    P.S. I'm trying NOT to use VPN.

  • Pretty bad idea to open Windows shares to the Internet, whatever the motivation. If you don't want to use a VPN (best solution), you can try SSH tunneling.

  • Windows Firewall blocks non-local connections by default.

  • I am filtering based on incoming IP, so unless someone knows what IP to spoof, I'm not in much risk (I think).
    I have Windows firewall disabled on both Windows machines.

    I would do VPN but Windoz does have a tendency to drop connectivity and as this is for backups, a dropped connection (even if it redials) will be a major issue.

    Thank you guys.. and gals!  ;D

  • If you want to do remote backup, the best thing to do is set up a VPN tunnel between both sites (or multiple) and robocopy from Windows.  If the robocopy gets interrupted, it's robust (hence the name) enough to recover and continue.

    Every port you open up on a firewall is a hole.  Less holes, less worries.  Best to think of it that way.

  • I'm sure you have had it explained but:

    Port 135 is certainly not a port that needs to be, or should be, exposed to the Internet. Hacker tools such as "epdump" (Endpoint Dump) are able to immediately identify every DCOM-related server/service running on the user's hosting computer and match them up with known exploits against those services.

    Any machines placed behind a NAT router (any typical residential or small business broadband IP-sharing router) will be inherently safe. And any good personal software firewall should also be able to easily block port 135 from external exposure. That's what you want.

    *******  And this is what's causing your inability to connect probably ********

    In addition, many security conscious ISPs are now blocking port 135 along with the notorious "NetBIOS Trio" of ports (137-139). So even without any of your own proactive security, you may find that port 135 has been blocked and stealthed on your behalf by your ISP.

    So, it doesn't much matter how awesome your security and filtering is, your ISP is in all likelihood not allowing it.
    VPN really is the way to go.
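The thread's advice boils down to one check a defender can automate: does any WAN pass rule expose the MS-RPC endpoint mapper (135) or the NetBIOS trio (137-139)? The script below is an added example written for this thread, not pfSense's own code or config format. It models rules with a constructed, simplified `Rule` record (pfSense's real config.xml schema is not used), flags such rules, and grades a source-restricted rule as "high" rather than "critical" to reflect the thread's point that filtering on the remote server's static IP narrows the exposure but does not remove it (and the ISP may drop those ports regardless). Port 445 (SMB over TCP) is included as an assumption beyond the page, since current Windows file sharing uses it alongside 139.

```python
"""Audit simplified firewall rules for NetBIOS/RPC/SMB exposure on the WAN.

Added example for this forum thread; not pfSense code. The Rule record is a
constructed representation, not pfSense's config.xml schema.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Ports the thread warns about, plus 445 (assumption: modern SMB over TCP).
RISKY_PORTS = {
    135: "MS-RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}


@dataclass
class Rule:
    interface: str   # hypothetical interface names: "wan", "lan", "openvpn"
    action: str      # "pass" or "block"
    protocol: str    # "tcp", "udp" or "tcp/udp"
    source: str      # CIDR, single address, or "any"
    dst_ports: str   # "21", "135-139", "135,139" or "any"


def parse_ports(spec):
    """Expand a port spec such as "21", "135-139", "135,139" or "any"."""
    if spec.strip().lower() == "any":
        return set(range(0, 65536))
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def audit(rules):
    """Return one finding per WAN pass rule that reaches a risky port."""
    findings = []
    for r in rules:
        if r.action.lower() != "pass" or r.interface.lower() != "wan":
            continue  # blocks and non-WAN (e.g. VPN) interfaces are fine
        exposed = sorted(parse_ports(r.dst_ports) & set(RISKY_PORTS))
        if not exposed:
            continue
        if r.source.strip().lower() == "any":
            severity, note = "critical", "open to every Internet address"
        else:
            hosts = ip_network(r.source, strict=False).num_addresses
            severity = "critical" if hosts > 256 else "high"
            note = (f"restricted to {hosts} source address(es); still exposes the "
                    "share to that range, and ISPs commonly drop 135-139 anyway, "
                    "so prefer a VPN tunnel")
        findings.append({
            "rule": f"{r.interface} {r.action} {r.protocol} {r.source} -> {r.dst_ports}",
            "ports": exposed,
            "services": [RISKY_PORTS[p] for p in exposed],
            "severity": severity,
            "note": note,
        })
    return findings


# Constructed sample rule set mirroring the thread: FTP on 21 works,
# a 135-139 rule limited to one remote server's static IP was added.
SAMPLE_RULES = [
    Rule("wan", "pass", "tcp", "any", "21"),
    Rule("wan", "pass", "tcp/udp", "203.0.113.10/32", "135-139"),
    Rule("wan", "pass", "tcp", "any", "445"),
    Rule("openvpn", "pass", "tcp", "10.8.0.0/24", "445"),
    Rule("wan", "block", "tcp", "any", "135"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['rule']}: {', '.join(f['services'])} - {f['note']}")
```

Running it against the sample set reports the 135-139 rule as high and the 445-to-any rule as critical; the FTP rule, the block rule, and the rule on the VPN interface produce no finding, which is the shape of the setup the thread recommends (shares reachable only across the tunnel).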