How to block Windows Share broadcasting? 137, 139, 445 block



  • Hello everyone!

    I am trying to block SMB & Windows Sharing broadcasting, as right now the clients turn up under "Devices" under Network in Finder/Network devices, which I don't want.

    I can't figure out why my Firewall Block Rule is not working on a pfSense 2.0.3 and I can't see anything in my System Log about this.

    I have my clients on a VLAN, called VLAN10.

    I've tried different block rules:

    Source: VLAN10 subnet (also tried VLAN10 address) to Destination: VLAN10 any, subnet, address (tried them all) for the following ports:

    netbios-ns - 137/tcp # NETBIOS Name Service
    netbios-dgm - 138/tcp # NETBIOS Datagram Service
    netbios-ssn - 139/tcp # NETBIOS session service
    microsoft-ds - 445/tcp # if you are using Active Directory

    Port 389 (TCP) - for LDAP (Active Directory Mode)
    Port 445 (TCP) - NetBIOS was moved to 445 after 2000 and beyond (CIFS)
    Port 901 (TCP) - for SWAT service (not related to client communication)

    And they still turn up! argh. What am I doing wrong?!

    EDIT: I've put these rules above my allow any to any traffic rule, so they should work, right?

    Thank you in advance.



  • I guess I can't block traffic between hosts on the same network, since it never reaches the router/firewall: the hosts can talk directly to each other without having to forward the traffic to the gateway…? Except for client isolation on the access points.



  • Yes, the firewall can only block data that goes through the firewall. Broadcast data only goes through the firewall in the case of the firewall bridging two networks, and even then, it can only block the broadcasts from reaching the other network.
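    A quick way to see this from a client is to ask the host which route it would use for a given destination: an on-link destination has no next hop, so the frame goes straight to the peer's MAC address and the pfSense interface on VLAN10 never sees it. The following is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later (for `Find-NetRoute`), and the 192.168.10.0/24 and 192.168.20.0/24 addresses are made-up stand-ins for VLAN10 and another VLAN.

    ```powershell
    # Added example: does traffic to $Destination cross the gateway (where a
    # pfSense rule can match it) or stay on-link (delivered at layer 2)?
    function Test-PathCrossesGateway {
        param([Parameter(Mandatory)][string]$Destination)

        # Find-NetRoute returns two objects: the chosen source NetIPAddress and
        # the matching NetRoute. Only the NetRoute has a NextHop property.
        $route = Find-NetRoute -RemoteIPAddress $Destination |
                 Where-Object { $null -ne $_.PSObject.Properties['NextHop'] }

        # NextHop 0.0.0.0 means "on-link": no router is involved at all.
        # Broadcasts (subnet broadcast, 255.255.255.255) are always on-link.
        $onLink = ($route.NextHop -eq '0.0.0.0')

        [pscustomobject]@{
            Destination    = $Destination
            Interface      = $route.InterfaceAlias
            NextHop        = $route.NextHop
            CrossesGateway = -not $onLink
            Note           = if ($onLink) {
                                 'delivered directly at layer 2; a rule on the pfSense VLAN interface cannot match it'
                             } else {
                                 'forwarded via the gateway; a firewall rule on that path can match it'
                             }
        }
    }

    # Constructed sample addresses (assumed VLAN10 = 192.168.10.0/24):
    Test-PathCrossesGateway -Destination '192.168.10.20'   # peer in the same VLAN: on-link
    Test-PathCrossesGateway -Destination '192.168.20.20'   # host in another VLAN: via gateway
    Test-PathCrossesGateway -Destination '192.168.10.255'  # subnet broadcast: on-link
    ```

    If `CrossesGateway` is false for the destination you care about, no rule on the router can block that traffic; the block has to happen on the host itself or on the switch/access point (client isolation, protected ports).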


  • LAYER 8 Netgate

    If you want to block traffic between hosts on the same subnet, you want Layer 2 isolation.

    Cisco: "Private VLAN Edge" and protected ports
    Brocade: Set the port on the switch going to the router as an "uplink" port
    D-Link, TRENDnet, etc.: "Asymmetric VLAN"; you can play some VLAN games with asymmetric VLANs to get the same traffic behavior.

    Any single switch supporting true "Private VLANs" will also work.  Private VLAN trunking requires all trunked devices (other switches, Access points, etc) to support Private VLANs.



  • I know it is an old topic, but it is good to know that if you want to disable NetBIOS on the LAN you can do that easily on every Windows computer if you edit:
    Internet Protocol Version, and on the WINS tab select "Disable NetBIOS over TCP/IP".

    The full article can be found here:
    http://geekflare.com/os/netbios-disable-windows-8
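    Doing the same change from PowerShell scales better than clicking through the WINS tab on every machine, and it lets you verify the result. The script below is an added example, not code from the thread or the linked article; it assumes Windows 8 / Server 2012 or later, an elevated session, and that `Win32_NetworkAdapterConfiguration.SetTcpipNetbios` is used to set NetBIOS over TCP/IP for each IPv4-enabled adapter (0 = follow DHCP, 1 = enable, 2 = disable). It also adds optional host-firewall rules for the NetBIOS ports, because a firewall on the host, unlike the one on the router, does see same-subnet traffic.

    ```powershell
    # Added example: disable NetBIOS over TCP/IP on all IPv4 adapters, verify,
    # and optionally block the NetBIOS ports at the Windows firewall.
    # Run as Administrator. Assumed: Windows 8 / Server 2012 or later.

    $NetbiosDisabled = 2   # SetTcpipNetbios: 0 = DHCP default, 1 = enable, 2 = disable

    function Disable-NetbiosOverTcpip {
        $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
        foreach ($a in $adapters) {
            $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                                  -Arguments @{ TcpipNetbiosOptions = $NetbiosDisabled }
            # ReturnValue 0 = done, 1 = done but a reboot is required
            [pscustomobject]@{
                Adapter     = $a.Description
                Index       = $a.InterfaceIndex
                ReturnValue = $r.ReturnValue
            }
        }
    }

    function Get-NetbiosSetting {
        # The same setting the WINS tab writes: NetbiosOptions under each NetBT interface key
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
        Get-ChildItem $base | ForEach-Object {
            $opt = (Get-ItemProperty $_.PSPath).NetbiosOptions
            [pscustomobject]@{
                Interface      = $_.PSChildName
                NetbiosOptions = $opt
                Disabled       = ($opt -eq 2)
            }
        }
    }

    function Test-NetbiosListeners {
        # Anything still bound to UDP 137/138 or TCP 139 after the change means
        # NetBT has not released the adapter yet (reboot if this persists).
        $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
               Where-Object { $_.LocalPort -in 137, 138 }
        $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
               Where-Object { $_.LocalPort -eq 139 }
        [pscustomobject]@{
            UdpNetbiosEndpoints = @($udp).Count
            TcpNetbiosListeners = @($tcp).Count
            NetbiosStillActive  = (@($udp).Count + @($tcp).Count) -gt 0
        }
    }

    function Block-NetbiosOutbound {
        # Belt and braces: even with NetBT enabled, a host firewall rule sees
        # same-subnet traffic that the router never receives.
        New-NetFirewallRule -DisplayName 'Block NetBIOS out (UDP 137-138)' `
            -Direction Outbound -Protocol UDP -RemotePort 137, 138 -Action Block
        New-NetFirewallRule -DisplayName 'Block NetBIOS out (TCP 139)' `
            -Direction Outbound -Protocol TCP -RemotePort 139 -Action Block
    }

    Disable-NetbiosOverTcpip | Format-Table -AutoSize
    Get-NetbiosSetting       | Format-Table -AutoSize
    Test-NetbiosListeners
    # Block-NetbiosOutbound   # uncomment to also block the ports at the host firewall
    ```

    Note that this only switches off NetBIOS over TCP/IP (ports 137, 138 and 139); SMB over TCP 445 keeps working, so file sharing itself is unaffected, and the host firewall rules above deliberately leave 445 alone.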

