SMB trap for outbound (safeguard windows user info; cylance Spear report)
-
I was watching the Techsnap show like I do almost every week.
http://www.jupiterbroadcasting.com/80632/smbtrapped-in-microsoft-techsnap-210/
The Spear white paper : http://cdn2.hubspot.net/hubfs/270968/SPEAR/RedirectToSMB_public_whitepaper.pdf?t=1429209774760Did I block outgoing traffic correctly?
I made an Alias for the two mentioned TCP ports (139 & 445) and called this "SMBports"
On the WAN side I made a rule stating:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
(block) IPv4+6 TCP LAN net * ! LAN net SMBports * none SMB Trap for outboundDid I do it correctly, or should I only block IPv4?
-
I'm blocking this MS junk thoroughly on wifi, TCP+UDP, IPv4+IPv6. :P
-
Hi;
I tried to set this up via your screen shot.
what about destination in the rule?
I have it set to use the alias and to block but if I use the example here:https://doc.pfsense.org/index.php/Aliases.
but I didn't do the extra alias.
any help thank you.
-
Not really sure what's your concern with destination. LAN traffic does not go through the firewall.
-
ok; i was setting it up wrong then
had it set on wan
-
Not really sure what's your concern with destination. LAN traffic does not go through the firewall.
ok;
I'm still not getting it then. please give me a little lead way here made the alias . then go to rules then block set single and then any ip's .
get this:
The following input errors were detected:netbios_ports is not a valid source IP address or alias.
netbios_ports is not a valid destination IP address or alias.
what did i do wrong?
-
Uh. That was my example. Of course if your alias name does not match, you get errors. You cannot just copy things blindly. Please, think about what you are doing. ;)
-
Uh. That was my example. Of course if your alias name does not match, you get errors. You cannot just copy things blindly. Please, think about what you are doing. ;)
Hi;
Yes I named it the same as what I saw in the screen shot. ports and all.
then went to rules and try to set it up to block.
same name as i had it ope in another window.