RE: Windows File Sharing with IPCop

From: Williams, Robert (RLWilliams@BBandT.com)
Date: 08/21/02


From: "Williams, Robert" <RLWilliams@BBandT.com>
To: "'Benjamin D. Goldman'" <bgoldman@kipany.com>, Bryan Ponnwitz <bponnwit@btboces.org>, focus-ms@lists.securityfocus.COM
Date: Wed, 21 Aug 2002 17:03:03 -0400

Ahhh, he's trying to use Direct Host, which is pretty much NetBIOS version 2
that's implemented with Windows 2000. DH uses the UDP/TCP ports of 445
instead of 139 for communications, and DNS instead of the NetBIOS Naming
Service. Direct Host and NetBIOS are tried in parallel and the first one to
respond wins.

RPC SHOULDN'T be necessary because RPC is for client/server communications
with applications that don't have well-known port numbers. Direct Host
clearly does, i.e. UDP/TCP port 445.

However, if I am wrong, and it's happened before, open TCP port 135 (RPC
End Point Mapper) and lock down the RPC communication ports thusly:

Key: HKLM\SOFTWARE\Microsoft\RPC\Internet
Named Value: Ports
Type: REG_MULTI_SZ
Setting: Range of port. This can be multiple lines.
64975-64995

Named Value: PortsInternetAvailable
Type: REG_SZ
Setting: Y

Named Value: UseInternetPorts
Type: REG_SZ
Setting: Y

Using the last 20 ports just makes firewall rule set management a little
easier....

Hope this helps,

Rob

-----Original Message-----
From: Benjamin D. Goldman [mailto:bgoldman@kipany.com]
Sent: Wednesday, August 21, 2002 12:21 PM
To: Bryan Ponnwitz; focus-ms@lists.securityfocus.COM
Subject: RE: Windows File Sharing with IPCop

even without NetBIOS, you probably have to open up the RPC, etc. etc.
ports... the ones that you should always block..

135-139... someone correct me if I am wrong - but I don't think you can
even use the browsing capability (which is still required even without
NetBIOS use explicitly) without having these open.

-----Original Message-----
From: Bryan Ponnwitz [mailto:bponnwit@btboces.org]
Sent: Tuesday, August 20, 2002 8:36 PM
To: focus-ms@lists.securityfocus.COM
Subject: Windows File Sharing with IPCop

I've run into a road block with my IPCop firewall and I'm hoping for
some help. Here's the scenario:

I'm running IPCop at work to segment me from the rest of the network. I
have a WinXP box behind my IPCop firewall. The XP machine is acting as
a File and Printer Sharing and Terminal Services server. File sharing
is configured for TCP/IP (no NetBIOS). I would like to be able to
access the WinXP box from the outside network. I looked on the
Microsoft support site, and found that you need to forward 445/TCP and
445/UDP to get it to work. I set this up and still cannot access the
shares. I did the exact same setup for Terminal Services (except on
port 3389) and it works like a charm. When I try to telnet to port 445
on the IPCop machine from the external network, it doesn't connect which
makes me think that it's a problem with IPCop. Could it be that IPCop
runs its secure web UI on port 445 and is therefore blocking that port?
Any help would be much appreciated!!

Bryan Ponnwitz
Webmaster - Broome-Tioga Boces
bponnwit@btboces.org
(607) 763-3609
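
The registry change Rob describes above, written out as an added PowerShell example (this is not code from the thread or from IPCop). It creates the HKLM\SOFTWARE\Microsoft\Rpc\Internet key with the three values he lists, reads them back, and then probes the firewall on 445 and 135 from the client side the way Bryan was doing with telnet. Assumptions: an elevated PowerShell session on the Windows host (Test-NetConnection needs Windows 8/Server 2012 or later), the thread's range 64975-64995 as the default, and the host name ipcop.example.test as a placeholder for the IPCop external address. The key is the one Microsoft documents for RPC dynamic port allocation (KB 154596); the RPC runtime only picks up the new range after a reboot, and the range is consulted only by services that register with the endpoint mapper. SMB over TCP 445 does not use the endpoint mapper, so 445 must answer regardless of what this key contains.

```powershell
# Added example: apply the RPC port restriction from the thread and verify it.
# Assumes an elevated session on the Windows file server being exposed.
param(
    [string]$PortRange = '64975-64995',   # the thread's range; widen if needed
    [string]$FirewallHost = 'ipcop.example.test'   # placeholder, not a real host
)

$key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

# A stock install has no Internet subkey under Rpc; create it on first use.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# Ports is REG_MULTI_SZ: one port or one "low-high" range per string.
New-ItemProperty -Path $key -Name 'Ports' -PropertyType MultiString `
    -Value @($PortRange) -Force | Out-Null

# PortsInternetAvailable=Y means the listed ports are the externally usable
# ones; UseInternetPorts=Y makes the RPC runtime allocate from that list by
# default instead of from the whole dynamic range.
New-ItemProperty -Path $key -Name 'PortsInternetAvailable' -PropertyType String `
    -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $key -Name 'UseInternetPorts' -PropertyType String `
    -Value 'Y' -Force | Out-Null

# Read the values back so the change can be reviewed before the reboot that
# is required for the RPC runtime to honour it.
Get-ItemProperty -Path $key |
    Select-Object Ports, PortsInternetAvailable, UseInternetPorts |
    Format-List

# Client-side check, equivalent to Bryan's "telnet to port 445": SMB direct
# hosting must answer on 445; 135 only matters if an endpoint-mapper based
# service is actually being forwarded through the firewall.
foreach ($port in @(445, 135)) {
    $result = Test-NetConnection -ComputerName $FirewallHost -Port $port `
        -WarningAction SilentlyContinue
    $state = if ($result.TcpTestSucceeded) { 'open' } else { 'blocked' }
    '{0}/tcp via {1}: {2}' -f $port, $FirewallHost, $state
}
```

Run it as `.\rpc-ports.ps1 -PortRange '64975-64995' -FirewallHost <ipcop-external-ip>` from an administrative prompt; if 445 reports blocked while 3389 works, the problem is on the firewall side, not in the RPC configuration.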


