Can't access windows shares from Mac OS X machine (SMB blocked) - REPOST.

Hello. I just switched to Comodo Firewall Pro a couple days ago, from Zonealarm Pro.
I got everything set up, but I can’t access my Windows shares on the computer from my Macintoshes. I’m using the SMB protocol. I can connect, login and select shares with my mac but it won’t “mount” them.

All of my network is in the address ranges. The network is of 2 working intel macs (one laptop, wireless, one desktop, wireless, all Mac OS X 10.5), 1 working PowerPC mac (wired, hardly ever used) and one old shuttle homebuilt (wired, windows xp, the one with Comodo installed and the one I’m trying to access). a Linksys 24 port gigabit switch and a 2wire gateway (wireless access point) make up the backbone.

I have put all 172.16.1.* addresses into the trusted zone in Comodo. I have also opened up port 445 in comodo.
I had the same problem with zonealarm until I allowed SMB traffic through, but I don’t know how to let it through on Comodo.

I still can’t access my windows shares with my Macs. What am I doing wrong? and is there any way to resolve this problem?

Hi urbanracer34, generally, for Windows file and print sharing to work effectively we will need communication over TCP on ports 139 and 445 and over UDP on ports 137 and 138.

If you have created a Trusted Zone you should have seen the addition of two rules to the System Object in application rules and also to the top of Global rules.

These rules should allow for complete communication both inbound and outbound for all devices that are within that Zone IP address scope.

Can you tell us what you have in your current Application and Global rules. Also are you seeing any blocl events in the firewall logs.

Here’s the CIS report.
All the intrusion attempts I’m getting in the logs is for applications that are trying to access the manufacturer’s website that I don’t want them to. :wink:

[attachment deleted by admin]

having looked through your report, I haven’t found anything that sticks out. although you might want to look at the Application rules for the System object. The top two rules should allow communication on you LAN, so keep those, but I have to wonder why you have additional inbound rules?

Also in Global rules, do you need the TCP/UDP In/Out Any?

That aside, as it stands you can’t connect with the firewall active and there are no log entries?

Regarding the first 2 points, those were entries that I had added to try to resolve the problem before coming here for help. I have since removed most if not all of them.

Nothing in the logs, and even when the firewall is off my mac still won’t mount the share. Even one of my macs in Windows 7 can’t access it!

If it helps at all, I also switched antivirus products too at the same time as I switched firewalls, from Sophos to Norton (Sophos was maxing my machine’s CPU usage repeatedly)

I guess we should make sure everything is set-up for sharing correctly, although if you’ve done this before, it probably is, but it won’t hurt to run through it anyway:

  1. You have created a shared folder on the Windows box with appropriate permissions and a share name not greater than 12 characters?

  2. When you attempt to connect to the share, you do so using a valid account name and password appropriate for the Windows host?

  3. You have configured the Mac to use SMB/CIFS?

  4. You have Inbound and Outbound rules for IP at the top of Global rules in CIS and also on the System object in Application rules?

  5. There are no Block rules above theses rules?

  6. Are you using the NetBIOS/Host name or the ip address in the UNC?

  7. In CIS edit the rules for the trusted zone in Global and Application and check the option to log.

  8. Try the connection again and see if any events are generated.

  1. Yes.
  2. No, I have the folder set up to allow full access to guest users for accessibility, and I use the guest account to access it. I have used this setup even when I was running ZoneAlarm. It worked flawlessly till I switched to COMODO.
  3. Yes.
  4. Yes.
  5. Correct.
  6. Host name.
  7. Done.
  8. One log entry that corresponds to the machine I was connecting from:
    Application: System
    Action: Allowed
    Protocol: UDP
    Source IP: (Machine with COMODO)
    Source Port: 137
    Destination IP: (Macintosh)
    Destination Port: 50018

No connections were logged in the opposite direction.

I’m running out of ideas here…

The communication your seeing is simply the NetBIOS Name Service, basically this service is used to let other machines on the network know about the services offered. It’s also used to to register NetBIOS names and subsequently find NetBIOS services.

If you open a command prompt on the XP box and type nbtstat -an it should provide you with a list on known resources, both it’s own local services and those that have registered with it. I can’t recall if the Mac has nbtstat installed by default, if it has, you could try the same thing there too.

Another suggestion is to replace the host name in the UNC and use the XP’s IP address. It might also be worth checking out what kind of connectivity you have. See if you can ping the XP box also, on the XP box run nbtstat -S 1 and then from the Mac try something like “\xp box name” and observe the connections information in the nbtstat window.

Ok. I tried the nbtstat commands you suggested.
Options “-an” only reported the local machine (One with comodo) and the workgroup name (MSHOME), no macs in the list.
Options “-S 1” came up with no connections, even when the Mac was accessing.

I’m some other things: I decided to (temporaily) uninstall COMODO to find once and for all what was going on. Even when COMODO was removed, the Mac still wouldn’t mount the share. Now I know that COMODO wasn’t to blame at this point in time.

I started questioning my new antivirus product, Norton Antivirus Gaming Edition. I decided to do a removal of Norton while keeping my settings. the mac was able to mount it finally! :-TU

I reinstalled COMODO, this time installing both the Anti-virus and the Firewall. After getting everything set back up on COMODO, the mac failed to mount the share again! :-TD

Hello Urban,

Does the problem go away when you set the Firewall Security Level to disabled ?

Did you try connecting using the ip address of the XP box as opposed to the host name?

I must admit I can’t think of any reason why the AV should be prevention the connection, but I guess it would, if possible, be worth trying with the AV component removed. You should be able to do the by running cpfconfg.exe -u and selecting Add/Remove.

The only other thing I can think of is removing the trusted Zone and the associated rules in Global and Application and creating a single dedicated rule that allows communication specifically between your Mac and the Comodo. Just use TCP and UDP. First create a new Port set from the Common tasks/My Port Sets and add ports 137, 138, 139 and 445 it might be worth adding 135 too.

Allow TCP or UDP
Direction IN and OUT
Source Address = Internal IP Address range - (or what ever you have chosen)
Destination Address = Internal IP Address range - (or what ever you have chosen)
Source Port = Any
Destination Port = The Port Set.

Add this rule at the top of Global Rules and to the top of the System Object in Application Rules.

Also make sure you can ping the Comodo box.

I tried the IP address and it didn’t work.
Disabling the firewall had no effect. (tried both host name and IP.)
Uninstalling the Antivirus had no effect. (tried both host name and IP.)

Added the single dedicated rule Quill suggested and it had no effect. (tried both host name and IP.)
Pinging worked before adding the above rule.

So if i understand correctly it doesn’t work with or without firewall installed on the Windows machine ?

Can you test the following:

telnet 139

Press ENTER after that and see if it connects or give’s an error, a connect should turn up with a blinking cursor on the top left, if that works we know there is a connection possible with the system, then the problem should be caused by permissions.

Hi, I’d remove that rule now and revert to the Trusted Zone rules you had before, it was only for testing.

Just out of interest, did the ping work when you still had the Trusted Zone rules in place, or was it after you removed them?

Telnet worked.
Ping did work when I had the trusted Zone rules in place.
Reverted testing changes

As I stated before, it worked fine when I was using ZoneAlarm.

Making the connection should be possible, if you try to connect from the MAC can you try in a console window to type:

netstat -an

and see if there is a line with the ip of the windows host in it with the state ESTABLISHED ?

There is a line for the windows machine, but the state is TIME_WAIT instead of ESTABLISHED.

Okay so the connection is RESET, is seems like there is something wrong with the credentials your using to map the drive, are you sure those are correct ?

Do you have an other windows system to test if it works from that one ?

Yes, My Credentials are correct. I had already stated this before. I am using the guest account and the folder is set up for full read/write access.
I already tried from a Mac booted into windows via BootCamp (Windows 7) and It was unable to mount the share as well.

I’ve decided that Comodo is being too much of a hassle for me, so I’m going to go find another firewall.
I appreciate all the help you guys did for me, but it didn’t solve my problem.