Firewall alert for netbios request on public network

So, I am sitting at the public library, connected via wifi. When I first connected to this network weeks ago, I told CIS that I did NOT want to be seen (or accessed? whatever the option is) by other computers here. But, occasionally, I get a Firewall Alert - which went away by itself, by the way, when I was logging on here to ask - that said it had gotten a request on port 137, identified as nbsess (or something like that). I assume some other PC was trying to browse the wifi network for netbios connections - either innocently or not.

So my first question is: by not replying in a timely fashion, was this request ultimately allowed? It does not show up in the firewall events as blocked, so I guess it must have been … but why?

Secondly - I typically block these when on a public network - but I don’t click the Remember button - because I am not sure whether this will be remembered for ALL my networks - even my home network - or just this one, or just this source IP address … I want to be accessible to other PCs when I am at home. Can I block this, and have it remembered, and still work OK at home? More basically - why do I even see this if I told it that this was a public network?

This is Vista Home Premium, with CIS 3.10.102363.531.

Thanks
Dan

When the public and home network are in the same network range you would block your home situation when you would deny and remember.

The only workaround I know is to make a general allow rule for Netbios. When being in a public place you move that rule underneath the basic block rule(s) (with the red icon(s)). When back home move it back to somewhere above the basic block rule(s).

So I guess what you are saying is that it will “remember” it within the context of the network. The networks are not exactly the same - the library uses 192.168.160.52/255.255.255.0, and starbucks uses 192.168.5.110/same mask - while I use, well, something else. Not sure there is any reason not to post it - but no reason to do so, either. So I guess I am safe setting it to remember.

But I guess the question is - why isn’t this blocked (or allowed) by whatever I tell the New Network Wizard (or whatever it is called)? Is this not necessarily a risk - if it is just going to see that I exist - but it’s better to block it, on the assumption that being hidden is always better when possible?

Thanks for the reply, in any case.
Dan

Is it not possible to create separate network profiles for each location, define one as public and the other home, then adjust the settings for each accordingly?

Are you asking me, your average Joe User? I am sure someone can - with a rule based system, you can probably do just about anything - but I don’t really plan to become an expert on writing rules. I just want a firewall I can use to protect my system while I am on the road, and get my work done when I am at home.

I guess I would ask - what is Comodo’s target audience? If it is consumers, then it is fine to have a rule based system, but customization needs to be automated up the wazoo. If the target audience is IT professionals, then simply having a rule engine, and good documentation, and no bugs, will probably do the trick.

Although I will tell you one other thing it needs - a rule test mechanism. Some way to build a set of rules, then ask it "what happens if you see a packet from this address to that address, using these ports, and this program name, and … " - you can fill in the rest better than me. But that’s still not going to work for the average consumer. I have 35 years of IT experience - but very little with building firewalls - and absolutely no interest in doing so now.

Comodo got great ratings for protecting a computer - the firewall will presumably do what the rules tell it to do - but I am not sure that’s sufficient for a consumer product. Which maybe it’s not supposed to be.

Maybe I am off base here. Maybe I just don’t get it. But someone will have to 'splain.

Dan

Sorry, I wasn’t referring to CIS configuration, I was referring to Windows network profiles. I should have made that more plain.

You can change the settings for a given network type, i.e. you can differentiate between Home and Public. These settings may be configured to support a given environment.

The traffic you were seeing, NetBIOS on port 137, is used by Microsoft and some other types of clients that support NetBIOS for the process of Discovery, Name registration and Name removal; it’s basically broadcast chatter. It’s one of a group of protocols used in Microsoft’s file and print sharing.

If you wish to ensure you are protected from people gaining access to your PC via these mechanisms, then you can, of course, create individual rules in CIS; however, disabling file and print sharing on a particular network connection in Windows not only disables UDP port 137, but 135, 138, 139 and 445 as well.

Something else you could do to restrict your exposure on public networks, is the following:

Open an elevated command prompt and type:

Net config server /hidden:yes

This will hide your computer from prying NetBIOS eyes. When you want to be seen again, simply reverse the command and use ‘no’
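To make the "broadcast chatter" in the post above concrete, here is an added example (not code from the thread, from Comodo, or from Microsoft) that builds and decodes NetBIOS Name Service datagrams of the kind that arrive on UDP port 137: a browse query for a workgroup's master browser and a workstation registering its own name. The packets, the names WORKGROUP and DANSLAPTOP, the transaction IDs and the 192.0.2.50 address are all constructed for the example; the wire layout follows RFC 1002.

```python
"""Decode NetBIOS Name Service (NBNS, UDP port 137) requests.

Added example for this thread; it is not code from the posts or from Comodo.
The packets below are constructed here for illustration (names, IDs and the
192.0.2.50 address are made up), following the wire format in RFC 1002.
"""
import struct
from typing import Optional, Tuple

# NBNS opcodes (bits 11-14 of the header flags word)
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}
# Common NetBIOS name suffixes (16th byte of the name)
SUFFIXES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
            0x1D: "master browser", 0x1E: "browser election", 0x20: "file server"}
RD_FLAG, BCAST_FLAG, RESPONSE_FLAG = 0x0100, 0x0010, 0x8000


def encode_name(name: str, suffix: int) -> bytes:
    """First-level encoding: pad to 15 chars, append the suffix, write each nibble as 'A'+nibble."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))


def decode_name(enc: bytes) -> Tuple[str, int]:
    """Reverse of encode_name; returns (name, suffix). Rejects bytes outside 'A'..'P'."""
    if len(enc) != 32 or any(c < 0x41 or c > 0x50 for c in enc):
        raise ValueError("malformed NetBIOS name label")
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]


def build_nbns_request(tid: int, opcode: int, name: str, suffix: int,
                       owner_ip: Optional[str] = None) -> bytes:
    """Build a broadcast NBNS request; registrations/releases carry the owner's IP in an RR."""
    flags = (opcode << 11) | RD_FLAG | BCAST_FLAG
    arcount = 1 if owner_ip else 0
    pkt = struct.pack("!6H", tid, flags, 1, 0, 0, arcount)
    pkt += b"\x20" + encode_name(name, suffix) + b"\x00" + struct.pack("!HH", 0x0020, 1)
    if owner_ip:
        # Additional record: pointer to the question name, type NB, class IN, TTL, NB_FLAGS + IP
        ip = bytes(int(o) for o in owner_ip.split("."))
        pkt += struct.pack("!HHHIH", 0xC00C, 0x0020, 1, 300000, 6) + b"\x00\x00" + ip
    return pkt


def parse_nbns(pkt: bytes) -> dict:
    """Parse the header and first question of an NBNS packet into a summary dict."""
    if len(pkt) < 12:
        raise ValueError("too short for an NBNS header")
    tid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", pkt[:12])
    # Question section: length byte 0x20, 32-byte label, 0x00 terminator, QTYPE, QCLASS
    if qdcount < 1 or len(pkt) < 50 or pkt[12] != 0x20 or pkt[45] != 0x00:
        raise ValueError("no well-formed question section")
    name, suffix = decode_name(pkt[13:45])
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    return {
        "tid": tid,
        "response": bool(flags & RESPONSE_FLAG),
        "opcode": OPCODES.get((flags >> 11) & 0x0F, "unknown"),
        "broadcast": bool(flags & BCAST_FLAG),
        "name": name,
        "suffix": suffix,
        "role": SUFFIXES.get(suffix, "other"),
        "qtype": "NB" if qtype == 0x0020 else "NBSTAT" if qtype == 0x0021 else hex(qtype),
        "additional_records": arcount,
    }


def describe(pkt: bytes) -> str:
    """One-line, log-style summary of what a port-137 datagram is asking for."""
    p = parse_nbns(pkt)
    kind = "broadcast" if p["broadcast"] else "unicast"
    return (f"NBNS {p['opcode']} ({kind}) for {p['name']}<{p['suffix']:02X}> "
            f"[{p['role']}], qtype={p['qtype']}")


# Constructed samples: a browse query for the workgroup's master browser, and a
# workstation registering its own name when it joins the network.
SAMPLE_QUERY = build_nbns_request(0x1234, 0, "WORKGROUP", 0x1D)
SAMPLE_REGISTRATION = build_nbns_request(0x1235, 5, "DANSLAPTOP", 0x00, "192.0.2.50")

if __name__ == "__main__":
    for pkt in (SAMPLE_QUERY, SAMPLE_REGISTRATION):
        print(describe(pkt))
```

The decoder only reads the header and the first question, which is enough to tell a name query apart from a registration or release and to show which name and suffix (workstation, master browser, file server) a neighbour is asking about; that is the information a firewall alert on port 137 is really reporting.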

Hello Dan

Alerts are automatically blocked without user intervention after a (user-configurable) 120 sec delay. It looks like D+ will log these automated deny actions but the FW does not.

The details of the rule generated by alerts are related to Firewall Tasks > Advanced > Firewall Behavior Settings \ Alert Level

The default setting (Low) will not retain IP address, protocol or port, but only whether the connection is outgoing or incoming.

When an alert is not marked to be remembered the rule is enforced until the related application is terminated.

It depends on the Stealth wizard options used.

Could you please post also screen-shot of all your network zones as listed in Firewall Tasks > Common Tasks > My Network Zones ?

OK - I can live with that. :slight_smile: Makes me feel better that they are blocked, rather than allowed, as the absence of the log entry made me think.

Just to be clear - the alert level also controls the rule level that is built if I select remember? But I have to go all the way to High, to get IP address alerts - meaning I have to use High to get IP address built into the remembered rules?

I am not sure I have ever run the Stealth Ports Wizard, if that’s what you are referring to. But I thought some rules were built based on my answer to the New Private Network dialog - “I would like to be fully accessible …” - or not. I am pretty sure I did NOT select that box when I added the non-home networks.

I attached my zones screenshot …

Thanks
Dan

[attachment deleted by admin]

Maybe make two little batch files for this? I put the lines Net config server /hidden:yes and Net config server /hidden:no each in separate batch files. They are attached in a zip archive.

[attachment deleted by admin]

Indeed, the alert level also controls the detail of the rule generated when “Remember my answer” is checked. Setting the alert level to ‘Very high’ takes the IP address into account as well, but for each destination IP it will differentiate between protocol, direction and destination port (if applicable), so one IP address might trigger different alerts.

When new IP ranges are detected an option is provided to add them to “My Network Zones”, which provides a way to configure IP lists. IIRC the option checkbox you mentioned will create “Define a trusted network” rules as well.

Using the Stealth Ports Wizard it is possible to generate rules that can be viewed/modified through Firewall Tasks > Advanced > Network Security Policy \ Application Rules and Global Rules tabs

  • Define a new trusted network will generate some rules that will allow all IP traffic for one or more of the IP ranges (Zones) listed in “My network Zones”.
  • Block all incoming connections will create a global rule to allow outbound traffic and Block & log Inbound traffic.

Using both it is possible to fully allow the home zone while automatically blocking inbound connections from the rest, though in case some application acts as a server it is necessary to create corresponding global firewall rules to allow incoming connections on fixed ports.

Alert me to incoming connections on the stealth wizard is seemingly meant to remove “block all incoming connection” global rules.
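The thread's advice turns on rule order and rule scope: a NetBIOS allow rule only takes effect when it sits above the "Block & log inbound" global rule, and it only stays safe in public if it is scoped to the home zone rather than to any source (which is what a remembered answer at the Low alert level amounts to, since it keeps no IP address). The following is an added example, not CIS code and not a reproduction of its engine: a small first-match evaluator that also serves as the "rule test mechanism" asked for earlier in the thread. The zones, rules and packets are constructed; the library and coffee-shop ranges follow the ones posted above, and the home range 10.0.0.0/24 is a placeholder.

```python
"""Simulate first-match firewall rule ordering for the NetBIOS case in this thread.

Added example for the thread; it is not CIS code and does not reproduce CIS's
engine. The zones, rules and packets are constructed: the library and coffee-shop
ranges follow the ones posted above, the home range 10.0.0.0/24 is a placeholder.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# The ports the thread lists for file and print sharing
NETBIOS_PORTS = frozenset({135, 137, 138, 139, 445})

# "My Network Zones" as described in the thread (home range is a placeholder)
ZONES = {
    "home": ip_network("10.0.0.0/24"),
    "library": ip_network("192.168.160.0/24"),
    "coffee_shop": ip_network("192.168.5.0/24"),
}


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out"
    proto: str      # "tcp" or "udp"
    src: str        # remote address for inbound traffic
    port: int       # local destination port for inbound traffic


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "block"
    direction: str                 # "in", "out" or "any"
    proto: str = "any"
    src_zone: Optional[str] = None  # zone name, None = any source
    ports: frozenset = frozenset()  # empty = any port
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.direction not in ("any", pkt.direction):
            return False
        if self.proto not in ("any", pkt.proto):
            return False
        if self.ports and pkt.port not in self.ports:
            return False
        if self.src_zone and ip_address(pkt.src) not in ZONES[self.src_zone]:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    # As the thread describes: no rule -> an alert, auto-blocked after the timeout
    return "alert", "no matching rule"


ALLOW_OUT = Rule("Allow outbound", "allow", "out")
BLOCK_IN = Rule("Block & log inbound", "block", "in", log=True)
ALLOW_NB_HOME = Rule("Allow NetBIOS from home zone", "allow", "in",
                     ports=NETBIOS_PORTS, src_zone="home")
ALLOW_NB_ANY = Rule("Allow NetBIOS from anywhere", "allow", "in", ports=NETBIOS_PORTS)

# Three orderings: the allow rule above the block (at home), the same rule moved
# below the block (the workaround for public places), and an unscoped allow above
# the block (what a remembered "allow" with no IP detail amounts to).
AT_HOME = [ALLOW_OUT, ALLOW_NB_HOME, BLOCK_IN]
IN_PUBLIC = [ALLOW_OUT, BLOCK_IN, ALLOW_NB_HOME]
UNSCOPED = [ALLOW_OUT, ALLOW_NB_ANY, BLOCK_IN]


def trace(rules: List[Rule], pkts: List[Packet]) -> List[str]:
    """The 'rule test mechanism' asked for in the thread, in miniature: one line per packet."""
    out = []
    for p in pkts:
        action, why = evaluate(rules, p)
        out.append(f"{p.direction:>3} {p.proto} {p.src}:{p.port} -> {action} ({why})")
    return out


if __name__ == "__main__":
    samples = [Packet("in", "udp", "10.0.0.7", 137), Packet("in", "udp", "192.168.160.9", 137),
               Packet("in", "tcp", "192.168.5.110", 445), Packet("out", "udp", "10.0.0.7", 137)]
    for label, rules in (("at home", AT_HOME), ("in public", IN_PUBLIC), ("unscoped", UNSCOPED)):
        print(f"== {label}")
        print("\n".join(trace(rules, samples)))
```

Running it shows the three outcomes the thread discusses: with the zone-scoped rule above the block, a port-137 request from the home range is allowed and one from the library range is blocked and logged; with the rule moved below the block, even the home request is blocked; with an unscoped allow rule, the library request gets through too.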

Thanks. I think I understand it better now. I’ll experiment with some of these options.

Dan