Name resolution & file sharing on local network

The forums have been very helpful, but I had to figure one thing out for myself; I just wanted to mention it in case anyone else comes across a similar problem.

On a small local network, it is generally advised on this forum to create a zone using ‘tasks’ and then create a network rule to:
allow IP, from IP: local zone, to IP: any

Taking the approach of opening as little as possible, I allowed IP to the local zone only (e.g. to 192.168.1.1 to 192.168.1.5).

Whilst it was possible to connect to local machines/printers by IP address, connection by name (i.e. \\computername\sharename) was not possible. Assuming your machine name is not given out by a DNS server, but is the one you entered into Windows (as mine is), you also need to allow UDP traffic (only) from the local zone to 192.168.1.255.

I’ve attached a picture of the resulting network rule :)

Of course this could be done more elegantly by just making the local zone 192.168.1.1 - 192.168.1.255, or even more so by allowing the local zone to contact ANY IP, but I just mentioned it in case it helps anyone else who likes to open up as little as possible :s

Thanks for a great firewall btw; my ZoneAlarm Pro licence is pretty useless now!

[attachment deleted by admin]
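The broadcast name lookup robin describes, shown as an added example (this is not code from the post, from the firewall, or from Windows): a client that cannot resolve \\computername via DNS sends a NetBIOS Name Service query to the subnet broadcast address on UDP/137, and whichever host owns that name answers with its IP. The script below builds that query by hand, parses the positive reply, and can send it over a real socket. The host name FILESRV, the transaction ID 0x1234, the reply IP 192.168.1.5 and the default broadcast address 192.168.1.255 are assumptions for illustration; the reply packet used in the test is constructed locally, not captured.

```python
"""NetBIOS Name Service (NBNS, UDP/137) broadcast name query, built by hand.

Added example, not from the original post. It shows why connecting to
\\computername\share on a LAN with no DNS/WINS server needs a firewall
rule allowing UDP to the subnet broadcast address (x.x.x.255:137).
"""
import socket
import struct

NBNS_PORT = 137
FLAGS_QUERY_BCAST = 0x0110    # opcode=QUERY, RD=1, B(roadcast)=1
FLAGS_POS_RESPONSE = 0x8500   # QR=1, AA=1, RD=1, rcode=0
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001
SUFFIX_FILE_SERVER = 0x20     # "<20>" File Server service, what \\name\share asks for


def encode_netbios_name(name: str, suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name + 1 suffix byte,
    each nibble mapped to 'A'..'P', giving 32 ASCII bytes on the wire."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))


def decode_netbios_name(enc: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, txid: int = 0x1234, suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """The 50-byte NAME QUERY REQUEST a Windows client broadcasts."""
    header = struct.pack(">6H", txid, FLAGS_QUERY_BCAST, 1, 0, 0, 0)   # QD=1
    question = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"  # len, name, terminator
    return header + question + struct.pack(">2H", QTYPE_NB, QCLASS_IN)


def build_name_response(txid: int, name: str, ip: str, ttl: int = 300000,
                        suffix: int = SUFFIX_FILE_SERVER) -> bytes:
    """What the name owner sends back (constructed here for offline testing)."""
    header = struct.pack(">6H", txid, FLAGS_POS_RESPONSE, 0, 1, 0, 0)  # AN=1
    rr_name = b"\x20" + encode_netbios_name(name, suffix) + b"\x00"
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)            # NB_FLAGS (B-node, unique) + IP
    return header + rr_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata


def parse_name_response(pkt: bytes) -> dict:
    """Parse a positive NAME QUERY RESPONSE; raises ValueError on anything else."""
    txid, flags, qd, an, ns, ar = struct.unpack(">6H", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    if flags & 0x000F:
        raise ValueError(f"negative response, rcode={flags & 0xF}")
    if an < 1 or pkt[12] != 0x20:
        raise ValueError("malformed answer section")
    name, suffix = decode_netbios_name(pkt[13:45])       # pkt[45] is the 0x00 terminator
    rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", pkt[46:56])
    if rtype != QTYPE_NB or rclass != QCLASS_IN:
        raise ValueError("unexpected RR type/class")
    addrs = []
    for off in range(56, 56 + rdlen, 6):                 # each entry: 2 bytes NB_FLAGS + 4 bytes IP
        addrs.append(socket.inet_ntoa(pkt[off + 2:off + 6]))
    return {"txid": txid, "name": name, "suffix": suffix, "ttl": ttl, "addrs": addrs}


def broadcast_query(name: str, broadcast: str = "192.168.1.255", timeout: float = 2.0):
    """Send the query to the subnet broadcast address and wait for the owner's reply.
    This is the traffic the extra firewall rule (UDP to x.x.x.255) has to allow."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(build_name_query(name), (broadcast, NBNS_PORT))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None                                   # nobody on the subnet owns that name
    return src, parse_name_response(data)


if __name__ == "__main__":
    print(broadcast_query("FILESRV"))
```

Running it on a LAN prints the responding host and its IP, or None if nothing answers. Since the query goes to the broadcast address rather than to any host in the 192.168.1.1 - 192.168.1.5 zone, a rule limited to that zone never sees it, which is exactly the symptom in the post.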

Hi robin, welcome to the forums & thank you for sharing this with us.

If it’s OK with you, I’ll move this to the FAQ section.

Kail, yes sure - I’ve corrected a couple of typos and attached a picture of the resulting rule.

regards, robin

OK, thanks robin… moved to FAQ.

btw: Map Network Drive will still work w/o this rule

If I want to batten down the computer but still allow file/printer sharing, what ports should I enable?

I enabled 137, 138, 139, 445. The result: mapping using IP, e.g. \\192.168.0.5\share$, works. But I am concerned that I opened too many ports.

Any input on my concerns?

Sorry, pepoluan, I don’t have any significant input for you… I’m not the wizkid of file/print-sharing, I’m afraid. I try to stay thoroughly away from implementing that. ;D

However, I know some wizkids are here, so someone should help you out shortly…

LM

Regarding the ports needed, look at the section "Client/Server port usage" on this page describing SMB (Server Message Block).

If the server has NetBT enabled, it listens on UDP ports 137, 138, and on TCP ports 139, 445. If it has NetBT disabled, it listens on TCP port 445 only.

Still testing it…

But these network rules could be put on top of the others.
Modify your network range accordingly…

BLOCK and LOG TCP or UDP IN FROM IP NOT IN RANGE 192.168.0.0 - 192.168.255.255
TO IP RANGE 192.168.0.0 - 192.168.255.255 WHERE SOURCE PORT IS [ANY] AND DESTINATION PORT IS IN [135,137,138,445]

BLOCK and LOG TCP or UDP OUT FROM IP RANGE 192.168.0.0 - 192.168.255.255 TO IP NOT IN RANGE 192.168.0.0 - 192.168.255.255 WHERE SOURCE PORT IS IN [135,137,138,445] AND DESTINATION PORT IS [ANY]
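To see what the two BLOCK and LOG rules above actually catch, here is an added example (not the firewall's code and not part of the post) that models them as written and runs constructed packets through them. The LAN range 192.168.0.0 - 192.168.255.255 and the port list [135,137,138,445] are taken from the rules as posted; the outside address 203.0.113.7, the inside addresses and the rule names are assumptions for illustration.

```python
"""Matcher for the two BLOCK+LOG rules posted in the thread, as an added example.

Not the firewall's own logic: it applies each rule's direction, IP-range and
port conditions to a constructed packet, first match wins, and reports what
would be blocked and logged. Anything that matches neither rule falls through
to whatever rules sit below them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.0.0/16")      # 192.168.0.0 - 192.168.255.255, as posted
SMB_PORTS = frozenset({135, 137, 138, 445})        # port list exactly as posted (TCP 139 is absent)


@dataclass(frozen=True)
class Packet:
    direction: str    # "IN" or "OUT", relative to this host
    proto: str        # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    src_in_lan: bool                 # True: source must be IN RANGE; False: must be NOT IN RANGE
    dst_in_lan: bool                 # same for destination
    sports: Optional[frozenset]      # None means [ANY]
    dports: Optional[frozenset]

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction or p.proto not in ("TCP", "UDP"):
            return False
        if (ipaddress.ip_address(p.src) in LAN) != self.src_in_lan:
            return False
        if (ipaddress.ip_address(p.dst) in LAN) != self.dst_in_lan:
            return False
        if self.sports is not None and p.sport not in self.sports:
            return False
        if self.dports is not None and p.dport not in self.dports:
            return False
        return True


# The two rules from the post, in the order they were given.
RULES = [
    Rule("block-smb-in",  "IN",  src_in_lan=False, dst_in_lan=True,  sports=None,      dports=SMB_PORTS),
    Rule("block-smb-out", "OUT", src_in_lan=True,  dst_in_lan=False, sports=SMB_PORTS, dports=None),
]


def evaluate(p: Packet, rules=RULES) -> tuple[str, Optional[str]]:
    """First matching rule wins; 'NO MATCH' means the rules below would decide."""
    for r in rules:
        if r.matches(p):
            return "BLOCK+LOG", r.name
    return "NO MATCH", None


# Constructed sample traffic (assumed addresses; 203.0.113.7 stands for an Internet host).
SAMPLES = [
    Packet("IN",  "TCP", "203.0.113.7", 51000, "192.168.0.5", 445),   # Internet -> my SMB: blocked
    Packet("IN",  "TCP", "192.168.0.3", 51001, "192.168.0.5", 445),   # LAN peer -> my SMB: not these rules
    Packet("OUT", "TCP", "192.168.0.5", 445,   "203.0.113.7", 51000), # my SMB replying outward: blocked
    Packet("OUT", "TCP", "192.168.0.5", 52000, "203.0.113.7", 445),   # me -> Internet SMB server: not covered
    Packet("IN",  "TCP", "203.0.113.7", 40000, "192.168.0.5", 139),   # Internet -> NetBT session port: not in list
]


def run_samples() -> list[tuple[Packet, str, Optional[str]]]:
    return [(p, *evaluate(p)) for p in SAMPLES]


if __name__ == "__main__":
    for p, verdict, rule in run_samples():
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict} {rule or ''}")
```

Two things the run makes visible: the rules as posted say nothing about this host connecting out to an SMB server on the Internet (OUT from an ephemeral source port to destination port 445), and TCP 139, which the earlier post lists as one of the NetBT ports, is not in the port list, so an inbound session attempt to 139 falls through to the rules below. Both are a matter of which ports and directions you choose to add, not of the matcher.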