UDP Communication on Port 138 blocked. Is this normal?

I’ve tried to research my issue on the COMODO forums and on the internet but find the discussions too technical for me to understand. Sorry if this has already been addressed in past threads.

I’m using CIS 4.1.150349.920 with no anti-virus module, sandbox active, proactive security selected, on a WIN XP SP-3 PC with DHCP enabled. My firewall and Defense+ modules are set at “safe”. I’ve made no changes to the default CIS installation settings for my ports. The PC is hard-wired to a router/DSL modem via an ethernet cable. The router/modem’s internal firewall is turned off by default and I’ve turned off the Windows firewall after successfully installing CIS.

I’m seeing a huge number of blocked “intrusion attempts”, almost all of which are identical. The one of interest to me is a UDP protocol via Port 138 from the 192.168.1._ IP address my router always assigns to my PC to 192.168.1.255 on the same Port (138).

I’m an IT layman, and wish to know if this is expected firewall behavior for my system. Complete system scans with up-to-date Avira’s Anti-vir and Malwarebytes reveal no anomalies. Although my system seems to be functioning normally, this constant blocking activity must consume system resources and at least potentially slow down my system.

Thanks in advance for your reply.

Yes.

The only situation where NetBIOS ports (137-139 and, by extension, RPC 135) should be allowed is on a LAN.

If your router is a gateway to several computers, you must allow these ports ONLY for the LAN zone and, if not, you shall get thrown out of your own LAN.

But, even if you have a single computer, some routers might try to consider you as a member of a “global network” over Internet: in such an instance, you should definitely block (and not log, it’s useless) broadcasting requests (ip 192.168.1.255) for these ports.

In short, ports 135-139 are a very high security risk and should, both UDP and TCP, both in and out:
- be allowed only for your LAN IP if any (including the local IP of the router as a gateway)
- and be blocked for whatever else.

My idea is also that you should disable dhcp and set your computer(s) as static ip 192.168.1.n.
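To make the rule described in this reply concrete (NetBIOS allowed only inside the LAN zone, blocked and not logged for broadcasts, blocked and kept in the log for anything crossing the LAN boundary), here is an added example that is not from the original thread or from Comodo. The log lines are constructed for the example and do not follow the real CIS log format; the LAN zone 192.168.1.0/24 is taken from the thread, and port 445 is added as the modern SMB-over-TCP port alongside the 135-139 range the reply names.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample events (not real CIS log output): "PROTO src:port -> dst:port"
SAMPLE_EVENTS = [
    "UDP 192.168.1.3:138 -> 192.168.1.255:138",   # the blocked entry from the thread
    "UDP 192.168.1.3:137 -> 192.168.1.255:137",   # NetBIOS name-service broadcast
    "TCP 203.0.113.7:4455 -> 192.168.1.3:139",    # NetBIOS session attempt from outside
    "TCP 192.168.1.3:1025 -> 198.51.100.9:445",   # SMB leaving the LAN
    "UDP 192.168.1.3:68 -> 255.255.255.255:67",   # DHCP, unrelated to NetBIOS
]

# 135-139 as named in the thread, plus 445 (SMB over TCP) which the same rule should cover
NETBIOS_PORTS = {135, 137, 138, 139, 445}
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN zone, from the thread


class Event(NamedTuple):
    proto: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int


def parse_event(line: str) -> Event:
    """Parse one constructed 'PROTO src:port -> dst:port' line."""
    proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Event(proto, ipaddress.ip_address(sip), int(sport),
                 ipaddress.ip_address(dip), int(dport))


def classify(ev: Event, lan=LAN) -> str:
    """Apply the LAN-zone rule: where did this NetBIOS/SMB traffic try to go?"""
    if ev.sport not in NETBIOS_PORTS and ev.dport not in NETBIOS_PORTS:
        return "not-netbios"
    if ev.src in lan and ev.dst == lan.broadcast_address:
        return "lan-broadcast"   # expected chatter: block silently, no need to log
    if ev.src in lan and ev.dst in lan:
        return "lan-unicast"     # allow only if the LAN machines really share files/printers
    return "off-lan"             # NetBIOS crossing the LAN boundary: block and keep the log entry


def summarize(lines, lan=LAN) -> dict:
    """Count verdicts over a batch of log lines."""
    counts: dict = {}
    for line in lines:
        verdict = classify(parse_event(line), lan)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```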

Thanks for the detailed reply. There is another PC in the LAN that is connected to the router, via WiFi. We do not use the same printer or file-share.

While waiting for a reply to my inquiry, I experimented by disabling NETBIOS on the WINS tab of the advanced options for TCP/IP. After rebooting and using the PC for a while, all the communications with the router and with the internet seem to be normal. I suspect that I don’t need NETBIOS at all.

The CIS firewall activity log has no further entries for UDP or for Port 138.

Would my PC be more secure if I had left NETBIOS in the default setting, and instead assigned my PC the router’s choice of IP address, disabling DHCP?

Yes.

It would allow you to set a LAN zone made of your local assigned 192.168.1.n ip, and to restrain some ports to this LAN zone, making sure that Netbios is not used over Internet.

Keep NetBIOS disabled! It's a wonder that people find this strange hidden disable box for NetBIOS.
You don't need NetBIOS.
When you wonder if Comodo would slow down your PC by blocking unwanted connections…
I would say allowing unwanted connections would slow down not only your PC, but the internet connection too.
So if you see Comodo blocking something, it's a good thing. That's what a firewall does :wink:

Generally you should block everything that was not started with a request by yourself!

No.

If you are using a LAN and communications between your LAN computers, you definitely need NetBIOS over TCP/IP (other protocols exist, but none of them is currently used in a Windows LAN for the home user).

In these conditions, disabling NetBIOS (and/or RPC) shall, as I said, lock you out of your LAN.

NetBIOS should be disabled only if not using a LAN.

Thanks brucine and clockwork for your comments.

Although I believe that technically I have a LAN, as I mentioned previously, the 2 PCs connected to the router do not share a printer or file-share. There are no utilities on either one that “talk” to the other. So in reality, my set-up may not constitute a LAN.

After disabling NETBIOS I haven’t detected any malfunctions in any of my programs that rely on an internet connection, e.g., browsers, updaters, etc. Therefore, in my circumstances, NETBIOS seems irrelevant and I’m going to leave it disabled unless I detect something that I use that has stopped working.

Shields-Up reports that for the IP address that my router reports to the internet, every port is in “stealth” mode except for port 21, which is “closed” (I’d put that one into stealth mode too if I knew how), and that it cannot find or communicate with NETBIOS. Except for responding to a ping and for the detection of a closed port 21, Shields-Up gives my system a very high rating for security.

I’m aware that sometimes “the enemy of good is better” and, being a non-techie, I’m always worried about making some modification to my configuration that prevents me from undoing the modification. For example, I’m really hesitant to change the default “off” setting on my DSL modem/router’s built-in firewall for fear that my change may either keep the modem from essential log-on or auto-update communications with Verizon, or keep my PC from talking to the router at 192.168.1.1. I figure, perhaps in error, that if Verizon has defaulted the firewall in the equipment that they supply to “off”, there must be an important reason.

I never saw port 21 somehow in another state than all the other ports. I used the Stealth Ports Wizard inside Comodo: “make me invisible to others”. That makes a rule “block IP in any” in global rules. You get all requested packet answers from the internet. What you don't request, you don't need. For example, Windows updates are requested by your PC. Windows doesn't ask you. So you get them, even if you have this rule.

If you ask for an important reason for a company to give you a router without an activated firewall: they just don't want to have people calling their phone to ask questions. That's all.

I hope you have at least changed the password of the router, because you can be sure that the default password will never be used by someone of that company, but by a bad guy on the internet trying all default passwords on random IPs.

BTW, I don't use the firewall of my router either. But since I use a router, even without the firewall of the router activated, Comodo has a lot less work. You could test if all is working fine for you with the router firewall, then switch it on. And if you make a wrong setting, at least you can press the reset button. Then make the normal settings again, done. Usually a router firewall provides only INgoing protection (if you don't like column settings); you need an easy-to-set firewall for outgoing anyway, and that's why having a desktop firewall is always a good idea. For example, you can't tell your router a per-application rule, you have to tell it only about ports in general. In other words, make holes in it. A desktop firewall understands rules per application!

As long as Comodo is set fine, it's a good protection.
DON'T forget to change the router password! And to protect your WLAN from unauthorized usage!

Clockwork,
Thanks for the comeback. I changed the password on my router within a few days of setting it up. :slight_smile:

I previously had used the Stealth Ports Wizard in CIS but ran it again to “stealth” all ports as you suggested. However, when I checked again with Shields-Up, Port 21 was still “closed”.

I may be wrong, but I suspect that port 21 on my PC probably IS in stealth mode (thanks to CIS’s “stealth mode”), and the Shields-Up report is from testing the router because the IP address that Shields-Up displays is not the 192.168.1.n IP address assigned to it by the router, but is the public IP address that the router responds to. I’m speculating that Verizon uses FTP (port 21) when it wants to update the software or firmware inside the router.

Verizon might use port 21 to update the firmware by ftp.

I am not sure that allowing firmware updates should always be a good idea: the firmware you have often is perfect for you, and an update might make you either lose some functions or implement some you don’t want.
But you might also not be, depending on the router, able to block such a feature: it is possible only if the GUI settings have an option for it, but the said options are frequently hardcoded in the router, and if so, you don’t have any solution if you don’t have the password and the programming abilities to hack this hardcoding.

The only way to test if the router is the culprit is of course to shunt it, directly connecting from an external wireless access or modem if any.

Same observation for the ping function: uncheck the option for it if any in your router’s software (but it might give you some connection troubles with some ISPs).
From a firewall point of view, and if the router is not involved, it is enough to block ping as a firewall global rule:
Block ICMP IN, ECHO REQUEST, and ICMP OUT, ECHO REPLY.
Ping is not a security threat by itself; it only shows that you “exist”, and it won’t go any further if other ports are closed as they should be.

There are a lot of utilities out there to test inbound firewall rules, but the only web-based option to test outbound firewall rules is http://www.firebind.com.

Firebind is the world’s only web-based “path scanner”. It has both a browser-based JavaScript client (TCP only) and a Java Applet (TCP or UDP) that send packets back and forth to the Firebind server on the given port (or range of ports) you choose. If the packets come back to the client intact, then the port isn’t blocked by any sort of intervening firewall (like your own home router or your ISP’s firewall).

Today the JavaScript client will actually tell you whether the TCP port is blocked due to a TCP RESET or a TCP TIMEOUT. This capability will be added to the Java Applet by the end of 2010, with even more granularity (it will be able to detect proxy servers).

The site gets a lot of use by IT Administrators who are trying to test whether they configured their company’s outbound firewall rules properly. It’s also heavily used by WiFi hotspot users, corporate users, universities, and especially home broadband users who are trying to troubleshoot why a given application (like Skype or IPSec) won’t work.

I am not sure that allowing firmware updates should always be a good idea: the firmware you have often is perfect for you, and an update might make you either lose some functions or implement some you don't want.
+1, also WiFi drivers too. If it works, leave it alone.