Port 445 rule advice requested

Discussion in 'other firewalls' started by Bob D, Sep 7, 2007.

Thread Status:
Not open for further replies.
  1. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    The reason for this query is dialup ISP connectivity issues I've been experiencing (XP Pro).
    I've been having issues with unwanted disconnects / inability to re-connect (until re-boot).
    Examination of my FW log seems to indicate disconnects (or inability to re-connect) are subsequent to denial of access to port 445.
    The IP that attempted access belongs to Level 3 Communications (my ISP's provider).
    Does the provider require access through port 445? As I understand while its closure is possible, other dependent services such as DHCP (dynamic host configuration protocol) which is frequently used for automatically obtaining an IP address from the DHCP servers used by many ISPs, will stop functioning.
    I understand also that leaving 445 unsecured could lead to dire consequences.
    Any advice appreciated.

    Regards all
     
  2. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
  3. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Hi Kerodo
    I know. That's where I found the text pasted above.
    It suggests that "port 445.. closure....DHCP.... will stop functioning.".
    Which has me concerned/curious as how to securely deal with it.

    Regards
     
  4. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Bob D :)

    What's TCP port 445 used for in Windows 2000/XP?

    If you don't need this port, its listening state may be disabled this way:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

    Create a new key: DWORD SmbDeviceEnabled value 0. Reboot.

    :)
     
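The registry change above, as an added example that is not part of the original post: it checks whether anything is listening on TCP 445, writes the value (a DWORD value under the NetBT\Parameters key, not a subkey), and shows the checks to run after the reboot. It assumes an elevated prompt and a host where the TCP/IP NetBIOS driver is installed; `SmbDeviceEnabled` is the Windows 2000/XP mechanism the post describes, and on current Windows the same effect is obtained by stopping the `LanmanServer` service or with a firewall rule.

```powershell
# Added example: disable the SMB direct-host listener on TCP 445 via
# HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\SmbDeviceEnabled = 0 (DWORD),
# then verify. Run elevated. The key path and value name are the ones from the thread.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$name = 'SmbDeviceEnabled'

function Get-Port445Listeners {
    # netstat rather than Get-NetTCPConnection so the check also works on XP-era hosts
    netstat -an -p TCP | Select-String ':445\s+\S+\s+LISTENING'
}

'--- listeners on 445 before the change ---'
Get-Port445Listeners

# Read the current value; $null means the value does not exist yet
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"Current $name = $current"

# It is a DWORD *value* under the key: create it if missing, otherwise update it
if ($null -eq $current) {
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 | Out-Null
} else {
    Set-ItemProperty -Path $key -Name $name -Value 0
}
"$name is now " + (Get-ItemProperty -Path $key -Name $name).$name

# The driver reads this at start-up, so the change takes effect after a reboot.
# After rebooting, re-run the two checks below:
#   Get-Port445Listeners      -> the 0.0.0.0:445 LISTENING line should be gone
#   ipconfig /renew           -> confirms the DHCP lease still renews (the worry raised above)
# Note that NetBIOS session service on TCP 139 is a separate listener and is not affected.
```

Disabling the listener removes SMB file and printer sharing over TCP 445 for this host entirely, which is usually the intent on a dialup machine; on a LAN that needs sharing, a firewall rule scoped to the local subnet is the alternative.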
  5. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Bob D,
    First, I would e-mail your ISP and ask if "unsolicited inbound to port 445" is needed by them. I would be surprised if it was.

    While you wait for a reply from your ISP:-

    It has been quite a while since I have used/set up on dialup (Win 3.1), so please excuse my need to ask some questions.

    Have you disabled any of the windows services from the default installation (the main one I am looking at, at this point, is the "locator service", which if disabled completely (via such tools as WWDC (windows worm door closer)) can cause problems for DHCP).

    Which firewall are you using?

    Do you have ISP software installed (the software for dialup that you would have installed to create your account)?

    When you connect, are you given a "time out" for the lease? (Start menu > Run > type "CMD" > OK; in the popup (command) window type ipconfig /all. You will then be shown your IP etc.; this should include a "lease" time. Do you lose the internet connection before this expires?)

    Have you just started having this problem (or is this a new account with that ISP)? If you could connect before without this problem, then what has changed on your system (new firewall or network-related application)?
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    If for some reason you should need to open 445 to your ISP, you can always create a rule in your firewall to do this for your ISP's specific address only. That would probably be safe enough, but as Stem says, it seems rather unlikely that your ISP really needs this.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Kerodo,
    This would certainly be the direction to take if this inbound was needed, but I would then expect the ISP to filter this port from WAN inbound.

    comment
    I see many inbound attempts from my own ISP, which they claim are "purely and simply" scans/attempts for security/exploit possibilities (I did/do have some fun with my ISP, as I set up a "honeypot" with a (password-protected) HTTP server, and one time my ISP spent 3 hours trying to crack the password, lol. I now repeat this every couple of weeks).
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Now that's service! :D
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    (With ref to my comment) It is how some ISPs work.
    __________________________________
    For me, any unsolicited inbound attempt from your ISP is "invasion", and should not be needed (and I treat this as an attack). If some form of "stay alive" connection is needed, then this should be put forward by the ISP, and software made available that only requires an outbound "alive" function.

    There should be no need for ANY inbound port to be left open simply to have your internet connection kept alive.
     
  10. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Yep, I agree 100%. One should be able to block ALL unsolicited inbound without any ill results.. I am on cable here and have never seen anything like that.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Kerodo,

    Hopefully "Bob D" will supply more details, so we can look at this.
    If such a provider is requiring this inbound, well, I have doubts about user protection under that provider.
     
  12. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    By default windows machines listen on port 445. Under a typical firewall rule set, this port would be available for unsolicited traffic on the local network where all traffic is designated as safe (192.168.1.0-192.168.1.255 or whatever) but blocked unless soliciting traffic otherwise.

    Do we need something else?
     
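The two scoping approaches above (Kerodo's allow rule for one specific ISP address, and Diver's default rule set that allows 445 only from the local network and blocks it unless solicited otherwise), as an added example that is not the posters' own configuration. It uses the Windows Firewall cmdlets of current Windows; the addresses are assumptions: 192.168.1.0/24 is the LAN example from the post, and 203.0.113.10 is a placeholder from the RFC 5737 documentation range standing in for a single ISP host, not a real Level 3 address. The XP SP2 `netsh firewall` equivalent for the system the thread is about is given in a comment.

```powershell
# Added example: inbound TCP 445 allowed only from trusted addresses, everything else
# inbound blocked by the profile default. Run elevated. Addresses are placeholders.
$lan     = '192.168.1.0/24'   # local subnet where all traffic is designated as safe
$ispHost = '203.0.113.10'     # hypothetical single ISP address (documentation range)

# 1. Default-deny inbound on every profile, so the allow rules below are the only way in
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. The normal case: SMB only from the local subnet, and only on the Private profile
New-NetFirewallRule -DisplayName 'SMB 445 from LAN only' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 445 -RemoteAddress $lan -Profile Private | Out-Null

# 3. The exception discussed in the thread: one specific WAN host. Created disabled, and
#    it stays that way until the ISP has confirmed it actually needs unsolicited inbound 445.
New-NetFirewallRule -DisplayName 'SMB 445 from ISP host (disabled)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 445 -RemoteAddress $ispHost -Enabled False | Out-Null

# 4. Verify what is actually in force for 445: rule, state, and the remote scope it is tied to
Get-NetFirewallRule -DisplayName 'SMB 445*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0,-38} enabled={1,-5} remote={2}' -f $_.DisplayName, $_.Enabled, ($addr.RemoteAddress -join ',')
}

# XP SP2 equivalent of rule 2 (the firewall generation the thread discusses):
#   netsh firewall add portopening protocol=TCP port=445 name="SMB LAN only" mode=ENABLE scope=SUBNET
# and of rule 3, scoped to one address:
#   netsh firewall add portopening protocol=TCP port=445 name="SMB ISP host" mode=ENABLE scope=CUSTOM addresses=203.0.113.10
```

The verification step matters more than the rules themselves: an allow rule for 445 with `RemoteAddress` left at its default of Any is exactly the exposure the thread is trying to avoid, so check the printed remote scope after creating any rule for this port.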
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I see variation from firewall to firewall; some give "allow all" for such a service, as most of the time this is controlled via svchost (or should I say indirect/redirect access), as with "locator".

    We certainly need more direct info on such events, if in fact this user is being "dropped" from access due to blocking inbound to this port.
     
  14. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    I too would be surprised, but I will query.
    No
    Filseclab
    No
    No "lease time" is displayed.
    No. Problem has been ongoing / sporadic.
    Have done reinstalls of TCP/IP, winsock repair, etc.
    Problem even continued after recent reformat.
    I may totally be off-base assuming relation between dialup woes and port 445 issue, but I figured this is the place to ask.
    Phone lines here are not optimal, but the occasional necessity to reboot (after the connection dropped) is rather annoying.

    Tks Kerodo, Stem, et al for your suggestions.

    Regards all
     
  15. herbalist

    herbalist Guest

    Do you have ICMP echo reply enabled? Some ISPs use it to see if the connection is being used, especially if yours is a dynamic or floating IP. If your system doesn't reply to their ping, they assume you're not connected and give the IP to another customer.
    Something to check into.
    Rick
     
  16. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Thanx for that interesting tidbit Rick, had not considered it.
    Echo reply here is blocked.
    Don't remember ICMP log entries when I've encountered problems, but I'll keep an eye out.
    Some consider echo replies as a security flaw, others claim it's fairly innocuous.
    I'd welcome comments on this.
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    I say we nuke it. {alt-n}
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have seen a need for a "stay alive" signal being required, but I normally have seen this as outbound from the ISP software. Any sort of unsolicited inbound should not really be needed/used. But, this can only be fully confirmed by your ISP.

    Please clear out your firewall logs, then re-boot, when you lose connection, copy and post the log, maybe something in the log (blocked) may give us some insight into what is happening.
     
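The log review Stem asks for above, as an added example that is not from the thread: it parses a Windows Firewall log (the W3C-style `pfirewall.log` layout with a `#Fields:` header), counts blocked attempts on 445 by source, and lists everything blocked in the minutes just before the dialup dropped, which also answers herbalist's earlier question about dropped ICMP echo requests. The log lines, the addresses (RFC 5737 documentation ranges) and the disconnect time are all constructed for the example; the thread does not contain Bob D's log.

```powershell
# Added example: summarise a Windows Firewall log around a connection drop.
# Everything below is constructed sample data, not a real log from the poster.

function ConvertFrom-FirewallLog {
    # Turns pfirewall.log lines into objects, using the log's own #Fields header
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $parts = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $parts[$i] }
        $obj['when'] = Get-Date "$($obj['date']) $($obj['time'])"   # combined timestamp
        [pscustomobject]$obj
    }
}

# Constructed log: two SYNs to 445 from one host, a UDP probe, and an echo request
# from the gateway, all dropped. 198.51.100.23 stands in for the dialup address.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-09-07 09:58:01 DROP TCP 203.0.113.10 198.51.100.23 3291 445 48 S 1774523 0 65535 - - - RECEIVE
2007-09-07 09:58:04 DROP TCP 203.0.113.10 198.51.100.23 3291 445 48 S 1774523 0 65535 - - - RECEIVE
2007-09-07 10:02:17 DROP UDP 192.0.2.9 198.51.100.23 1026 1026 396 - - - - - - - RECEIVE
2007-09-07 10:03:55 DROP ICMP 203.0.113.1 198.51.100.23 - - 60 - - - - 8 0 - RECEIVE
'@
$events       = ConvertFrom-FirewallLog ($sample -split "`r?`n")
$disconnectAt = Get-Date '2007-09-07 10:04:10'   # when the line dropped (assumed)
$window       = New-TimeSpan -Minutes 2

'--- blocked attempts on 445, by source ---'
$events | Where-Object { $_.action -eq 'DROP' -and $_.'dst-port' -eq '445' } |
    Group-Object 'src-ip' | Select-Object Name, Count

'--- everything blocked in the 2 minutes before the drop ---'
$events | Where-Object { $_.when -gt ($disconnectAt - $window) -and $_.when -le $disconnectAt } |
    Select-Object when, action, protocol, 'src-ip', 'dst-port', icmptype | Format-Table -AutoSize
```

With a real log, replace `$sample` with `Get-Content "$env:SystemRoot\pfirewall.log"` and set `$disconnectAt` from the event log or the dialler. In the constructed lines the 445 attempts sit six minutes before the drop while the only thing blocked immediately before it is an ICMP type 8 echo request from the gateway, which is the pattern to look for if the ISP really is probing for a live connection; whether that is what happens on the poster's line is exactly what the log would show.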
  19. herbalist

    herbalist Guest

    It's only a flaw if you consider being stealthed a necessity. "Stealthed" roughly translates that your PC/network does not reveal its existence by responding to unsolicited packets. The only real advantage stealth offers is that it makes your PC a bit harder to find with random port scans, and then only if your system has no open ports. When your existence or IP is known, stealthed ports offer no advantage over closed ports. It's far more important that your ports are closed and for ones that need to be open to be limited to accepting connections from only the necessary IPs.
    Rick
     
  20. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Thanx Stem, Herbalist for the replies.
    Currently running Windows FW, allowing incoming echo requests, with the hope of identifying the problem.
    GRC'd it, and all is stealthed, with the (expected) exception of reply to ICMP Echo requests.

    Regards all
     