
If I want to allow Windows networked drives between two firewalled computers, do I need to open ports 137-139, or is port 445 sufficient? I have to submit a form and get approval to open firewall ports, and I don't want to ask for more open ports than I need. All of the machines here are Windows XP or later.

Note: when I say "Windows networked drives", I'm not entirely sure whether I'm referring to SMB or CIFS, and I'm not entirely clear on the difference between the two protocols.

Jonathan

2 Answers


Ports 137-139 are for NetBIOS/name resolution. Without them you will have to access machines by IP address as opposed to NetBIOS name. Example: \\192.168.1.100\share_name as opposed to \\my_file_server\share_name.

So port 445 is sufficient if you can work with IP addresses only.

Tim
  • At my site, NetBIOS names are always the same as DNS names. So if I refer to machines by hostname, will Windows be able to find the machine through DNS without using NetBIOS? – Jonathan Jan 03 '12 at 17:28
  • As long as you have functioning DNS available to the client, it should suffice. – Tim Jan 03 '12 at 18:45
  • Does this also work with public IP addresses? Is it enough to open port 445 in the firewall of the ADSL modem/router? – Hrqls Feb 18 '15 at 09:33
  • @Hrqls In theory, yes, **but** AFAIK opening up your SMB to the whole world is a very bad idea. – Samuel Harmer Aug 16 '16 at 07:49
  • @Styne666, totally agree. Even more: opening anything that does not have adequate security support to the whole Internet is generally a bad idea. I would recommend using IPsec transport mode to protect it, at least. – dess Sep 29 '19 at 21:21
  • If you access this remote machine via DDNS, allowing only TCP 445 is enough. I tested it today and it works well. – Feriman Feb 01 '21 at 16:11

This configuration worked for me: 137/UDP, 138/UDP, 139/TCP and 445/TCP. Source and additional information at: http://www.icir.org/gregor/tools/ms-smb-protocols.html.

So these are the iptables rules for my Samba server:

# The router doesn't need SMB access.
-A INPUT -s 192.168.1.1 -p udp --dport 137 -j REJECT
-A INPUT -s 192.168.1.1 -p udp --dport 138 -j REJECT
-A INPUT -s 192.168.1.1 -p tcp --dport 139 -j REJECT
-A INPUT -s 192.168.1.1 -p tcp --dport 445 -j REJECT

# Actual Samba ports
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
Juan
    Given that the OP asked about Windows computers and their level of understanding of iptables is completely unknown, this would be better written out than as a completely different system's configuration file. – DarkMoon Oct 14 '16 at 02:30
    In plain English, UDP 137 and 138, TCP 139 and 445 – Arlen Beiler Mar 21 '19 at 02:15
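As an added example (not from either answer or the linked page), a small Python audit that reads iptables rules in the form Juan posted, lists which of the four SMB/NetBIOS ports are accepted and from which sources, flags any rule that accepts them from an unscoped or non-private source (the "open to the whole world" case Samuel Harmer warns about), and marks 137-139 as needed only for NetBIOS name resolution, per Tim's answer. The rule text is constructed for the example: Juan's rules plus one deliberately unscoped 445 rule.

```python
"""Audit iptables rules for SMB/NetBIOS exposure (added example, not from the answers)."""
import ipaddress

# The four ports discussed above and what each carries.
SMB_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service",
    ("tcp", 445): "SMB direct over TCP",
}
NETBIOS_PORTS = {137, 138, 139}  # only needed when hosts are reached by NetBIOS name

# Constructed sample: the poster's Samba rules plus one deliberately over-broad rule (no -s).
SAMPLE_RULES = """\
-A INPUT -s 192.168.1.1 -p udp --dport 137 -j REJECT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A INPUT -p tcp --dport 445 -j ACCEPT
"""

def parse_rule(line):
    """Return option/value pairs of one '-A INPUT ... --dport N' line, or {} otherwise."""
    toks = line.split()
    fields = {tok: toks[i + 1] for i, tok in enumerate(toks[:-1])
              if tok in ("-A", "-s", "-p", "--dport", "-j")}
    return fields if fields.get("-A") == "INPUT" and "--dport" in fields else {}

def expand_ports(spec):
    """Expand iptables --dport syntax ('445' or '137:139') into a list of ints."""
    lo, _, hi = spec.partition(":")
    return list(range(int(lo), int(hi or lo) + 1))

def smb_exposure(rules_text):
    """One finding per accepted SMB/NetBIOS port: source scope, role, and whether the scope is wide."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rule(line.strip())
        if not rule or rule.get("-j") != "ACCEPT":
            continue
        # A rule without -s accepts from any source; treat that, or a non-private source, as wide open.
        net = ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"), strict=False)
        for port in expand_ports(rule["--dport"]):
            key = (rule.get("-p"), port)
            if key in SMB_PORTS:
                findings.append({
                    "proto": key[0], "port": port, "role": SMB_PORTS[key], "source": str(net),
                    "wide_open": net.prefixlen == 0 or not net.is_private,
                    "netbios_only": port in NETBIOS_PORTS,
                })
    return findings
```

Running smb_exposure(SAMPLE_RULES) reports three findings scoped to 192.168.1.0/24 and one 445 finding from 0.0.0.0/0 marked wide_open; the two netbios_only findings are the ones that can be dropped when hostnames resolve through DNS.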