Blocking SMB sharing in only one direction

letnet (Level 1)

We have had troubles with students in our dorms trying to break into lab computers running Windows NT and 2000. This path is open because we need to allow the students access to their dorm machines when they are in the labs - but we do not want to allow vice versa (to access the labs from the dorms).

We've tried a number of things - including blocking all inbound attempts to connect to TCP and UDP ports 135-139 in the labs while allowing outbound requests in the other direction - we've tried a number of variations on this but always end up either with no block at all - or with blocking in both directions.

Can anyone toss in an idea of the best way (if there is one) to uni-directionally filter SMB like this?

- Ken Johnson

Mgr. Network Services

LeTourneau University

3 Replies

bfetzer (Level 1)

Are you running a mixed-mode NT/Win2k network? Either way, you may be running into some other issues along with your IOS config. Here is an excerpt from a TechNet article taken from the Win2k Resource Kit.

I am bumping this up as well because I am very interested in this topic. Currently I do not have a need for it, but will in the future.

"In Windows NT 4.0, Windows Internet Name Service (WINS), and Domain Name System (DNS) name resolution was accomplished by using TCP port 134. Extensions to CIFS and NetBT now allow connections directly over TCP/IP with the use of TCP port 445. Both means of resolution are still available in Windows 2000. It is possible to disable either or both of these services in the registry. "

Notice the use of 445 for CIFS.

Sure enough - it was 445 that was lurking - thanks!

- Ken

twiggles (Level 1)

The SMB negotiation is done via TCP port 139, so it needs two-way communication. You could try a reflexive ACL, though; that would probably work.
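What a reflexive ACL for this case looks like on the router between the labs and the dorms, covering both the NetBIOS ports and the TCP 445 that bfetzer pointed out. This is an added example, not configuration from anyone in the thread; the interface name, the address ranges (labs 10.10.0.0/16, dorms 10.20.0.0/16) and the ACL names are assumed.

```cisco
! Added example (not from the thread). Addresses, ACL names and the
! interface are assumed; adjust to your own numbering.
!
! Traffic leaving the router toward the dorms: record any SMB/NetBIOS
! session that a lab machine opens, so its replies can come back.
ip access-list extended LAB-TO-DORM
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 range 135 139 reflect SMB-SESSIONS timeout 300
 permit tcp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 eq 445 reflect SMB-SESSIONS timeout 300
 permit udp 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 range 137 138 reflect SMB-SESSIONS timeout 60
 permit ip any any
!
! Traffic arriving from the dorms: only the return half of sessions the
! labs started is allowed; new SMB/NetBIOS attempts are dropped and logged.
ip access-list extended DORM-TO-LAB
 evaluate SMB-SESSIONS
 deny tcp any 10.10.0.0 0.0.255.255 range 135 139 log
 deny tcp any 10.10.0.0 0.0.255.255 eq 445 log
 deny udp any 10.10.0.0 0.0.255.255 range 135 139 log
 permit ip any any
!
interface FastEthernet0/1
 description Link toward the dorm network (assumed)
 ip access-group LAB-TO-DORM out
 ip access-group DORM-TO-LAB in
```

The plain "established" keyword would not have worked here, because it only checks TCP flags and does nothing for UDP 137/138; the reflexive entries track the actual sessions. The "log" keywords give you a record of dorm hosts probing the lab SMB ports, which is what you want to see in the logs.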