
Network file sharing issue port 137 and 445

parsa Member Posts: 42

Hi All,

I am very new to the networking domain. Currently, I am encountering an issue on my server. Mapped network drives are getting disconnected when turning on web protection in a third-party AV.
In the AV logs, I see a lot of these messages printed. UDP packets on port 137 are blocked, saying that filtering has occurred. But the TCP connection on port 445 to the client machine on my LAN succeeded.

FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4_DISCARD Src=172.16.255.255:137, Dst=172.16.35.178:137, Protocol=UDP, PId=4, PName=System, DiscardReason=FWPS_DISCARD_FIREWALL_POLICY
FWPM_LAYER_ALE_FLOW_ESTABLISHED, SRC=172.16.50.125:49860, Dst=172.16.35.178:445, Protocol=TCP, Direction=Outbound, PId=4, PName=System"

As per the MSDN doc, I understood that when incoming accept() calls are discarded, this AUTH_RECV_ACCEPT_V4_DISCARD layer gets invoked.
https://docs.microsoft.com/en-us/windows/win32/fwp/ale-layers

Also, I got to know that port 137 is used for file sharing. If we want to disable file sharing on my server, I can block the port 137 so that no other computer can access the files on the server machine. I have two questions on my mind.

1) Does disabling port 137 prevent local file access by other machines, or does it block the entire file sharing so that my PC also can't access other machines' files (in case the other machine has not blocked port 137 on it)?
2) Is it because port 137 on my server is not accepting incoming accept() calls that the mapped network drives are disconnected?

Thanks

Comments

  • Tim_Roberts Member - All Emails Posts: 13,907

    Blocking incoming port 137 will prevent the machine from advertising its own shares. Blocking outgoing port 137 will prevent you from accessing other file shares. Since you're inside a NAT network, I don't know why you would do either.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • parsa Member Posts: 42
    edited April 2

    Thanks Tim.

    So I understand it is based on incoming and outgoing rules on that particular port (137). Is there any tool or Windows built-in command to list all the rules on a particular port set by all the processes, so that I will come to know which processes are setting rules on port 137?

    Also, what specific events do I have to look for in Event Viewer for the driver unmap?

  • Tim_Roberts Member - All Emails Posts: 13,907

    The Windows Defender Firewall control panel applet will be happy to show you all of the firewall rules in place right now. Most of the rules will be "allow" against a default rule of "block everything". I'm not sure what you're asking in the second question.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • parsa Member Posts: 42

    The Windows Defender Firewall control panel applet can list all of the rules on the ports defined even by third party AVs and other software modules on the system?

  • Tim_Roberts Member - All Emails Posts: 13,907

    No. If you have some other firewall installed, then naturally it will have its own control panel.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Jason_Stephenson Member Posts: 93

        netsh wfp show filters
        netsh wfp show state

    The above will show you most of the firewall filters. When investigating some VPN compatibility issues, I used the FwpmFilterEnum API to print filters and received some that weren't returned by the above. This won't be an option for you if you're not writing your own driver.
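Added example, not part of the thread or any poster's code: one way to answer "which filters touch port 137, and who owns them" from the XML dump that `netsh wfp show filters` writes. The element names and the sample XML are assumptions, constructed to resemble that dump; check them against your own filters.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the filters.xml written by `netsh wfp show filters`.
# Element names are assumptions; GUIDs, display names and filter ids are made up.
SAMPLE_XML = """<wfpdiag><filters>
<item><displayData><name>Third-party AV block (constructed)</name></displayData>
 <providerKey>{11111111-1111-1111-1111-111111111111}</providerKey>
 <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
 <filterCondition><item><fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
  <matchType>FWP_MATCH_EQUAL</matchType>
  <conditionValue><type>FWP_UINT16</type><uint16>137</uint16></conditionValue>
 </item></filterCondition>
 <action><type>FWP_ACTION_BLOCK</type></action><filterId>70001</filterId></item>
<item><displayData><name>NetBIOS range permit (constructed)</name></displayData>
 <providerKey>{22222222-2222-2222-2222-222222222222}</providerKey>
 <layerKey>FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V4</layerKey>
 <filterCondition><item><fieldKey>FWPM_CONDITION_IP_LOCAL_PORT</fieldKey>
  <matchType>FWP_MATCH_RANGE</matchType>
  <conditionValue><type>FWP_RANGE_TYPE</type><rangeValue>
   <valueLow><type>FWP_UINT16</type><uint16>137</uint16></valueLow>
   <valueHigh><type>FWP_UINT16</type><uint16>139</uint16></valueHigh>
  </rangeValue></conditionValue></item></filterCondition>
 <action><type>FWP_ACTION_PERMIT</type></action><filterId>70002</filterId></item>
</filters></wfpdiag>"""

PORT_FIELDS = {"FWPM_CONDITION_IP_LOCAL_PORT", "FWPM_CONDITION_IP_REMOTE_PORT"}

def condition_covers(cond, port):
    """True if a port condition equals the port or spans it as a range."""
    if cond.findtext("fieldKey") not in PORT_FIELDS:
        return False
    values = [int(v.text) for v in cond.iter("uint16")]  # one value, or low/high
    return bool(values) and min(values) <= port <= max(values)

def filters_on_port(xml_text, port):
    """Return id, name, provider, layer and action of filters conditioned on port."""
    hits = []
    for flt in ET.fromstring(xml_text).findall("./filters/item"):
        if any(condition_covers(c, port) for c in flt.findall("./filterCondition/item")):
            hits.append({"id": flt.findtext("filterId"),
                         "name": flt.findtext("displayData/name"),
                         "provider": flt.findtext("providerKey"),
                         "layer": flt.findtext("layerKey"),
                         "action": flt.findtext("action/type")})
    return hits

if __name__ == "__main__":
    for hit in filters_on_port(SAMPLE_XML, 137):
        print(hit)
```

A filter with no port condition applies to every port and is not listed by this check, so a block can still come from a filter this script does not report.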
