If I want to allow Windows networked drives between two firewalled computers, do I need to open ports 137-139, or is port 445 sufficient? I have to submit a form and get approval to open firewall ports, and I don't want to ask for more open ports than I need. All of the machines here are Windows XP or later.
Note: when I say "Windows networked drives", I'm not entirely sure whether I'm referring to SMB or CIFS, and I'm not entirely clear on the difference between the two protocols.
Ports 137-139 are for NetBIOS/name resolution. Without them you will have to access machines by IP address as opposed to NetBIOS name. Example:
\\192.168.1.100\share_name
as opposed to
\\my_file_server\share_name
So port 445 is sufficient if you can work with IP addresses only.
This configuration worked for me: 137/UDP, 138/UDP, 139/TCP and 445/TCP. Source and additional information at: http://www.icir.org/gregor/tools/ms-smb-protocols.html.
So these are the iptables rules for my Samba server:
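An added example, not part of either answer and not the poster's rules: a Python check that reads `iptables-save` output and reports which of the ports discussed above are accepted and from where, so a firewall request can be limited to what is needed. The sample ruleset, the 192.168.1.0/24 source and the function names are constructed for illustration.

```python
import re

# Ports named in the answers above, as (protocol, port).
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

# Constructed sample in iptables-save format (not rules from the page).
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m multiport --dports 137:138 -j ACCEPT
COMMIT
"""

def expand_ports(spec):
    """Expand '445', '137:139' or '137,138' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def accepted_smb_ports(ruleset, chain="INPUT"):
    """Map each SMB port with an ACCEPT rule in `chain` to its allowed sources.
    Simplified: ignores rule order, negation and ACCEPT rules without a port."""
    found = {}
    for line in ruleset.splitlines():
        proto = re.search(r"(?<!\S)-p (\w+)", line)
        dports = re.search(r"--dports? (\S+)", line)
        if not (line.startswith(f"-A {chain} ") and line.endswith("-j ACCEPT")
                and proto and dports):
            continue
        source = re.search(r"(?<!\S)-s (\S+)", line)
        for port in expand_ports(dports.group(1)):
            if (proto.group(1), port) in SMB_PORTS:
                found.setdefault((proto.group(1), port), []).append(
                    source.group(1) if source else "0.0.0.0/0")
    return found

def access_mode(found):
    """Apply the answers' rule: 445/TCP alone means IP-only access."""
    if ("tcp", 445) not in found:
        return "445/TCP not accepted"
    if SMB_PORTS <= set(found):
        return "IP address or NetBIOS name"
    return "IP address only"

if __name__ == "__main__":
    print(accepted_smb_ports(SAMPLE), access_mode(accepted_smb_ports(SAMPLE)))
```

A source of `0.0.0.0/0` in the result means the rule has no `-s` restriction and accepts that port from any address.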