Windows Firewall Rules for File and Print Sharing

Tags: windows, firewall, file, printer, sharing, VPN, SoftEther

Saturday, July 7, 2018 5:58:00 PM

Source: http://tritoneco.com/2013/09/18/file-and-printer-sharing-firewall-rules-explained/

This article is an overview of the ports and services necessary for File and Print Sharing.  File shares to modern Microsoft Windows Operating Systems typically requires UDP port 138, TCP 139, TCP 445, and UDP 5355.

Windows-Firewall-File-Print-Inbound-Rules

Echo Request – ICMPv4-In

Internet Control Message Protocol for IPv4 – is typically used with tools like Ping and Traceroute to indicate a host or endpoint is available.  ICMP differs from transport protocols like TCP and UDP.  To allow or block ping responses from a server or PC, enable or disable these rules.

 

Echo Request – ICMPv6-In

Internet Control Message Protocol for IPv6 – similar to v4, ICMPv6 is used with tools like Ping and Traceroute to indicate a host or endpoint is available, only over IPv6 addresses.  To allow or block ping responses from a server or PC, enable or disable these rules.

 

The first shows an IPv6 ping (using ICMPv6) while the second command shows an IPv4 ping (using ICMPv4)

Ping-IPv4-IPv6-ICMP-Echo

SMB-In

Server Message Block

SMB transmission and reception over TCP port 445.  Most of a file share copy happens over SMB.  The SMB version has been updated to 3.0 in Windows Server 2012.  This article from Microsoft File Server team member Jose Barreto is a great summary of resources related to SMB 3.0.

 

LLMNR-UDP-In

Link Local Multicast Name Resolution – runs over UDP Port 5355, allows IP traffic to perform name resolution for local hosts.  In a Windows environment, network discovery runs over the LLMNR port.  So when you look at “Network” in Windows Explorer, you may see the media devices and computers on your local network.

 

Spooler Service – RPC

Typically allows the print spooler service to communicate via TCP and RPC

RPC, Remote procedure call, is used by remote discovery and administration applications.  For example, a request to access a file share will initiate its request over RPC then utilize other transfer ports to complete requested operations.  This process generally begins over TCP port 135 but may be dynamic.

 

Spooler Service – RPC-EPMAP

Print sharing data is typically transferred over RCPEPMAP.

EPMAP, Remote Procedure Call Endpoint Mapper, identifies a network service and asks for the port number on which the specified network service is listening.  RPC-EPMAP responds with the port number to which the remote computer is listening.  Requests begin with TCP port 135 then may be dynamic.

 

NB-Datagram-In

NetBIOS Datagram

allows inbound NetBIOS Datagram transmission and reception over UDP port 138.

 

NB-Name-In

NetBIOS Name

Allows inbound NetBIOS name resolution over UDP port 137.

 

NB-Session-In

NetBIOS Session

Allows NetBIOS service connections over TCP port 139.

No Comments

You must log on to comment.