Locking down Port 135 - NetGear Router/Symantec Firewall

N/A

How can I lock down Port 135 on Windows Small Business Server with the Netgear Router and hardware Symantec Firewall?

I keep getting the F9 redirector because of access on this port and I have no idea which client PC is doing it.
There are no viruses on the network.

Any help would be much appreciated.
8 REPLIES
N/A

By "lock down port 135" I assume you mean you want to configure your system to prevent traffic outgoing from your network to the Internet? (You seem to be suggesting this is happening because of Windows Small Business Server -- software with which I have no experience whatever -- but, even with no firewall rules to prevent such outgoing traffic, why would Small Business Server be generating it, and to whom would it be sending it? Are you sure it's not a virus generating this traffic?)

Which model of Netgear router are you using?
N/A

I'm sorry if it read like I was suggesting SBS was causing it.

I have no idea what is causing the traffic on that port at all.

Just F9 recommended blocking outgoing traffic on that port in order to get the redirector on the web surfing removed, as F9 think there is some program using that port.

Just wondered how you shut down a port.

The Netgear router we use is DG814.
N/A

I thought the router might allow you to do packet filtering, but I can't see any mention of this in the DG814 manual.

So, to the Symantec firewall. I see they do several models, so I'm assuming you're using one of the VPN 100/200/200R range. Again, I was hoping there'd be something on packet filtering, but the closest I can see to this is what is described as "Access Filters". The ideal would have been something which would have allowed you to block outgoing traffic, both TCP and UDP, destined for port 135 at any address. "Access Filters" seems to work on the basis of what to allow, however; in other words, if activated, it'll block everything which isn't specifically allowed. A secure way of doing it, but it also means if you get it wrong, there'll be howls of protest from your users, so you need to know exactly what traffic you want to allow out of your network.

Even if that works, you're not really solving the problem, you're just hiding it from the Force9 network. That's a useful first step, and will get Force9 off your back, but you really need to track down the culprit and eliminate it. You could try installing the free version of ZoneAlarm on each PC -- that will pop up an alert at the PC when something attempts to establish an outgoing connection, but you'd have to educate your users to not simply allow the connection request. Another idea would be to install a package like Ethereal which you could use to analyse traffic on your network, in the hope of finding who is generating traffic destined for port 135. You could set it up with a capture filter for port 135 and periodically check to see what it's found.
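Added example (not part of the original post): once a capture taken with a filter such as `dst port 135` has been saved as text, the per-host tally the reply describes can be scripted. The sketch assumes tcpdump `-n` style lines and a 192.168.0.0/24 LAN; the sample lines and all addresses are constructed. Traffic to port 135 that stays inside the LAN is ignored, so only hosts sending it out towards the Internet are listed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the office LAN range; change to match your own addressing.
LAN = ipaddress.ip_network("192.168.0.0/24")

# tcpdump -n text form: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)

# Constructed sample capture (documentation address ranges for outside hosts).
SAMPLE = """\
09:14:01.100 IP 192.168.0.23.1045 > 203.0.113.9.135: Flags [S], seq 1, length 0
09:14:01.350 IP 192.168.0.23.1046 > 203.0.113.10.135: Flags [S], seq 1, length 0
09:14:02.010 IP 192.168.0.31.1102 > 192.168.0.2.135: Flags [S], seq 1, length 0
09:14:02.011 IP 192.168.0.2.135 > 192.168.0.31.1102: Flags [S.], seq 1, length 0
09:14:03.200 IP 192.168.0.40.1300 > 198.51.100.7.135: UDP, length 64
09:14:03.900 IP 192.168.0.23.3120 > 198.51.100.80.80: Flags [S], seq 1, length 0
09:14:04.000 ARP, Request who-has 192.168.0.1 tell 192.168.0.23, length 28
09:14:04.500 IP 192.168.0.23.1047 > 203.0.113.11.135: Flags [S], seq 1, length 0
""".splitlines()


def outbound_135_sources(lines, lan=LAN, port=135):
    """Return [(lan_host, packets)] for traffic to `port` leaving the LAN."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6 or anything else that is not IPv4 host.port
        src, dst, dport = m.group(1), m.group(3), int(m.group(4))
        if dport != port:
            continue  # replies *from* port 135 and unrelated traffic
        if (ipaddress.ip_address(src) in lan
                and ipaddress.ip_address(dst) not in lan):
            hits[src] += 1
    return hits.most_common()  # busiest sender first


if __name__ == "__main__":
    for host, count in outbound_135_sources(SAMPLE):
        print(f"{host}\t{count} packet(s) to port 135 outside the LAN")
```

A host that contacts many different outside addresses on port 135 is the one to examine first.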
N/A

Ta for the help.

The Firewall is VPN 100.

Do I need to stick this Ethereal on each machine, or just 1, or just the server?

There is no chance of sticking ZA on all the PCs here, too many people who couldn't cope with it to be honest.

I did lock down the DCOM server as I read that can cause problems with port 135 being "visible".
N/A

I was going to say you only need to install it on one machine, because it'll sniff what's on the network, but unfortunately, with network switches, life isn't that simple, because they dynamically split the network into lots of different "collision zones", which means it won't get to see traffic other than that which is specifically sent to it.

You could try putting it on just one machine first and see what you get. I assume the offender (or offenders -- there may be more than one) will be pretty indiscriminate about who they send to and so at some point will send traffic to the host you've installed it on, which will enable you to identify them for follow-up work.
N/A

I noticed your posting and read with interest, as I recently had a similar problem. I used my Cisco client to VPN into work from home to pick up my e-mail from the Exchange server. I then disconnected the client and was browsing the internet for a while. When I tried to check my mail a little later I was blocked by F9's 'potential virus' infection page warning me about port 135. After investigating, I found out that Microsoft's RPC listens on TCP/IP port 135 when Outlook talks to an Exchange server. Because I was initially using a VPN and I had not closed Outlook, it was still trying to talk on port 135 and F9 blocked this as it was no longer hidden in the tunnel. It might be worth checking to see if any of your mail clients are set to try and connect to an Exchange server. I hope this can aid some thinking on your setup and help towards resolving your problem. Best of luck.
N/A

I sort of understand that.
We have a VPN set up to accommodate the hardware firewall and router, but don't have remote access to emails set up.

We do have an Exchange server to deal with the email, and Outlook could be turned on on one of the client PCs all the time, so closing that isn't possible.

So whereas it may be an idea of the cause, I still don't know how to stop it :)

I did read that the DCOM uses port 135, but I locked those down on all the PCs to no avail.
N/A

I have now sorted the problem, but there is another problem caused because of it :(

If I use the packet filters and block ALL access, then allow TCP and UDP access to all ports bar 135, it clears the redirector.

Unfortunately it also blocks the finger postmaster command and emails stack up!

Any ideas?