IPv6 Firewall on CPEs - Default on or off

Christopher Palmer Christopher.Palmer at microsoft.com
Thu Dec 6 07:47:50 CET 2012


NetBios is still alive and kicking (UDP 138). If you turn on file and print sharing, it'll sit there and listen for link-local traffic. We also support LLMNR for name resolution, and WSD. And SSDP. You can see the firewall rules in the Windows Firewall with Advanced Security panel, though most are deactivated unless you use the feature.

Network firewalls are a complex topic. I'll say that the number of times I encounter someone saying "I love my home router's in-box firewall capability" is pretty low. As is the number of situations where a network firewall was the primary defense for a consumer Windows device (since Windows 7 at least). There are a reasonable number of warning messages you have to go through to open up an anonymous file share these days. Opening a file share BEYOND link-local traffic requires even more configuration.

The number of times I've encountered a home router breaking a scenario or service that the user cares about, like gaming, is plentiful.


-----Original Message-----
From: ipv6-ops-bounces+christopher.palmer=microsoft.com at lists.cluenet.de [mailto:ipv6-ops-bounces+christopher.palmer=microsoft.com at lists.cluenet.de] On Behalf Of Eric Vyncke (evyncke)
Sent: Wednesday, December 5, 2012 12:42 PM
To: Phil Mayers
Cc: ipv6-ops at lists.cluenet.de
Subject: Re: IPv6 Firewall on CPEs - Default on or off

Good point for the NAS indeed (even if I am not sure whether they support IPv6...)

But, I have just checked on my Win7 VM and there is nothing on ports 137-139

Anyway, we agree that this is mostly a detail anyway ;-)
Le 5 déc. 2012 à 12:31, "Phil Mayers" <p.mayers at imperial.ac.uk> a écrit :

> On 12/05/2012 07:05 PM, Eric Vyncke (evyncke) wrote:
>> OTOH, AFAIK Microsoft does not run netbios anymore (so no netbios over IPv6 hence no need to block 137-139)
>> 
> 
> Are you sure about this? The Windows 7 machine I have here at home says the same thing Windows has said since w2k for "NetBIOS over TCP" in the IP->adapter bindings - to honour the DHCP-supplied config for NetBIOS-over-tcp, and to enable it if no setting is given or using static IPs.
> 
> Certainly a Windows 7 machine here at home listens on port 135 by default. There's no port 139 listener, but I think that's because I've got no shares published.
> 
> There are, of course, lots of devices that listen on 139 that aren't windows machines (e.g. NASes) so I'd argue that 139 & 445 should be treated equivalently.
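The disagreement in this thread is really about which listeners on a Windows host are bound only to link-local scope and which would be reachable from outside if the CPE forwarded unsolicited inbound IPv6 without a stateful firewall. The script below is an added example (not from the list archive or from Microsoft) that parses `netstat -an`-style output and classifies each IPv6 listener by the scope of its bound address. The sample output, the port-to-service table and the function names are constructed for the example; it inspects sockets only and says nothing about host firewall rules, which is the separate layer referred to above.

```python
import re
from ipaddress import IPv6Address, IPv6Network

# Ports discussed in the thread and the Windows component each belongs to
# (constructed table for this example; extend as needed).
KNOWN_SERVICES = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB",
    1900: "SSDP",
    3702: "WS-Discovery",
    5355: "LLMNR",
}

# Constructed sample in the shape of Windows `netstat -an` output.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    [::]:135               [::]:0                 LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    [::]:5355              *:*
  UDP    [fe80::1%12]:138       *:*
  UDP    [::]:3702              *:*
  UDP    [2001:db8::10]:1900    *:*
  TCP    [::1]:8080             [::]:0                 LISTENING
"""

# Matches "TCP    [addr%zone]:port" at the start of a netstat line.
LISTENER_RE = re.compile(r"^\s*(TCP|UDP)\s+\[([^\]]+)\]:(\d+)", re.MULTILINE)
UNIQUE_LOCAL = IPv6Network("fc00::/7")


def exposure(bound_addr: str) -> str:
    """Classify the scope of the address a socket is bound to.

    Returns one of: any-address, loopback, link-local, unique-local, global.
    A zone index such as '%12' on link-local addresses is stripped first.
    """
    ip = IPv6Address(bound_addr.split("%")[0])
    if ip.is_unspecified:      # [::] accepts on every address, global ones too
        return "any-address"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:       # fe80::/10, never forwarded off the link
        return "link-local"
    if ip in UNIQUE_LOCAL:     # fc00::/7, not routed on the public Internet
        return "unique-local"
    return "global"


def audit(netstat_text: str) -> list:
    """Return one record per IPv6 listener with its scope and service name."""
    findings = []
    for proto, addr, port in LISTENER_RE.findall(netstat_text):
        port = int(port)
        findings.append({
            "proto": proto,
            "port": port,
            "bound": addr,
            "scope": exposure(addr),
            "service": KNOWN_SERVICES.get(port, "unknown"),
        })
    return findings


def exposed_ports(netstat_text: str) -> set:
    """(proto, port) pairs that a CPE without a stateful IPv6 firewall
    would leave reachable from off-link sources."""
    return {
        (f["proto"], f["port"])
        for f in audit(netstat_text)
        if f["scope"] in ("any-address", "global")
    }


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        flag = "EXPOSED" if (f["proto"], f["port"]) in exposed_ports(SAMPLE_NETSTAT) else "local"
        print(f'{flag:8} {f["proto"]} [{f["bound"]}]:{f["port"]}  {f["service"]}  ({f["scope"]})')
```

On the constructed sample the NetBIOS datagram listener on 138 is bound to a link-local address and is classified as local, while the sockets bound to `[::]` (135, 445, LLMNR, WS-Discovery) and the one on a global address (SSDP) are the ones whose reachability depends on the CPE dropping unsolicited inbound traffic. Run it against real `netstat -an` output on a host to see which of its listeners fall into each class.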