IPv6 Firewall on CPEs - Default on or off

Eric Vyncke (evyncke) evyncke at cisco.com
Thu Dec 6 15:13:17 CET 2012


I stand corrected about NetBIOS, thanks for correcting me.

Else, I share your point of view about the 'firewall'

> -----Original Message-----
> From: Christopher Palmer [mailto:Christopher.Palmer at microsoft.com]
> Sent: mercredi 5 décembre 2012 22:48
> To: Eric Vyncke (evyncke); Phil Mayers
> Cc: ipv6-ops at lists.cluenet.de
> Subject: RE: IPv6 Firewall on CPEs - Default on or off
> 
> NetBios is still alive and kicking (UDP 138). If you turn on file and print
> sharing, it'll sit there and listen for link-local traffic. We also support
> LLMNR for name resolution, and WSD. And SSDP. You can see the firewall rules
> in the Windows Firewall with Advanced Security panel, though most are
> deactivated unless you use the feature.
> 
> Network firewalls are a complex topic. I'll say, that the number of times I
> encounter someone saying "I love my home router's in-box firewall capability"
> is pretty low. As the number of situations where a network firewall was the
> primary defense for a consumer Windows device (since Windows 7 at least).
> There are a reasonable number of warning messages you have to go through to
> open up an anonymous file share these days.  To open a file share BEYOND
> link-local traffic, requires even more configuration.
> 
> The number of times I've encountered a home router breaking a scenario or
> service that the user cares about, like gaming, is plentiful.
> 
> 
> -----Original Message-----
> From: ipv6-ops-bounces+christopher.palmer=microsoft.com at lists.cluenet.de
> [mailto:ipv6-ops-bounces+christopher.palmer=microsoft.com at lists.cluenet.de]
> On Behalf Of Eric Vyncke (evyncke)
> Sent: Wednesday, December 5, 2012 12:42 PM
> To: Phil Mayers
> Cc: ipv6-ops at lists.cluenet.de
> Subject: Re: IPv6 Firewall on CPEs - Default on or off
> 
> Good point for the NAS indeed (even if I am not sure whether they support
> IPv6...)
> 
> But, I have just checked on my Win7 VM and there is nothing on ports 137-139
> 
> Anyway, we agree that this is mostly a detail anyway ;-)
> 
> 
> 
> 
> Le 5 déc. 2012 à 12:31, "Phil Mayers" <p.mayers at imperial.ac.uk> a écrit :
> 
> > On 12/05/2012 07:05 PM, Eric Vyncke (evyncke) wrote:
> >> OTOH, AFAIK Microsoft does not run netbios anymore (so no netbios
> >> over IPv6 hence no need to block 137-139)
> >>
> >
> > Are you sure about this? The windows 7 machine I have here at home says the
> same thing windows has said since w2k for "NetBIOS over TCP" in the IP-
> >adapter bindings - to honour the DHCP-supplied config for NetBIOS-over-tcp,
> and to enable it if no setting is given or using static IPs.
> >
> > Certainly a windows 7 machine here at home listens on port 135 by default.
> There's no port 139 listener, but I think that's because I've got no shares
> published.
> >
> > There are, of course, lots of devices that listen on 139 that aren't
> windows machines (e.g. NASes) so I'd argue that 139 & 445 should be treated
> equivalently.



More information about the ipv6-ops mailing list