XPe Firewall not blocking WINS traffic


Smedly Tonker

I recently decided to audit what internet traffic was being sent & received
by my embedded XP system. While capturing packets with Ethereal I noticed
that I was receiving WINS traffic through the XPe firewall (port scans from
various IPs from across the globe). I only have two exceptions in my firewall
rules - TCP port 7000 & UDP port 7000. Why am I getting WINS traffic through
my firewall?
 
Smedly Tonker said:
I recently decided to audit what internet traffic was being sent &
received by my embedded XP system. While capturing packets with
Ethereal I noticed that I was receiving WINS traffic through the XPe
firewall (port scans from various IPs from across the globe). I only
have two exceptions in my firewall rules - TCP port 7000 & UDP port
7000. Why am I getting WINS traffic through my firewall?

Because Windows knows best? Seriously, there are a number of ports that
the SP2 Firewall leaves open by default but hides in the firewall
configuration UI. Check out
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
and you'll see a number of open ports that you don't see in the UI. On
my machines, I see UDP 137, UDP 138, TCP 139 and TCP 3389 open by
default. (Also, the same ports are open by default in
...\FirewallPolicy\DomainProfile\.. so if you connect to a domain you
might want to check those out as well.)

Most of the ports are restricted to the LocalSubNet, but TCP 3389
(Remote Desktop Protocol) is not, so be aware.

Regards,

Dave
 
Dave R. said:
Because Windows knows best? Seriously, there are a number of ports
that the SP2 Firewall leaves open by default but hides in the firewall
configuration UI. Check out
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
and you'll see a number of open ports that you don't see in the UI.
On my machines, I see UDP 137, UDP 138, TCP 139 and TCP 3389 open by
default. (Also, the same ports are open by default in
..\FirewallPolicy\DomainProfile\.. so if you connect to a domain you
might want to check those out as well.)

Most of the ports are restricted to the LocalSubNet, but TCP 3389
(Remote Desktop Protocol) is not, so be aware.

I inadvertently left out TCP 445 as one of the hidden default open ports
in my original reply.

Regards,

Dave
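
An added example, not part of the original thread: a small audit that parses saved `reg query` output for the GloballyOpenPorts\List key named above and reports every enabled opening that is not one of the intended exceptions, marking the ones open to any source. It assumes the value data is stored as `port:protocol:scope:mode:name`; the sample output is constructed, and the function names and the name fields are hypothetical.

```python
import re
from typing import NamedTuple

class OpenPort(NamedTuple):
    profile: str
    port: int
    proto: str
    scope: str      # "*" (any source), "LocalSubNet", or an address list
    enabled: bool
    name: str

KEY_RE = re.compile(r"FirewallPolicy\\(\w+)\\GloballyOpenPorts\\List\s*$", re.I)
VAL_RE = re.compile(r"^\s+(\S+)\s+REG_SZ\s+(.+?)\s*$")

# Constructed sample of `reg query` output; the last field of each value is a placeholder.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    137:UDP     REG_SZ  137:UDP:LocalSubNet:Enabled:placeholder-137
    138:UDP     REG_SZ  138:UDP:LocalSubNet:Enabled:placeholder-138
    139:TCP     REG_SZ  139:TCP:LocalSubNet:Enabled:placeholder-139
    445:TCP     REG_SZ  445:TCP:LocalSubNet:Enabled:placeholder-445
    3389:TCP    REG_SZ  3389:TCP:*:Enabled:placeholder-3389
    7000:TCP    REG_SZ  7000:TCP:*:Enabled:app tcp
    7000:UDP    REG_SZ  7000:UDP:*:Enabled:app udp
"""

def parse_open_ports(text):
    """Parse `reg query` output into OpenPort records, tracking the current profile."""
    profile, ports = None, []
    for line in text.splitlines():
        key = KEY_RE.search(line)
        if key:
            profile = key.group(1)            # e.g. StandardProfile
            continue
        val = VAL_RE.match(line)
        if not (val and profile):
            continue
        fields = val.group(2).split(":", 4)   # port:proto:scope:mode:name (assumed layout)
        if len(fields) != 5 or not fields[0].isdigit():
            continue                          # skip malformed data rather than guess
        port, proto, scope, mode, name = fields
        ports.append(OpenPort(profile, int(port), proto.upper(), scope, mode.lower() == "enabled", name))
    return ports

def audit(ports, intended):
    """Return enabled openings whose (port, proto) is not in the intended set."""
    return [(p.profile, p.port, p.proto, "ANY-SOURCE" if p.scope == "*" else "SCOPED:" + p.scope)
            for p in ports if p.enabled and (p.port, p.proto) not in intended]
```

Calling `audit(parse_open_ports(SAMPLE), {(7000, "TCP"), (7000, "UDP")})` lists the five openings described in the replies above, with only TCP 3389 marked as open to any source.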
 