samba - Nov 2007 - blocked ports 445 and 139 make printer-shares very slow

Hi,

do ports 445 and 139 (incoming) have to be open for the samba server's
IP on WinXP client side (all WinXP clients are using netbios over
TCP/IP)? F-Secure 7.10 blocks all incoming microsoft-ds (445) and
netbios-ssn (139) by default, which ends up in very slow printer-shares
behaviour (for example opening the properties or the spool window of a
samba-printer takes up to 30 seconds).

For testing I opened ports 445 and 139 in the F-Secure firewall for the
IP of the samba server. This pushes the samba-print shares to a very
good speed at WinXP client side. Could someone explain that to me
please?

Thanks,
Marcus

Marcus Sobchak <lists@localguru.de> wrote:
> Hi,
> 
> do ports 445 and 139 (incoming) have to be open for the samba server's
> IP on WinXP client side (all WinXP clients are using netbios over
> TCP/IP)? F-Secure 7.10 blocks all incoming microsoft-ds (445) and
> netbios-ssn (139) by default, which ends up in very slow printer-shares
> behaviour (for example opening the properties or the spool window of a
> samba-printer takes up to 30 seconds).
> 
> For testing I opened ports 445 and 139 in the F-Secure firewall for the
> IP of the samba server. This pushes the samba-print shares to a very
> good speed at WinXP client side. Could someone explain that to me
> please?
> 
> Thanks,
> Marcus
> 
Marcus,

(1)  You don't want to open file sharing from the internet, you should
really restrict either to the local IP range on your private-network or
rethink your plan.  Either get a hardware firewall or a good hardware
router to help restrict your network from the outside.

(2)  You need to have at least one of those ports open 139 or 445 on
your network.  You can have both as well.  139 and 445 are the back ends
for the NETBIOS protocol.  I'm sure someone will correct me here, but
basically without it things will get very sluggish.

Good Luck,
-James
-- 
Scanned by ClamAV - http://www.clamav.net

Am Freitag, den 30.11.2007, 17:58 +0100 schrieb Marcus Sobchak
:
> Hi,
> 
> do ports 445 and 139 (incoming) have to be open for the samba server's
> IP on WinXP client side (all WinXP clients are using netbios over
> TCP/IP)? F-Secure 7.10 blocks all incoming microsoft-ds (445) and
> netbios-ssn (139) by default, which ends up in very slow printer-shares
> behaviour (for example opening the properties or the spool window of a
> samba-printer takes up to 30 seconds).
> 
> For testing I opened ports 445 and 139 in the F-Secure firewall for the
> IP of the samba server. This pushes the samba-print shares to a very
> good speed at WinXP client side. Could someone explain that to me
> please?
here is a part of the samba log for the connecting WinXP client to the
local samba domain, trying to open the spool for a print share. Port 445
is blocked by the WinXP client, so samba can't connect, which seems to
be the reason for aboved slow behavior at client side.

--------
[2007/11/30 23:07:49, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.239)
[2007/11/30 23:07:49, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.239)
[2007/11/30 23:07:57, 1] lib/util_sock.c:open_socket_out(896)
  timeout connecting to 192.168.239:445
[2007/11/30 23:08:06, 1] lib/util_sock.c:open_socket_out(896)
  timeout connecting to 192.168.239:139
[2007/11/30 23:08:06, 1] libsmb/cliconnect.c:cli_connect(1369)
  Error connecting to 192.168.239 (Die Operation wird bereits ausgef
[2007/11/30 23:08:06, 1] libsmb/cliconnect.c:cli_start_connection(1430)
  cli_start_connection: failed to connect to VM-RC01<20> (192.168.239)
[2007/11/30 23:08:06, 2]
rpc_server/srv_spoolss_nt.c:spoolss_connect_to_client(2551)
  spoolss_connect_to_client: connection to [VM-RC01] failed!
--------