Editing protocol on existing policy

I have an existing policy that allows 'Any' protocol from one computer to another.
But I want to allow only certain ports, and I don't see a way to edit 'Any'.

I only want it to allow the ports used for file sharing:
https://superuser.com/questions/764623/what-port-or-ports-are-used-for-file-sharing-in-windows

Comments

  • edited February 2023

    There is no way to modify a policy the way you are hoping to.

    Normally all you need for Windows file sharing is an SMB policy. There is a predefined one you can use.
    Otherwise you need to create a Custom Packet Filter with the desired ports.
    Then create a policy using the predefined SMB Packet Filter or the new custom packet filter and remove the Any policy.

  • So there's no way to modify the current policy, so I have to delete this and use the SMB policy?

  • OK, thank you. Is there a reason why it's not possible to edit the policy? It would be easier, right, vs. having to delete and recreate?

  • It has been this way for as long as I know - prior to 1998.
    Just is.

  • You can modify a policy which uses a Custom Packet Filter, by modifying the Custom Packet Filter, which will in turn modify the policy which uses it.

  • ok thanks

  • edited August 2023

    Sorry for reopening this old post

    I tried the default SMB protocol, but when I do that the machine loses connection to the file share. I looked at netstat -bn on the file share, and I'm showing this below.

    10.0.0.240 is the file share server and 10.0.4.75 is the machine, and it looks like it's using port 53889 (I have Any for policy type now). So am I correct in assuming the correct port the machine is using for file share is port 53889?
    And if that's correct, I could take out the Any policy and just add 53889 port.

    When I google port 53889, this is what I get:

    Port 53889/TCP - Known port assignments (2 records found)
    Service: Dynamic and/or Private Ports (source: IANA)
    Service: Xsan, details: Xsan Filesystem Access (source: Apple)

  • TCP port 445 is the SMB port here.

  • Correct, port 445 is the SMB port on the file share server, but what does 53889 mean? I thought that's what the machine is using to access the file share.

  • edited August 2023

    I assume that it is the source port of the packet.
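As an added example (not from the thread or from WatchGuard), a small Python parser that reads netstat -n style rows and tells the ephemeral client port apart from the service port, which is what the 53889 vs 445 question above comes down to. The netstat output and the extra 3389 connection are constructed sample data, since the thread's real output is a screenshot.

```python
import re
from dataclasses import dataclass

# IANA dynamic/private range: clients pick a fresh source port here per connection.
EPHEMERAL_MIN, EPHEMERAL_MAX = 49152, 65535

# Windows 'netstat -n' connection row: proto, local addr:port, foreign addr:port.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)")

# Constructed 'netstat -bn' sample from the file server 10.0.0.240; 10.0.4.75 is the client.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.240:445         10.0.4.75:53889        ESTABLISHED
 [System]
  TCP    10.0.0.240:3389        10.0.0.10:61002        ESTABLISHED
"""

@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

def parse_netstat(text: str) -> list[Conn]:
    """Return the connection rows, skipping the header and the [process] lines of -b."""
    conns = []
    for line in text.splitlines():
        if m := _ROW.match(line):
            proto, lip, lport, rip, rport = m.groups()
            conns.append(Conn(proto, lip, int(lport), rip, int(rport)))
    return conns

def is_ephemeral(port: int) -> bool:
    return EPHEMERAL_MIN <= port <= EPHEMERAL_MAX

def service_end(conn: Conn) -> tuple[str, int]:
    """(server_ip, port) of the non-ephemeral side: the destination a policy must
    allow. The ephemeral side changes per connection and must never be hard-coded."""
    if is_ephemeral(conn.remote_port) and not is_ephemeral(conn.local_port):
        return conn.local_ip, conn.local_port
    if is_ephemeral(conn.local_port) and not is_ephemeral(conn.remote_port):
        return conn.remote_ip, conn.remote_port
    raise ValueError(f"cannot tell client from server: {conn}")

def required_rules(text: str, client_ip: str) -> set[tuple[str, str, int]]:
    """Distinct (proto, server_ip, dst_port) a policy needs for one client."""
    return {(c.proto, *service_end(c)) for c in parse_netstat(text)
            if client_ip in (c.local_ip, c.remote_ip)}
```

For the constructed sample, `required_rules(SAMPLE_NETSTAT, "10.0.4.75")` yields only TCP 445 to 10.0.0.240, and 53889 never appears in a rule.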

  • OK, thanks again for the feedback. I wonder why, then, when I allow the SMB policy, it's not working. I'll look at traffic monitor.

  • james.carson, Moderator, WatchGuard Representative

    If the connection is establishing (as your screenshot is showing) the firewall is likely allowing the connection and your issue is happening elsewhere.

    -James Carson
    WatchGuard Customer Support

  • The connection is establishing because I have the Any policy on the firewall, so it's allowing everything. But if I allow only the SMB policy, the machine can't access the files (it can ping the file share, but can't access any files). The folder becomes blank.

  • james.carson, Moderator, WatchGuard Representative

    @tantony Are there any deny logs on the firewall's traffic monitor? If the firewall is denying traffic it should show up there.

    -James Carson
    WatchGuard Customer Support

  • @james.carson ,

    This is the firewall policy I have set now [6]. I had [5] originally but it was not allowing access.

    There's a deny for blocking internet, and that's working. I don't see a deny for blocking SMB access. I'll disable 5 and re-enable 6; maybe I'll see what's blocking in traffic monitor then.

  • When I did that, I didn't see the policy name any more, and there were a bunch of Unhandled Internal Packet-00 entries.

  • edited August 2023

    I know the screenshots are hard to see.

    When it was working, it showed this in green:

    Member2 Allow 10.0.4.75 10.0.0.240 icmp CNC WiFi Trusted Allowed 60 254 (DMG Machines access to Ridge-Storage-01-00)

    When it's not working, this showed in red:

    Member2 Deny 10.0.4.75 10.0.0.240 icmp CNC WiFi Trusted Denied 60 254 (Unhandled Internal Packet-00)

  • I also tried turning off the Windows firewall on the file share server, but same result. Only the Any policy gives access to the network share, not SMB.

  • FYI - TCP port 8000 is in the Default Blocked Ports list.
    ICMP is probably Ping. One really needs to know the ICMP Type to know for sure.
