How to block netbiosd?


How to block netbiosd?

Postby takoateli » Thu Oct 20, 2011 8:30 pm

I've tried the built-in rules for blocking local IPv4 and IPv6 networks, I put in rules for blocking ports 137-139 and 445 and even a rule blocking netbiosd, and still I can't block NetBIOS activity emanating from netbiosd. How can I stop that?

What I'd really like to do is make my computer invisible to other Mac OS X users. I know I can't hide from someone sniffing traffic.

Can anyone tell me how to block NetBIOS as well as other protocols used by Mac OS X to announce its presence and share resources?

Greg


Re: How to block netbiosd?

Postby hagen » Thu Oct 20, 2011 10:03 pm

Here are a few things you can try. See if they do what you want.

If you have a default rule for nmblookup, allowing connections to port 137 (netbios-ns), disable it and substitute a "deny any connection" rule for nmblookup.

See this page from Apple about setting mDNSResponder to not advertise services: http://support.apple.com/kb/HT3789

You can also disable the default "allow any connection" rule for mDNSResponder, and then allow only connections you need. Connections to your ISP's DNS servers, for example.


Re: How to block netbiosd?

Postby takoateli » Thu Oct 20, 2011 10:36 pm

Thanks so much! That's a great start!

I'll post my findings.

Greg


Re: How to block netbiosd?

Postby takoateli » Thu Oct 20, 2011 11:18 pm

hagen wrote: Here are a few things you can try. See if they do what you want.

If you have a default rule for nmblookup, allowing connections to port 137 (netbios-ns), disable it and substitute a "deny any connection" rule for nmblookup.

See this page from Apple about setting mDNSResponder to not advertise services: http://support.apple.com/kb/HT3789

You can also disable the default "allow any connection" rule for mDNSResponder, and then allow only connections you need. Connections to your ISP's DNS servers, for example.


Hagen,

Thanks again! It's all quiet on the Western front now. I did set mDNSResponder not to advertise, and I had no rules for nmblookup, but I did have the default mDNSResponder allow-all rule, which I disabled, and I made a new rule for it to only allow our router's IP address since that's caching our DNS queries; it's that address that's given out for DNS in our DHCP leases.

Thanks!
Greg


Re: How to block netbiosd?

Postby hagen » Fri Oct 21, 2011 12:42 am

I'm glad it worked!

BTW, are you running Lion or Snow Leopard? This is what I do on Snow Leopard, and I'm curious if Lion works the same way.


Re: How to block netbiosd?

Postby takoateli » Sun Oct 23, 2011 10:16 pm

I'm using Lion.

I'm not sure it's working as I'd like. I'm seeing a lot of mDNSResponder traffic to and/or from local network addresses. I only see incoming traffic on LS's traffic indicator, but I know you don't always see low volume traffic on LS's traffic indicator.

If mDNSResponder was blocked completely, would I still see incoming traffic?

Thanks!
Greg


Re: How to block netbiosd?

Postby hagen » Mon Oct 24, 2011 3:04 pm

I don't think you can completely block mDNSResponder. It does DNS, and has something to do with local network traffic. But I don't have a network, or Lion, so I don't really know the details. Try it and see what happens.

LS preferences has a setting where you can choose to not show local network activity.

manfred
Objective Development

Re: How to block netbiosd?

Postby manfred » Sun Oct 30, 2011 1:07 pm

takoateli wrote: If mDNSResponder was blocked completely would I still see incoming traffic?


Yes, because Little Snitch filters outgoing connections only. Be aware that if you completely block mDNSResponder, you will most likely end up with an unusable operating system.
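
Because an outgoing-only filter does not cover sockets that accept incoming traffic, a local check of what is listening complements the rules discussed in this thread. The following is an added example, not part of any post above and not Objective Development's code: a shell function that filters `lsof -nP -i` output for listeners on the ports named in the thread. Port 5353 (mDNS) and the sample `lsof` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: report processes listening on the discovery/sharing ports
# discussed in the thread. Input is `lsof -nP -i` output on stdin.
# Ports 137-139 and 445 come from the thread; 5353 (mDNS/Bonjour) is added
# here as an assumption about what mDNSResponder listens on.
WATCH_PORTS="137 138 139 445 5353"

discovery_listeners() {
    awk -v ports="$WATCH_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "COMMAND" { next }                        # lsof header row
        {
            proto = $8; name = $9; state = $10
            if (proto != "TCP" && proto != "UDP") next
            if (proto == "TCP" && state != "(LISTEN)") next   # skip established flows
            sub(/->.*/, "", name)                       # keep the local endpoint only
            port = name; sub(/.*:/, "", port)           # text after the last colon
            if (port in watch) print $1, proto, port
        }' | sort -u
}

# Constructed sample (not captured from a real machine).
SAMPLE='COMMAND   PID USER            FD  TYPE DEVICE SIZE/OFF NODE NAME
mDNSRespo  53 _mdnsresponder  8u  IPv4 0x01   0t0      UDP  *:5353
netbiosd   87 _netbios        4u  IPv4 0x02   0t0      UDP  *:137
netbiosd   87 _netbios        5u  IPv4 0x03   0t0      UDP  *:138
launchd     1 root           25u  IPv6 0x04   0t0      TCP  *:445 (LISTEN)
Safari    412 greg           12u  IPv4 0x05   0t0      TCP  192.168.1.20:51234->203.0.113.9:443 (ESTABLISHED)'

printf '%s\n' "$SAMPLE" | discovery_listeners
# On a live system: sudo lsof -nP -i | discovery_listeners
```

Any line it prints is a socket that other hosts on the local network can reach regardless of outgoing rules.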

