We are using HIPS 7 Firewall to block NetBIOS requests between workstations on the same subnet, which will theoretically slow the spread of malware. We use the trusted network list to exempt the servers. Today, I had a user complaining that he couldn't open up a mapped network drive. After investigating, I found that the HIPS log from his workstation was recording the traffic as coming from source port 0. Since the rule allowing access to the servers only accounted for high-numbered source ports, he was being blocked.
Port 0 traffic is unusual, and I suspect that there is a difference in the configuration of his workstation. It also occurred to me that it might be a quirk of HIPS. Has anyone seen this problem before? I would appreciate any advice that anyone has for me.
Source Port 0 might indicate unsupported protocol traffic. Do you have the Firewall Option "Allow traffic for unsupported Protocols" enabled? This option will allow unsupported protocol traffic through the Firewall/NDIS drivers, instead of being blocked.
Thanks for the response. Actually, HIPS is saying that it is TCP. The log entry looks like this:
"Blocked Outgoing TCP - Source xx.xx.xx.xx : (0) Destination xx.xx.xx.xx : netbios-ssn (139)"