32 Replies. Latest reply: Jan 28, 2016 4:05 AM by jalanb
AlpacaSaliva Level 1

Hi, I was getting to know what changed in Lion when I found that Netbiosd is set to Block incoming Connection under my Firewall Advanced Settings. I don't know what Netbiosd is or if I turned it to Block inadvertently or whether it is supposed to be set to Block. Could someone knowledgeable about such a thing let me know what Netbiosd is? And is it correct or wrong to have it set to Block? But please do it in layman's terms, I tried searching it on the web but everything is far too technical for me to understand. Thanks

Reply by wssz on Jul 31, 2011 1:19 PM Helpful

It's installed by Lion. It's a daemon that handles the netbios service, which handles communication across your LAN and has been around for ages.

While I don't know for sure how Lion makes use of it, I imagine it might be connected with AirDrop, which is a new sharing service in OS X 10.7. Again, that's just an assumption.

Hope that offers some help. You could try using AirDrop with the connection blocked. If it works, then leave it as is.

Reply by gen_ on Jun 20, 2013 2:36 AM Helpful

Network Basic Input/Output System.

NetBIOS is a communication protocol, sort of a language that computers talk to each other in. What disturbs me is that at least some communications seem to go directly out through this process and not the respective processes that initiated them.

That means NetBIOSd (the process, not the protocol) appears to have devolved (from a firewall/net security point of view) to be a method of bypassing your firewall; it seems that certain applications can ask NetBIOS to ping locations on its behalf... I do not know whether they are actually able to send data or not, but according to the specification of the protocol itself they should be able to. Even if they cannot, at the very least they can 'know' that they have been firewalled by using NetBIOS to ping the location on their behalf and seeing if it is unreachable too.

Due to the fact that NetBIOS is a Unix/BSD method of achieving said way, and was probably left in to make the Network Utility backend and not much else, I am inclined to block it. If any application whatsoever can make a connection via this daemon without the connection being traced back to that application, then a malicious application/user can most probably take advantage of it to contact a remote network once seeded/send out important user information/do any host of malicious things, all whilst looking like a humble part of the OSX system.

This is very much the problem that I used to have in Windows with Services all being hosted as multiple svchost processes... very much destroying your ability to destroy them as you see fit in the event of a virus threat... not to mention COM events, which did just this and allowed applications to ask Windows to do things on its behalf. Many a good virus shut your system down using COM (as in locked you out) the moment they got hands on elevated privileges.

All replies

  • AlpacaSaliva Level 1

    I've made note that Netbiosd is a Unix Executable File located in the sbin folder and opens with Terminal and was created on Monday 13 June 2011, so it's fairly new or was reinstalled with something but that's still all meaningless to me since I don't know what it's for. Any help?

  • Marc Wilson Level 4

    AlpacaSaliva wrote:

    I tried searching it on the web but everything is far too technical for me to understand.

    Then why do you think you need to be messing with the firewall in the first place? Leave it alone, stop twisting knobs randomly.

  • AlpacaSaliva Level 1

    I didn't twist any knobs because I never said I touched it, just tried to figure it out. I like to learn about how my computer functions which is why I am in the firewall preference pane in the first place. Just because I said what I searched for was too technical for me to understand does not mean I am incapable of ever understanding if I get enough information.

    No thanks for your useless reply.

  • Oliver Christmann Level 1

    I'm not sure you're right.

    I'm wondering also. Why did this daemon try to connect to an address like 5.x.x.x?? If it's needed for my LAN, then I would expect only addresses 192.168.x.x. And lots of other unknown addresses!

    I'm with AlpacaSaliva: why does netbiosd communicate with unknown IP addresses?

    Should I really allow it?

    Btw. I have no AirDrop in use.

  • Ackmo Level 1

    Oliver Christmann wrote:

    Why did this daemon try to connect to an address like 5.x.x.x?

    Did you ever find out why netbiosd was connecting to that address? I am also seeing it connect to a 5.x.x.x address and am trying to track this down.

  • Paul Weustink Level 1

    The mentioned address is used by the Hamachi VPN service. So it allows normal networking through a VPN connection across a secure link for instance to your work servers. Seems ok with me. Here is more info on the IP range itself (Wikipedia):

    "The 5.0.0.0/8 network is used to avoid collisions with private IP networks that might already be in use on the client side, specifically, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16."

    So if you do not have a VPN connection running, and do not have a VPN server listening (most unlikely that you have), everything is just fine.

  • Pilot_Pirx Level 1

    On my Mac netbiosd is trying to connect to 82.234.239.180 (UDP Port 2136).

    Does anybody know what netbiosd is supposed to do?

  • Ackmo Level 1

    Paul Weustink wrote:

    The mentioned address is used by the Hamachi VPN service.

    Thanks for the info. I found out that there is indeed someone running Hamachi VPN on our network and that is causing netbiosd to occasionally try to connect to the 5.x.x.x address.

  • molachai Level 1

    Using LittleSnitch I have received 3 alerts from netbiosd in the past week.

    I have denied all of them after a cursory lookup of the IP addresses using various tools (whois, traceroute).

    The blocked entries were:

    69.70.43.102, port 137

    82.186.105.146, port 47863

    125.239.135.130, port 53659

    Any idea why netbiosd is trying to contact these IP addresses?

    Lion 10.7.4, fully updated. MBP/i7 2.6/8GB
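
Added example, not part of any post in this thread: a Python sketch that sorts netbiosd firewall alerts like those reported above by destination range (the private ranges and 5.0.0.0/8 quoted in Paul Weustink's reply) and by whether the port is one of the NetBIOS ports 137-139. The alert line format, the sample addresses and the verdict labels are constructed for illustration and are not Little Snitch's real output.

```python
import ipaddress
import re

# Private ranges quoted in the thread; NetBIOS is normally a LAN protocol.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Range the thread attributes to Hamachi. It is also routed public address
# space, so a match is only a hint to look for a VPN client on the network.
HAMACHI_NET = ipaddress.ip_network("5.0.0.0/8")
NETBIOS_PORTS = {137: "name service", 138: "datagram", 139: "session"}
# Assumed one-line alert format (constructed, not a real firewall log format).
ALERT_RE = re.compile(r"^(?P<proc>\S+) -> (?P<ip>[\d.]+):(?P<port>\d+)$")

# Constructed sample alerts (documentation-range and made-up addresses).
SAMPLE_ALERTS = """\
netbiosd -> 192.168.1.20:137
netbiosd -> 5.1.2.3:139
netbiosd -> 203.0.113.7:137
netbiosd -> 198.51.100.9:47863
netbiosd -> 999.1.1.1:137
"""

def classify(ip_text, port):
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on bad input
    if any(ip in net for net in PRIVATE_NETS):
        scope, verdict = "lan", "expected"
    elif ip in HAMACHI_NET:
        scope, verdict = "hamachi-range", "check-vpn"
    else:
        scope, verdict = "internet", "review"
    service = NETBIOS_PORTS.get(port, "non-netbios")
    if service == "non-netbios":
        verdict = "review"  # netbiosd talking on a port outside 137-139
    return scope, service, verdict

def triage(text):
    """Classify every alert line; malformed lines are kept as 'unparsed'."""
    results = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        try:
            results.append((line, *classify(m["ip"], int(m["port"]))))
        except (TypeError, ValueError):  # no regex match or invalid address
            results.append((line, None, None, "unparsed"))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```
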

  • ClassyMacster Level 1

    Interesting that this thread has been active for over a year and not a single word from the Apple Elite.

  • Marc Wilson Level 4

    Hardly, since this is a user-to-user forum.

  • Graham Bailey Level 1

    As this thread is sorta close.

    I have Little Snitch installed, which I find really useful, every now and then something odd comes up, this: -

    "netbiosd wants to connect to 5.60.206.52" port 139 TCP!

    Flag went up...

    so I g@@gled and came up with a location in central CH, and "who is" has it as "plusnet" in Warsaw PL!

    What/why in the world does an obscure place in Poland need access via TCP - I am in England

    needless to say it shall be perma blocked unless I can get more info?

    Graham