
Why does my computer keep opening netbios connections?

netbiosd keeps opening connections to random IP addresses (usually an overseas ISP). Since installing LittleSnitch I've blocked 5 of these connections (2 ISPs in the US, 1 ISP in Poland, 1 ISP in the UK), and am starting to become concerned that I might have some kind of malware.


I installed ClamXav and checked the whole hard drive with the latest definition, but it didn't come up with anything.


Any ideas?

MacBook Pro (15-inch Early 2011), Mac OS X (10.7.2)

Posted on Jan 10, 2012 6:41 PM

20 replies

Jul 10, 2012 9:57 AM in response to molachai

molachai wrote:


I was unable to determine inbound/outbound status. How do you do that in Little Snitch?

LS has an icon in the menu bar which lights green/red bars when there is inbound/outbound activity. If you hover the mouse over the bars a window will pop up listing the processes that were last active and you can cause that window to "stay visible" with a checkbox in the upper right corner or to show automatically on network activity and a few other choices with the gear icon on the upper left.

Aug 13, 2012 8:21 AM in response to Blutopia

hi all, fyi, netbiosd is part of apple's implementation of windows filesharing. it's a program that runs in the background and handles requests for access to your files if you're sharing them. for some reason, it runs even when you have windows filesharing turned off; i suppose it just answers requests saying something like, "yes, you contacted the windows filesharing server, but there's nothing here to be shared".


here's the story about the random connections people are describing here: out there on the internet, there are plenty of evil and virus-infected zombie botnet computers that go around randomly trying to break into people's computers. one of the most common things they do is look for openly-accessible windows fileshares, so they can go in there and do whatever they like.


most people are behind various routers and firewalls, so their macs never receive these intrusion attempts. but if you are directly connected to the internet, for example if you run PPPoE directly on your Mac, or your router has port-forwarding or dmz set up to allow incoming requests to your machine, you will.


so what people are seeing with little snitch is that every once in a while an evil computer somewhere on the net tries to connect to your windows filesharing. you don't see the incoming connection, because little snitch only deals with outgoing connections. so you only get notified of the outgoing connection of your netbiosd responding to the request for filesharing access. this should be harmless, since the answer is going to be "no way, buddy", if you have windows filesharing turned off.


still, it's probably best not to be communicating with botnet computers at all! so you have various options: you can deny incoming connections to netbiosd in the Mac firewall, you can set up another firewall (try "waterroof" or "icefloor"), you can get a router instead of using PPPoE directly, you can turn off port-forwarding in your router, you can disable the netbiosd altogether. you can find info about all these things by searching, i just wanted to explain what's going on...
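
The direct-connection case described in the reply above can be checked from the Mac itself. The following is an added example, not part of the original thread: it takes text in the format printed by `ifconfig` and `sudo lsof -nP -i` and reports netbiosd sockets bound to an address that sits directly on the internet. The function names and the sample output are constructed for illustration.

```python
import ipaddress
import re

# Ranges that cannot be reached from the internet unless a router forwards to them.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",    # RFC 1918 private
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]  # CGNAT, loopback, link-local

def public_addresses(ifconfig_text):
    """IPv4 addresses on local interfaces that are outside the ranges above."""
    found = re.findall(r"^\s+inet (\d+\.\d+\.\d+\.\d+)", ifconfig_text, re.M)
    return [a for a in found
            if not any(ipaddress.ip_address(a) in net for net in NON_PUBLIC)]

def netbiosd_sockets(lsof_text):
    """(protocol, local address, port) for each IPv4 socket held by netbiosd."""
    sockets = []
    for line in lsof_text.splitlines():
        f = line.split()  # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        if len(f) < 9 or f[0] != "netbiosd" or f[4] != "IPv4":
            continue
        addr, _, port = f[8].split("->")[0].rpartition(":")
        if port.isdigit():
            sockets.append((f[7], addr, int(port)))
    return sockets

def exposed(ifconfig_text, lsof_text):
    """Sockets a remote scanner can reach: bound to '*' or to a public address."""
    return [(ip, proto, port)
            for ip in public_addresses(ifconfig_text)
            for proto, addr, port in netbiosd_sockets(lsof_text)
            if addr in ("*", ip)]

# Constructed sample output. 203.0.113.7 is a documentation-range address
# standing in for the public IP a PPPoE session would be assigned.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.20 netmask 0xffffff00 broadcast 192.168.1.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
    inet 203.0.113.7 --> 203.0.113.1 netmask 0xffffff00
"""
SAMPLE_LSOF = """\
COMMAND  PID USER     FD TYPE DEVICE SIZE/OFF NODE NAME
netbiosd  71 _netbios 2u IPv4 0x01   0t0      UDP  *:137
netbiosd  71 _netbios 3u IPv4 0x02   0t0      UDP  *:138
mDNSResponder 40 _mdnsresponder 8u IPv4 0x03 0t0 UDP *:5353
"""

if __name__ == "__main__":
    for ip, proto, port in exposed(SAMPLE_IFCONFIG, SAMPLE_LSOF):
        print(f"netbiosd reachable from the internet on {ip} {proto}/{port}")
```

An empty result only rules out the direct-connection case; port-forwarding or a DMZ setting on the router is not visible from the Mac and has to be checked in the router's own configuration.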
