This function is included with IBM i 7.4 release, which will be generally available on June 21, 2019.
The support provided allows NetServer to start while the NetBIOS ports are restricted with the TCP/IP port restriction function. With this environment, NetServer will only accept connections over port 445.
The following commands will restrict the NetBIOS ports:
ADDTCPPORT PORT(137 139) PROTOCOL(*UDP) USRPRF(QSECOFR)
ADDTCPPORT PORT(137 139) PROTOCOL(*TCP) USRPRF(QSECOFR)
This support has also been made available in 7.2 and 7.3 with the following PTFs.
7.2 -- SI69106
7.3 -- SI69107
The text of the PTF cover letters is as follows. Please read carefully to understand the impacts.
OSP-INCORROUT Allow IBM i NetServer to start without NetBIOS
DESCRIPTION OF PROBLEM FIXED FOR APAR 'SE70621' :
-------------------------------------------------
IBM i NetServer requires NetBIOS support for the server to
start. NetBIOS is often flagged as a security vulnerability in
network security scans. If the user blocks NetBIOS ports
137-139 with port restrictions, NetServer will not start.
CORRECTION FOR APAR 'SE70621' :
-------------------------------
IBM i NetServer has been updated to allow the server to start
when ports 137-139 are blocked with port restrictions.
NetServer will send a warning message to the QSYSOPR message
queue to indicate that NetBIOS services are not available, but
the server job will start and accept TCP connections on port
445.
The IBM i NetClient file system (QNTC) relies on NetBIOS
services to auto-populate the /QNTC path with servers. Server
names will not be automatically added to the /QNTC path if the
NetBIOS ports are restricted. Servers can be added to the /QNTC
path manually with the Create Directory (MKDIR) command after
each system IPL. For example, MKDIR DIR('/QNTC/MyServer').
It is recommended that NetServer browse announcement support is
disabled when NetBIOS is blocked to prevent periodic LIC log
entries related to browse announcements.
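A client-side check of the state described above (NetBIOS TCP ports closed, port 445 accepting), as an added example that is not part of IBM's response or the PTF cover letter. The function names and the result layout are assumptions made for this sketch; UDP 137-138 is not probed because a silent UDP port is ambiguous from the client side.

```python
import socket

NETBIOS_TCP_PORTS = (137, 138, 139)  # TCP range restricted by the ADDTCPPORT command
SMB_DIRECT_PORT = 445                # the only port NetServer should accept on


def tcp_accepts(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable
        return False


def check_netserver_ports(host, smb_port=SMB_DIRECT_PORT,
                          netbios_ports=NETBIOS_TCP_PORTS, timeout=2.0):
    """Compare reachable ports with the state the port restriction should produce."""
    open_netbios = [p for p in netbios_ports if tcp_accepts(host, p, timeout)]
    smb_open = tcp_accepts(host, smb_port, timeout)
    findings = []
    if open_netbios:
        # Restriction missing, or NetServer was not restarted after adding it.
        findings.append("NetBIOS TCP port(s) still accepting: %s" % open_netbios)
    if not smb_open:
        # Without the PTF (or 7.4), NetServer does not start when 137-139 are blocked.
        findings.append("port %d not accepting; NetServer may not have started" % smb_port)
    return {"smb_open": smb_open, "open_netbios": open_netbios,
            "as_expected": not findings, "findings": findings}


if __name__ == "__main__":
    import sys
    result = check_netserver_ports(sys.argv[1])  # a system you administer
    for line in result["findings"] or ["NetBIOS TCP closed, port 445 accepting"]:
        print(line)
    sys.exit(0 if result["as_expected"] else 1)
```

The exit status is 0 only when all three NetBIOS TCP ports refuse connections and port 445 accepts, so the script can run as a post-change check after the restrictions are added and NetServer is restarted.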
Hi,
Good news: I believe you can disable NetBIOS whilst leaving CIFS running by following the following IBM guidance:
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020677
Bad news: If you are still running IBM i 7.1 and using NetServer, you have a much bigger problem, namely you have to have SMBv1 supported on your network! Whilst I do not believe IBM i is not vulnerable to SMBv1 exploits like EternalBlue (https://en.wikipedia.org/wiki/EternalBlue), I believe that most every other Operating System you have connecting to it is.
If this is the case, I believe you would be well advised to move to 7.2 or greater of IBM i (I know not of this OS/400 of which you speak ;->) where the same guidance given to disable NetBIOS applies but you can also disable SMBv1.
Hope that helps. Steve
Due to processing by IBM, this request was reassigned to have the following updated attributes:
Brand - Servers and Systems Software
Product family - Power Systems
Product - IBM i
Component - IFS (Integrated File System) and Servers
Operating system - IBM i
Source - None
For record keeping, the previous attributes were:
Brand - Servers and Systems Software
Product family - Power Systems
Product - IBM i
Component - Networking
Operating system - IBM i
Source - None
You could use the built-in OS/400 firewall for doing so.