To prevent NetBIOS traffic, which firewall ports should be blocked?

Study for the EC-Council Certified Ethical Hacker (CEH) v13 Exam. Utilize flashcards and multiple-choice questions with helpful hints and detailed explanations. Excel in your exam preparation!

Multiple Choice

To prevent NetBIOS traffic, which firewall ports should be blocked?

Explanation:
NetBIOS communications rely on a few well-known ports, so a firewall can effectively block NetBIOS traffic by closing those channels at the network edge. The ports to block in this context are 135, 139, and 445. Blocking 139 stops the NetBIOS session service, which is the primary way NetBIOS establishes connections. Blocking 445 prevents SMB over TCP, which is a common transport for Windows file and printer sharing that can carry NetBIOS-related traffic even without NetBIOS name resolution. Blocking 135 targets the RPC Endpoint Mapper, reducing RPC-based service discovery that can be involved in NetBIOS-related operations. Together, these blocks shut down the main pathways NetBIOS traffic would use across the network boundary, improving defense against exposure and lateral movement. (Note: NetBIOS name and datagram services use 137 and 138 as well, but the listed set captures the most impactful transport points for NetBIOS-related traffic in many environments.)

