XP SP3 Firewall issue: Firewall log states random destination ports for several inbound protocols??
Hello all,

I wonder whether somebody out there could shed some light on a headache of an issue I have come across at the moment. Basically, I have the firewall switched on with a Windows XP SP3 machine via group policy, with exceptions for file and print services among many others. After reviewing the log file I have come across the following "drops" in the log (the host is 10.70.3.6):

(CIFS/SMB)
    2010-02-25 13:27:56 DROP TCP 101.10.0.1 10.70.3.6 445 1222 40 FA 2636819533 1676067885 65408 - - - RECEIVE

(NetBIOS Session)
    2010-02-25 13:07:54 DROP TCP 10.70.253.64 10.70.3.6 139 1187 48 SA 2161516396 1622943552 8192 - - - RECEIVE

Now it is important for me to explain that I am fully aware of what the source IP addresses are and this is not a security issue, but more of a question of why protocols are communicating like this, as it is impossible to provide firewall exception rules for this behaviour. I have researched the protocols and from my understanding the destination port should be static, i.e. NetBIOS session TCP 139, not 1187 as above. The source port can be variable, but not the destination.

Just for the record, I have seen trace logs of these protocol sessions working fine within the log, so it does work fine most of the time. Another important note to make is that I have found a pattern to this and it seems that the client is always classed as the "Destination IP" in all the dropped sessions I have seen. So I am wondering whether the source and destination port logs are the wrong way around, but then the local firewall would allow this through and I am not seeing that, although the official Microsoft TechNet library states the following (http://technet.microsoft.com/en-us/library/cc758040(WS.10).aspx):

    dst-port Displays the port number of the destination computer. Only TCP and UDP display a valid dst-port entry. All other protocols display a dst-port entry of -.
    src-port Displays the source port number of the sending computer. Only TCP and UDP display a valid src-port entry. All other protocols display a src-port entry of -.

Can anyone shed any light on this behavior, as I have googled far too much on this one.

Thanks
February 25th, 2010 6:16pm
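Added example (not from the original post): a small Python parser for the Windows Firewall log format quoted above, using the field order the firewall writes in its "#Fields:" header, which reads src-port, dst-port and the TCP flags together so that drops of a remote service's replies (service port as src-port, local ephemeral port as dst-port, ACK set) are separated from unsolicited inbound connection attempts. The sample data is constructed from the two entries in the post plus one invented SYN drop; the port-to-service map is an assumption.

```python
# Field order from the "#Fields:" header that the Windows Firewall writes
# to pfirewall.log (W3C extended log format).
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Assumption: the file/print service ports covered by the poster's exceptions.
SERVICE_PORTS = {139: "NetBIOS session", 445: "CIFS/SMB"}

# Constructed sample: the two DROP lines quoted in the post plus one invented
# unsolicited SYN towards port 445 for contrast.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-02-25 13:27:56 DROP TCP 101.10.0.1 10.70.3.6 445 1222 40 FA 2636819533 1676067885 65408 - - - RECEIVE
2010-02-25 13:07:54 DROP TCP 10.70.253.64 10.70.3.6 139 1187 48 SA 2161516396 1622943552 8192 - - - RECEIVE
2010-02-25 13:30:01 DROP TCP 10.70.9.9 10.70.3.6 2049 445 48 S 987654321 0 65535 - - - RECEIVE
"""


def parse_log(text):
    """Return one dict per data line; header lines and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # do not guess at truncated lines
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def classify(entry):
    """Label a TCP DROP by reading src-port, dst-port and the TCP flags together."""
    if entry["action"] != "DROP" or entry["protocol"] != "TCP":
        return "not a TCP drop"
    flags = entry["tcpflags"]
    src_port, dst_port = int(entry["src_port"]), int(entry["dst_port"])
    if "S" in flags and "A" not in flags:
        # Bare SYN arriving from outside: a genuine new inbound connection attempt.
        return "new inbound connection attempt"
    if src_port in SERVICE_PORTS and dst_port >= 1024 and "A" in flags:
        # The remote service port is the *source* and the local ephemeral port the
        # destination: the far end's SYN-ACK / FIN-ACK arriving at the client.
        return f"reply from {SERVICE_PORTS[src_port]} to local ephemeral port"
    return "other TCP drop"


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["time"], e["src_ip"], "->", e["dst_ip"], e["tcpflags"], classify(e))
```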
