ACL allowing some traffic with DENY
Good day all,
I have been trying to apply ACLs to a vlan interface and have not been able to make it work,
I configured them as follows:
Extended IP access list 160
10 deny ip 10.0.0.0 0.0.255.255 10.0.24.0 0.0.0.255
20 permit ip 10.0.24.0 0.0.0.255 host 8.8.8.8 log
30 deny ip 10.0.24.0 0.0.0.255 any
40 deny icmp 10.0.24.0 0.0.0.255 any
50 deny ip any any
Extended IP access list 161
10 deny ip host 4.2.2.2 10.0.24.0 0.0.0.255
20 deny ip host w.x.y.z 10.0.24.0 0.0.0.255 - firewall outside address
30 permit icmp host 10.0.2.3 any
40 deny icmp any any (5 matches)
50 deny ip any any
60 deny udp any any
interface Vlan600
ip address 10.0.24.3 255.255.255.0
ip access-group 161 in
ip access-group 160 out
no ip route-cache cef
no ip route-cache
no ip mroute-cache
end
The problem is that I can still ping 4.2.2.2 and 8.8.8.8, which I only want to limit to 8.8.8.8. I was also able to ping yahoo.com and others. The pings from the other subnets fail and any from the 24 subnet to the external address of the firewall fail, which are both required results.
I tried to debug the ping test with the debug ip packet command but didn't see anything show up on my log server. I then tried the same lines in a program called acl editor simulator and it comes up as a no match. Can someone please help me figure out how to block all web and 4.2.2.2 traffic in and out.
Thanks
Michael
Michael
It looks to me like you have your in and out reversed. VLAN 600 is subnet 10.0.24.0. In access list 160 we find that 10.0.24.x are the source addresses. So this access list should be applied as "inbound". And in access list 161 we find that references to subnet 10.0.24.0 have it as the destination, so it should be applied as "outbound".
So if you change the access-group configurations and apply 160 in and 161 out you should find more hits in the access lists.
But even if you change the direction of the access lists there will not be any successful traffic in and out of the subnet. I note that access list 160 has only a single line with a permit statement and it permits traffic to host 8.8.8.8. I also note that access list 161 has only a single line with a permit statement. And it permits only ICMP packets from host 10.0.2.3. So the amount of traffic permitted will be very small.
HTH
Rick
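Rick's point about direction can be checked by walking a ping through both lists with first-match evaluation. This is an added example, not code from the thread; it assumes the packets are routed through interface Vlan600, uses a constructed host 10.0.24.5, and substitutes 203.0.113.1 for the redacted w.x.y.z address.

```python
import ipaddress

# ACL entries as posted in the thread. The "w.x.y.z" firewall address in
# ACL 161 line 20 is redacted on the page; 203.0.113.1 is a constructed stand-in.
ACL_160 = """
10 deny ip 10.0.0.0 0.0.255.255 10.0.24.0 0.0.0.255
20 permit ip 10.0.24.0 0.0.0.255 host 8.8.8.8 log
30 deny ip 10.0.24.0 0.0.0.255 any
40 deny icmp 10.0.24.0 0.0.0.255 any
50 deny ip any any
"""
ACL_161 = """
10 deny ip host 4.2.2.2 10.0.24.0 0.0.0.255
20 deny ip host 203.0.113.1 10.0.24.0 0.0.0.255
30 permit icmp host 10.0.2.3 any
40 deny icmp any any
50 deny ip any any
60 deny udp any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return to_int(tokens.pop(0)), 0
    return to_int(first), to_int(tokens.pop(0))

def parse_acl(text):
    """Parse 'SEQ ACTION PROTO SRC DST [log]' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        rest = tokens[3:]
        src = parse_addr(rest)
        dst = parse_addr(rest)  # anything left over (e.g. "log") is ignored
        rules.append((seq, action, proto, src, dst))
    return rules

def addr_match(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; compare only the other bits."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def evaluate(rules, proto, src, dst):
    """First matching entry wins; implicit deny if nothing matches."""
    for seq, action, rule_proto, rule_src, rule_dst in rules:
        if (rule_proto in ("ip", proto)
                and addr_match(src, rule_src) and addr_match(dst, rule_dst)):
            return action, seq
    return "deny", None

def ping_trace(acl_in, acl_out, host, target):
    """Echo request enters the SVI from the VLAN (in ACL); the echo reply
    leaves the SVI toward the VLAN (out ACL). Returns both verdicts."""
    request = evaluate(parse_acl(acl_in), "icmp", host, target)
    reply = evaluate(parse_acl(acl_out), "icmp", target, host)
    return request, reply

if __name__ == "__main__":
    cases = (("as posted (161 in, 160 out)", ACL_161, ACL_160),
             ("swapped   (160 in, 161 out)", ACL_160, ACL_161))
    for label, acl_in, acl_out in cases:
        for target in ("8.8.8.8", "4.2.2.2"):
            print(label, target, ping_trace(acl_in, acl_out, "10.0.24.5", target))
```

With the directions as posted, both packets are decided by catch-all entries (161 line 40, 160 line 50), so the address-specific lines never count hits. After the swap the request to 8.8.8.8 matches 160 line 20, but the echo reply is dropped at 161 line 40, which is the second half of Rick's answer.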
Similar Messages
-
I created an ACL to allow SNMP traffic through. Once I applied it traffic does not pass. Should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
HMidkiff wrote:
I created an ACL to allow SNMP traffic through. Once I applied it traffic does not pass. Should be pretty simple. Below is what I used. I am using SNMP v2.
ip access-list extended ABC-ACL
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
Additional permit statements omitted.
Where is it applied, to a L3 switch VLAN interface or a router interface, which direction, etc.?
Is the SNMP traffic from a specific device? You could add a permit log for that specific device to see what ports it is using.
Also, where is the SNMP coming from in your ACL? If it is the x.x.0.0 network the ACL should be -
permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
etc..
Jon
-
WAAS IP ACL not matching traffic
Hi,
I'm trying to configure some ip access-lists on a WAAS but it seems that it's not matching the traffic.
interface InlineGroup 1/0
inline vlan all
ip access-group test in
exit
ip access-list extended test
deny icmp any any
exit
I'm still able to ping wherever I want.
Any ideas? Or is it not possible to handle traffic with ACLs like that on WAAS?
Thanks,
Markus
Hi Markus,
Interface ACL—Applied on the built-in, port channel, standby, and inline group interfaces. This type of ACL is intended to control management traffic (Telnet, SSH, and Central Manager GUI). The ACL rules apply only to traffic that is destined for the WAE or originates from the WAE, not WCCP transit traffic. Use the ip access-group interface configuration command to apply an interface ACL.
As explained above, the ACL rules apply only to traffic destined to the WAE or originated from the WAE and not to transit traffic. Hope this helps.
Thanks,
Rajesh
-
Sshd ignores /etc/hosts.allow and /etc/hosts.deny
Hello everyone,
I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
These are my settings:
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
# some nfs daemons: 192.168.1.0/255.255.255.0
sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
mysqld: 192.168.1.0/255.255.255.0
/etc/hosts.evil:
195.113.21.131
60.10.6.53
A simple experiment to verify the settings:
[root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
warning: sshd: no such process name in /etc/xinetd.conf
client: address 195.113.21.131
server: process sshd
matched: hosts.deny line 5
access: denied
[root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
warning: sshd: no such process name in /etc/xinetd.conf
client: address 195.113.21.130
server: process sshd
matched: hosts.allow line 10
access: granted
This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such a trouble, please give me a hint.
elasticdog wrote:
So should our package not have the ListenAddress 0.0.0.0 line uncommented by default? My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid. That way users don't have to specify their local IP address. Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless of the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.
-
Allow IPSEC traffic thru 871?
I am using Cisco 871's with Advanced IP Sec IOS for remote offices. I need to allow IPSEC traffic to pass thru the 871 to establish a client IPSEC tunnel. The client VPN software is Nortel's Contivity VPN.
How can I allow IPSEC traffic to pass thru the 871?
If you are initiating VPN client connectivity from behind the 871 to outside you need to allow through the IPsec ports udp 500, udp 4500 and protocol 50 esp. I don't know Nortel's VPN client but I'm sure they follow the IPsec security standards.
Try this on your 871 router.
access-list 101 permit udp any any eq 500 log
access-list 101 permit udp any any eq 4500 log
access-list 101 permit esp any any log
Apply acl-101 to your outbound interface:
ip access-group 101 in
HTH
Jorge
-
Firewall Allow all traffic on lan
Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.
dtich wrote:
thx dean, yes, i had certainly looked at the log, which shows these entries:
Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
traceroute gives me:
traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
if i allow 169.254.x.x, i still get no joy.
mean anything else to you?
yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
Not sure why the device in particular is trying port 138 unless it's a Windows box maybe? Is en0 on your local network or external?
-
Firewall blocks Airplay (even under 'allow all traffic')
Hi every body,
I am somewhat at the end of my knowledge. I have a Mac mini server running Lion 10.7.2 server. Interestingly, my server's firewall blocks
a) all AirPlay traffic and
b) 'reading Airport configuration' requests
even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
Any help would really be appreciated.
Thanks a lot.
Nonresidentalien
P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success
Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):
reptilehouse:~ sascha$ sudo ip6fw show
01000 285 96163 allow ipv6 from any to any via lo0
01100 66 5750 allow ipv6 from any to ff02::/16
65000 0 0 deny ipv6 from any to any
65535 6 306 allow ipv6 from any to any
As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
reptilehouse:~ sascha$ sudo ip6fw delete 65000
To confirm, show the rule table again and you should see 65000 is gone:
reptilehouse:~ sascha$ sudo ip6fw show
01000 285 96163 allow ipv6 from any to any via lo0
01100 66 5750 allow ipv6 from any to ff02::/16
65535 6 306 allow ipv6 from any to any
Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
What I don't know is whether this is sticky, e.g. survives a reboot.
-
Allow external traffic to access internal computers
We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
ASA Version 8.4(3)
hostname ciscoasa
domain-name default.domain.invalid
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 152.18.75.132 255.255.255.240
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object network a-152.18.75.133
host 152.18.75.133
object network a-10.2.1.2
host 10.2.1.2
object-group network ext-servers
network-object host 142.21.53.249
network-object host 142.21.53.251
network-object host 142.21.53.195
object-group network ecomm_servers
network-object 142.21.53.236 255.255.255.255
object-group network internal_subnet
network-object 10.2.1.0 255.255.255.0
access-list extended extended permit ip any any
access-list extended extended permit icmp any any
access-list extended extended permit ip any object-group ext-servers
access-list acl_out extended permit tcp any object-group ecomm_servers eq https
access-list outside_in extended permit ip any host 10.2.1.2
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.2.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.2.1.2 255.255.255.255 inside
ssh 122.31.53.0 255.255.255.0 outside
ssh 122.28.75.128 255.255.255.240 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
dhcpd address 10.2.1.2-10.2.1.254 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
: end
ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
translate_hits = 1, untranslate_hits = 112
ciscoasa(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
translate_hits = 1, untranslate_hits = 113
ciscoasa(config)#
Okay I will bite.
Assuming you have
a. dynamic pat rule for lan users-devices to reach the internet
(missing ???????????????
(should look like a nat rule that makes two entries when you make the one rule)
(with router set at defaults it may make this rule for you already in place)
-object bit
object network obj_any_inside
subnet 0.0.0.0 0.0.0.0
and rule bit
object network obj_any_inside
nat (inside,outside) dynamic interface
b. route rule - tells asa next hop is IP gateway address
route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
c. Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
object bit
object network natforward4server
host 10.2.1.2
Nat bit
object network natforward4server
nat (inside,outside) static interface service tcp 443 443
d. Nat for translated port.
If you had wanted to translate a port, let's say you have external users that can only use port 80 but need to access https
object bit
object network natfortransl4server
host 10.2.1.2
Nat bit
object network natfortransl4server
nat (inside,outside) static interface service tcp 443 80
-
how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
for example, allow JPEG, MOV, AVI data flow from outside to inside
but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside
how to configure?
Hi,
The ZBF link sent earlier shows how we can inspect the URI in an http request
parameter-map type regex uri_regex_cm
pattern ".*cmd.exe"
class-map type inspect http uri_check_cm
match request uri regex uri_regex_cm
ZBF is the feature on Cisco routers and ASA; though the concepts are a little the same, they work differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you try to restrict .exe files from a p2p application that won't be possible, but on a router you have some applications for p2p in NBAR and you can use it for file filtering. Please check the configuration examples for both devices.
Thanks
-
I am experiencing some major problems with my MacBook Pro. I have had some issues with it turning on/off at random times, but today, when starting, I get the grey start-up screen and a recovery bar. After filling in approx 1/4 of the way, the machine dies. After starting it in recovery mode, it will not allow me to download OS X Mavericks- it says the disk is locked. Any ideas? I do not have a back-up and do not want to erase everything before I have explored my options. Help?
try forcing internet recover, hold 3 keys - command, option, r - you should see a spinning globe
most people will tell you to do both pram and smc resets (google) and if you still have issues, either clean install (easy) or troubleshoot (hard)
-
Need some help with a fundamental concept of nat'ing/routing
I have the following code on an ASA5500 pair with very down-level code. 7.1.2.
Here is a snippet of the ruleset:
interface GigabitEthernet0/1.40
description Production Servers Network
vlan 40
nameif Production
security-level 40
ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks coming in via the Production interface will NOT be Nat'ed.
My next question is will that traffic be routed through that interface Production using the original IP addresses, or will that traffic NOT be routed anywhere?
I don't want that traffic to be routed, but am concerned since these access list commands permit IP traffic between the networks, this traffic will be routed.
Thanks for responses, but they confuse me more.
It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.
From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be Nat'ed, but it will route because the access list explicitly allows IP traffic sourced from the 192.168.3.0 network to reach the 192.168.20.0 network.
However, this is not what is currently happening in the networks, as far as I have been told.
Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.
1. There is no access list explicitly associated with the Production interface, as can be seen through the definition in my first post.
2. More complete code:
object-group network network_vpn
description VPN IP's
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
nat (Production) 0 access-list Production_nat0_inbound outside
nat (Production) 1 172.20.0.0 255.255.0.0
Use the 3rd last line in the access-list no-nat commands as an example.
As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit not NAT'ed, but with the original IP addresses, assuming routing is configured between these networks? I guess my related question would be: is routing not implicitly turned on between these networks?
3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks.
-
I am facing some problem with my ipod videos
I am facing some problem with my ipod videos
Because many apps are not compatible with your old device
To more easily find compatible apps:
iOSSearch - search the iTunes store for compatible apps.
Apple Club - filter apps by iOS version.
Starting when iOS 7 was released, Apple now allows downloading the last compatible version of some apps (iOS 4.2.1 and later only)
App Store: Downloading Older Versions of Apps on iOS - Apple Club
App Store: Install the latest compatible version of an app
You first have to download the non-compatible version on your computer. Then when you try to purchase the version on your iPod you will be offered a compatible version if one exists. -
Not allow any application with ip address login to db
Dear sir,
Is there any way to not allow any application with ip address login to db?
such as not allow from client with ip 192.168.5.xxx and toad .
db version 9.2.0.8
os solaris 9, 64 bit
Thanks in advance
Chara
Not sure if there is really a reliable way to restrict Oracle connection based on application name: see following thread:
Denying login via all applications to oracle-server
-
Message edited by: Mauricio Galletti
It seems that there's some problem with the specific date of 19/10/2014? Don't know why. I just removed this date from the interval and the problem was gone.
What's wrong with 19/10/2014?
Hello Galdr,
Welcome to the HP Forums.
I see that after doing some updates, you've lost the use of switchable graphics in your Notebook. I will do my best to help you with this.
What you can try is to use the HP Recovery Manager. This will allow you to "recover" the Notebook and reinstall the original drivers. This document: Using Recovery Manager to Restore Software and Drivers (Windows 7), can assist you with that.
Once the drivers are "reverted", then if you wish you can attempt updating.
The first thing I will provide you in regards to updating is this document: Switchable Graphics on Notebooks Configured with Dual AMD GPUs. There is more general information than anything, but you may find it useful.
When going to update you will want to use the website or the HP Support Assistant. These are the recommend ways to update. When using AMD's (or other OEM utilities) they will look for compatible drivers for the component, but not necessarily ones that work with your Notebook. What most likely happened, only one of the two drivers were actually updated.
Here is a link to the newest driver provided by HP: AMD High-Definition (HD) Graphics Driver. Also, here's a link to using the HP Support Assistant: Using HP Support Assistant (Windows 7). (in case you wanted to learn more/use this method).
I hope this is able to help you get back to "state 1", so that you may be able to update correctly and have full functionality of your switchable graphics again. Please let me know how this goes for you. Thank you for posting on the HP Forums.
I worked on behalf of HP.
-
Query Designer slows down after working some time with it
Hi all,
the new BEx Query Designer slows down when working some time with it. The longer it remains open, the slower it gets. Especially formula editing slows down extremely.
Did anyone of you encounter the same problem? Do you have an idea, how to fix this. To me it seems as if the Designer allocates more and more RAM and does not free that up.
My version: BI AddOn 7.X, Support Package 13, Revision 467
Kind regards,
Philipp
I have seen a similar problem on one of my devices, the 'Samsung A-920'. Every time the system would pop up the 'Will you allow Network Access' screen, the input from all keypresses from then on would be strangely delayed. It looked like the problem was connected with the switching from my app and the system dialog form. I tried for many many long hours / days to fix this, but just ended up hacking my phone to remove the security questions. After removing the security questions my problem went away.
I don't know if it's an option in your application, but is it possible to do everything using just one Canvas, and not switch between displayables? You may want to do an experiment using a single displayable Canvas, and just change how it draws. I know this will make user input much more complicated, but you may be able to avoid the input delays.
In my case, I think the device wasn't properly releasing / un-registering the input handling from the previous dialogs, so all keypresses still went through the non-current network-security dialog before reaching my app.