ACL allowing some traffic with DENY

Similar Messages

• ACL to allow SNMP traffic

  I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.
  ip access-list extended ABC-ACL
  permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
  permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
  permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
  Additional permit statements omited.

  HMidkiff wrote:I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.ip access-list extended ABC-ACL
  permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
  permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
  permit icmp X.X.0.0 0.0.255.255 host SERVER_IPAdditional permit statements omited.
  HMidkiff wrote:I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.ip access-list extended ABC-ACL
  permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
  permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
  permit icmp X.X.0.0 0.0.255.255 host SERVER_IPAdditional permit statements omited.
  Where it is applied it to a L3 switch vlan interface or a router interface, which direction etc.,.
  Is the SNMP traffic from a specific device, you could add a permit log for that specific device to see what ports it is using.
  Also, where is the SNMP coming from in your acl ? if it is the x.x.0.0 network the acl should be -
  permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
  etc..
  Jon

• WAAS IP ACL not matching traffic

  Hi,
  i'm trying to configure some ip access-lists on a WAAS but it seems that it's not matching the traffic.
  interface InlineGroup 1/0 inline vlan all
  ip access-group test in exit
  ip access-list extended test deny icmp any any
  exit
  Im still able to ping wherever i want.
  Any ideas? Or is it not possible to handle traffic with ACLs like that on WAAS?
  Thanks,
  Markus

  Hi Markus,
  Interface ACL—Applied on the built-in, port channel, standby, and inline group interfaces. This type of ACL is intended to control management traffic (Telnet, SSH, and Central Manager GUI). The ACL rules apply only to traffic that is destined for the WAE or originates from the WAE, not WCCP transit traffic. Use the
  ip access-group interface configuration command to apply an interface ACL.
  As explained above the ACL rule apply only to traffic destined to the WAE or originated from the WAE and not for transit traffic. Hope this helps.
  Thanks,
  Rajesh

• Sshd ignores /etc/hosts.allow and /etc/hosts.deny

  Hello everyone,
  I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
  These are my settings:
  /etc/hosts.deny:
  ALL: ALL
  /etc/hosts.allow:
  # some nfs daemons: 192.168.1.0/255.255.255.0
  sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
  mysqld: 192.168.1.0/255.255.255.0
  /etc/hosts.evil:
  195.113.21.131
  60.10.6.53
  A simple experiment to verify the settings:
  [root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
  warning: sshd: no such process name in /etc/xinetd.conf
  client: address 195.113.21.131
  server: process sshd
  matched: hosts.deny line 5
  access: denied
  [root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
  warning: sshd: no such process name in /etc/xinetd.conf
  client: address 195.113.21.130
  server: process sshd
  matched: hosts.allow line 10
  access: granted
  This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
  This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such a trouble, please give me a hint.

  elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That was users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
  This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.

• Allow IPSEC traffic thru 871?

  I am using Cisco 871's with Advanced IP Sec IOS for remote offices. I need to allow IPSEC traffic to pass thru the 871 to establish a client IPSEC tunnel. The client VPN software is Nortel's Contivity VPN.
  How can I allow IPSEC traffic to pass thru the 871?

  If you are initiating vpn client connectivity from behind the 871 to outside you need to allow through the IPsec ports udp 500, udp 4500 and protocol 50 esp. I don't know Nortel's vpn client but Im sure they follow the Ipsec security standards.
  try this on your 871 router.
  access-list 101 permit udp any any eq 500 log
  access-list 101 permit udp any any eq 4500 log
  access-list 101 permit esp any any log
  apply acl-101 to your outbound interface
  access-group 101 in
  HTH
  Jorge

• Firewall Allow all traffic on lan

  Is there a way to make a firewall rule to allow all traffic on en1? I have my ip ranges set to allow all traffic, but I still have to turn the firewall off for DHCP to give IP addresses to new devices on the network.

  dtich wrote:
  thx dean, yes, i had certainly looked at the log, which shows these entries:
  Nov 11 21:49:25 north-knoll-server ipfw[8789]: 65534 Deny UDP 169.254.14.242:138 169.254.255.255:138 in via en0
  but i have no idea where 169xxx is, nothing on my lan... if the port is 65534, that's an ftp passive port, tried opening that, doesn't solve the problem. if the port is 138, that's netbios, which would be odd, but i tried opening that too. nothing doing. can't figure it out. and the log really isn't helping too much.
  traceroute gives me:
  traceroute to 169.254.14.242 (169.254.14.242), 64 hops max, 40 byte packets
  1 169.254.14.242 (169.254.14.242) 0.593 ms 0.504 ms 0.195 ms
  so, i guess that's some internal address that my router uses or something..?? wacky. i'm out of my depth here.
  if i allow 169.254.x.x, i still get no joy.
  mean anything else to you?
  yeah, 169.254.x.x is part of the zeroconf net address range. (See http://en.wikipedia.org/wiki/Zeroconf for more details)
  Not sure why the device in particular is trying port 138 unless it's Windows box maybe? Is en0 on your local network or external?

• Firewall blocks Airplay (even under 'allow all traffic')

  Hi every body,
  I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my the server's firewall blocks
  a) all airplay traffic and
  b) 'reading Airport confirguration' requests
  even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
  Any help would really be appreciated.
  Thanks a lot.
  Nonresidentalien
  P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

  Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
  There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
  First, you want to show you the current IPv6 firewall rules. In my case they looked like this (10.7.2):
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65000          0          0 deny ipv6 from any to any
  65535          6        306 allow ipv6 from any to any
  As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
  reptilehouse:~ sascha$ sudo ip6fw delete 65000
  To confirm, show the rule table again and you should see 65000 is gone:
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65535          6        306 allow ipv6 from any to any
  Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
  What I don't know if whether this is sticky, e.g. survives a reboot.

• Allow external traffic to access internal computers

  We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
  ASA Version 8.4(3)
  hostname ciscoasa
  domain-name default.domain.invalid
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.2.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 152.18.75.132 255.255.255.240
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object network a-152.18.75.133
  host 152.18.75.133
  object network a-10.2.1.2
  host 10.2.1.2
  object-group network ext-servers
  network-object host 142.21.53.249
  network-object host 142.21.53.251
  network-object host 142.21.53.195
  object-group network ecomm_servers
  network-object 142.21.53.236 255.255.255.255
  object-group network internal_subnet
  network-object 10.2.1.0 255.255.255.0
  access-list extended extended permit ip any any
  access-list extended extended permit icmp any any
  access-list extended extended permit ip any object-group ext-servers
  access-list acl_out extended permit tcp any object-group ecomm_servers eq https
  access-list outside_in extended permit ip any host 10.2.1.2
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any echo-reply inside
  icmp permit 10.2.1.0 255.255.255.0 inside
  icmp permit any echo-reply outside
  icmp permit any outside
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.2.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh 10.2.1.2 255.255.255.255 inside
  ssh 122.31.53.0 255.255.255.0 outside
  ssh 122.28.75.128 255.255.255.240 outside
  ssh timeout 30
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.2.1.2-10.2.1.254 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
  : end
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 112
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 113
  ciscoasa(config)#

  Okay I will bite.
  Assuming you have
  a.  dynamic pat rule for lan users-devices to reach the internet
  (missing ???????????????
  (should look like a nat rule that makes two entries when you make the one rule)
  (with router set at defaults it may make this rule for you already in place)
  -object bit  
  object network obj_any_inside
  subnet 0.0.0.0 0.0.0.0
  and rule bit
  object network obj_any_inside
  nat (inside,outside) dynamic interface
  b.  route rule - tells asa next hop is IP gateway address
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  c.  Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
  object bit
  object network natforward4server
  host 10.2.1.2
  Nat bit
  object network natforward4server
  nat (inside,outside) static interface service tcp 443 443
  d. Nat for translated ort.
  If you had wanted to translate a port, lets say you have external users that can only use port 80 but need to access https
  object bitobject network natfortransl4server
  host 10.2.1.2
  Nat bit
  object network natfortransl4server
  nat (inside,outside) static interface service tcp 443 80

• How to allow some fixed extension go in from outside to inside but not allow go from inside to outside

  how to allow some fixed extension go in from outside to inside but not allow go from inside to outside
  for example, allow JPEG, MOV, AVI data flow from outside to inside
  but not allow JPEG, MOV, AVI files access or upload or get by outside, in another words not from inside to outside
  how to configure?

  Hi,
  The ZBF link sent earlier show how we can inspect URI in http request
  parameter-map type regex uri_regex_cm
     pattern “.*cmd.exe”
  class-map type inspect http uri_check_cm
     match request uri regex uri_regex_cm
  ZBf is the feature on Cisco routers and ASA though concepts are little same but works differently. However it is important that you can be more granular with the protocol (layer 7) inspection only. Like on ASA if you will try to restrict .exe file from a p2p application that won't be possible, But on router you have some application for p2p in NBAR and you can use it file filtering. Please check configuartion example for both devices.
  Thanks

• I am experiencing some major problems with my MacBook Pro. I have had some issues with it turning on/off at random times, but today, when starting, I get the grey start-up screen and a recovery bar. After filling in approx 1/4 of the way, the machine dies

  I am experiencing some major problems with my MacBook Pro. I have had some issues with it turning on/off at random times, but today, when starting, I get the grey start-up screen and a recovery bar. After filling in approx 1/4 of the way, the machine dies. After starting it in recovery mode, it will not allow me to download OS X Mavericks- it says the disk is locked. Any ideas? I do not have a back-up and do not want to erase everything before I have explored my options. Help?

  try forcing internet recover, hold 3 keys - command, option, r - you should see a spinning globe
  most people will tell you to do both pram and smc resets (google) and if you still have issues, either clean install (easy) or troubleshoot (hard)

• Need some help with a fundamental concept of nat'ing/routing

  I have the following code on an ASA5500 pair with very down-level code. 7.1.2.
  Here is a snippet of the ruleset:
  interface GigabitEthernet0/1.40
  description Production Servers Network
  vlan 40
  nameif Production
  security-level 40
  ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2
  access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
  nat (Production) 0 access-list no-nat
  Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks  coming in via the Production interface will NOT be Nat'ed.
  My next question is will that traffic be routed through that interface Production using  the original IP addresses, or will that traffic NOT be routed anywhere?
  I don't want that traffic to be routed, but am concerned since these access list commands permit IP traffic between the networks, this traffic will be routed.

  Thanks for responses, but they confuse me more.
  It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.
  From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be Nat'ed, but it will route because the access list explicitly allows IP traffic sourced  from the 192.168.3.0 network to reach the 192.168.20.0 network.
  However, this is not what is currently happening in the networks, as far as I have been told.
  Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.
  1. There is no access list explictly associated with the Production interface, as can be seen through the definition in my first post.
  2. More complete code:
  object-group network network_vpn
  description VPN IP's
  network-object 192.168.2.0 255.255.255.0
  network-object 192.168.3.0 255.255.255.0
  access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
  access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
  access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
  access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
  access-list no-nat extended permit ip 192.168.2.0  255.255.255.0 172.20.0.0 255.255.0.0
  access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
  access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
  access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
  access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
  access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
  access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
  access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
  nat (Production) 0 access-list no-nat
  nat (Production) 0 access-list Production_nat0_inbound outside
  nat (Production) 1 172.20.0.0 255.255.0.0
  Use the 3rd last line in the access-list no-nat commands as an example.
  As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit through not NAT'ed, but with the original IP addreses, assuming routing is configured between these networks? I guess my related question would be is routing not implictly turned on between these networks?
  3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks.

• I am facing some problem with my ipod videos

  I am facing some problem with my ipod videos

  Because many apps are not compatible with your old device
  To more easily find compatible apps:
  iOSSearch - search the iTunes store for compatible apps.
  Apple Club - filter apps by iOS version.
  Starting when iOS 7 was released, Apple now allows downloading the last compatible version of some apps (iOS 4.2.1 and later only)
  App Store: Downloading Older Versions of Apps on iOS - Apple Club
  App Store: Install the latest compatible version of an app
  You first have to download the non-compatible version on your computer. Then when you try to purchase the version on your iPod you will be offered a compatible version if one exists.

• Not allow any application with ip address login to db

  Dear sir,
  Is there any way to not allow any application with ip address login to db?
  such as not allow from client with ip 192.168.5.xxx and toad .
  db version 9.2.0.8
  os solaris 9, 64 bit
  Thanks for advance
  Chara

  Not sure if there is really a reliable way to restrict Oracle connection based on application name: see following thread:
  Denying login via all applications to oracle-server

• I´m having some problems with dates intervals. It´s not working well. I inserted the correct date between the right interval but the system refers to incorrect date? What shoul I do?

  Mensagem editada por: Mauricio Galletti
  It seens that there´s some problem with the specific date of 19/10/2014? Don´t know why? I just remove this date from the interval and the problem gone.
  What´s wrong with 19/10/2014?

  Hello Galdr,
  Welcome to the HP Forums.
  I see that after doing some updates, you've lost the use of switchable graphics in your Notebook. I will do my best to help you with this.
  You can try is to use the HP Recovery Manager. This will allow you to "recover" the Notebook and reinstall the original drivers. This document: Using Recovery Manager to Restore Software and Drivers (Windows 7), can assist you with that.
  Once the drivers are "reverted", then if you wish you can attempt updating.
  This first thing I will provide you in regards to updating is this document: Switchable Graphics on Notebooks Configured with Dual AMD GPUs. There is more general information than anything, but you may find it useful.
  When going to update you will want to use the website or the HP Support Assistant. These are the recommend ways to update. When using AMD's (or other OEM utilities) they will look for compatible drivers for the component, but not necessarily ones that work with your Notebook. What most likely happened, only one of the two drivers were actually updated.
  Here is a link to the newest driver provided by HP: AMD High-Definition (HD) Graphics Driver. Also, here's a link to using the HP Support Assistant: Using HP Support Assistant (Windows 7). (in case you wanted to learn more/use this method).
  I hope this is able to help you get back to "state 1", so that you may be able to update correctly and have full functionality of your switchable graphics again. Please let me know how this goes for you. Thank you for posting on the HP Forums.
  I worked on behalf of HP.

• Query Designer slows down after working some time with it

  Hi all,
  the new BEx Query Designer slows down when working some time with it. The longer it remains open, the slower it gets. Especially formula editing slows down extremely.
  Did anyone of you encounter the same problem? Do you have an idea, how to fix this. To me it seems as if the Designer allocates more and more RAM and does not free that up.
  My version: BI AddOn 7.X, Support Package 13, Revision 467
  Kind regards,
  Philipp

  I have seen a similar problem on one of my devices, the 'Samsung A-920'. Every time the system would pop up the 'Will you allow Network Access' screen , the imput from all keypresses from then on would be strangely delayed. It looked like the problem was connected with the switching from my app and the system dialog form. I tried for many many long hours / days to fix this, but just ended up hacking my phone to remove the security questions. After removing the security questions my problem went away.
  I don't know if it's an option in your application, but is it possible to do everything using just one Canvas, and not switch between displayables? You may want to do an experiment using a single displayable Canvas, and just change how it draws. I know this will make user input much more complicated, but you may be able to avoid the input delays.
  In my case, I think the device wasn't properly releasing / un-registering the input handling from the previous dialogs, so all keypresses still went through the non-current network-security dialog before reaching my app.