Allowing DNS UDP port 53

I am running DNS on a fileserver.
I want to allow only DNS lookups on port 53 for the UDP protocol.
However, this is not possible with BorderManager VPN (maybe a lack in the
TCP/IP stack?).
Now I need to authorize the UDP protocol for the whole server, which I do
not like. Issues occur, for example, in documents, where a nasty login
dialog of the Novell Client sometimes pops up. The client tries to
authenticate to eDirectory because the printers are defined as NDPS
printers. "net stop spooler" is the only way I know so far to get rid of the
login dialog, but this is a nasty workaround.
We are running BorderManager 3.8 SP5 on NetWare 6.5 SP5.
Does anyone know if it will be possible in the near future to restrict UDP by
port number?
Regards,
Herbert

In article <7FCpi.4115$[email protected]>, Herbert wrote:
> Does anyone know if it will be possible in the near future to restrict UDP by
> port number?
>
Do you mean in terms of traffic rules? As far as I know, that was only
planned for the TCP protocol, though I don't know why there would be a
limitation.
However, you could enable filtering on the DNS server itself and restrict
access to it from the VPN subnet to everything except UDP 53.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
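
A way to implement the filter Craig describes, as an added example that is not part of the original thread: the DNS host itself enforces that the VPN subnet may reach only DNS, while other subnets keep their normal access. It assumes a Linux host with nftables (the NetWare server in the question has no such facility; the point is the policy, not the platform) and a made-up VPN subnet 10.8.0.0/24. The rule list is rendered to an nftables ruleset and also evaluated in Python, so the policy can be unit-tested against the traffic that caused the trouble (the Novell Client's other UDP traffic to the server) before it is loaded. TCP/53 is allowed as well, because resolvers retry over TCP when a UDP answer is truncated; delete that rule for the strict UDP-only filter the original poster wanted.

```python
"""Host-side filter: a VPN subnet may reach this DNS server only on port 53.

Added example, not from the original thread. Assumes a Linux DNS host with
nftables; the VPN subnet 10.8.0.0/24 and the LAN address 192.168.1.20 used in
the demo are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

VPN_SUBNET = ip_network("10.8.0.0/24")  # constructed; substitute your VPN pool


@dataclass(frozen=True)
class Rule:
    saddr: IPv4Network      # source network this rule applies to
    proto: Optional[str]    # "udp", "tcp", or None for any protocol
    dport: Optional[int]    # destination port, or None for any port
    action: str             # "accept" or "drop"

    def matches(self, src: str, proto: str, dport: int) -> bool:
        """True if a packet (source address, protocol, dest port) hits this rule."""
        if ip_address(src) not in self.saddr:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def to_nft(self) -> str:
        """Render the rule as one line of an nftables chain."""
        parts = [f"ip saddr {self.saddr}"]
        if self.proto is not None and self.dport is not None:
            parts.append(f"{self.proto} dport {self.dport}")
        elif self.proto is not None:
            parts.append(f"meta l4proto {self.proto}")
        parts.append(self.action)
        return " ".join(parts)


# First match wins, as in an nftables chain. Only DNS from the VPN is allowed;
# TCP/53 is included because resolvers retry over TCP after a truncated UDP
# answer (remove it for the strict UDP-only filter the poster asked for).
POLICY: List[Rule] = [
    Rule(VPN_SUBNET, "udp", 53, "accept"),
    Rule(VPN_SUBNET, "tcp", 53, "accept"),
    Rule(VPN_SUBNET, None, None, "drop"),  # anything else from the VPN
]


def decide(src: str, proto: str, dport: int,
           policy: List[Rule] = POLICY, default: str = "accept") -> str:
    """Evaluate a packet against the policy. The chain policy is 'accept' so
    subnets other than the VPN keep their existing file-server access."""
    for rule in policy:
        if rule.matches(src, proto, dport):
            return rule.action
    return default


def render_nft(policy: List[Rule] = POLICY, table: str = "dns_guard") -> str:
    """Produce a ruleset loadable with 'nft -f <file>'."""
    lines = [
        f"table inet {table} {{",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
    ]
    lines += [f"        {rule.to_nft()}" for rule in policy]
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    # Constructed packets: a DNS query from the VPN, the client's other UDP
    # traffic (NCP over IP on port 524 is assumed here), and the same from the LAN.
    for pkt in [("10.8.0.10", "udp", 53), ("10.8.0.10", "udp", 524),
                ("192.168.1.20", "udp", 524)]:
        print(pkt, "->", decide(*pkt))
```

Running the script prints the ruleset and the verdict for each constructed packet; the VPN query on UDP 53 is accepted, the same host's UDP 524 is dropped, and the LAN host's UDP 524 is untouched. Keeping the policy as data and evaluating it in code before loading it is what makes a change like "also allow TCP 53" reviewable.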

Similar Messages

  • TCP/UDP ports and site used by FEP to download updates - needed to allow on perimeter firewall

    Can someone point me to information on which TCP/UDP ports are utilized by FEP and what DNS/site name it uses to download FEP updates? This is needed to tighten perimeter firewall policies.
    Thank you

    It should be the same as the documentation for all Software Updates:
    https://technet.microsoft.com/en-us/library/bcf8ed65-3bea-4bec-8bc5-22d9e54f5a6d#BKMK_ConfigureFirewalls
    Make sure to expand the "restrict access to specific domains" section to see the update related URLs.

  • Our IT Director will not allow the appropriate TCP and UDP ports to be opened on the district WAN

    I have about 30 Apple TV units and our IT Director will not allow the appropriate TCP and UDP ports to be opened on the district WAN. When our teachers try to log on to Apple TV to broadcast lessons, websites, etc., they are booted off the network after about 20 minutes.
    Any ideas for how I might solve this without having to hard-wire the Apple TV units?

    Honestly, you do not.
    Either the IT director will cave and allow the appropriate ports or it doesn't work.
    Hard wiring the ATVs will not rectify the problem. 

  • HT4814 TCP and UDP ports on router firewall to allow server-to-server administration running Mavericks and Server app 3.0?

    What TCP or UDP ports do I need to open on my router firewall to allow server-to-server administration running Mavericks and Server app 3.0?

    Also you may want to open tcp port 625 so that you can update the server's OD master.
    More info can be found here: http://support.apple.com/kb/ts1629  Well known TCP/UDP ports used by Apple Products.
    HTH
    - Leland

  • Noticed that my Mac mini is sending traffic to 70.38.54.77 on sequential UDP ports (port scanning?)

    Hi,
    I noticed in my home router logs that my Mac mini "scans" UDP ports in the 33xxx range to the address 70.38.54.77 ... a quick search shows others complaining, but no result or explanation. I am looking to see if this is some piece of software installed on my Mac, or perhaps how to block traffic to/from that IP (or its subnet).
    See below - .149 is my Mac mini's IP address at home.
    Outgoing log
    LAN IP address     Destination URL or IP address     Service or port number
    192.168.2.149      70.38.54.77                       33495
    192.168.2.149      70.38.54.77                       33494
    192.168.2.149      70.38.54.77                       33493
    192.168.2.149      70.38.54.77                       33492
    192.168.2.149      70.38.54.77                       33491
    192.168.2.149      70.38.54.77                       33490
    192.168.2.149      70.38.54.77                       33489
    192.168.2.149      70.38.54.77                       33488
    192.168.2.149      70.38.54.77                       33487
    192.168.2.149      70.38.54.77                       33486
    192.168.2.149      70.38.54.77                       33485
    192.168.2.149      70.38.54.77                       33484
    192.168.2.149      70.38.54.77                       33483
    192.168.2.149      70.38.54.77                       33482
    192.168.2.149      70.38.54.77                       33481
    192.168.2.149      70.38.54.77                       33480
    192.168.2.149      70.38.54.77                       33479
    192.168.2.149      70.38.54.77                       33478
    192.168.2.149      70.38.54.77                       33477
    192.168.2.149      70.38.54.77                       33476
    192.168.2.149      70.38.54.77                       33475
    192.168.2.149      70.38.54.77                       33474
    192.168.2.149      70.38.54.77                       33473
    192.168.2.149      70.38.54.77                       33472
    192.168.2.149      70.38.54.77                       33471
    192.168.2.149      70.38.54.77                       33470
    192.168.2.149      70.38.54.77                       33469
    192.168.2.149      70.38.54.77                       33468
    192.168.2.149      70.38.54.77                       33467
    Thanks in advance.

    Is that your IP & ISP?
    NetRange:       70.38.54.64 - 70.38.54.95
    CIDR:           70.38.54.64/27
    OriginAS:
    NetName:        IWEB-CL-T140-02SH
    To see if it's you/your provider, What's My IP...
    http://www.whatismyipaddress.com/
    Little Snitch stops/alerts on outgoing stuff...
    http://www.obdev.at/products/littlesnitch/index.html
    and will tell you what wants to use that port; then you can choose to allow or deny.
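
An added example, not from the original post, showing how to check a log like the one above programmatically rather than by eye: it parses "LAN IP / destination / port" rows, groups them per source-destination pair, and measures the longest run of consecutive destination ports. The sample input is the poster's 29 entries reconstructed from the table (192.168.2.149 to 70.38.54.77, ports 33495 down to 33467). One caveat a practitioner would add: that range starts just above 33434, the destination port classic UNIX traceroute uses for its UDP probes, so a tidy run of consecutive ports to a single host is as often a path probe (traceroute itself, or a network-quality tool built on it) as a scan. The classifier labels that case separately so it is not mistaken for hostile activity, and flags sequential runs outside that range as sweeps. The upper bound of the traceroute range is an approximation of mine, not a specification.

```python
"""Spot sequential-port runs in a home-router "outgoing" log.

Added example, not from the original post. SAMPLE_LOG reconstructs the
29 entries the poster listed (192.168.2.149 to 70.38.54.77, UDP ports
33495 down to 33467) as 'lan_ip dst_ip port' lines.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[str, str]

# Classic UNIX traceroute sends UDP probes to 33434 and counts upward; the
# upper bound here (~30 hops x 3 probes) is an approximation, not a spec.
TRACEROUTE_PORTS = range(33434, 33535)

SAMPLE_LOG = "\n".join(
    f"192.168.2.149 70.38.54.77 {port}" for port in range(33495, 33466, -1)
)


def parse(log_text: str) -> Dict[Flow, List[int]]:
    """Group destination ports by (source, destination); skip malformed lines."""
    flows: Dict[Flow, List[int]] = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # header rows, blank lines, or a service name instead of a port
        src, dst, port = fields[0], fields[1], int(fields[2])
        flows[(src, dst)].append(port)
    return dict(flows)


def longest_consecutive_run(ports: List[int]) -> int:
    """Length of the longest run of consecutive port numbers, in any order."""
    ordered = sorted(set(ports))
    if not ordered:
        return 0
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def classify(flows: Dict[Flow, List[int]], min_run: int = 8) -> Dict[Flow, str]:
    """Label each flow: a run of >= min_run consecutive destination ports to
    one host is a sweep, unless every port sits in the traceroute range."""
    verdicts: Dict[Flow, str] = {}
    for flow, ports in flows.items():
        if longest_consecutive_run(ports) < min_run:
            verdicts[flow] = "normal"
        elif all(p in TRACEROUTE_PORTS for p in ports):
            verdicts[flow] = "sequential-udp-traceroute-range"
        else:
            verdicts[flow] = "sequential-port-sweep"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify(parse(SAMPLE_LOG)).items():
        print(f"{flow[0]} -> {flow[1]}: {verdict}")
```

Feed it your own export in the same three-column form; the run-length threshold is the knob to tune, and anything labelled a sweep outside the traceroute range is what deserves the Little Snitch look the reply above suggests.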

  • Identify Ports for AD - External UDP port scanner

    Greetings all,
    I am trying to figure out which UDP port is alarming on the "AD - External UDP port scanners (13005)" signature. By default, the signature is set to summarize which looks something like this "NumDestIps=100; currentTHreshold=100. protocol=1".
    From the "Protocol = 1" line I am assuming all scanning is hitting up on a single destination protocol - I need to know which protocol / port number.
    I've already attempted to turn on "log attacker, pair, and victim" packets. Verbose is not an option for this signature. I have also tried changing alert Frequency to "fire all" or just uncheck the "Summary Mode" box. None of this tells me the destination/victim port. I do see under a protocol field "ICMP" but i don't believe that pertains to the source port. Any ideas on how I might find this information?

    TCP/445 is used by Microsoft file sharing (CIFS), and by default that port is open on all Microsoft PCs, basically to allow file sharing.
    If you open up a DOS prompt and type "netstat -na", you will see that your PC is by default listening on TCP/445.
    Here is more information on Microsoft-DS (TCP/445):
    http://www.linklogger.com/TCP445.htm
    http://en.wikipedia.org/wiki/Server_Message_Block
    So it really depends on your corporate security policy whether to allow file sharing or not within the network. The IPS is picking that up because it is an easy way of exploiting a PC, since the port is open by default.

  • Does adding TCP/UDP ports on the NAT exempt access-list which is bound to a nat 0 statement remove the entire nat 0 statement itself?

    Hi Experts,
    Is the above statement true? I learnt later that adding TCP and UDP ports on the nat 0 statements is supported. But does it take away the entire NAT statement? Please answer my question at the earliest.
    Regards
    Krishna

    Krishna,
    "NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does enable you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However, unlike policy NAT, NAT exemption does not consider the ports in the access list. NAT exemption also does not support connection settings, such as maximum TCP connections."
    Reference
    So, since the documentation clearly says that this rule does not consider any ports in the ACL, one should not be testing unsupported configurations.
    If one adds an ACL with specific ports, then unexpected results may follow.
    My suggestion: don't add any ACL entry with specific ports to your NAT exempt statement.
    Thanks.
    Portu.
    Please rate any helpful posts

  • 10.6.5 firewall blocking udp ports used by ethernet MFC printer

    Hi All, is there any way to apply a custom rule to allow access through the 10.6.5 firewall for a couple of UDP ports? I am trying to enable scanning from the front panel on a Brother MFC990CW with a static IP on our local net (ADSL router), and the printer docs specify up to 3 ports to be opened. I have played with ipfw via the Terminal, but my rule attempts are not having any impact. I am also unable to find where firewall activity is logged.
    Would appreciate any tips.
    Happy New Year

    Hi Michalien,
    Happy New Year's Eve
    Have you tried adding the Image Capture utility to the firewall? It should open the port for you.
    System Preferences, Security, Advanced button, + button
    Navigate to Macintosh HD, Applications, Image Capture (which handles most scanning in 10.6)
    You may also need to add the Canon scan utility as well.

  • How to unblock UDP ports from the firewall of the Time Capsule

    Hello, I just bought a Time Capsule and I am using it as a router. I am trying to use ShakesPeer,
    which is like a server where you share files within the university; it runs with Dtella. However, when I try to get online, a message tells me that the firewall of the router is blocking the UDP ports needed... how do I unblock those UDP ports so I can get online?
    Here is the message:
    In order for Dtella to communicate properly, it needs to receive UDP traffic
    [19:14] <*Dtella> from the Internet. Dtella is currently listening on UDP port 4000, but the
    [19:14] <*Dtella> packets appear to be getting blocked, most likely by a firewall or a router. If
    [19:14] <*Dtella> this is the case, then you will have to configure your firewall or router to
    [19:14] <*Dtella> allow UDP traffic through on this port. You may tell Dtella to use a different
    [19:14] <*Dtella> port from now on by typing !UDP followed by a number.

    Hello albertoPeralta. Welcome to the Apple Discussions!
    To open ports on the Time Capsule, you would use the AirPort Utility to configure Port Mapping.
    AEBSn - Port Mapping Setup
    To setup port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN port of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
    1. Reserve a DHCP-provided IP address for the Shakespeer host device.
    Internet > DHCP tab
    o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
    o Description: <enter the desired description of the host device>
    o Reserve address by: MAC Address
    o Click Continue.
    o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
    o IPv4 Address: <enter the desired IP address>
    o Click Done.
    2. Setup Port Mapping on the AEBSn.
    Advanced > Port Mapping tab
    o Click the "+" (Add) button
    o Public UDP Port(s): 4000
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s): 4000
    o Click "Continue"

  • Change UDP ports used by SVE

    Hello all,
    I have recently installed a piece of hardware which transmits information to UDP port 6001 on my computer. Some software then runs on the computer listens to this port in order to detect the hardware.
    However, LabVIEW shared variable engine seems to use the same port. On the computer in question the port is used by NITaggerService (National Instruments Variable Engine).
    One solution is to stop this service - this works and allows the software to detect the hardware. However, eventually, I want to run this hardware alongside LabVIEW (indeed, LabVIEW will communicate with the hardware), so this is not a desirable solution.
    http://www.ni.com/white-paper/12402/en suggests that UDP ports 6000-6010 are used by Shared Variables and Network Streams, which is consistent with the service identified above. It suggests that these ports are fixed; however, I have noticed that on different computers, port 6001 is used by a different NI service (e.g. on another computer, it is used by lkTimeSync (National Instruments Time Synchronization)), suggesting that there is /some/ flexibility. In addition, not all the ports from 6000-6010 are used in practice, suggesting that it might be possible to use another port in the range 6000-6010 rather than 6001.
    Does anyone know how to force NI SVE to use a different range of UDP port, or at least to not use 6001?
    All the best
    James Polyblank

    Hi James,
    It is not possible to pre-define which ports the NI services should use. One way to get around this would be to have these services not auto start on windows launch and manually start it once your other software has established communication with the hardware through UDP port 6001.
    You have taken the first step in this direction by stopping the service. After the hardware has been detected (on port 6001), restart the NITaggerService that you stopped. This will automatically start the service on a port that is free and available.
    Try this and see if it works. You can also try starting the service automatically from your labview application using 'System Exec.vi' .
    Thanks and Regards,
    Supreeth.K
    Applications Engineer
    NIUK

  • OS/X unresponsive while broadcasting to UDP port 2223

    At least once a week I have to power-cycle the iMac my kids use for their homework, because they cannot wait the few hours it takes to recover by itself.
    During that time all we get from the iMac is the rainbow wheel of death, and on the network I can see it is sending broadcasts to UDP port 2223 (rockwell-csp3). It also insists on sending NetBIOS name lookups (despite nothing in the system preferences saying to use anything but DNS); installing a Samba server on the network at least provides something to answer those lookups (but it shouldn't be necessary).
    I'm guessing that the Microsoft Office (2008) installed on the machine is somehow responsible, but a computer that is catatonic for hours at a time is useless.
    Anyone know of anything I can do to stop this, or something I can put on the network (other than a Windows machine) that might make it happy?

    Is there a chance that someone has installed some kind of software on the computer that is trying to "call home"? The app known as Little Snitch can tell what may be in there and if it is responsible for these odd network calls out.
    How is the port security set up on the Mac? And why would those ports need to be open unless there was a real purpose? With my Macs, all of the ports in Firewall are closed to access except for the Network Time Server to keep the clock correct. {Some are used to share files between computers, & to chat; etc.}
    Do you have more than two user accounts on the computer, and if so, is your Admin account only used to update and maintain OS X & to install apps for other users? The levels of security in Mac OS X can be controlled; and such odd port calls, if or when there is no need, are signs that something is not quite right.
    Have you looked into the Console utility to see what is causing the hang at those time intervals you know this has happened? There are several different logs and reports in there; some won't apply.
    Do the children who use the computer have access to or know the Admin account's password? A second user, from their account, can install software and do other things if that password is available.
    I noticed you had a similar post last month that appeared to go without a reply; now it is locked and can't be replied to anyway. So this issue has been going on for some time. What may have happened in the past year or so to start this issue in that computer? Something, for certain.
    Good luck & happy computing!

  • A single UDP port in a multithreaded server

    I'm trying to write a server application that creates a thread for every client. The server/client communication is a combination of TCP and UDP, and I want to use a fixed TCP/UDP port on the server side to make it easier to use behind NAT routers. Here's a summary of what I have done and what I want to achieve:
    - The server creates a TCP and UDP channel (I'm using the NIO interface) on the specified ports
    - The server waits for incoming clients by calling accept() on the TCP channel
    - The server creates a new thread for the new client, and gives the TCP and UDP channels as arguments
    - The client informs the server about its UDP port over the TCP connection
    - The new server thread connect()s the UDP channel to the IP:port pair received over the TCP connection
    I believed that connecting the UDP socket to the IP:port of the client in each thread would make it possible to use a single UDP port for the multithreaded application, but it seems that the connect() call affects the parent thread as well. The next client that tries to connect() gets a "Connect already invoked" error. I tried calling clone() on the UDP channel argument I passed to the new thread, but was not allowed to call clone() because it's protected.
    Can someone tell me if what I'm trying to do is possible, and if so, how to achieve it?

    Peter__Lawrey wrote: "It sounds like you want to bind a UDP socket to a listening port and the sender as well. So you can have a thread per sending IP:port. (Not sure why you would want to...) To my knowledge you can only bind a socket based on the listening port. You could have a dispatcher thread which passes these packets to the thread for that sender. To me, client/server means a request/response based interaction with a request from the client and the response from the server back to the client. This interaction is typically point to point and lossless."
    I wanted one thread per client because it's the simplest thing to implement. For example, I don't have to create data structures for storing state information for each individual client (e.g., bitrate, block size, duration, etc.), since each thread has only one single client. Still, I don't want to use hacks like having a dispatcher thread, so if it is correct that UDP ports can't be used in the same way as TCP ports, I guess I'll just have to implement the server as a single-threaded process. :(
    As for client/server, a better description would be master/slave (and that's what I'm using in my program), but I thought I'd make it simple and use the more common client/server terms in this thread since it doesn't matter for the question I'm asking.

  • TS1629 Apple destination ip addresses for well known TCP and UDP ports used by Apple software products

    I work for a large enterprise organisation with dual-layer firewalls. The Apple article titled "Allowing well known ports through the firewall" does not provide enough information on what the destination IP addresses of the Apple servers which host Apple iCloud services are.
    Does anyone have information on the destination Apple IP addresses, so that I can lock down my firewall rules just so that Apple devices access Apple services on the Internet?
    Many thanks

    One option is to use the "connection-reuse" CLI under sip-ua configuration mode.
    sip-ua
      connection-reuse
    This will enable the 7200 to create a connection with source and destination UDP port number set to 5060. This feature is available in IOS 12.4(25d), which requires a minimum of 256 / 512 MB DRAM (depends on the feature set) and 48 MB of flash.

  • Allow DNS Traffic

    Hi!
    We need to allow DNS traffic from the LAN to the WAN network for our internal LAN users through a Cisco router. May we have the lines to add to the router, and do we need anything else to apply this access-list?
    Thanks.

    ! Numbered ACLs 100-199 are extended ACLs on IOS (no "extended" keyword on the
    ! line). Replace the placeholders with your LAN and WAN networks and their
    ! wildcard masks, e.g. 192.168.1.0 0.0.0.255.
    access-list 101 permit tcp <net_lan> <wildcard> <net_wan> <wildcard> eq 53
    access-list 101 permit udp <net_lan> <wildcard> <net_wan> <wildcard> eq 53
    ! A deny entry needs a protocol; "ip" covers everything.
    access-list 101 deny ip any any
    interface Serial 0/0
     ip access-group 101 out
    N.B. That access-list only permits traffic for the DNS protocol. All outbound traffic except DNS will be denied.

  • How do you block or filter traffic to udp port 192?

    We are a company trying to stay an "Apple office". We use an AirPort Express for our networking and have recently been trying to become PCI ("Payment Card Industry") compliant for our credit card terminal that uses our wireless network. A company hired by the credit card processing company is running scans on our system and we keep failing because of UDP port 192. The specific message they are sending us is:
    "Synopsis : The remote host is a wireless access point. Description : The remote host is an Airport, Airport Extreme or Airport Express wireless access point. It is possible to gather information about the remote base station (such as its connection type or connection time) by sending packets to UDP port 192. An attacker connected to this network may also use this protocol to force the base station to disconnect from the network if it is using PPPoE, thus causing a denial of service for the other users. Solution: Filter incoming traffic to this port and make sure only authorized hosts can connect to the wireless network this base station listens on."
    I have tried changing all the settings using the Airport Utility including creating a closed network; un-checking allow setup over WAN, un-checking allow SNMP; using 128 bit encryption. I looked all over apple discussions and the internet and can't find a solution. The testing company told me that I need to find out how to filter traffic to udp port 192 or block the port altogether. Any help or guidance is greatly appreciated as we keep failing these scans.

    Hi All. I am having the exact same problem with my PCI payment card industry compliance - where I will now be charged a monthly fee because I cannot alleviate this port 192 problem with my airport extreme base station. They very much consider it a security risk and won't budge. They want me to filter/block incoming traffic on this 192 port, I don't know what to do to satisfy their requirements. I have searched and read all the main discussions but, none actually offer a solution - just folks like us looking for help. I also closed network by un-allowing all options in airport utility. I also de-selected automatic date and time stamp. I would very much appreciate any possible suggestions as prefer to remain a long time loyal mac user but cannot afford the monthly fee to be imposed. There's gotta be a solution. I thought mac was ahead of the game in this (and all) areas. Thanks.
