Arno's firewall - blocking ICMP?

Hey all, I'm trying to block my computer from responding to ping requests.
I've found what appears to be the relevant syntax for iptables, but I can't use it with Arno's firewall script, which obviously is what I'm using for the rest of the firewall.
I've tried adding the iptables commands to /etc/firewall-custom-rules, with no luck.
Does anyone else use this script, and have any ideas?
Thanks,
THom

# iptables -A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -j DROP
Never used Arno's script, but that should drop icmp echo requests (pings).

Similar Messages

  • Should I block icmp on my edge router or my firewall?

    Originally, we were blocking icmp traffic on our edge router (2811), but recently we changed this to block on the firewall (ASA) instead. I've been told that blocking on the router would cause too much overhead on the router, since it's now having to inspect all traffic, and the firewall was better equipped for this.
    What is industry standard? What does Cisco recommend?

    Something like this, although I would recommend posting this to the firewall forum for confirmation.
    ! deny non-initial ICMP Fragments
    access-list 101 deny icmp any any fragments
    ! permit "dest unreachable" messages
    access-list 101 permit icmp any any 3
    ! permit "Time exceeded" message
    access-list 101 permit icmp any any 11
    ! permit "source quench" message
    access-list 101 permit icmp any any 4
    ! permit "parameter problem" message
    access-list 101 permit icmp any any 12
    ! permit "echo reply" messages
    access-list 101 permit icmp any any 0
    ! deny all other icmp
    access-list 101 deny icmp any any
    You might consider tightening up the destination unreachables too. They would look something like this for each type and code you want to allow:
    ! permit "dest unreach - port unreach" messages
    access-list 101 permit icmp any any 3 3
    see here:
    http://www.iana.org/assignments/icmp-parameters
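    To see what the access-list above actually lets through, here is an added first-match evaluator (Python; not from the post or from Cisco). It models only the subset of ACL syntax the post uses (any/any, the `fragments` keyword, optional ICMP type and code) plus the implicit trailing deny, and it also parses the tightened 3/3 variant the post suggests.

```python
"""First-match evaluator for the Cisco-style ICMP access-list quoted above.

Added example (not from the post or from Cisco): it models only the subset of
ACL syntax the post uses -- 'any any', the optional 'fragments' keyword and an
optional ICMP type and code -- and applies the implicit trailing 'deny'.
"""
from dataclasses import dataclass
from typing import List, Optional

# The access-list from the post, as posted (comments start with '!').
ACL_TEXT = """
! deny non-initial ICMP Fragments
access-list 101 deny icmp any any fragments
! permit "dest unreachable" messages
access-list 101 permit icmp any any 3
! permit "Time exceeded" message
access-list 101 permit icmp any any 11
! permit "source quench" message
access-list 101 permit icmp any any 4
! permit "parameter problem" message
access-list 101 permit icmp any any 12
! permit "echo reply" messages
access-list 101 permit icmp any any 0
! deny all other icmp
access-list 101 deny icmp any any
"""

# The tightened variant the post suggests: only "port unreachable" (type 3,
# code 3) instead of every destination-unreachable code.
TIGHT_ACL_TEXT = ACL_TEXT.replace(
    "permit icmp any any 3\n", "permit icmp any any 3 3\n"
)


@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    fragments: bool = False          # entry applies to non-initial fragments only
    icmp_type: Optional[int] = None  # None = any type
    icmp_code: Optional[int] = None  # None = any code


@dataclass
class Packet:
    icmp_type: int
    icmp_code: int = 0
    non_initial_fragment: bool = False  # no ICMP header present to inspect


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny icmp any any [fragments|type [code]]'."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3:6] != ["icmp", "any", "any"]:
            raise ValueError(f"unsupported ACL line: {line}")
        if tok[2] not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        entry = Entry(action=tok[2])
        rest = tok[6:]
        if rest and rest[0] == "fragments":
            entry.fragments = True
            rest = rest[1:]
        if rest:
            entry.icmp_type = int(rest[0])
        if len(rest) > 1:
            entry.icmp_code = int(rest[1])
        entries.append(entry)
    return entries


def matches(entry: Entry, pkt: Packet) -> bool:
    if entry.fragments:
        return pkt.non_initial_fragment
    if pkt.non_initial_fragment and entry.icmp_type is not None:
        return False  # a non-initial fragment carries no ICMP type/code to match
    if entry.icmp_type is not None and pkt.icmp_type != entry.icmp_type:
        return False
    if entry.icmp_code is not None and pkt.icmp_code != entry.icmp_code:
        return False
    return True


def evaluate(entries: List[Entry], pkt: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for entry in entries:
        if matches(entry, pkt):
            return entry.action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for pkt in (Packet(8), Packet(0), Packet(3, 1), Packet(3, 3), Packet(11)):
        print(pkt, "->", evaluate(acl, pkt))
```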

  • Arno-iptables-firewall and CUPS

    Hello everyone.
    I'm having a problem with my firewall and CUPS. The thing is, when I try to print when the firewall is active the programs (kword, kcontrol, etc) can't contact the cups daemon. But when the firewall is stopped I can print normally. The problem is obviously something with the firewall configuration.
    So, the question is, does anyone know how I should configure the firewall (Arno's iptables firewall) in order to solve this problem? I thought about opening the cups port (631) but this wouldn't be the best solution. I don't want to open a port that shouldn't be open.
    The weird thing is that I can access cups through localhost:631 using konqueror but incredibly slowly. I don't know why the firewall is blocking cups.
    I almost forgot. Before you ask, the printer is connected directly to my computer. It's not a network printer. I have the needed module loaded (usblp) and the cups server is running.
    Thanks in advance,
    Gonza
    Last edited by Gonzakpo (2008-06-20 20:16:20)

    Hello.
    I tried the command iptables -F but nothing. The cups server is still unreachable by kcontrol.
    After running Arno's firewall, the iptables -vL output is:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    15 2568 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED tcp dpts:1024:65535
    0 0 ACCEPT udp -- any any anywhere anywhere state RELATED udp dpts:1024:65535
    0 0 ACCEPT icmp -- any any anywhere anywhere state RELATED
    8 1515 HOST_BLOCK all -- any any anywhere anywhere
    8 1515 SPOOF_CHK all -- any any anywhere anywhere
    8 1515 VALID_CHK all -- eth0 any anywhere anywhere
    8 1515 EXT_INPUT_CHAIN !icmp -- eth0 any anywhere anywhere state NEW
    0 0 EXT_INPUT_CHAIN icmp -- eth0 any anywhere anywhere state NEW limit: avg 60/sec burst 100
    0 0 EXT_ICMP_FLOOD_CHAIN icmp -- eth0 any anywhere anywhere state NEW
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `Dropped INPUT packet: '
    0 0 DROP all -- any any anywhere anywhere
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0 0 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED tcp dpts:1024:65535
    0 0 ACCEPT udp -- any any anywhere anywhere state RELATED udp dpts:1024:65535
    0 0 ACCEPT icmp -- any any anywhere anywhere state RELATED
    0 0 HOST_BLOCK all -- any any anywhere anywhere
    0 0 UPNP_FORWARD all -- eth0 !eth0 anywhere anywhere
    0 0 SPOOF_CHK all -- any any anywhere anywhere
    0 0 VALID_CHK all -- eth0 any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/min burst 3 LOG level info prefix `Dropped FORWARD packet: '
    0 0 DROP all -- any any anywhere anywhere
    Chain OUTPUT (policy ACCEPT 8 packets, 552 bytes)
    pkts bytes target prot opt in out source destination
    0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    7 340 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    8 552 HOST_BLOCK all -- any any anywhere anywhere
    0 0 LOG all -f any any anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FRAGMENTED PACKET (OUT): '
    0 0 DROP all -f any any anywhere anywhere
    8 552 EXT_OUTPUT_CHAIN all -- any eth0 anywhere anywhere
    Chain DMZ_INET_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain DMZ_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain DMZ_LAN_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain EXT_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain EXT_ICMP_FLOOD_CHAIN (1 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG icmp -- any any anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp destination-unreachable
    0 0 LOG icmp -- any any anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp time-exceeded
    0 0 LOG icmp -- any any anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp parameter-problem
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-request limit: avg 12/hour burst 1 LOG level info prefix `ICMP-request(ping) flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-reply limit: avg 12/hour burst 1 LOG level info prefix `ICMP-reply(pong) flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-reply
    0 0 LOG icmp -- any any anywhere anywhere icmp source-quench limit: avg 12/hour burst 1 LOG level info prefix `ICMP-source-quench flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp source-quench
    0 0 LOG icmp -- any any anywhere anywhere limit: avg 12/hour burst 1 LOG level info prefix `ICMP(other) flood: '
    0 0 DROP icmp -- any any anywhere anywhere
    Chain EXT_INPUT_CHAIN (2 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG tcp -- any any anywhere anywhere tcp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `TCP port 0 OS fingerprint: '
    0 0 LOG udp -- any any anywhere anywhere udp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `UDP port 0 OS fingerprint: '
    0 0 DROP tcp -- any any anywhere anywhere tcp dpt:0
    0 0 DROP udp -- any any anywhere anywhere udp dpt:0
    0 0 LOG tcp -- any any anywhere anywhere tcp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `TCP source port 0: '
    0 0 LOG udp -- any any anywhere anywhere udp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `UDP source port 0: '
    0 0 DROP tcp -- any any anywhere anywhere tcp spt:0
    0 0 DROP udp -- any any anywhere anywhere udp spt:0
    4 1314 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
    0 0 ACCEPT tcp -- + any anywhere anywhere tcp dpt:4872
    0 0 ACCEPT udp -- + any anywhere anywhere udp dpt:4875
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-request limit: avg 3/min burst 1 LOG level info prefix `ICMP-request: '
    0 0 LOG icmp -- any any anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable: '
    0 0 LOG icmp -- any any anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded: '
    0 0 LOG icmp -- any any anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem: '
    0 0 DROP icmp -- any any anywhere anywhere icmp destination-unreachable
    0 0 DROP icmp -- any any anywhere anywhere icmp time-exceeded
    0 0 DROP icmp -- any any anywhere anywhere icmp parameter-problem
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-reply
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (UNPRIV)?: '
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:0:1023 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (PRIV)?: '
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
    0 0 LOG udp -- any any anywhere anywhere udp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
    2 96 LOG tcp -- any any anywhere anywhere tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
    1 57 LOG udp -- any any anywhere anywhere udp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
    3 144 DROP tcp -- any any anywhere anywhere
    1 57 DROP udp -- any any anywhere anywhere
    0 0 DROP icmp -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `Other-IP connection attempt: '
    0 0 DROP all -- any any anywhere anywhere
    Chain EXT_OUTPUT_CHAIN (1 references)
    pkts bytes target prot opt in out source destination
    Chain HOST_BLOCK (3 references)
    pkts bytes target prot opt in out source destination
    Chain INET_DMZ_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain LAN_INET_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain LAN_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain MAC_FILTER (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_OUTPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain RESERVED_NET_CHK (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- any any 10.0.0.0/8 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class A address: '
    0 0 LOG all -- any any 172.16.0.0/12 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class B address: '
    0 0 LOG all -- any any 192.168.0.0/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class C address: '
    0 0 LOG all -- any any 169.254.0.0/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class M$ address: '
    0 0 DROP all -- any any 10.0.0.0/8 anywhere
    0 0 DROP all -- any any 172.16.0.0/12 anywhere
    0 0 DROP all -- any any 192.168.0.0/16 anywhere
    0 0 DROP all -- any any 169.254.0.0/16 anywhere
    Chain SPOOF_CHK (2 references)
    pkts bytes target prot opt in out source destination
    8 1515 RETURN all -- any any anywhere anywhere
    Chain UPNP_FORWARD (1 references)
    pkts bytes target prot opt in out source destination
    Chain VALID_CHK (2 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-PSH scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-ALL scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/min burst 5 LOG level info prefix `Stealth FIN scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/RST scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/FIN scan(?): '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/min burst 5 LOG level info prefix `Stealth Null scan: '
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0 0 LOG tcp -- any any anywhere anywhere tcp option=64 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(64): '
    0 0 LOG tcp -- any any anywhere anywhere tcp option=128 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(128): '
    0 0 DROP tcp -- any any anywhere anywhere tcp option=64
    0 0 DROP tcp -- any any anywhere anywhere tcp option=128
    0 0 DROP all -- any any anywhere anywhere state INVALID
    0 0 LOG all -f any any anywhere anywhere limit: avg 3/min burst 1 LOG level warning prefix `Fragmented packet: '
    0 0 DROP all -f any any anywhere anywhere
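    A listing this long is easier to read by asking which rules actually counted packets. The following is an added example (Python; not part of Arno's firewall or the post) that parses `iptables -vL` output into chains and rules and reports the rules with non-zero counters and the total explicitly dropped. SAMPLE is a constructed excerpt in the same format as the listing above.

```python
"""Summarise an `iptables -vL` listing: which rules actually counted packets.

Added example for the listing quoted above; it is not part of Arno's firewall.
SAMPLE is a constructed excerpt in the same format as the post's output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
15 2568 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
8 1515 EXT_INPUT_CHAIN !icmp -- eth0 any anywhere anywhere state NEW
0 0 DROP all -- any any anywhere anywhere
Chain EXT_INPUT_CHAIN (2 references)
pkts bytes target prot opt in out source destination
4 1314 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
2 96 LOG tcp -- any any anywhere anywhere tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
3 144 DROP tcp -- any any anywhere anywhere
1 57 DROP udp -- any any anywhere anywhere
0 0 DROP icmp -- any any anywhere anywhere
"""


@dataclass
class Rule:
    pkts: int
    bytes: int
    target: str
    proto: str
    opt: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # trailing match options, e.g. "state NEW" or a LOG prefix


@dataclass
class Chain:
    name: str
    policy: Optional[str]  # None for user-defined chains (they have no policy)
    rules: List[Rule] = field(default_factory=list)


CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) .*|\d+ references)\)$")


def _count(s: str) -> int:
    """Counters print as 15K / 2M / 1G (1000-based) when -x is not given."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    if s and s[-1] in mult:
        return int(float(s[:-1]) * mult[s[-1]])
    return int(s)


def parse_iptables_vl(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(name=m.group(1), policy=m.group(2))
            chains[current.name] = current
            continue
        if line.startswith("pkts bytes"):
            continue  # column header
        if current is None:
            raise ValueError(f"rule before any chain header: {line}")
        # 9 fixed columns; everything after 'destination' is match options.
        f = line.split(None, 8)
        if len(f) < 9:
            raise ValueError(f"short rule line: {line}")
        dest, _, extra = f[8].partition(" ")
        current.rules.append(
            Rule(_count(f[0]), _count(f[1]), f[2], f[3], f[4], f[5], f[6], f[7], dest, extra)
        )
    return chains


def rules_with_traffic(chains: Dict[str, Chain]) -> List[Tuple[str, str, int, str]]:
    """(chain, target, pkts, extra) for every rule whose packet counter is non-zero."""
    return [(c.name, r.target, r.pkts, r.extra)
            for c in chains.values() for r in c.rules if r.pkts > 0]


def dropped_packets(chains: Dict[str, Chain]) -> int:
    """Total packets explicitly dropped by DROP rules across all chains."""
    return sum(r.pkts for c in chains.values() for r in c.rules if r.target == "DROP")


if __name__ == "__main__":
    parsed = parse_iptables_vl(SAMPLE)
    for chain, target, pkts, extra in rules_with_traffic(parsed):
        print(f"{chain:20} {target:16} {pkts:6}  {extra}")
    print("explicitly dropped:", dropped_packets(parsed))
```

Run it against the full listing from the post (saved from `iptables -vL`) to see at a glance which chain is counting and dropping the traffic you care about.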

  • 10.6 Server's Firewall Blocks Its Own Internet Connection

    I had this problem about two years ago when I was trying to run 10.6 on my home server (Mac mini) for the first time. Eventually I gave up, reverted the mini back to 10.5, and ran problem-free for years. When 10.7 came out, I tried to upgrade the mini to that. That didn't go well either, but mostly due to Lion missing many many features (surprise!). So I figured that 10.6's problems were fixed by now, and gave it another shot. It went fine and I've been running for about a month problem free (or so I thought). But now it's offline again. I finally found one other person on another forum that had the EXACT same problem as me. And reading this description, I realize that I have been having problems all along, I just assumed they were my ISP's problems, not my own.
    So here's what happens. The firewall in 10.6 server will "freak out". It will be running normally, then suddenly it will go haywire and block everything. And I mean everything. My computer won't even be able to get an IP via DHCP. Everything is blocked. But as soon as you stop the firewall, everything works normally. You can even modify the firewall rules, and set it up so there are NO deny rules, and EVERY connection to and from every host is set to allow. And the firewall still blocks everything. This is the same exact thing that happened 2 years ago when I first tried to run 10.6 Server on my mini. The difference is that back then, this would happen either immediately, or within a day. This time around, with 10.6.8, it took about a month before suddenly, without any provocation, all internet connections stopped.
    I've had this happen on multiple computers. I don't do anything special, I just set up a basic firewall scheme where everything in the LAN range is allowed, and everything from "any" is allowed only to service ports I'm running. The basic gateway setup. Now I was running 10.6 Server on my laptop (for netbooting) and it would do the same thing. But because my laptop wasn't acting as a gateway, I could just turn the firewall off (you need the firewall for NAT). My mini server IS acting as a gateway, as was another mini I set up for a client of mine (that eventually I changed over so they were running off an airport, and the mini server was just a client. But I don't want that setup at home, I want my mini to be the router).
    I have Verizon Fios internet. 25/25, it's great. The ONT is in my basement, and it's plugged into the same fused outlet as our freezer. From time to time, when the power goes out, it trips that breaker and the outlet goes dead. My internet is gone and I have to go reset the outlet. Once I do, my mini won't get an IP from Verizon until I reboot the mini. Not once. Not twice. Usually 5-10 reboots, and suddenly it will get an IP. I always assumed this was a Verizon problem. Until I read someone else's post about this same problem. Turns out, that's the firewall blocking DHCP again! If you turn the firewall off, you don't have to keep rebooting, it will grab an IP right away.
    At least I'm not crazy! So what is going on here? Does anyone have any idea what is going on with my firewall, or how I can fix it?
    Lastly, after 4.5 hours of complete inability to get an internet connection with the firewall on, it just started working again. I now have fully functional, normal internet. I find it hard to believe 10.6 has a firewall that is simply broken. I find it even harder to believe I'm imagining things, or that I've had fluke after fluke. Something is going on with 10.6 Server.

    The DNS scapegoat just doesn't make sense.
    Why would "improper" DNS cause OS X's firewall to block all network connections? Even the server's ability to make its own DHCP connection?
    As far as a router, I don't want to use a cheap unreliable residential router. I have a home file server that, aside from running 10.6, makes a super reliable router. And port mapping aside, OS X Server's DHCP server is great to use. Rock solid. It makes no sense to run a cheap residential router when I have a home server. Then every 6-18 months, I get to deal with that router slowly failing, as my internet connection gets slower and slower. No thanks.
    So back to this firewall issue. I've talked to Apple about this before, and they give the same generic "DNS has to be right" answer to basically every problem I've ever had with 10.6 Server (hinting at endless CalDAV problems). But no one has ever explained what that specifically means, or how something like wrong DNS (whatever that even means) can cause the firewall to block everything. This just makes no sense to me. And this especially does not explain why, after 10 reboots or so, everything just magically starts running normally.
    I just had an incident today where I woke up to no internet. I rebooted 3 times. Each time, I either got a self-assigned IP address, or the ethernet interface would toggle between "unplugged" and "no-ip". I could turn the firewall off and the server would INSTANTLY start functioning normally. I'd happily run without a firewall, and just turn all services I'm not using off. However NAT needs the firewall, so without the firewall, the Server is the only Mac on the network that has an internet connection. So I kept rebooting and rebooting, and I think about 8 reboots later, like magic, the server came up, grabbed an IP, and everything started working normally.
    Also my IP through my ISP is dynamic, and that isn't going to change. So yes, I am trying to use OS X Server as my router on a dynamic internet connection. I've been doing this since the days of Mac OS X Server 10.1. Only 10.6 has had any problems at all.
    So really, "10.6 is more picky about DNS" isn't an answer to this problem. Or, at least, it's not a sufficient answer. I need much more information than that.

  • Firewall blocks web sharing

    2 computers, laptop with Snow Leopard, large web site in ~/Sites/htdocs, with .shtml files and an SSI file to add text common to all .shtml files. I'd like to see this on the desktop computer as it appears to others, but Firewall blocks web sharing on laptop. How do I fix Firewall?

    System Preferences>Sharing. Is File Sharing selected?

  • OS X firewall blocks iTMS

    I've spent about two hours trying to figure out why OS X personal firewall blocks the Music Store, with no luck. Unless the firewall is turned off, the other computers (all Macs) on the network cannot log in. The symptom is the "Accessing the store" and eventually timing out.
    There are a lot of Windows-specific posts about firewall problems, but none that I could find about the Mac firewall.

    I have an additional Ethernet card in my Mac, and share the Internet access via that card. The built in port is connected to a cable modem.
    The Ethernet out (from the second card) goes to a sixteen port GigE switch, which lights up various ports around the house.
    I don't use any wireless in the house.
    Andrew

  • Firewall blocking video chat connection

    I tried to video chat with my wife today from work on my PlayBook. Got a message about a firewall blocking it when it tried to connect us. It gave no further info so it's kind of hard for me to figure out whether this is my work wifi or my own router at home causing this.
    Where can I find more info on this?
    Staff UI Prototyper (read: full-time hacker)
    My BB10 apps: Screamager | Scientific RPN Calculator | The Last Weather App

    Hello TheMarco,
    Do you know if port forwarding has been enabled for the firewall settings?
    -HMthePirate
    Come follow your BlackBerry Technical Team on twitter! @BlackBerryHelp
    Be sure to click Kudos! for those who have helped you. Click Solution? for posts that have solved your issue(s)!

  • Firewall blocks DHCP after Logic Board Change

    I had my computer in repair and they changed the logic board. Since then "Set access to specific services" setting misbehaves and blocks DHCP configuration.
    After the repair it asked me to allow incoming connections for configd. I denied because I did not know it.
    Problem: configd is not listed in Preferences so it cannot be unblocked!!!
    How can I completely reset the rules table and start over?
    Firewall[41]: Deny configd data in from 10.37.129.1:67 uid = 0 proto=17
    Firewall[41]: Deny mDNSResponder data in from 169.254.203.40:5353 uid = 0 proto=17

    I give up. This is a horrible issue. Now, the Firewall blocks internet access to configd and mDNSResponder after wakeup from suspend despite being on the "Allow all incoming" list of the System Preferences panel.
    The firewall has become useless.
    Jul 17 14:22:13 garfield2 Firewall[42]: Deny configd data in from 10.37.129.1:67 uid = 0 proto=17
    Jul 17 14:22:15 garfield2 Firewall[42]: Deny configd data in from 10.211.55.1:67 uid = 0 proto=17
    Jul 17 14:22:22 garfield2 Firewall[42]: Deny configd data in from 10.37.129.1:67 uid = 0 proto=17
    Jul 17 14:22:24 garfield2 Firewall[42]: Deny configd data in from 10.211.55.1:67 uid = 0 proto=17
    Jul 17 14:22:30 garfield2 Firewall[42]: Deny configd data in from 10.37.129.1:67 uid = 0 proto=17
    Jul 20 09:18:58 garfield2 Firewall[42]: Deny mDNSResponder data in from fe80::21b:63ff:fe9b:37d4:5353 uid = 0 proto=17
    Jul 20 09:18:58 garfield2 Firewall[42]: Deny mDNSResponder data in from fe80::21c:42ff:fe00:0:5353 uid = 0 proto=17
    Jul 20 09:18:58 garfield2 Firewall[42]: Deny mDNSResponder data in from fe80::21c:42ff:fe00:1:5353 uid = 0 proto=17
    Jul 20 09:18:58 garfield2 Firewall[42]: Deny mDNSResponder data in from fe80::21b:63ff:fe9b:37d4:5353 uid = 0 proto=17

  • Firewall blocks afp even though enabled!?

    This relates to a G5 running 10.4.11 and a mac pro running 10.5.5
    We are having a nightmare with file sharing between two machines. We can connect fine from the mac pro to the g5 via an ethernet router. We can't however connect from the g5 - we can however connect to the internet and pinging the mac pro works. We have tried connecting with the bonjour address and the ip address - no results. The personal file sharing tabs in system preferences on both machines are ticked. The firewall is set to allow essential services, and below are listed printer sharing, file sharing etc. However I opened the log and saw that a few afp connections had just been denied - turn the firewall off and we can connect to the macpro. Surely we should be able to connect on a local area network without the firewall blocking it? It also denies cupsd (we have a printer networked to the g5) but also less frequently nmbd, which seems weird as to my limited knowledge this is to do with windows file sharing - and we do not have a windows machine on the network.
    Weirdly I enabled the firewalls on both machines fairly recently after noticing they were off - however my client (I am a retoucher) has confirmed that filesharing was always like this - even when the firewall was off, which I seem to recollect as correct. In theory, if we have a router with firewall enabled, do we need the firewall on on the macs?
    Please help I have reached the limit of my knowledge on this one! Many thanks

    On the MacPro > System Preferences > Sharing > File Sharing, is the list of shared folders what you expect and for each shared folder, are the authorized users and permissions set up as you would expect? Clicking on the options button underneath that panel, is AFP checked, and if desired or necessary, SMB and/or FTP?
    In theory, I would say yes, if you have full faith in the personal integrity of all the local users on the LAN, and you believe them to be cautious enough that they won't have inadvertently downloaded and installed some sort of malware onto their machines, and you believe that your LAN is adequately secured (e.g., using WPA2 for the WLAN), then it is true, you should only need to maintain the firewall at the internet-facing router.

  • Firewall blocks Airplay (even under 'allow all traffic')

    Hi every body,
    I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my server's firewall blocks
    a) all airplay traffic and
    b) 'reading Airport configuration' requests
    even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
    Any help would really be appreciated.
    Thanks a lot.
    Nonresidentalien
    P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

    Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
    There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
    First, you want to show the current IPv6 firewall rules. In my case they looked like this (10.7.2):
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65000          0          0 deny ipv6 from any to any
    65535          6        306 allow ipv6 from any to any
    As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
    reptilehouse:~ sascha$ sudo ip6fw delete 65000
    To confirm, show the rule table again and you should see 65000 is gone:
    reptilehouse:~ sascha$ sudo ip6fw show
    01000        285      96163 allow ipv6 from any to any via lo0
    01100         66       5750 allow ipv6 from any to ff02::/16
    65535          6        306 allow ipv6 from any to any
    Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
    What I don't know is whether this is sticky, i.e. survives a reboot.

  • Firewall blocking access to app store

    Anyone know how to circumvent a firewall blocking app store access (same for itunes) - I can confirm access when on a different network.

    found http://support.apple.com/kb/TS1629 which gives port numbers etc for itunes - which I assume are the same for app store

  • Firewall blocking access to Hyper-V Virtual Machine. Please help!

    Hi there, I hope this is the right spot for this. Allow me to explain the setup we have. We have a server with Hyper-V installed and a VC made for a DC for a small domain we have. I was able to remote into the new DC, and our exchange server was picking it up as a DC. So far so good.....
    Now, here's where we seem to have a problem. We installed 'Symantec Endpoint Protection'. As we have this on a few servers, we had a set of settings for servers. (I didn't set this part up) Now, the problem we are having is that it seems the endpoint protection on the Hyper-V Host is blocking connections from Exchange/other computers (access shared folders and logging in). What can I do to resolve this? Connections seem to be fine (Exchange will pick up the DC, and I can access shared folders) when I disable the firewall and network threat protection on the Hyper-V Host.
    Our Exchange server is 2010
    We are using Server 08 R2
    Can someone please advise me on how I can get this resolved, so I don't have to leave the server with Hyper-V not behind a firewall or network threat protection.

    Hi,
    I am Chetan Savade from Symantec Technical Support Team.
    There was a known issue between SEP and Hyper-V traffic. It's been resolved in the latest release of SEP. If not using the latest version, upgrading to the latest version can be a possible solution.
    SEP 12.1 RU4 MP1a (12.1.4104.4130) is the latest version.
    HyperV traffic was blocked with Symantec Endpoint Protection Firewall enabled
    Fix ID: 3181006
    Symptom: The Symantec Endpoint Protection firewall blocks HyperV traffic.
    Solution: Modified the loopback packet processing in the Teefer driver.
    Reference: http://www.symantec.com/docs/TECH216262 
    Best Regards,
    CHETAN

  • Firewall blocks ssh since Sept 12 update

    I have a Mac Pro Early 2008 running Lion 10.7.1 (11826). Since the "Security Update 2011-005" yesterday morning (Sept 12), the firewall does not allow incoming ssh connections, even though "remote login" is enabled in the "Sharing" preferences pane, and the firewall config page under "Security & Privacy" shows that "Remote Login (SSH)" is set to "Allow incoming connections". I do this all the time, and the behavior definitely changed with yesterday's update.
    To be clear, with the firewall turned off, I am able to ssh into the machine from another machine on the local network. When I turn the firewall on, despite the options set as described above, I am unable to make an ssh connection. This worked before yesterday's update. I think that Apple broke something with the update.

    Okay, I just found out you have to query anchor rules with a special switch (-a).
    I also found out there is no entry for SSH, which should read something like
    "pass in on inet proto tcp from any to any port ssh keep state"
    euler:~ dr$ sudo pfctl -a "com.apple/100.InternetSharing" -vvvsr
    No ALTQ support in kernel
    ALTQ related functions disabled
    euler:~ dr$ sudo pfctl -a "com.apple/250.ApplicationFirewall" -vvvsr
    No ALTQ support in kernel
    ALTQ related functions disabled
    @0 block drop in inet proto icmp all icmp-type echoreq
      [ Evaluations: 306       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 33285 ]
    @1 block drop in inet6 proto ipv6-icmp all icmp6-type echoreq
      [ Evaluations: 228       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 33285 ]
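    As an added example that is not part of the original thread: a small POSIX shell script that audits a saved `pfctl -a <anchor> -vvsr` listing offline, so the check needs neither root nor pf. The sample listing is constructed to mirror the anchor output above, with a hypothetical ssh pass rule (@2) appended so the "is ssh allowed" check has something to find; it assumes only grep, sed-free awk and wc.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a saved
# `pfctl -a <anchor> -vvsr` listing passed in as text, so it runs
# without root and without pf being present.

# Constructed sample: the two echoreq block rules from the thread plus a
# hypothetical ssh pass rule (@2) of the kind the poster was looking for.
SAMPLE_RULES='@0 block drop in inet proto icmp all icmp-type echoreq
  [ Evaluations: 306       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 33285 ]
@1 block drop in inet6 proto ipv6-icmp all icmp6-type echoreq
  [ Evaluations: 228       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 33285 ]
@2 pass in inet proto tcp from any to any port = 22 flags S/SA keep state
  [ Evaluations: 40        Packets: 12        Bytes: 1536        States: 1     ]
  [ Inserted: uid 0 pid 33285 ]'

# Keep only the rule lines ("@<n> ..."), dropping the counter lines.
rule_lines() {
    printf '%s\n' "$1" | grep -E '^@[0-9]+ '
}

# Number of rules that block inbound ICMP/ICMPv6 echo requests.
count_echoreq_blocks() {
    rule_lines "$1" | grep -E '^@[0-9]+ block .* in .*echoreq' | wc -l | tr -d ' '
}

# Exit 0 if some rule passes inbound TCP to port 22; pfctl prints the port
# as "22" or, depending on -n and /etc/services, as "ssh".
has_ssh_pass() {
    rule_lines "$1" | grep -Eq '^@[0-9]+ pass in .*proto tcp .*port (= )?(22|ssh)( |$)'
}

# Packet counter of rule @N, read from the bracketed line that follows it.
rule_packets() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == ("@" n) { want = 1; next }
        want && /Packets:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") { print $(i + 1); exit }
        }
        want && /^@/ { exit }'
}

# Stand-alone run: summarise the constructed sample.
echo "echo-request block rules: $(count_echoreq_blocks "$SAMPLE_RULES")"
if has_ssh_pass "$SAMPLE_RULES"; then
    echo "ssh pass rule: present"
else
    echo "ssh pass rule: MISSING"
fi
echo "packets matched by @2: $(rule_packets "$SAMPLE_RULES" 2)"
```

    On a live Mac, feed the functions `sudo pfctl -a 'com.apple/250.ApplicationFirewall' -vvsr 2>/dev/null` instead of the constructed sample. A Packets counter of 0 on a block rule, as in the listing above, only means the rule has not matched anything yet (it was still evaluated 306 times), not that it is inactive.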

  • Confused with Firewall Blocking

    I have my Firewall configured to "set access for specific applications and services". Now, my understanding here is that if I set an application to "Block Incoming Connections", that application should not be able to receive any data from the network or internet. However, when I actually try this, the blocked application seems to have no trouble at all receiving data (for example, checking for updates over the internet). Can anyone explain this feature to me?

    Ok, try this, Another user named Noisyboy2006 posted for me...
    "Apple have dumbed down the terminal to make osx more secure. As you've discovered you can no longer open a port from preferences. You can however use terminal.
    The syntax of the command is:
    sudo ipfw add allow udp or tcp from port to port
    For example to open port 80 for TCP you would type:
    sudo ipfw add allow tcp from 80 to 80
    to see a list of open ports type:
    sudo ipfw list
    you'll see something like this:
    33300 deny icmp from any to me in icmptypes 8
    33400 allow udp from 0.0.0.80 to 0.0.0.80
    33500 allow tcp from 0.0.0.80 to 0.0.0.80
    What a useless tool for the average user. Try to explain this to your Mom or an out of state client, over the phone. Even if they get it right, it doesn't fix or configure the NAT firewall in the router.
    Any program or system that requires Terminal is not for prime time on MacOS. System administrators will eat this up, but end users would and should just tell Apple to fix this mess. The Vista firewall and the 25 page "white page" description is the same mess.
    Just get a good effective firewall like Little Snitch, turn off the Apple firewalls and get some work done. If you're lucky, you will be able to open the required ports in your router and deal with rule based programs with a decent interface and the ability to block out-going ports.

  • Windows Firewall inbound icmp packets drop

    Hi, we have enabled ICMPv4 traffic with a local firewall inbound rule in a GPO and we are still having ping drops. Is there another value somewhere that we could disable in our setup? It seems like a protection coming from Windows Server 2008, and for no specific reason it blocks the traffic.
    The ping comes from a Linux-based load balancer machine. We have created another test rule that opens all ports and all protocols coming from that IP address and we get the same behaviour.
    We know if we restart the server it will let the ping go through again with no problem but for a relatively short period of time.
    Carl R.
    Thanks

    Hi Carl,
    >>we have enabled icmpv4 traffic with a local firewall inbound rule in a gpo and we still having ping drops.
    Before going further, we can run the command gpresult /h gpreport.html with admin privileges to collect the group policy result and check whether the policy setting was applied successfully.
    Regarding how to allow inbound Internet Control Message Protocol (ICMP) network traffic, the following article can be referred for more information.
    Create an Inbound ICMP Rule on Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/cc972926(v=ws.10).aspx
    Besides, since this is related to networking, in order to get more and better help, we can also ask for suggestions in the following network forum.
    Network Access Protection
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverNAP
    Best regards,
    Frank Shen 
