BT HH 2.0 - Blocking Ports / Firewall

Is there a way to block all ports except http / smtp? Or are there other firewall settings that can be accessed apart from the 3 choices in the configuration?
Thanks - Gary

gpmcclean wrote:
Thanks for the reply Tommy and the welcome.
My goal is to block all possible P2P ports as my daughters are eating away at my 40GB allowance far too quickly.
I have a Netgear DGN2000 which I used with Plus.net before I moved to BT Infinity back in Oct.
Cheers - Gary
Then you need to block all the port venues that their P2P applications are capable of using, perhaps even legitimate ports that you use for your own needs?
A far better solution is to be firm but fair when dealing with their Internet access, it requires more discussion & time but it is usually a far better long term option with less friction.
On a slight diversion, blocking ports may only be a short-term solution anyway; is your router properly IPv6 aware? (Very few are.)
Take a look at these links.
IANA, ARIN, and the IPv4 run-out
The .net domain joins the DNSSEC fold
The exhaustion of IPv4 addresses & the expected signing of the .com domain to DNSSEC early next year should make 2011 an interesting one.
"I have this awful feeling someone is watching every move I make (one of my pet hates is router location tagging)." Marvin (A paranoid Android)

Similar Messages

  • Can a port be blocked if Firewall is turned off?

    I'm trying to configure a Retrospect Server running on an OS X 10.3.9 Server, and for some reason the server is not connecting to clients outside its same subnet. I'm able to connect directly to the client using their IP, but Retrospect's subnet broadcasting is not working. One possible problem suggested by Dantz is that my Firewall is blocking port 497. My Firewall Service is not running, but I just wanted to know if the port could still be blocked even if the Service is turned off. The other problem may be our Switch not set to multicast, but I wanted to verify this possible problem first.
    Thank you in advance.
    G4s, G5s   Mac OS X (10.4.8)  

    If the firewall isn't on, the port isn't blocked. It may be that no application is listening on port 497, but it isn't blocked.

  • Cannot sync; receiving a message that firewall is blocking port 3689

    I am receiving an error message when I try to sync my Apple TV. The error message says that a firewall is blocking port 3689. I have checked the settings I can find, but have been unable to find the source of the problem. Has anyone had this problem and if so, how did you resolve this?

    Thanks Chenks! At least I know I'm not nuts. I have done exactly what you suggest. iTunes is in the list and I went the extra step and added port 3689. Still no luck. I've checked my McAfee settings and anything else I can find. I am at the point of resetting everything to the defaults to see if I can get around this. This is so odd as the Apple TV has been working beautifully, then, BAM! An error code and I can't sync.

  • IP Blocking / Port Restrictions

    For someone not from a networking background, can someone help me with a query I have about IP Blocking on the Listener port?
    I have read the best practices for securing Oracle, which state it is best practice to specify a list of allowed IP addresses that can connect to the port which the Oracle listener is listening on - and deny access from untrusted clients. I get the logic behind that. I am also aware Oracle itself doesn't do the port blocking, a firewall does. But which firewall typically will do this IP Blocking? Are we talking a firewall installed on the Database Server, or some sort of perimeter firewall that can also prevent connections to specific Servers such as an Oracle Database Server? Excuse my ignorance on Firewalls.

    user599292 wrote:
    Thanks, So it's not uncommon to have a firewall just for the sole purpose of protecting the Database Server? Or is it more likely in most setups to find a single corporate firewall will be used to restrict access from specific clients to specific servers?
    I agree that a firewall is by far a better option - the Listener is not really suited to deal with IP blocking and it cannot really restrict ports (this needs to be done lower down in the IP stack).
    An Oracle Listener is no different than a Mail Server Listener, a Web Server or most any other TCP server. All these have listener processes. They bind a TCP socket to a port number, and then call the listen() socket command to listen for connect() requests from clients.
    It's more sensible to deal with network security for these servers in a single firewall implementation and configuration, than to deal with each server separately where there is no consistency in how they support network level security.
    A firewall can be software and can be local - one of the better ones is an Open Source application called iptables. This runs as a kernel module and provides a rich feature set of network access and control. From blocking protocols, IPs, subnets to IP masquerading (NAT).
    So you do not need an expensive and separate and dedicated firewall to protect a server - it can also be a local firewall on that server that is configured to protect the network services on that server.
    I would not use the Oracle Listener to deny access from certain IPs or subnets. Instead, I will use something like iptables, and configure and execute the applicable blocking rule.
    But if you go down this route, half measures do not make sense. You should also harden your IP stack. There are a number of config changes that can be done to ensure a robust IP stack, like disabling IP spoof attacks, ignoring broadcast pings (used in some DoS attacks), block source routing, not accept redirects, making sure that the dynamic port range is sane, etc.
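
The local-firewall approach this answer describes, as an added example that is not part of the original thread: a script that prints a source allowlist for one listener port in iptables-restore format, together with sysctl lines for the stack hardening items the answer lists. The port 1521 (the default Oracle listener port), the chain name LISTENER_ALLOW, the source addresses and the 32768-60999 dynamic range are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: prints a source allowlist for one TCP listener in
# iptables-restore format, plus sysctl lines for the stack hardening the
# answer lists. Nothing is applied; review the output before loading it.

# Dotted-quad IPv4 with optional /0-32 prefix; anything else is rejected so
# a source argument can never smuggle extra rule text into the output.
valid_cidr() {
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    addr=${1%%/*}
    prefix=32
    case $1 in */*) prefix=${1#*/} ;; esac
    case $prefix in ''|*[!0-9]*|???*|0?*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Decimal TCP port 1-65535 without leading zeros.
valid_port() {
    case $1 in ''|*[!0-9]*|0*|??????*) return 1 ;; esac
    [ "$1" -le 65535 ]
}

# listener_rules PORT SOURCE...  Validates every argument first, so bad
# input produces no partial rule set, then prints the rules.
listener_rules() {
    port=$1
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    shift
    [ $# -gt 0 ] || { echo "no allowed sources given" >&2; return 2; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "bad source: $src" >&2; return 2; }
    done
    # Jump goes in at the top of INPUT so no earlier ACCEPT rule bypasses it.
    printf '%s\n' '*filter' ':LISTENER_ALLOW - [0:0]' \
        "-I INPUT 1 -p tcp --dport $port -j LISTENER_ALLOW" \
        '-A LISTENER_ALLOW -i lo -j ACCEPT'
    for src in "$@"; do
        printf '%s\n' "-A LISTENER_ALLOW -s $src -j ACCEPT"
    done
    # Everything else is logged (rate limited) and dropped.
    printf '%s\n' \
        '-A LISTENER_ALLOW -m limit --limit 6/minute -j LOG --log-prefix "listener-deny: "' \
        '-A LISTENER_ALLOW -j DROP' 'COMMIT'
}

# sysctl_hardening PORT [LOW HIGH]  Prints sysctl.conf lines for reverse-path
# filtering (spoofed sources), broadcast pings, source routing, redirects and
# the dynamic port range; refuses a range that contains the listener port.
sysctl_hardening() {
    port=$1 low=${2:-32768} high=${3:-60999}
    valid_port "$port" && valid_port "$low" && valid_port "$high" || return 2
    if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
        echo "port $port lies inside the dynamic range $low-$high" >&2
        return 2
    fi
    cat <<EOF
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.ip_local_port_range = $low $high
EOF
}

# Constructed sample input: port 1521 and both sources are assumptions.
listener_rules 1521 10.20.30.41 10.20.31.0/24
sysctl_hardening 1521
```

The rules cover IPv4 only; a listener that is also bound on IPv6 needs the equivalent ip6tables rules.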

  • Verizon blocks ports?

    I have DSL & Actiontec GT704-WG. I opened a port to host an online game, but when I use a port scanner found here: http://www.canyouseeme.org/
    It tells me my port is closed even though I forwarded everything correctly. Does Verizon block any ports besides 80? I only use Windows Firewall so I know it's not a firewall problem. Can anyone with the same router help me?
    Thanks
    Here's a snapshot of my router:
    http://i45.tinypic.com/105edd5.jpg

    Verizon itself doesn't block ports at the head end besides port 25 for SMTP outgoing email. They basically don't let spammers bounce messages off their SMTP servers to send emails. Port 80 is questionably blocked by region - I have seen a lot of users in the forums that have port 80 unblocked, and then sporadically a forum member will say it's blocked, but most people say it's unblocked now. VZ made that decision middle of last year.
    The router that Verizon provides has a firewall and like all firewalls it blocks a BUNCH of stuff. That's what firewalls do. It's kinda their gig.
    If you port forward, try to use portforward.com for a good guide.
    Basically this is stuff you probably know, but I'll recap just in case.
    Set your PC to have its own IP address - you'll configure that on your PC NIC settings under TCP/IP v4.
    Then go into the router, and open the proper ports. I don't know what ports your game wants, but make sure the source port is set to any, and do not specify a number in that section.
    Make sure it's pointed to the IP you gave your PC, and apply the changes and try again.
    If that doesn't work there may be one or two users here that will pop up that may have additional info, but you can also reach out on the portforward.com forums and see if you can get some answers there. DSL Tech support won't help with any port forward configurations. They consider it advanced and out of their boundaries.

  • Blocked port 80?

    Hello, I don't know if I'm in the right topic.
    We have an Astaro SG 110/120.
    We have 2 servers:
    1.AD/DNS/DHCP win serv 2003
    2.MSQL/files/programs  serv 2003
    The main problem is that on 1 server port 80 is blocked.
    cmd>ping google.com <this is working fine, there is a connection
    But when I want to connect to google.com by browser (IE) there is no answer.
    I can't log in to the Astaro either at 192.168.1.1:4444.
    I can't upgrade the antivirus virus base because, as the support guy told me, this connection is on port 80.
    Maybe it's not only port 80, because I can't even get to the router on port :4444.

    On Wed, 23 Apr 2014 07:07:57 +0000, endriucontec wrote:
    Hello, I don't know if I'm in the right topic.
    We have an Astaro SG 110/120.
    We have 2 servers:
    1.AD/DNS/DHCP win serv 2003
    2.MSQL/files/programs  serv 2003
    The main problem is that on 1 server port 80 is blocked.
    cmd>ping google.com <this is working fine, there is a connection
    But when I want to connect to google.com by browser (IE) there is no answer.
    I can't log in to the Astaro either at 192.168.1.1:4444.
    I can't upgrade the antivirus virus base because, as the support guy told me, this connection is on port 80.
    Maybe it's not only port 80, because I can't even get to the router on port :4444.
    This is not a Windows Server issue, it is an issue with your firewall
    configuration. You'll need to contact Astaro for support.
    Paul Adare - FIM CM MVP
    On two occasions I have been asked [by members of Parliament], 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question. -- Charles Babbage

  • Does Verizon FiOS block Port 5900?

    Okay, so I've got a computer with absolutely no ports blocked, I've shut off the firewall, the thing is behind a router, but set as DMZ. I still can't control/observe. I can use every other feature of ARD except control/observe, and screen sharing. I've confirmed that port 5900 is not responding on the computer in question, despite the above extreme trouble-shooting measures. The computer in question is not on my local network, it's in another state with Verizon FiOS internet. Does Verizon block port 5900, or should I suspect there is something else going on with the router or ARD?
    If port 5900 is being blocked by the ISP, can I use router/ARD magic to change what port actually gets used, while still making ARD happy?
    I'm kind of going crazy here...

    Welcome to the Discussions,
    You will have to check with Verizon to see if they pass port 5900 or not. I suspect that may be the case.
    While I can't tell you how to change the port, I can tell you that many administrators use port 80 tools like gotoassist.com or logmein.com for systems on networks out of their control. Of course you won't be using ARD, but it is much easier than changing the default port settings on every machine.

  • 3-port firewall DMZ using single Expressway-E LAN interface

    Hello Experts !
    I have a query: if the firewall does not support NAT reflection, then how can I install the Expressway solution in a 3-port firewall scenario?
    Regards;
    KV

    Sorry if I wasn't clear. Please see the attached updated network diagram. I created a firewall rule that allows all traffic from any WAN1 source to my 71.123.123.11 destination. Thus if I'm sitting at Outside computer S, I can connect (via SSH) to DMZ computer C using the address (71.123.123.11). Likewise, if I'm sitting at LAN computer A, I can connect (via SSH) to DMZ computer C using the address (71.123.123.11). So far so good. I'd like to add a firewall rule that blocks all connections "from the outside" except for port 80. (Basically I want to lock down the DMZ computer C so that it only serves web pages to the outside.) Thus SSH connections from computer Outside computer S to DMZ computer C need to be blocked, but HTTP requests (port 80) from S to C need to still work. I can add this firewall rule to implement the block using the WAN IP 71.123.123.11, and that works fine. But doing that will also prevent LAN computer A from being able to SSH into DMZ computer C. That's my problem. I was thinking that if I could use a "local address" (e.g. 10.4.20.x) for DMZ computer C, then I could set up a different firewall rule for that and allow the SSH connection. Is this possible? Or is there a better way to do this?

  • How can I use Back to my Mac when my ISP blocks port 1900?

    I was just forced to switch ISPs (don't ask...) and it turns out that my new ISP (Astound) lied to me and actually does block port 1900, which means that Back to my Mac (on which I rely) does not work.
    Has anyone seen this and found a viable workaround? Preferably one that is easy for my non-technical family to use also, but all suggestions are welcome.
    Thank you!

    So, I convinced my ISP to open port 1900 and they did, but it's still not working.
    I get two messages that make no sense to me, but I hope they indicate something that someone here can help me understand...
    When I open the iCloud preference pane in System Preferences, it says just below the Back to my Mac setting "Configure Router for better performance" - My Airport Extreme is configured with Back to my Mac and it looks like my account shows a green indicator.
    Second, next to the Back to my Mac setting in the iCloud preference pane, there is a button labeled "Details..." When I click that it tells me that "Back to my Mac is not working properly because the DNS server isn't responding" and suggests I contact my ISP for a different DNS server.
    All other internet services - including iCloud services - are working fine. I even tried changing my DNS servers to Google's public DNS servers and nothing changed.
    Any suggestions are very much appreciated! Thank you!

  • How to check whether local system has been blocked by firewall from program.

    I am a user in my LAN area. I don't have admin rights. In our LAN a few systems have been blocked by the firewall, others are not blocked.
    How can I check whether the local host is blocked or not by the firewall from a Java network program?

    You can execute some kind of firewall util (if any) and parse the output to receive the configuration and check whether the address is blocked or not. But if you have no admin rights - it will not help you.
    Actually there is no clear way to detect whether a packet was blocked by the FW or just lost somewhere.

  • Possible Blocked Port Halting MSN Messenger Connection?

    Hi everyone,
    I have been running MSN Messenger for months on my Macbook Pro without any problems. The other day at work it was connected as always and I got disconnected. When I tried to reconnect, I kept getting an odd message saying that my sign in details were wrong (they're not). Other people in the same room are still able to access MSN Messenger, just not me. The problem is that even at home now on my home network, I'm not able to connect to it there either. I still get the same error message. Around the same time I did download AIM to use also, so I'm wondering if this has caused a problem or if it's something else. I've looked around online and a lot of people seem to think it's a blocked port 1863. Does anyone have any ideas how to fix this so I can get MSN up and running again? Thanks in advance.
    xx

    Hi,
    Is good to know that you were able to find the workaround. Actually I was on the lab testing this due that I noticed that you had 2671 bypassed requests. Definitely bypassing authenticated traffic is going to resolve the issue, but I also wanted to recommend you to try another solution.
    Add these commands to the CE:
    - http cache-authenticated all
    - http cache-cookies
    and remove the bypass auth-traffic command.
    This would allow the CE to cache as much as possible of the transaction. I tested and it works just fine and the CE is seeing cache hits.
    As a side note, I noticed that the messenger goes on port 80 so you don't have to worry about the port 1863.
    Thanks & Regards,
    Jose.

  • Blocking Port 192

    The company that processes credit card transactions is insisting we block port 192. How is this done? I have heard similar issues from other companies.

    I see from your other posts that you do have an Airport Extreme base station.
    As I indicated, this is not something I know much about either. I'm not even sure that the AEBS is the problem, though it seems to be according to the post I listed. I guess you could temporarily connect your Mac directly to your broadband modem, to see if the claimed vulnerability is still there.
    Assuming the AEBS is the problem, one thing you could try is to disable outside SNMP access - I found another post suggesting that here: http://forums.macrumors.com/showthread.php?t=602839. I have an older AEBS, which uses Airport Admin Utility for configuration. Its help section includes:
    Protecting your AirPort network from denial-of-service attacks
    Networks managed by Simple Network Management Protocol (SNMP) may be vulnerable to denial-of-service attacks. (SNMP is turned on by default in AirPort Admin Utility.) Similarly, if you allow your base station to be configured remotely over the wide area network (WAN) port, unauthorized users may be able to change network settings.
    To help protect your network and base station:
    1. Open AirPort Admin Utility, located in Applications/Utilities.
    2. Select your base station and click Configure. Enter the base station password if necessary.
    3. Click AirPort, and click Base Station Options. Make sure the Enable SNMP Access and the Enable Remote Configuration checkboxes are not selected.
    If the Enable SNMP Access and Enable Remote Configuration checkboxes are deselected, you must configure the base station using only the local area network (LAN) or the AirPort wireless network.
    The newer Airport Utility may do this differently.
    Hopefully you can also get more help from others who are more knowledgeable about networks. As a last resort you could ask the security company to recommend a wireless router that they know will pass their test.

  • Configuring socket policy for flex apps(with blocked port 843)?

    We have built several Flex-based ecommerce apps for a Fortune 500 customer of ours that, for various reasons, need to use sockets to a different domain and require a socket policy file, but we're having trouble configuring our Flex apps for deployment in their environment, where they are blocking virtually everything except port 80. The current documentation in regards to socket policy files and crossdomain files in a non-standard configuration not using port 843 is not providing any useful help to us.
    Here is the scenario:
    Flex apps are served from domain www.a.com in  to users browsers via http. The apps then make socket connections to domain www.b.com:80 where there are php scripts serving json data to the flex apps via port 80 using http(we use sockets because we need to set and read back http headers). The problem is the flex apps cannot make socket connections to the www.b.com domain without errors like below(unless we setup a socket policy server on port 843 of www.b.com, in which case everything works):
    Warning: Timeout on xmlsocket://www.b.com:80 (at 3 seconds) while waiting for socket policy file.  This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Error: Request for resource at xmlsocket://www.b.com:80 by requestor from http://www.a.com.us/bin-debug/DownloadManagerFlex.swf is denied due to lack of policy file permissions.
    Since we cannot use port 843 for the socket policy file server, we set up the socket policy server on a different IP in the same domain: spf.b.com:80 (using the sample Perl code Adobe provides), and per the docs (cited below), use Security.loadPolicyFile("xmlsocket://spf.b.com:80") before we invoke "socket.connect", to supposedly tell the Flash Player to check there for the socket policy file. The problem, as you can see from the error log, is that the loadPolicyFile("xmlsocket://spf.b.com:80") is ignored.
    No matter what we do or how we set things up, we cannot get the Flash Player to recognize the loadPolicyFile(), it always wants to go to the port we're making the socket connection on. It is unclear how to properly configure the Flex app, socket policy file and crossdomain file for the above scenario. The docs allude to being able to serve the socket policy file from a different port 80 in the same domain as the socket connection we're trying to make, but we're having no luck with that.
    ->Can anyone shed some light on how to make this work or what we are missing/doing wrong? Also, if we can get this to work, are we stuck with a 3 second delay because this (very large) customer is blocking port 843?
    As an aside, the documentation for all this is a bit scattered, unclear and contradictory:
    One document says:(http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_07.html)
    "This warning usually means one of two things: first, that you need to set up a socket policy file server on port 843, which is the first location that Flash Player checks by default; or second, that you need to provide more explicit guidance to Flash Player from ActionScript by calling loadPolicyFile to indicate the location of a socket policy file. When you call loadPolicyFile rather than allowing Flash Player to check locations by default, Flash Player will wait as long as necessary for a response from a socket policy file server, rather than timing out after 3 seconds."
    Another document says (http://www.adobe.com/devnet/flashplayer/articles/socket_policy_files.html):
    "If an ActionScript Security.loadPolicyFile() command exists within the SWF file, then the Flash Player runtime checks that location. Flash Player checks the destination of the loadPolicyFile() only after it has checked the master policy file on port 843 for permission to acknowledge other policy files. If the developer has not specified a loadPolicyFile() command, then Flash Player checks the destination port of the connection."

    I found the reason why the Flex application was ignoring the socket policy (crossdomain.XML). I have a policy server that listens to port 843 and submits the policy to the Flex client. My policy was getting ignored by the Flex application and I was getting the sandbox security error you were getting. The solution to this problem is to write a null byte right after the policy server sends the policy. I'm using Apache Mina, which is written in Java, and the null byte is written as follows:
    public void sessionCreated(IoSession session) throws Exception {
        session.write(_policy);   // policy string
        session.write("\u0000");  // null byte that terminates the policy
        // session.close(true);   // no need to close the session: the Flex client closes it after it receives the null byte
    }
    Now my Flex application can read and accept the policy from port 843 and I'm not getting any more security violations.
    Thanks for your reply,
    Alberto

  • Block port on Value Exception

    Hi,
    Whenever there is a Value or Import exception, the port is not blocked, but now the customer wants to block the port in case of a Value Exception, as there can be a scenario where a record is updated in the source system but due to some issue it failed under value exception. A different user updates the same record in the source system and it passes through MDM correctly. Now someone will check the value exception and process the record manually, which will overwrite the changes.
    Kindly suggest if there is some method to block port in case of value and import exception.
    Thanks and Regards,
    Neethu Joy

    Hi Neethu
    As rightly explained blocking the port for Value and Import exceptions is not possible.
    Now coming to the initial requirement - "there can be scenario where a record is updated in the source system but due to some issue it failed under value exception. A different user updates the same record in source system and it pass through MDM correctly. Now some one will check the value exception and process the record manually which will overwrite the changes."
    Why should this happen- For the lookup values how are you refreshing MDM from the source system? If this is not automated the above makes a scenario for automatically refreshing the lookup values from the source system to MDM.
    Also if the User1 is wrongly editing a record in source system MDM by design is not allowing to import that record. User2 edits(corrects) the record in source system again which is reflected in MDM correctly. Here if the client needs to see the changes made at record level (by user1/all incorrect updates) then the change tracking or logs should be seen/developed in the source system itself- since MDM has been designed to filter correct records flow only.
    Hope this helps-Ravi

  • SSH Tunnelling to bypass blocked ports

    Hi. I'm living in a boarding school where they block the online "gaming" part of PSN. I can connect to a network and sign into PSN just fine. However, when I click "test internet connection" when it is determining my NAT type, it gives me error NW-31374-8 (NAT type failed). I am connecting to internet via a router which I set up by sharing the internet connection from my Mac (wifi into mac, Ethernet out of mac into router, router wifi out into PS4). I can do any online function other than game, E.g: watch netflix, watch youtube, add friends. Therefore, if I set up SSH tunnelling would I be able to bypass these blocked ports or not? Cheers

    Don't think you can. I've posted the question in other forums, and have seen other people's similar questions posted in other forums. "ssh -D {port number}" is supposed to let the client forward a proxy port, and the ssh daemon (on what would be the proxy machine) is supposed to support SOCKS 4 and SOCKS 5 proxy, which are both purportedly options in iChat. But it doesn't work. I hope somebody can call me a liar and tell me how they have successfully done it....
