Closing open ports - using firewall

I have everything set to the strictest settings on my MacBook Pro; however, I came across this link and it suggested several ports were still open. Can or should they be closed? How?
http://www.whatsmyip.org/ports/security/

The OS X firewall that Apple provides is very basic. If you want the very best Unix IPFW firewall to block almost all ports, then use the very powerful IPFW GUI application NoobProof. This application uses the built-in IPFW Unix firewall in OS X, which is stronger than anything you can buy.

Similar Messages

  • Closing open ports

    Hi,
    $ uname -a
    SunOS kite 5.10 s10_72 i86pc i386 i86pc
    I installed Solaris 10 on a spare Dell box recently. I'm not well versed in Solaris and I wanted a little more exposure to it. Over the past couple of days I've managed to shut down just about every service I don't use/need, but I'm left with a few nagging open ports that I can't seem to close. The only port I want to have open is 22 for ssh.
    Here's a list of currently open ports (as reported by nmap):
    PORT STATE SERVICE VERSION
    22/tcp open ssh SunSSH 1.1 (protocol 2.0)
    111/tcp open rpcbind 2-4 (rpc #100000)
    898/tcp open http Solaris management console server (SunOS 5.10 x86; Java 1.4.2_06; Tomcat 2.1)
    6000/tcp open X11 (access denied)
    Port 111: Stopping rpcbind (hence closing port 111) prevents X from starting upon reboot. The boot process won't start the dtlogin screen, and I end up having to use console mode. Is there a way around this?
    Port 898: This port is opened by the wbem service. If I disable wbem, the Solaris Management Console won't work anymore. Is there a configuration option for the SMC that allows me to shut down the listening port but still allows me to use the SMC from the localhost?
    Port 6000: I have no idea how to close this port. I did manage to close port 177 (XDMCP) from the Xconfig file, but I don't know how to close 6000. I don't need any remote X connectivity at all. Any ideas?
    Thanks.

    Thanks for the reply, Bob.
    > But you can control wbem (port 898) by changing the
    > file /etc/rc2.d/S90wbem to /etc/rc2.d/s90wbem. So on
    > reboot it won't start. To turn it off now just enter
    > from the root prompt "/etc/rc2.d/S90wbem stop" (w/o
    > the quotes). I'm not sure about rpcbind.
    Yeah, I was able to stop the wbem service permanently by toying inside rc2.d, but without wbem, the Solaris Mgt Console doesn't work anymore. I kinda like the Console, but in my opinion it shouldn't be listening for remote connections; there should be an option to allow its use only on the localhost.
    > I am looking around at how Solaris 10 handles these
    > services. If you enter the command "svccfg" you'll
    > be dropped at a "svc:>" prompt. From here you can enter
    > "list" to get a listing of the services you can
    > manage through this tool. Of course you will want to
    > look at the man pages, svccfg(1M). Two other tools
    > to look at are svcadm(1M) and smf(5).
    Let me know if you figure out how to use the svc tools to point to a new daemon. For example, I installed OpenSSH 3.9.p1 at /usr/local/sbin/sshd but couldn't find a way to coax svcadm into starting the new daemon instead of the Sun SSH daemon. I ended up adding an rc2.d script to start OpenSSH, and executing svcadm disable ssh to permanently stop the Sun version. There's gotta be another way...

  • Opening port in Firewall with Script instead of ServerAdmin?

    Hi,
    I tried to google this but didn't find good leads. What is the way to open ports in the OS X Server 10.5 Software Firewall by using a shellscript instead of the GUI ServerAdmin tool?
    thanks a lot
    simon

    At the most basic level:
    #!/bin/bash
    # Host that may reach the FTP ports (a shell assignment takes no spaces around "=")
    HOST_IP="123.123.123.123"
    # Rule 30000: allow TCP from that host to ports 20-21; -f runs without prompting
    /sbin/ipfw -f add 30000 allow tcp from "$HOST_IP" to any dst-port 20-21
    This would add a single rule, assigned to rule number 30000. It opens ports 20 and 21 for the specified IP. After installing this rule via script there are various things that will cause your firewall to be flushed and the rule will be lost. For example, just poking around in ServerAdmin can cause an unintentional flush and reloading of the firewall rules - you'll need a way to run your script again when it happens.
    Check the man page and google for info on ipfw.
    David
    Message was edited by: DavidWil

  • Unable to open ports using terminal

    I need to open port 16004 and have attempted to do so via Terminal by entering:
    sudo ipfw add allow tcp from 16004 to 1600.
    However, when I run a port scan from the Network Utility it does not show up as open.
    Is this the correct syntax? Am I missing something?
    If someone could help please.

    Sorry but can you explain further
    > man ipfw tells you everything you need to know (and more) about setting ipfw rules.
    What goes in place of the 'any to any'? anything or is that it?
    The syntax of an ipfw allow rule is:
    allow [protocol] from [source] to [dest] [port]
    So the statement:
    allow tcp from any to any 16004
    says that any source address is allowed to connect to any destination address on port 16004. To be more secure you might lock down the port so that specific IP addresses can connect, e.g.:
    allow tcp from 192.168.1.0/24 to in 16004
    this says that any machine on the 192.168.1.0/24 network is allowed to connect to any interface on the current machine ('in') on port 16004
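As an added example (not from the original posts), a script in the spirit of David's one-liner in the previous thread that re-installs a host-restricted allow rule in the syntax described above whenever the rule set has been flushed. The network, port and rule number are constructed sample values; the path /sbin/ipfw, its "list" subcommand and its -q flag are assumed as on OS X 10.4/10.5, and the script must run as root when applying.

```shell
#!/bin/sh
# Added example, not code from the original thread. Keeps one ipfw allow rule
# in place and re-adds it when ServerAdmin (or anything else) flushed the set.
# Assumptions: ipfw lives at /sbin/ipfw, rule number 30000 is unused, and the
# script runs as root when invoked with "apply".

RULE_NUM=30000
SRC_NET="192.168.1.0/24"   # constructed: the only network allowed in
DST_PORTS="16004"          # constructed: port to expose, "20-21" for a range
IPFW="/sbin/ipfw"

# Build the rule body:  allow tcp from <source> to me dst-port <ports> in
# "me" matches every address of this machine, "in" limits the rule to inbound
# packets, and "dst-port" stops the port from being read as part of the address.
build_rule() {
    printf 'allow tcp from %s to me dst-port %s in' "$1" "$2"
}

# stdin: output of `ipfw list`; succeeds if rule $1 is present.
# ipfw prints the number first, zero padded to five digits on some versions.
rule_present() {
    grep -q "^0*$1 "
}

# Accept only an IPv4 address or CIDR and a numeric port or port range, so a
# typo in the variables cannot silently turn into an "any" rule.
valid_net() {
    echo "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}
valid_ports() {
    echo "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?$'
}

ensure_rule() {
    valid_net "$SRC_NET"     || { echo "bad SRC_NET: $SRC_NET" >&2; return 2; }
    valid_ports "$DST_PORTS" || { echo "bad DST_PORTS: $DST_PORTS" >&2; return 2; }
    if "$IPFW" list | rule_present "$RULE_NUM"; then
        echo "rule $RULE_NUM already present"
        return 0
    fi
    # -q suppresses ipfw's echo of the rule; word splitting of the body is intended
    "$IPFW" -q add "$RULE_NUM" $(build_rule "$SRC_NET" "$DST_PORTS")
    echo "rule $RULE_NUM added"
}

# Run periodically (cron or launchd) as:  sh ensure_ipfw_rule.sh apply
if [ "${1:-}" = "apply" ]; then
    ensure_rule
fi
```

Running it from cron or launchd repairs the rule automatically after a flush instead of waiting for someone to notice the service is unreachable.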

  • Opening port in Firewall to allow media sharing with PS3

    What I'm trying to do: Stream media from my G5 to my PlayStation3 using Nullriver's Media Link.
    It would not work and I've determined that it's the Firewall that's the problem. I've read elsewhere that the firewall in my router (Airport extreme) will suffice and that the G5's firewall is redundant. Even if that is true I'm still puzzled as to why I couldn't open a hole in the firewall.
    I turned on Firewall Logging under advanced in the sharing preference panel, then told the PS3 to search for media servers.
    Looking at the ipfw log in Console tells me "...ipfw: 12190 Deny TCP 10.0.1.5..."
    So 12190 must be the port that needs to be open for things to work, right?
    Here's where I must be goofing up... I go to system preferences>>Sharing>>Firewall.
    Then click "New." From the Port Name pop-up, I select Other and then name the hole I intend to open.
    Then in the field "TCP Port Number(s)" I enter 12190.
    My new item now appears in the list on the firewall pane with a check next to it, and when the mouse hovers over the item the tag that pops up tells me that all network traffic on port 12190 is being let through.
    Meanwhile in the background, Console reports every minute that the PS3 is being denied access at that port!
    I tried restarting the system.
    It would be nice to know if it is indeed true that the firewall in OSX is redundant.
    But more puzzling is why I can't get this port to open.
    Thanks!

    Still no luck.
    Tried deleting that pref file. Reboot. Created new port opening as before. Still shows that same symptoms.
    Tried WaterRoof. When I call up the static rules, it shows the port in question.
    "allow tcp from any to any dst-port 12190"
    I selected it in the list, clicked the button to edit it, changed nothing, then clicked apply. (I did this in case maybe WaterRoof needed to "nudge" things to get them to work right.) After this, I was unable to change any settings on the Firewall using System Preferences.
    Maybe I'm not using WaterRoof right.
    Strange that when I used Terminal as you suggested, it shows a firewall deny at 12190, but WaterRoof says the rule is to allow.
    Could there be something wonky going on with the Airport Extreme?
    To my non-network savvy brain that doesn't make sense but I bring it up since it's the only other device involved.
    If I turn off the firewall on my G5 using System Preferences then everything works fine. Would the Airport "know" what the firewall on my computer was doing?
    It's my understanding that the Airport Extreme's firewall protects the network from outside traffic, not that it would protect devices on the network from each other.
    I was going to try opening a port on the Airport, but the fields in the Airport Utility are more complicated than those in System Preferences. Figured I should wait before I did anything stupid.
    The next thing I'll try is running MediaLink on my wife's Intel iMac. She's running 10.4.11, too, but if I can open a port on her machine, that will narrow things down. Will report back tomorrow.
    Thanks.

  • Opening Port in ASA

    Hi Everyone,
    If I need to open a specific port on the ASA so that it allows the traffic for that,
    What are different ways to open port using CLI?
    Thanks
    Mahesh

    Hello Mahesh,
    Let's say you have an internal host 192.168.12.2 that needs to be accessed on port 80 from the outside world.
    We will use the outside interface (public IP) to access it.
    So the configuration on ASA 8.2 will be:
    static (inside,outside) tcp 192.168.12.2 80 interface 80
    access-list outside_in permit tcp any host interface outside eq 80
    access-group outside_in in interface outside
    Now let's see it in a scenario where no NAT is needed:
    We already have an internal server with a public IP address 2.2.2.2 and that one needs to be accessed on port 80.
    no nat-control
    access-list outside_in permit tcp any host 2.2.2.2 eq 80
    access-group outside_in in interface outside
    So basically, if we already have an IP that is routable over the internet, NAT will not be needed!
    Remember to rate all of the answers that help ( if you need assistance on how to rate a post just let me know)
    Julio

  • How to open port 80 443, 1863

    Hello can anyone help.
    I have a message that I need to open these ports to play online backgammon.
    I have windows 7 home premium how do I open these ports?

    Hi,
    Follow this:
    Open a port in Windows Firewall
    http://windows.microsoft.com/en-in/windows/open-port-windows-firewall#1TC=windows-7
    Karen Hu
    TechNet Community Support

  • What ports need to be opened on my firewall to use apple configurator

    I need to open ports in my corporate environment to download the current iOS version and activate the certificate when using Apple Configurator.
    Can someone please advise which ports these are.

    Business & Education - Apple Configurator - Apple Support
    I cannot find any reference to "open port(s)" with JiveSearch or Google Site Search of all of AppleWorld's subdomains
    EDIT = I stand corrected... appears I missed one (see above)
    https://help.apple.com/configurator/mac/1.0/ = the Help File Online

  • Firewall in 10.5, how to open ports and how to manage?

    I am pulling my hair out with the new firewall in 10.5. In 10.4 I could just set ports as I liked in the control panel, in 10.5 there is no such thing.
    I need to for example open port 49999 to allow PageSender to function in my network.
    I need to open port 5901 to work with JollyFast VNC, as port 5900 is used by Apple Remote Desktop and they conflict if they both use the same port.
    Some of these ports I need permanently open, like 59999, and others for one session and then close again, like 5901. Again, in 10.4 I made the rule in the pref pane, ticked the box and Bob was your uncle. Now?
    I would like to be able to see what ports are open and active on the machine. I have no idea as to where I could see this.
    And at the same time I would like to keep the firewall as closed as possible as I am often on line in hotels etc.
    So I need help, is there a manual somewhere someone is aware of? Or do you have any answers?

    The new Application Firewall does not work in the same way as IPFW (the main firewall in 10.4).
    Instead of managing ports, it simply controls the access of applications to any port. Thus, if you want PageSender to receive connections, you simply need to switch the firewall to "Set access for specific services and applications", and then add PageSender to the list, with "Allow incoming connections". When you do this, PageSender will be able to receive connections on any port that it needs to.
    If you don't like this method of controlling connections, you can still use IPFW. Apple has removed the GUI, but you can download a GUI application like [NoobProof|http://www.hanynet.com/noobproof] or [WaterRoof|http://www.hanynet.com/waterroof/index.html], and you can then set access for specific ports.
    There are no problems with using both IPFW and Application Firewall.
    Cheers,
    Rodney

  • RDS and Gateway issues: Cannot get remoteapps to run without opening port 3389 on firewall

    I am testing the setup of a small RDweb server to host QuickBooks for some remote sales users (4 users). For the most part, I have everything installed on one virtual server (using 2012r2 "Quick Start" session host deployment with the additional
    Licensing and Gateway server roles added to the same server).
    Everything works excellent with one exception. External clients cannot launch published apps without having port 3389 open on the firewall, even with the gateway role installed and the 'Deployment Properties' set to use the gateway. They can properly connect
    to the RDweb site and view the published apps. The only way it works is open the firewall port (at which time I can disable the gateway or leave it configured and it works either way). Internally, everything works accordingly. I have followed the steps outlined
    on many sites and have combed through the forum here to no avail.
    Error received (summarized but is a well documented error):
    remote desktop can't connect to the remote computer: 1- Your user account is not listed (it actually is) or 2- You might have specified the remote computer in NetBios format . . etc.
    This is an existing SBS 2011 environment with additional virtual servers setup to host QuickBooks as outlined below:
    Current setup:
    Used Quick Start to install Remote Desktop Services in hosted sessions mode
    Installed the additional roles for Licensing and Gateway server on same server
    Configured wild card public certificates on all four services (Connection Broker(2), Web Access and Gateway)
    Configured internal DNS to properly look up our external FQDN of this server (ex. quickbooks.contoso.com points to quickbooks.contoso.local)
    One thing I noticed (just now) when I launch a published app and the firewall has port 3389 closed, a dialog box pops up directly after launching the app that warns about running a RemoteApp program and mentions the Remote Computer and the Gateway Server
    as both the same (which it is); however, I would have assumed one would have listed the internal server's name while, instead, both are listed as the external FQDN. Either way, internal DNS should still allow it to properly route . . no? I don't know . . I'm
    sure I am just missing something in a routing configuration somewhere. The gateway service is not properly looking up the RDweb service and then seemingly not routing the encapsulated RDP session through HTTPS . . . is my guess . .
    I was reading about the "set published name" cmdlet; however, I am not experiencing a certificate name mismatch; however, the certificate name does show up as *.contoso.com versus the actual name. I may just be grasping at straws now . . :)

    Ok, while I was in the server and looking over the BPA scans: "The Remote Desktop Gateway (RD Gateway) server Secure Sockets Layer (SSL) certificate may not have a valid certificate subject name." This may be due to it showing up as *.companyname.com
    versus quickbooks.companyname.com. Anyhow. .. on to the list of actions above:
    Changed RD RAP from "Select Active Directory" group to "Allow any network resource" and tested with port 3389 closed on firewall:
    Worked. Initially it did not as I had used a custom shortcut created from earlier; however, after logging into the RDweb site again, the application loaded fine now (after the RD RAP change)
    No error message appeared; however, I did notice that for a split second, the word Error did appear in the browser's tab title, but only very shortly. The app launch does take a bit longer too now (about 10-15 seconds, up from about 4 seconds with the port
    open). This, I could care less about so long as we are properly forwarding the traffic through the gateway.
    As for log entries, I had spent quite a bit of time in there and only had minor issues with loading user profile settings taking too long and policy settings preventing the redirection of USB devices. Looking again, no issues still. Just a bunch of informational
    entries where I would connect before (and disconnect) but only with the port on the firewall open; otherwise, there was not an entry correlating to when I would receive an error before. Now though, I am connecting after the RD RAP change and logs are showing
    connections even with the port closed. These are in "operational"; the "admin" log only shows the update to the RD RAP configuration.
    Yes, the LAN's DNS server does relay the lookup information for my public FQDN as the local LAN address. No need for a local host record.
    I have now added a new rule in our firewall to allow and forward UDP port 3391 traffic to the internal server hosting remote services
    Thank you very much for your assistance on this matter. The RD RAP rule was built by default during the creation of these services. Why is the resource not cross-referencing AD security groups? I could have sworn I created a group for that . . .

  • Opening port 51325 on firewall

    Hello,
    In order to get a fast response when the print properties are asked in Office, port 51325 has to be opened on the firewall. After some research on the web I still can't find any reason why...
    Anyone knows what this port is used for? Are there any security issues?
    Thanks in advance!

    Can you provide information, links, etc., where you got this information that Office requires this specific port number? Also, is the port# you're referring to a TCP or UDP port?
    FYI, TCP & UDP 51325 is part of the dynamic port ranges known as the Service Response Ports, or also known as the Ephemeral Ports. They are ports that are randomly selected (Windows Vista, Windows 2008 and newer operating systems) between TCP & UDP 49152 - 65535. In Windows 2000, 2003 and XP, they were 1024-5000. Windows NT used the whole range.
    The initial port may be an attempt for Office or any other app, that needs access to something else, such as a mapped drive, or sending something to a printer. The initial port may more than likely be an RPC call on TCP 135, but the response from the destination
    host will be a randomly generated ephemeral port. And once the session is closed, the port is dissolved.
    Here are more specifics on ports in an AD environment:
    Active Directory Firewall Ports - Let's Try To Make This Simple (RODC, too)
    Published by acefekay on Nov 1, 2011 at 4:31 PM
    http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx
    Windows Vista, Windows 7, Windows 2008 and Windows 2008 R2 Service Response Ports (ephemeral ports) have changed.
    http://support.microsoft.com/?kbid=929851
    Ace Fekay

  • How do I open a port using "a shell" (Terminal)?

    There is a question hereabouts that deals with opening a TCP port using "a shell." The response says that this is possible but does not say how. Specifically I need to know this for Yosemite, most recent iteration. The port would be 8101, for Tivo Desktop. Yes I know that TD is no longer supported but I have it and it seems to be working ok
    Thanks, Bob V

    Did you try just adding TD to the Firewall Options list and setting it to allow incoming connections.
    Do you often connect to a public WiFi Network such that you need the Firewall running?

  • RMI firewall issue - opening port 1099 is not enough

    Hello,
    We have a distributed java desktop app that uses RMI with callbacks to communicate amongst the clients. It all works really well at our dev site and at 2 trial sites.
    We are about to deploy out to more customer sites - so I have been doing more testing with firewalls etc and discovered some issues. Our customers are small businesses and typically have between 1 and 10 desktop clients that connect to the server via RMI. These customers are "very NOT technical", so we need to give them set-and-forget firewalls etc.
    This is all on a LAN, with RMI using port 1099. On the firewalls (of the various PCs) we open ports 1099 (RMI) and 5432 (for the Postgres DB).
    Also, I was using "CurrPorts" and "SmartSniff" to monitor the traffic at each PC - so I had a reasonable view of proceedings.
    Basically, opening port 1099 on the server is necessary, but it is NOT ENOUGH. The RMI moves off to ports other than 1099, and the server firewall does not allow the connection.
    Procedure ...
    (1) start the "server" app - which starts the RMI registry - the "localhost" desktop app also starts and it works well to both the database and the RMI.
    (2) start another client - it connects to the DB Server, but NOT the RMI server.
    (3) open the server firewall to all traffic for a few seconds - then the client connects successfully.
    From CurrPort logging I could watch the RMI comms progress over those first few minutes ...
    Initially the comms do include port 1099 on the initial call to the server, but thereafter there are always 2 or 3 "channels" open, but not to 1099.
    I notice that the Postgres DB keeps using port 5432 for all of its active channels - so it does not have the same firewall issue.
    After we have opened the firewall for a few seconds - to enable the link - then we can turn the client on and off and the client re-connects without issue - so it would seem to be only an issue with the initial connection.
    I am sure that this is all completely standard and correct RMI behavior.
    QUESTIONS:
    1. Can RMI be "forced" to always use port 1099 for connections, and not move to other ports? (like the database uses 5432)
    2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
    Other comments ...
    The firewall lets me open individual ports (say 1099) - BUT I cannot justify opening ALL ports.
    The firewall lets me open all ports to an application, say "C:\Program Files\Java\jre6\bin\java.exe", but that app will occasionally change at a customer's site as they will update their java version and suddenly our app will stop working.
    Any guidance is appreciated.
    Many Thanks,
    -Damian

    > 1. Can RMI be "forced" to always use port 1099 for connections
    Yes. Export all your servers on the same port. See the UnicastRemoteObject constructor that takes an int, or UnicastRemoteObject.exportObject(int). If the RMI Registry is a separate process you can't re-use 1099 for this purpose, but see below.
    > 2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
    Yes. Start the RMI Registry in the same JVM as the code, then you only need to use 1099 for everything.
    If you are using server socket factories, make sure they have an equals() method, or use the same instance for all remote objects.

  • Mac OS X Leopard Firewall/default open ports rpcbind?

    Hi,
    I'm looking into hardening/securing Mac OS X Leopard and noticed that port 111 rpcbind is open. Is rpcbind open by default? What are Leopard's default open ports on a fresh install?
    Also is there any way to run openbsd/freebsd PF firewall?
    Thanks!

    This is what nmap reports:
    Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-02 12:28 EST
    Warning: Unable to open interface vmnet8 -- skipping it.
    Warning: Unable to open interface vmnet1 -- skipping it.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 993 closed ports
    PORT STATE SERVICE
    111/tcp open rpcbind
    631/tcp open ipp
    1021/tcp open unknown
    1022/tcp open unknown
    1023/tcp open netvenuechat
    2049/tcp open nfs
    49152/tcp open unknown
    Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
    netstat -a | grep LISTEN confirms:
    tcp6 0 0 localhost.ipp . LISTEN
    tcp4 0 0 *.49152 . LISTEN
    tcp4 0 0 *.1021 . LISTEN
    tcp4 0 0 *.1022 . LISTEN
    tcp4 0 0 *.sunrpc . LISTEN
    tcp4 0 0 *.nfsd . LISTEN
    tcp4 0 0 *.1023 . LISTEN
    tcp4 0 0 localhost.ipp . LISTEN
    tcp6 0 0 localhost.ipp . LISTEN
    Not too sure what netvenuechat is and I have no idea why NFS is open/running. I'm not connecting to any NFS shares. How do I lock everything down?
    Any suggested IPFW rules?
    Here is what 'ipfw show' returns:
    3300 36 2160 deny icmp from any to me in icmptypes 8
    65535 866558 351141790 allow ip from any to any
    Thanks,
    Juan
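Added example, not from this thread or the one that opens the page: an audit script that reads netstat output like Juan's listing and reports every listener that is reachable from the network (not bound to loopback) and not on an explicit allowlist, so the question "which of these should be closed?" starts from the exposed ports only. The sample lines are constructed; the column layout assumed is that of OS X's netstat -an (local address as "*.PORT" or "ADDRESS.PORT", state in the last column).

```shell
#!/bin/sh
# Added example, not from the original posts. Audits listening sockets
# against an allowlist of ports the machine is meant to expose.
# Assumption: BSD/OS X netstat layout, i.e. field 4 is the local address
# written ADDRESS.PORT and the last field is the socket state.

ALLOWED_PORTS="22"   # constructed: ports you intend to keep open (space separated)

# Constructed sample in the shape of `netstat -an | grep LISTEN` on OS X.
SAMPLE_NETSTAT='tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.111 *.* LISTEN
tcp4 0 0 127.0.0.1.631 *.* LISTEN
tcp6 0 0 ::1.631 *.* LISTEN
tcp4 0 0 *.2049 *.* LISTEN
tcp4 0 0 *.49152 *.* LISTEN'

# stdin: netstat lines; $1: allowed ports. Prints "<proto> <port>" for every
# non-loopback listener whose port is not allowed; exit status 1 if any found.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $NF == "LISTEN" {
        laddr = $4
        port = laddr; sub(/.*\./, "", port)        # text after the last "."
        host = laddr; sub(/\.[^.]*$/, "", host)    # everything before it
        # Bound to loopback only: not reachable from the network, so not exposed.
        if (host == "127.0.0.1" || host == "::1" || host == "localhost") next
        if (!(port in ok)) { print $1, port; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Offline run over the constructed sample (used by the tests).
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "$ALLOWED_PORTS"
}

# Live run against this machine:  sh audit_ports.sh live
if [ "${1:-}" = "live" ]; then
    netstat -an | audit_listeners "$ALLOWED_PORTS"
fi
```

On the sample the exposed, unlisted ports are 111 (rpcbind), 2049 (nfs) and 49152; the two 631 (ipp) sockets are loopback-only and are not reported.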

  • IBCM SCCM 2012 r2 DO WE HAVE TO OPEN PORT 8531 IN EXTERNAL firewall

    Hi All
    IBCM SCCM 2012 R2: do we have to open port 8531 in the external firewall for our site system in the DMZ with the roles MP, SUP & DP?

    I agree, for IBCM you need SSL.
    But as far as I know your Update Point isn't forced to run on SSL (8531) unless you tick your Update Point with "Require SSL" within your update point configuration - which of course is the ideal configuration.
    And if that's the case it's running 8530.
    That's true, but for IBCM, as Peter pointed out, HTTPS is required. Thus, if you don't configure your WSUS instance to run using SSL, I doubt that it will work, simply because the client agent will be "smart" enough to see that you don't have an SSL-capable WSUS instance and thus won't configure the WUA to use the non-SSL WSUS instance. I can't say I've tested this though, so it's possible that it works, but I doubt it.
    Jason | http://blog.configmgrftw.com | @jasonsandys
