DMZ and open ports

Hi all!
This is my first post on this forum I've been tinkering around with honey pots and set one up on my home network. A tutorial I was following mentioned about putting it in the DMZ. So I did. When I was at work I conducted a nmap scan of my home router. SO MANY OPEN PORTS! Of course setting up a DMZ this is to be expected. HH being HH only the honeypot is in it but I'm a little worried that even though I have only put the honey pot in the DMZ, are all the opened ports open to the rest of my network? As I understad it I am wrong but I am concerned just want to double check! Also when I turned of the DMZ and did another scan I found port 4567 to be open. I quick search flagged up a few results. Many people seem to say ignore it but others have said its possible for to be a back door. If I type in my public ip:4567 I get faced with a login page! I have heard that BT install a backdoor on their routers for the NSA and GCHQ normally I'd fob such things off but would be interested to know what is going on with that open port! 
Thanks in advance guys!

When you have anchor/foreign, the web auth traffic always go to the anchor, so  with CWA, the traffic from the anchor to the ISE will need to be permitted . go through the following link this may of help
https://supportforums.cisco.com/docs/DOC-26442

Similar Messages

  • Default LaunchDaemons and open ports?

    I recently have written a port scanner for a project at my university and after running it, I discovered that a large portion of my Macbooks' well known ports was open.
    These were 21 (ftp), 22 (ssh), 23 (telnet), 53 (domain), 79 (finger)!!, 88 (kerberos), 512 (exec)!!, 513 (login), and a bunch of others (see picture below for open ports - afterwards entered @ grc.com).
    I checked, if they are reachable from the internet (see picture below). They were not, but that does not say a lot(?), because if someone wanted to make a bot out of my Mac or collect data from it, this person could contact a C&C server from my machine and start communicating without opening any port of the NAT router, as the router allows bidirectional communication if started by the client(?).
    I checked, if these ports are reachable from within a local network, by requesting the services behind them from another computer running Linux. And they are! Everyone within the Non-VPN networks of my university was and is able to fetch personal information from me over fingerd! To prevent further leakage, I will block any incoming connections from now on.
    > finger user@{Macbook's IP}
    same output as when running locally
    > finger user@localhost
    [localhost]
    Trying ::1...
    Login: MyUserName         Name: MyNameReplaced
    Directory: /Users/MyUserName            Shell: /usr/local/bin/fish
    On since Sun Oct 26 13:02 (CET) on console, idle 7:52 (messages off)
    On since Sun Oct 26 17:15 (CET) on ttys000
    On since Sun Oct 26 20:25 (CET) on ttys001, idle 0:05
    No Mail.
    No Plan.
    I am able to login to the Mac via telnet over the LAN, etc.
    I checked the configuration of my firewall. It is/was activated. Signed software is allowed to accept incoming connections. Cloaking is not activated and I am not blocking every incoming connection. There are five services in the list below, they are all from Apple. I can not remove them. The minus button is grayed out.
    When I ticked 'Block all incoming connections', the services behind the ports were no longer detectable/reachable from the LAN, but the daemons are still running on the Mac!
    So my question is, why are these daemons running?! Why on earth is the fingerd running or exec?! This seems not normal. Who has started them (software or person)? I strongly limit access to my computer. I always lock it, when leaving it unattended. I use NoScript in Firefox. Never do I open attachments from mails.
    I checked the Mac of a friend with my PortScanner (in his LAN and on his Mac) and his has none of the ports open mine has.
    I have not checked my ports/firewall for a long time, so I can't remember if those ports were closed at any time before.
    Meanwhile I will read something about launchd, to gather more information.

    I'm not an expert on this, but I'm not certain what you are concerned about. All messaging in unix systems is done through ports, and so a variety of ports need to be open for normal system operations. OS X out-of-the-box probably strikes a balance between convenience and paranoia - ports that might be more secure closed left open by default so that novice users aren't driven out of their wits - but I can't imagine that it leaves open anything that constitutes a true vulnerability. Or if it does, you should file a bug report.
    I'm told every med student suffers from hypochondria at one point or another, and I know that every comp sci student will sooner or later have a short freak-out over security. So take a deep breath...

  • Need some direction on FW Redundancy and opening ports

    I would appreciate any advice on the current ways of connecting 2 Firewalls directly for redundancy and also the best practice for allowing data through the firewall. Do firewalls have a stacking technology similar to StackWise or FlexStack? I need to allow specific ports through my network into another private network. Although this won't be connected to the internet the same type of security as if it were, is important. Sorry if this is a generic question but what methods would be best for allowing data to and from through my network firewall? I would grealty appreciate any sample configurations (I don't plan on configuring zones) or documentation on the current way of allowing these functions. Thanks for your help!

    Hi,
    There are 2 different options to my knowledge to have firewall redundancy with Cisco firewalls.
    The most common one is Active/Standby Failover which you have 2 identical (hardware & software) Cisco firewalls connected by a Failover link. One of the the firewalls is the Active unit and handles traffic while the other unit is Standby monitoring the state of the Active device (and vice versa). When the Active unit fails the Standby unit will take the Active role.
    Another option is Active/Active which basically means that you would be running multiple virtual Firewalls inside the actual hardware firewall. Some virtual firewalls would be Active on hardware unit 1 and some virtual firewalls would be Active unit would be Active on hardware unit 2. Hence the term Active/Active, both firewalls would be handling traffic.
    ASA 9.0 Configuration Guide section on Failover
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_overview.html
    The second and new option is Cluster setup where you essentially combine multiple identical firewalls together. This is a subject though that I have not gotten to test myself so my knowledge is very limited. Though to my understanding this is available only with high end ASA5585-X units so it might not be an option for most.
    ASA 9.0 Configuration Guide section on Cluster
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html
    So most likely you will be using Active/Standby Failover with 2 identical Cisco firewalls.
    Their configuration format compared to a standalone firewall doesnt differ much.
    You will configure a "standby" IP address also on the ASA that will be the IP address that the Standby unit uses
    You will configure the actual Failover interface
    You will configure general Failover related settings
    You can tune the Failover settings and define which interfaces are monitored (and can effect the Failover) and set some other additional parameters
    So there is not that much to configure compared to the standalone Cisco firewall setup.
    Your post seems to indicate that this firewall or firewall pair would be used for Internal network usage. I mean a firewall between 2 LAN/DMZ networks. This would in turn mean that unless you specifically need NAT between these network segments, you could actually leave the NAT configuration of the firewall completely blank and only configure the Routing&Firewalling related settings.
    How you would configure access between the 2 different network segments would naturally depend on your own setup.
    From what I understood from your above post it would seem to me that you should configure ACLs on both interfaces connected to their own network segments. These ACLs would be configured in Inbound direction (which would control traffic heading towards the firewall from that segment and into the other segment). You could then configure both ACLs in the manner that ONLY the required source/destination IP addresses/networks/ports are allowed and all other traffic is blocked.
    I am not really sure what kind of example configuration we could give you as we dont really know what the whole setup is going to be.
    Hope this helps
    - Jouni

  • NIO and open ports not showing up during portscan

    Hi
    I have an application that binds port 4444 and 4445 default. I can establish an conection to both ports with telnet for example and when I just portscan those ports they are detected:
    $ nmap -p 4444-4445 localhost
    Interesting ports on localhost.localdomain (127.0.0.1):
    PORT STATE SERVICE
    4444/tcp open krb524
    4445/tcp open unknown
    but when I try to scan the whole range 4445 disappears. Here is the output:
    $ nmap localhost
    Interesting ports on localhost.localdomain (127.0.0.1):
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    113/tcp open auth
    1024/tcp open kdm
    4444/tcp open krb524
    5432/tcp open postgres
    I reccon that this means that I will lose some connections during high load.
    Does this have anything to do with the timeouts I specify for select() or is it a problem deaper down in nio?.

    All this means is that there is something seriously wrong with nmap.

  • Need help with ASA 5512 and SQL port between DMZ and inside

    Hello everyone,
    Inside is on gigabitEthernet0/1 ip 192.9.200.254
    I have a dmz on gigabitEthernet2 ip 192.168.100.254
    I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network. 
    I believe this will work for port 443:
    object network dmz
    subnet 192.168.100.0 255.255.255.0
    object network webserver
    host 192.168.100.80
    object network webserver
    nat (dmz,outside) static interface service tcp 443 443
    access-list Outside_access_in extended permit tcp any object webserver eq 443
    access-group Outside_access_in in interface Outside
    However...How would I open only port 1433 from dmz to inside?
    At the bottom of this message is my config if it helps.
    Thanks,
    John Clausen
    Config:
    : Saved
    ASA Version 9.1(2) 
    hostname ciscoasa-gcs
    domain-name router.local
    enable password f4yhsdf.4sadf977 encrypted
    passwd f4yhsdf.4sadf977 encrypted
    names
    ip local pool vpnpool 192.168.201.10-192.168.201.50
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address 123.222.222.212 255.255.255.224 
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.9.200.254 255.255.255.0 
    interface GigabitEthernet0/2
     nameif dmz
     security-level 100
     ip address 192.168.100.254 255.255.255.0 
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0 
    ftp mode passive
    dns server-group DefaultDNS
     domain-name router.local
    object network inside-subnet
     subnet 192.9.200.0 255.255.255.0
    object network netmotion
     host 192.9.200.6
    object network inside-network
     subnet 192.9.200.0 255.255.255.0
    object network vpnpool
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.168.201.0_26
     subnet 192.168.201.0 255.255.255.192
    object network NETWORK_OBJ_192.9.200.0_24
     subnet 192.9.200.0 255.255.255.0
    access-list outside_access_in extended permit icmp any4 any4 log disable 
    access-list Outside_access_in extended permit udp any object netmotion eq 5020 
    access-list split standard permit 192.9.200.0 255.255.255.0 
    access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0 
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    mtu dmz 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
    nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
    object network netmotion
     nat (inside,outside) static interface service udp 5020 5020 
    nat (inside,outside) after-auto source dynamic any interface
    access-group Outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.9.200.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpool policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption aes128-sha1 3des-sha1
    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
     anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
     anyconnect enable
     tunnel-group-list enable
    group-policy SSLVPN internal
    group-policy SSLVPN attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ssl-client 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split
     default-domain value router.local
    group-policy VPNT internal
    group-policy VPNT attributes
     dns-server value 192.9.200.13
     vpn-tunnel-protocol ikev1 l2tp-ipsec 
     split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPNT_splitTunnelAcl
     default-domain value router.local
    username grimesvpn password 7.wersfhyt encrypted
    username grimesvpn attributes
     service-type remote-access
    tunnel-group SSLVPN type remote-access
    tunnel-group SSLVPN general-attributes
     address-pool vpnpool
     default-group-policy SSLVPN
    tunnel-group SSLVPN webvpn-attributes
     group-alias SSLVPN enable
    tunnel-group VPNT type remote-access
    tunnel-group VPNT general-attributes
     address-pool vpnpool
     default-group-policy VPNT
    tunnel-group VPNT ipsec-attributes
     ikev1 pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect rsh 
      inspect rtsp 
      inspect esmtp 
      inspect sqlnet 
      inspect skinny  
      inspect sunrpc 
      inspect xdmcp 
      inspect sip  
      inspect netbios 
      inspect tftp 
      inspect ip-options 
      inspect icmp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
    : end

    Hi Vibor. Apologies if my comment was misunderstood.  What I meant to say was that the security level of the dmz interface should probably be less than 100. 
    And therefore traffic could be controlled between DMZ and inside networks. 
    As per thr security level on the DMZ interface. ....... that command is correct. :-)

  • Default Host (DMZ) and Port Mapping together

    Hi all,
    I have the G5 set as a default host for all my web services through the Airport Extreme.
    In the Airport Extreme's Port Mapping tab, a user is not prevented from using the port mapping tab even when the Default host is set. I want to serve video through another port not on the G5.
    Does this mean I can set up port mapping for ports I do not want to go to the default host? (my G5 in this case)
    I asked this on the airport forum and never got an answer, maybe you G5 folks might know. (Or maybe there is a setting that will redirect from the G5.)
    Thanks in advance,
    Jamy

    I figured it out. I can't have a DMZ and separately port mapping on the Airport.

  • Use iptables on DMZ server to port forward

    Hello!
    My ISP have this great idea that we have to go to their site to do port forwarding and changing settings on the router/modem, so I was thinking to just set one of my servers as a DMZ, and do port forwarding with iptables on that server.
    The problem is that I can't find out how I can make packets coming in on one port go out to another ip in the LAN.
    Here is my network setup:
    1. Combined router, modem and wireless AP.
    2. Apple AirPort Express connected to the Wifi
    3. switch connected to the AirPort Express with ethernet.
    4. two servers connected to the switch(also with ethernet).
    the two servers have ip adress 192.168.2.3 and 192.168.2.4. And I have set up 192.168.2.3 as DMZ.
    How do I use iptables to route connections that is coming to 2.3 on a speciffic port to 2.4?

    hunterthomson wrote:
    Well, I have kind of turned into an arno-iptables-firewall fanboy. I mean really, you can read through the script in /usr/sbin/arno-iptables-firewall  Super well commented and written very well. It covers all your bases.
    You will want to use the updated package listed in the comments.
    http://dl.dropbox.com/u/1367726/arno-ip … all.tar.gz
    You will also want the SystemD Unit file
    https://aur.archlinux.org/packages/syst … -firewall/
    To do NAT and Port-Forwarding... basically just read through the whole firewall.conf and when you hit the bottom your done.
    But really, you just need to change these things.
    /etc/arno-iptables-firewall/firewall.conf
    Line #41, put your Internet facing interfaces here.
    Line #46, Probaly want to set this to '1' becuase it sounds like the server dose get it's IP from DHCP... but that is a bad idea because it needs to have the same IP all the time... so maybe leave it disabled '0'
    Line #87, Put your LAN facing interfaces here
    Line #94, Put the LAN network here, So like if your Internet facing network is 192.168.2.0/24 you could make the LAN 192.168.4.0/24
    Line #140, Change this to '1' to enable NAT for your LAN
    Line #162, Change this to '1' to enable Port-Forwarding
    Line #193-195, Here is where you define your port-forwards,
    Example: Forward TCP port 22 to host 192.168.4.55 and TCP port 80 to 192.168.4.66
    --> Line 193, NAT_FORWARD_TCP="22>192.168.4.55 80>192.168.4.66"
    Then open port 22 and 80 on the WAN side so they 'can' be forwarded.
    Line #1170, OPEN_TCP="22 80"
    You should also check out the config's in the plugins directory. This is where you get your moneys worth...
    ssh-brute-force-protection.conf
    ids-protection.conf
    traffic-shaper.conf
    ipv6-over-ipv4.conf
    traffic-accounting.conf
    transparent-proxy.conf
    multiroute.conf
    ipsec-vpn.conf
    And More !!!
    Thanks for answer. But it seems like you missed that the server is only connected to the LAN, never to the internet.

  • Lion server doesn't delete open port service once added in time capsule mgmt from server app.

    I was trying to set a specific port to avoid file sharing conflict using time capsule as main router with lion server.
    I added a new public service in Server.app in time capsule section where you can manage Airport setting and open ports for mail cal vpn etc. I  assigned a port and given a name as requested. In my case a named "test"  and gave port number 5678 to try.
    Once I decided to delete this public service I noticed that anytime I make a changes in Server.app in Time capsule settings Server.app perform a refresh and the deleted servirce appear again and again with the same name and same setting in airport utility (ports management)
    The only way to delet it is to go in airport utility and delete that from there. But in the chance you want to make another change in TC managemnet from Server.app you.ll see the service deleted from everywhere magically appearing again in your airport device in my case a TC.
    Callled Apple and they said to investigate the forum.
    Now if I maje a change in Server app. TC section to add or remouve public service I have 10 usefull open ports (not enabled) in Airport ( TC)
    Any Help?
    Thx
    Jo

    I have been having this same problem, except that I cannot open basic ports through either app. I've tried opening the standard web services port on 80, but neither app (Server or Airport Utility) will open it. Apple support has been worthless.

  • How to open ports 119 and 443 in my Mac?

    I've been trying to use the UseNeXT software with my Mac with no success. I called their support and they told me I need to open the ports 119 and 443. I contact Apple support and they told me that is beyond their scope (???).
    Can somebody help me with that? I tried to find it online, but all tutorials that i tried didn't work or are outdated.
    Thanks

    Hi Drew,
    It probably depends on the router as to the method used to open the ports.
    As I have said elsewhere in the thread the first 1024 ports are open in most router to allow things to work Out of the Box such as Mail (110, 25, 567, 569, 995, 996 and many more ) and web Browsing (port 80 mostly but secure site can use 443) FTP (21 and 22) to name some.
    Port Forwarding is one way to open some of the ports for One IP (computer).
    Most routers have  table for doing this and this can be limited as to the number of ports included.
    This Linksys pic shows how to do it for some as it allows groups based on Start and end ports. However it restricts it to one IP
    DMZ is a form of Extreme Port Forwarding that opens all 65535 ports to one IP (Computer)
    In both the above cases other computers (IP addresses) are excluded from using the ports.
    Port Triggering doe allow multiple computers to access the same Port but requires that you know the lead  - Trigger - port involved for each app.
    It is limited by the table size for your particular router.
    Same Router in Trigger ports for iChat 3
    Most router come with UPnP nowadays.
    It is an ON/Off setting that allows the apps on the computer to say which ports are needed and when.
    On some you can reduce the time to live  and the Hop amounts.
    The ports stay open from a period of normally 30 mins after non use.
    This can be changed.
    It also tends to list the number of Hops (the number of devices beyond the UPnP device) that it can be heard.
    My Sky Hub
    I have no other router on my network but I do sometimes use Internet Sharing between two computers hence the 2 Hops.
    Every other device is only one Hop away from the the router.
    There are concerns that the "Advertisement" is seen upstream (internet side) as well as device downstream.
    The Concern is that this could be Up to your ISP and then down to the "next" IP end user on the particular router/server at the ISP end.
    I have seen no evidence of this being the case.
    Hope this helps.
    8:45 pm      Monday; May 5, 2014
    ​  iMac 2.5Ghz i5 2011 (Mavericks 10.9)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.6.8),
     Couple of iPhones and an iPad

  • Open Port 80, 16384-16482, and 5060-5061

    How do I open ports 80, 16384-16482, and 5060-5061 and forward them to more than one IP address and still keep my network secure?
    I have2 VOIP phones that I would like to get working. I can get the one working by using Port Forwarding and forwarding all these ports to its private ip address. However I believe I need to duplicate this for my second VOIP phone but you can't have the same port forwarded to different ip addresses under Port Forwarding.
    I have a WRT54GS.
    Thank you,
    Brandon
    Message Edited by 2fast4u on 02-20-2009 07:01 PM

    For your 2nd VOIP phone i think you can Do is Port Triggering or you can use DMZ for your 2nd VOIP as your VOIP phone will have a Static IP.

  • HH2 and HH3 not opening ports

    Hi Guys
    This is more of an FYI post rather than a oh dear whats wrong post.
    We've had the HH2 for about a 2 years or so now and lately have been having some interesting, shall we say, personality traits with our HH2.
    Often, for no reason, the HH2 will drop all wireless signals and will not allow anyone to connect, new devices, old devices or ethernet devices. Only a press of the restart button will resolve this.
    Now thats not too annoying apart from the hassle but another (major) issue we're having is port opening/gaming.
    Last week i decided to start playing a game i hadnt played it years, upon completion of downloading and installation i tried to connect, may i note weve never had any problems with gaming whatsoever with the HH2 in the 2 years weve had it, unfortunately i kept getting connection errors. So being an IT guy myself i decided to pull up the ports for the game and proceeded to open them up in the HH2's manager and assign them to my device.
    Tried to reconnect and still got the error.. i was a bit crosseyed here so i thought well i shall try a port scanner and check to make sure my ports have been opened. They hadnt.. i checked the hub again, ports were listed as open and available in the application sharing section and also assigned to my device.
    I proceeded to disable firewalls and DMZ my laptop, risky i know but i  am an IT guy and know what i am doing. Anyways i restarted the HH2 again to make sure the firewall selection and DMZ applied. I waited and checked the HH2 was up and rechecked the settings all ok.
    I ran the port scan again, the ports were still NOT open. Now this is quite annoying. I went to work and tested the game there on a bog standard ADSL line and the game worked fine. Take it home and not a peep.
    I have spoken to BT and we're getting a HH3 free of charge to fix the problem but i just wanted you all to know that there could be some serious issues with the HH2 and it not opening ports, nor allowing DMZ to function correctly!
    Thanks everyone, have a nice day and apologies on my wall of text.

    Ok i think this thread is going to turn into a help me thread... in fact i dont think.. i know...
    HELP ME!!!
    I have received the new HH3 and with furvour decided to get into the hub, setup the wireless and put the ports in the forward list... i excitedly restarted the hub and connected...
    and guess what.. still no joy.. ports are ALL closed... i have even DMZ'd my laptop and that isnt working.. im not getting the IP address im still getting an internal 192 address...
    Can anyone give me a clue as to whats going on here? pulling my hair out now!

  • I have a game on my xbox one that is telling me I need to open ports in order to play it I am not all that tech savvy and have no idea how to do this

    I have an airport extreme and I am trying to play a new game on my xbox one and it keeps kicking me I have comcast internet that is more than fast enough so I went to the games site and it says I need to either create a static ip or to open ports no idea how to do either of these or what that does any help would be appreciated.

    There are heaps of posts here about how to open ports on apple routers specifically for xboxes.
    AirPort Extreme and xbox 360

  • Firewall in 10.5, how to open ports and how to manage?

    I am pulling my hair out with the new firewall in 10.5. In 10.4 I could just set ports as I liked in the control panel, in 10.5 there is no such thing.
    I need to for example open port 49999 to allow PageSender to function in my network.
    I need to open port 5901 to work with JollyFast VNC, as port 5900 is used by Apple Remote Desktop and the conflict if they both use the same port.
    Some of these ports I need permanent open like 59999 and others for one session and than close again, like 5901. Again in 10.4 I made the rule in the pref pane, ticked the box and Bob was your uncle. Now?
    I would like to be able to see what ports are open and active on the machine. I have no idea as to where I could see this.
    And at the same time I would like to keep the firewall as closed as possible as I am often on line in hotels etc.
    So I need help, is there a manual somewhere someone is aware of? Or do you have any answers?

    The new Application Firewall does not work in the same way as IPFW (the main firewall in 10.4).
    Instead of managing ports, it simply controls the access of applications to any port. Thus, if you want PageSender to receive connections, you simply need to switch the firewall to "Set access for specific services and applications", and then add PageSender to the list, with "Allow incoming connections". When you do this, PageSender will be able to receive connections on any port that it needs to.
    If you don't like this method of controlling connections, you can still use IPFW. Apple has removed the GUI, but you can download a GUI application like [NoobProof|http://www.hanynet.com/noobproof> or [WaterRoof|http://www.hanynet.com/waterroof/index.html], and you can then set access for specific ports.
    There are no problems with using both IPFW and Application Firewall.
    Cheers,
    Rodney

  • How do I open ports on my airport extreme and assign a fixed IP Address for a device connected to my network?

    I recently had a security system installed in my house.  One of the features is an EPAD which enables me to have a virtual keypad on my iphone, and computer to operate the alarm system.  The technician was not familiar with Mac's and Airports.  How do I open port 80 to 80 in my airport and assign a fixed IP address for the EPAD?  Apparently this is what is needed to make this work.

    There are three ranges of "strictly local" IP addresses reserved for local Network use:
    192.168.xxx.yyy
    172.16.xxx.yyy
    10.xxx.yyy.zzz
    What your Router does for you is to act as your agent on the Internet.Your requests are packaged up and forwarded on your behalf, and only when a response is expected is the response returned to your local IP address.
    Directing Network Traffic to a Specific Computer on Your
    Network (Port Mapping)
    AirPort Extreme uses Network Address Translation (NAT) to share a single IP address with the computers that join the AirPort Extreme network. To provide Internet access to several computers with one IP address, NAT assigns private IP addresses to each computer on the AirPort Extreme network, and then matches these addresses with port numbers. The wireless device creates a port-to-private IP address table entry when a computer on your AirPort (private) network sends a request for information to the Internet.
    If you’re using a web, AppleShare, or FTP server on your AirPort Extreme network, other computers initiate communication with your server. Because the Apple wireless device has no table entries for these requests, it has no way of directing the information to the appropriate computer on your AirPort network.
    To ensure that requests are properly routed to your web, AppleShare, or FTP server, you need to establish a permanent IP address for your server and provide inbound port mapping information to your Apple wireless device.
    To set up inbound port mapping:
    1) Open AirPort Utility, select your wireless device, and then choose Base Station > Manual Setup, or double-click the device icon to open its configuration in a separate window. Enter the password if necessary.
    2) Click the Advanced button, and then click Port Mapping.
    3) Click the Add button and choose a service, such as Personal File Sharing, from the Service pop-up menu.

  • I have a dvr and I want to monitor from my phone.  this worked when I had a Belkin router that let me open ports.  I use "canyouseeme" and it can't see 80, 9000 or 1025. How do I make them available?

    I have a Lorex DVR that I want to monitor from my IPhone and IPad.  I used to be able to do this when I had a Belkin router (easy to open ports) but I bought the AirPort Extreme router and no longer have that capability.  When I use "canyouseeme" they can NOT see 80, 9000 or 1025.  Lorex says I need them all available in order to access.  Help!  And all the help I see refers to a earlier version of the AirPort Utility so I cant use those to look at anything, I cant find the same screens, I have version 6.1 (610.31).  I also don't really understand how ports work, so I need a pretty basic explanation.

    Well...I went to the modem (Westell, WireSpeed), found the NAT settings, once again, I'm WAY over my head, I am assuming this is a TCP connection (as opposed to a UDP) and per Lorex my mobile devices will use port 1025.  So I gave it a "global port range" of 1-10 and I indicated that the "base host port" was 80, 1025, & 9000 (ports 1,2,3).  When I selected the 'enable' it asked for a "host devise" my choices are my IPhone, IMac and the IP address for the dvr, so I choose the dvr.  I still cannot connect and canyouseeme still can NOT find these open ports.  This is taking up my whole day! I don't know how people figure this stuff out.

Maybe you are looking for

  • Could a setting on Thunderbird have changed on Saturday A.M.? My emails from my server are no longer coming thru to my desktop. Help!

    I've checked my server. I've checked my Internet connection. The only other culprit is Thunderbird. Has something changed? Do I need different settings? This is the same problem on two different accounts. And both stopped working at the same time. (I

  • Nokia 501 not recognising in windows 7 as mass sto...

    I have two models if Asha 501 Dual sim. Both the phones were working good in windows 8, but recently i shifted back to windows 7 ( Note: Service Pack 1 is not yet installed). Now one of my phone gets recognised as modem automatically but not as mass

  • Get skype out of my outlook NOW!

    Here's the deal: I want skype OUT of my outlook account, i'm sick and tired of being logged on forever because of the MORON who had the sad ideia to link skype account to outlook account, and to make things more lame, skype and microcrapsoft don't al

  • Change country code in address

    So ... a moment's inattention while setting up my profile and I find I'm in Belorussia instead of Belgium <g> The forum mechanism is bright enough to spot a discrepancy here, and suggests I go back and edit it: but when I dutifully go back to correct

  • "Catching" a java.lang.NoSuchMethodError

    Hi all, Currently developing a number of different versions of the same system at the same time and I have a problem with NoSuchMethodError. Background: The system consist of a number of jar files: - a.jar - b.jar - c.jar Each jar-file is version han