DMZ and open ports
Hi all!
This is my first post on this forum. I've been tinkering around with honeypots and set one up on my home network. A tutorial I was following mentioned putting it in the DMZ. So I did. When I was at work I conducted an nmap scan of my home router. SO MANY OPEN PORTS! Of course, setting up a DMZ, this is to be expected. HH being HH, only the honeypot is in it, but I'm a little worried that even though I have only put the honeypot in the DMZ, are all the opened ports open to the rest of my network? As I understand it I am wrong, but I am concerned and just want to double check! Also, when I turned off the DMZ and did another scan I found port 4567 to be open. A quick search flagged up a few results. Many people seem to say ignore it, but others have said it's possible for it to be a back door. If I type in my public ip:4567 I get faced with a login page! I have heard that BT install a backdoor on their routers for the NSA and GCHQ; normally I'd fob such things off, but I would be interested to know what is going on with that open port!
Thanks in advance guys!
When you have anchor/foreign, the web auth traffic always goes to the anchor, so with CWA, the traffic from the anchor to the ISE will need to be permitted. Go through the following link; this may be of help:
https://supportforums.cisco.com/docs/DOC-26442
Similar Messages
-
Default LaunchDaemons and open ports?
I recently wrote a port scanner for a project at my university and after running it, I discovered that a large portion of my MacBook's well-known ports were open.
These were 21 (ftp), 22 (ssh), 23 (telnet), 53 (domain), 79 (finger)!!, 88 (kerberos), 512 (exec)!!, 513 (login), and a bunch of others (see picture below for open ports - afterwards entered @ grc.com).
I checked if they are reachable from the internet (see picture below). They were not, but that does not say a lot(?), because if someone wanted to make a bot out of my Mac or collect data from it, this person could contact a C&C server from my machine and start communicating without opening any port on the NAT router, as the router allows bidirectional communication if started by the client(?).
I checked if these ports are reachable from within a local network by requesting the services behind them from another computer running Linux. And they are! Everyone within the non-VPN networks of my university was and is able to fetch personal information from me over fingerd! To prevent further leakage, I will block any incoming connections from now on.
> finger user@{Macbook's IP}
same output as when running locally
> finger user@localhost
[localhost]
Trying ::1...
Login: MyUserName Name: MyNameReplaced
Directory: /Users/MyUserName Shell: /usr/local/bin/fish
On since Sun Oct 26 13:02 (CET) on console, idle 7:52 (messages off)
On since Sun Oct 26 17:15 (CET) on ttys000
On since Sun Oct 26 20:25 (CET) on ttys001, idle 0:05
No Mail.
No Plan.
I am able to login to the Mac via telnet over the LAN, etc.
I checked the configuration of my firewall. It is/was activated. Signed software is allowed to accept incoming connections. Cloaking is not activated and I am not blocking every incoming connection. There are five services in the list below; they are all from Apple. I cannot remove them. The minus button is greyed out.
When I ticked 'Block all incoming connections', the services behind the ports were no longer detectable/reachable from the LAN, but the daemons are still running on the Mac!
So my question is, why are these daemons running?! Why on earth is fingerd running, or exec?! This seems not normal. Who started them (software or person)? I strongly limit access to my computer. I always lock it when leaving it unattended. I use NoScript in Firefox. I never open attachments from mails.
I checked the Mac of a friend with my port scanner (in his LAN and on his Mac) and his has none of the ports open that mine has.
I have not checked my ports/firewall for a long time, so I can't remember if those ports were closed at any time before.
Meanwhile I will read something about launchd, to gather more information.
I'm not an expert on this, but I'm not certain what you are concerned about. All messaging in Unix systems is done through ports, and so a variety of ports need to be open for normal system operations. OS X out of the box probably strikes a balance between convenience and paranoia - ports that might be more secure closed are left open by default so that novice users aren't driven out of their wits - but I can't imagine that it leaves open anything that constitutes a true vulnerability. Or if it does, you should file a bug report.
I'm told every med student suffers from hypochondria at one point or another, and I know that every comp sci student will sooner or later have a short freak-out over security. So take a deep breath... -
Need some direction on FW Redundancy and opening ports
I would appreciate any advice on the current ways of connecting 2 firewalls directly for redundancy and also the best practice for allowing data through the firewall. Do firewalls have a stacking technology similar to StackWise or FlexStack? I need to allow specific ports through my network into another private network. Although this won't be connected to the internet, the same type of security as if it were is important. Sorry if this is a generic question, but what methods would be best for allowing data to and from through my network firewall? I would greatly appreciate any sample configurations (I don't plan on configuring zones) or documentation on the current way of allowing these functions. Thanks for your help!
Hi,
There are 2 different options to my knowledge to have firewall redundancy with Cisco firewalls.
The most common one is Active/Standby Failover, where you have 2 identical (hardware & software) Cisco firewalls connected by a Failover link. One of the firewalls is the Active unit and handles traffic, while the other unit is Standby, monitoring the state of the Active device (and vice versa). When the Active unit fails, the Standby unit will take the Active role.
Another option is Active/Active, which basically means that you would be running multiple virtual firewalls inside the actual hardware firewall. Some virtual firewalls would be Active on hardware unit 1 and some virtual firewalls would be Active on hardware unit 2. Hence the term Active/Active: both firewalls would be handling traffic.
ASA 9.0 Configuration Guide section on Failover
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_overview.html
The second and new option is a Cluster setup, where you essentially combine multiple identical firewalls together. This is a subject, though, that I have not gotten to test myself, so my knowledge is very limited. To my understanding this is available only with high-end ASA5585-X units, so it might not be an option for most.
ASA 9.0 Configuration Guide section on Cluster
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html
So most likely you will be using Active/Standby Failover with 2 identical Cisco firewalls.
Their configuration format, compared to a standalone firewall, doesn't differ much.
You will configure a "standby" IP address also on the ASA, which will be the IP address that the Standby unit uses
You will configure the actual Failover interface
You will configure general Failover related settings
You can tune the Failover settings and define which interfaces are monitored (and can affect the Failover) and set some other additional parameters
So there is not that much to configure compared to the standalone Cisco firewall setup.
Your post seems to indicate that this firewall or firewall pair would be used for Internal network usage. I mean a firewall between 2 LAN/DMZ networks. This would in turn mean that unless you specifically need NAT between these network segments, you could actually leave the NAT configuration of the firewall completely blank and only configure the Routing&Firewalling related settings.
How you would configure access between the 2 different network segments would naturally depend on your own setup.
From what I understood from your above post, it would seem to me that you should configure ACLs on both interfaces connected to their own network segments. These ACLs would be configured in the Inbound direction (which would control traffic heading towards the firewall from that segment and into the other segment). You could then configure both ACLs in such a manner that ONLY the required source/destination IP addresses/networks/ports are allowed and all other traffic is blocked.
I am not really sure what kind of example configuration we could give you, as we don't really know what the whole setup is going to be.
Hope this helps
- Jouni -
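The four configuration steps Jouni lists, written out as a minimal Active/Standby configuration for the primary unit. This is an added example, not Jouni's or Cisco's own text; interface names, addresses and the choice of GigabitEthernet0/3 as the failover link are assumptions, and the key is a placeholder. The secondary unit needs only `failover lan unit secondary`, the same three failover link lines, the same key and `failover`; it pulls the rest from the primary.

```text
! 1. Standby address on every data interface: the Standby unit answers on it,
!    and both units use it to test each other's interfaces
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0 standby 10.10.0.2
!
! 2. Dedicated failover link (here also used as the stateful link so that
!    the connection table survives a failover)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
!
! 3. General settings: a shared key so that failover messages (which carry
!    the running config and connection state) are authenticated and encrypted
failover key <failover-secret-placeholder>
!
! 4. Tuning: how quickly a silent peer is declared dead, and which interfaces
!    may trigger a failover (the management interface here deliberately not)
failover polltime unit 1 holdtime 3
failover polltime interface 5 holdtime 25
monitor-interface inside
monitor-interface outside
no monitor-interface management
!
! Enable failover last, once the link and key are in place on both units
failover
```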
NIO and open ports not showing up during portscan
Hi
I have an application that binds ports 4444 and 4445 by default. I can establish a connection to both ports with telnet, for example, and when I just portscan those ports they are detected:
$ nmap -p 4444-4445 localhost
Interesting ports on localhost.localdomain (127.0.0.1):
PORT STATE SERVICE
4444/tcp open krb524
4445/tcp open unknown
but when I try to scan the whole range, 4445 disappears. Here is the output:
$ nmap localhost
Interesting ports on localhost.localdomain (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
113/tcp open auth
1024/tcp open kdm
4444/tcp open krb524
5432/tcp open postgres
I reckon that this means that I will lose some connections during high load.
Does this have anything to do with the timeouts I specify for select(), or is it a problem deeper down in nio?
All this means is that there is something seriously wrong with nmap.
-
Need help with ASA 5512 and SQL port between DMZ and inside
Hello everyone,
Inside is on gigabitEthernet0/1 ip 192.9.200.254
I have a dmz on gigabitEthernet2 ip 192.168.100.254
I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network.
I believe this will work for port 443:
object network dmz
subnet 192.168.100.0 255.255.255.0
object network webserver
host 192.168.100.80
object network webserver
nat (dmz,outside) static interface service tcp 443 443
access-list Outside_access_in extended permit tcp any object webserver eq 443
access-group Outside_access_in in interface Outside
However... how would I open only port 1433 from dmz to inside?
At the bottom of this message is my config if it helps.
Thanks,
John Clausen
Config:
: Saved
ASA Version 9.1(2)
hostname ciscoasa-gcs
domain-name router.local
enable password f4yhsdf.4sadf977 encrypted
passwd f4yhsdf.4sadf977 encrypted
names
ip local pool vpnpool 192.168.201.10-192.168.201.50
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.222.222.212 255.255.255.224
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.9.200.254 255.255.255.0
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name router.local
object network inside-subnet
subnet 192.9.200.0 255.255.255.0
object network netmotion
host 192.9.200.6
object network inside-network
subnet 192.9.200.0 255.255.255.0
object network vpnpool
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.168.201.0_26
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.9.200.0_24
subnet 192.9.200.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 log disable
access-list Outside_access_in extended permit udp any object netmotion eq 5020
access-list split standard permit 192.9.200.0 255.255.255.0
access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
object network netmotion
nat (inside,outside) static interface service udp 5020 5020
nat (inside,outside) after-auto source dynamic any interface
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value router.local
group-policy VPNT internal
group-policy VPNT attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNT_splitTunnelAcl
default-domain value router.local
username grimesvpn password 7.wersfhyt encrypted
username grimesvpn attributes
service-type remote-access
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool vpnpool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
tunnel-group VPNT type remote-access
tunnel-group VPNT general-attributes
address-pool vpnpool
default-group-policy VPNT
tunnel-group VPNT ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
: end
Hi Vibor. Apologies if my comment was misunderstood. What I meant to say was that the security level of the dmz interface should probably be less than 100.
And therefore traffic could be controlled between DMZ and inside networks.
As per the security level on the DMZ interface... that command is correct. :-) -
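One way to allow only TCP 1433 from the DMZ web server into the inside network, given as an added example rather than the poster's or Cisco's own configuration. It lowers the dmz security-level below inside (two interfaces both at 100 cannot exchange traffic unless same-security traffic is enabled) and then applies an inbound ACL on the dmz interface; once an ACL is bound to an interface the implicit security-level permit no longer applies, so the web server gets exactly this one flow. Object names come from the posted config; `sqlserver` and its address are placeholders for the inside SQL host, which the post does not name.

```text
! Make the DMZ less trusted than inside (inside stays at 100)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.100.254 255.255.255.0
!
! Placeholder object for the inside SQL Server host (address not in the posted config)
object network sqlserver
 host 192.9.200.50
!
! Inbound on dmz: only 1433/tcp from the web server to the SQL host.
! The explicit deny is redundant with the implicit one but logs what the DMZ tries.
access-list dmz_access_in extended permit tcp object webserver object sqlserver eq 1433
access-list dmz_access_in extended deny ip any any log
access-group dmz_access_in in interface dmz
```

Return traffic for the 443 connections that arrive from outside is matched by the connection table, so it is unaffected by this ACL; anything the web server itself initiates towards inside or outside other than 1433 to the SQL host now shows up as a denied, logged entry.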
Default Host (DMZ) and Port Mapping together
Hi all,
I have the G5 set as a default host for all my web services through the Airport Extreme.
In the Airport Extreme's Port Mapping tab, a user is not prevented from using the port mapping tab even when the Default host is set. I want to serve video through another port not on the G5.
Does this mean I can set up port mapping for ports I do not want to go to the default host? (my G5 in this case)
I asked this on the airport forum and never got an answer, maybe you G5 folks might know. (Or maybe there is a setting that will redirect from the G5.)
Thanks in advance,
Jamy
I figured it out. I can't have a DMZ and separately port mapping on the AirPort.
-
Use iptables on DMZ server to port forward
Hello!
My ISP has this great idea that we have to go to their site to do port forwarding and change settings on the router/modem, so I was thinking to just set one of my servers as a DMZ and do port forwarding with iptables on that server.
The problem is that I can't find out how I can make packets coming in on one port go out to another IP in the LAN.
Here is my network setup:
1. Combined router, modem and wireless AP.
2. Apple AirPort Express connected to the WiFi
3. Switch connected to the AirPort Express with Ethernet.
4. Two servers connected to the switch (also with Ethernet).
The two servers have IP addresses 192.168.2.3 and 192.168.2.4, and I have set up 192.168.2.3 as DMZ.
How do I use iptables to route connections that are coming to 2.3 on a specific port to 2.4?
hunterthomson wrote:
Well, I have kind of turned into an arno-iptables-firewall fanboy. I mean really, you can read through the script in /usr/sbin/arno-iptables-firewall. Super well commented and written very well. It covers all your bases.
You will want to use the updated package listed in the comments.
http://dl.dropbox.com/u/1367726/arno-ip … all.tar.gz
You will also want the SystemD Unit file
https://aur.archlinux.org/packages/syst … -firewall/
To do NAT and port forwarding... basically just read through the whole firewall.conf and when you hit the bottom you're done.
But really, you just need to change these things.
/etc/arno-iptables-firewall/firewall.conf
Line #41, put your Internet facing interfaces here.
Line #46, you probably want to set this to '1' because it sounds like the server does get its IP from DHCP... but that is a bad idea because it needs to have the same IP all the time... so maybe leave it disabled '0'
Line #87, Put your LAN facing interfaces here
Line #94, put the LAN network here. So, if your Internet-facing network is 192.168.2.0/24 you could make the LAN 192.168.4.0/24
Line #140, Change this to '1' to enable NAT for your LAN
Line #162, Change this to '1' to enable Port-Forwarding
Line #193-195, Here is where you define your port-forwards,
Example: Forward TCP port 22 to host 192.168.4.55 and TCP port 80 to 192.168.4.66
--> Line 193, NAT_FORWARD_TCP="22>192.168.4.55 80>192.168.4.66"
Then open port 22 and 80 on the WAN side so they 'can' be forwarded.
Line #1170, OPEN_TCP="22 80"
You should also check out the configs in the plugins directory. This is where you get your money's worth...
ssh-brute-force-protection.conf
ids-protection.conf
traffic-shaper.conf
ipv6-over-ipv4.conf
traffic-accounting.conf
transparent-proxy.conf
multiroute.conf
ipsec-vpn.conf
And More !!!
Thanks for the answer. But it seems like you missed that the server is only connected to the LAN, never to the internet. -
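The setup the thread never resolves: the DMZ host 192.168.2.3 has a single LAN interface and must relay one port to 192.168.2.4 on the same subnet. A plain DNAT is not enough there, because 192.168.2.4 would answer the client directly and the client would discard replies from an address it never talked to; the forwarded packets must also be source-NATed to the DMZ host. This is an added example, not code from the thread or from arno-iptables-firewall; the addresses, the interface name `eth0` and the port numbers are assumptions.

```sh
#!/bin/sh
# Added example: hairpin port forward on a LAN-only DMZ host.
# 192.168.2.3 (exposed by the router as DMZ) relays a TCP port to 192.168.2.4,
# which sits on the same LAN behind the same interface. Constructed values;
# override them through the environment.

DMZ_IP="${DMZ_IP:-192.168.2.3}"       # the host the router exposes as DMZ
TARGET_IP="${TARGET_IP:-192.168.2.4}" # the LAN host that really runs the service
LAN_IF="${LAN_IF:-eth0}"              # the DMZ host's only network interface

# pf_rules PROTO IN_PORT OUT_PORT
# Print the iptables commands for one forward so they can be reviewed before
# anything is applied. Three rules per forward:
#   PREROUTING DNAT  - rewrite the destination to the real server
#   FORWARD ACCEPT   - allow only this new flow through (in and out on the same interface)
#   POSTROUTING SNAT - make the server reply via the DMZ host (hairpin)
pf_rules() {
    proto=$1; in_port=$2; out_port=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p $proto -d $DMZ_IP --dport $in_port -j DNAT --to-destination $TARGET_IP:$out_port
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -p $proto -d $TARGET_IP --dport $out_port -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -p $proto -d $TARGET_IP --dport $out_port -j SNAT --to-source $DMZ_IP
EOF
}

# pf_rule_count PROTO IN_PORT OUT_PORT: how many rules one forward needs.
pf_rule_count() {
    pf_rules "$@" | wc -l | tr -d ' '
}

# pf_apply PROTO IN_PORT OUT_PORT
# Enable routing, allow reply traffic for already-accepted flows (added once),
# then install the forward. Needs root; everything above it runs unprivileged.
pf_apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables -C FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null \
        || iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    pf_rules "$@" | sh -e
}

# Review the rules for the constructed case: port 8080 on the DMZ host -> 192.168.2.4:80
pf_rules tcp 8080 80
```

Because the router sends every port to the DMZ host, only the ports relayed here should be open on it; keep the host's own INPUT policy at DROP for everything else, and remember that DNATed packets never traverse INPUT, so the FORWARD rule above is the one that controls them.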
Lion server doesn't delete open port service once added in time capsule mgmt from server app.
I was trying to set a specific port to avoid a file sharing conflict, using Time Capsule as main router with Lion Server.
I added a new public service in Server.app in the Time Capsule section, where you can manage AirPort settings and open ports for mail, cal, vpn etc. I assigned a port and gave a name as requested. In my case I named it "test" and gave port number 5678 to try.
Once I decided to delete this public service, I noticed that any time I make a change in Server.app in the Time Capsule settings, Server.app performs a refresh and the deleted service appears again and again with the same name and same settings in AirPort Utility (ports management).
The only way to delete it is to go into AirPort Utility and delete it from there. But in the event you want to make another change in TC management from Server.app, you'll see the service deleted from everywhere magically appearing again in your AirPort device, in my case a TC.
Called Apple and they said to investigate the forum.
Now if I make a change in Server.app, TC section, to add or remove a public service, I have 10 useful open ports (not enabled) in AirPort (TC).
Any Help?
Thx
Jo
I have been having this same problem, except that I cannot open basic ports through either app. I've tried opening the standard web services port on 80, but neither app (Server or AirPort Utility) will open it. Apple support has been worthless.
-
How to open ports 119 and 443 in my Mac?
I've been trying to use the UseNeXT software with my Mac with no success. I called their support and they told me I need to open ports 119 and 443. I contacted Apple support and they told me that is beyond their scope (???).
Can somebody help me with that? I tried to find it online, but all the tutorials that I tried didn't work or are outdated.
Thanks
Hi Drew,
It probably depends on the router as to the method used to open the ports.
As I have said elsewhere in the thread, the first 1024 ports are open in most routers to allow things to work out of the box, such as Mail (110, 25, 567, 569, 995, 996 and many more), web browsing (port 80 mostly, but secure sites can use 443) and FTP (21 and 22), to name some.
Port Forwarding is one way to open some of the ports for One IP (computer).
Most routers have a table for doing this, and this can be limited as to the number of ports included.
This Linksys pic shows how to do it for some, as it allows groups based on start and end ports. However, it restricts it to one IP.
DMZ is a form of extreme port forwarding that opens all 65535 ports to one IP (computer).
In both the above cases other computers (IP addresses) are excluded from using the ports.
Port Triggering does allow multiple computers to access the same port, but requires that you know the lead - Trigger - port involved for each app.
It is limited by the table size for your particular router.
Same Router in Trigger ports for iChat 3
Most routers come with UPnP nowadays.
It is an On/Off setting that allows the apps on the computer to say which ports are needed and when.
On some you can reduce the time to live and the Hop amounts.
The ports stay open for a period of normally 30 mins after non-use.
This can be changed.
It also tends to list the number of hops (the number of devices beyond the UPnP device) within which it can be heard.
My Sky Hub
I have no other router on my network, but I do sometimes use Internet Sharing between two computers, hence the 2 hops.
Every other device is only one hop away from the router.
There are concerns that the "Advertisement" is seen upstream (internet side) as well as by devices downstream.
The concern is that this could be up to your ISP and then down to the "next" IP end user on the particular router/server at the ISP end.
I have seen no evidence of this being the case.
Hope this helps.
8:45 pm Monday; May 5, 2014
iMac 2.5Ghz i5 2011 (Mavericks 10.9)
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb (Snow Leopard 10.6.8)
Mac OS X (10.6.8),
Couple of iPhones and an iPad -
Open Port 80, 16384-16482, and 5060-5061
How do I open ports 80, 16384-16482, and 5060-5061 and forward them to more than one IP address and still keep my network secure?
I have 2 VOIP phones that I would like to get working. I can get one working by using Port Forwarding and forwarding all these ports to its private IP address. However, I believe I need to duplicate this for my second VOIP phone, but you can't have the same port forwarded to different IP addresses under Port Forwarding.
I have a WRT54GS.
Thank you,
Brandon
Message Edited by 2fast4u on 02-20-2009 07:01 PM
For your 2nd VOIP phone, I think what you can do is Port Triggering, or you can use DMZ for your 2nd VOIP as your VOIP phone will have a static IP.
-
Hi Guys
This is more of an FYI post rather than an "oh dear, what's wrong" post.
We've had the HH2 for about 2 years or so now and lately have been having some interesting, shall we say, personality traits with our HH2.
Often, for no reason, the HH2 will drop all wireless signals and will not allow anyone to connect: new devices, old devices or Ethernet devices. Only a press of the restart button will resolve this.
Now that's not too annoying apart from the hassle, but another (major) issue we're having is port opening/gaming.
Last week I decided to start playing a game I hadn't played in years. Upon completion of downloading and installation I tried to connect (may I note we've never had any problems with gaming whatsoever with the HH2 in the 2 years we've had it); unfortunately I kept getting connection errors. So, being an IT guy myself, I decided to pull up the ports for the game and proceeded to open them up in the HH2's manager and assign them to my device.
Tried to reconnect and still got the error. I was a bit cross-eyed here, so I thought, well, I shall try a port scanner and check to make sure my ports have been opened. They hadn't. I checked the hub again; ports were listed as open and available in the application sharing section and also assigned to my device.
I proceeded to disable firewalls and DMZ my laptop, risky I know but I am an IT guy and know what I am doing. Anyway, I restarted the HH2 again to make sure the firewall selection and DMZ applied. I waited, checked the HH2 was up and rechecked the settings, all OK.
I ran the port scan again; the ports were still NOT open. Now this is quite annoying. I went to work and tested the game there on a bog-standard ADSL line and the game worked fine. Take it home and not a peep.
I have spoken to BT and we're getting a HH3 free of charge to fix the problem, but I just wanted you all to know that there could be some serious issues with the HH2 not opening ports, nor allowing DMZ to function correctly!
Thanks everyone, have a nice day and apologies for my wall of text.
OK, I think this thread is going to turn into a help me thread... in fact I don't think... I know...
HELP ME!!!
I have received the new HH3 and with fervour decided to get into the hub, set up the wireless and put the ports in the forward list... I excitedly restarted the hub and connected...
And guess what... still no joy... ports are ALL closed... I have even DMZ'd my laptop and that isn't working... I'm not getting the IP address, I'm still getting an internal 192 address...
Can anyone give me a clue as to what's going on here? Pulling my hair out now! -
I have an AirPort Extreme and I am trying to play a new game on my Xbox One and it keeps kicking me. I have Comcast internet that is more than fast enough, so I went to the game's site and it says I need to either create a static IP or open ports. No idea how to do either of these or what that does; any help would be appreciated.
There are heaps of posts here about how to open ports on apple routers specifically for xboxes.
AirPort Extreme and xbox 360 -
Firewall in 10.5, how to open ports and how to manage?
I am pulling my hair out with the new firewall in 10.5. In 10.4 I could just set ports as I liked in the control panel; in 10.5 there is no such thing.
I need, for example, to open port 49999 to allow PageSender to function in my network.
I need to open port 5901 to work with JollyFast VNC, as port 5900 is used by Apple Remote Desktop and they conflict if they both use the same port.
Some of these ports I need permanently open, like 59999, and others for one session and then closed again, like 5901. Again, in 10.4 I made the rule in the pref pane, ticked the box and Bob was your uncle. Now?
I would like to be able to see what ports are open and active on the machine. I have no idea as to where I could see this.
And at the same time I would like to keep the firewall as closed as possible, as I am often online in hotels etc.
So I need help; is there a manual somewhere someone is aware of? Or do you have any answers?
The new Application Firewall does not work in the same way as IPFW (the main firewall in 10.4).
Instead of managing ports, it simply controls the access of applications to any port. Thus, if you want PageSender to receive connections, you simply need to switch the firewall to "Set access for specific services and applications", and then add PageSender to the list, with "Allow incoming connections". When you do this, PageSender will be able to receive connections on any port that it needs to.
If you don't like this method of controlling connections, you can still use IPFW. Apple has removed the GUI, but you can download a GUI application like [NoobProof|http://www.hanynet.com/noobproof] or [WaterRoof|http://www.hanynet.com/waterroof/index.html], and you can then set access for specific ports.
There are no problems with using both IPFW and Application Firewall.
Cheers,
Rodney -
I recently had a security system installed in my house. One of the features is an EPAD, which enables me to have a virtual keypad on my iPhone and computer to operate the alarm system. The technician was not familiar with Macs and AirPorts. How do I open port 80 to 80 in my AirPort and assign a fixed IP address for the EPAD? Apparently this is what is needed to make this work.
There are three ranges of "strictly local" IP addresses reserved for local Network use:
192.168.xxx.yyy
172.16.xxx.yyy
10.xxx.yyy.zzz
What your Router does for you is to act as your agent on the Internet. Your requests are packaged up and forwarded on your behalf, and only when a response is expected is the response returned to your local IP address.
Directing Network Traffic to a Specific Computer on Your Network (Port Mapping)
AirPort Extreme uses Network Address Translation (NAT) to share a single IP address with the computers that join the AirPort Extreme network. To provide Internet access to several computers with one IP address, NAT assigns private IP addresses to each computer on the AirPort Extreme network, and then matches these addresses with port numbers. The wireless device creates a port-to-private IP address table entry when a computer on your AirPort (private) network sends a request for information to the Internet.
If you’re using a web, AppleShare, or FTP server on your AirPort Extreme network, other computers initiate communication with your server. Because the Apple wireless device has no table entries for these requests, it has no way of directing the information to the appropriate computer on your AirPort network.
To ensure that requests are properly routed to your web, AppleShare, or FTP server, you need to establish a permanent IP address for your server and provide inbound port mapping information to your Apple wireless device.
To set up inbound port mapping:
1) Open AirPort Utility, select your wireless device, and then choose Base Station > Manual Setup, or double-click the device icon to open its configuration in a separate window. Enter the password if necessary.
2) Click the Advanced button, and then click Port Mapping.
3) Click the Add button and choose a service, such as Personal File Sharing, from the Service pop-up menu. -
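The paragraphs above describe why an outbound request from the LAN gets a reply but an unsolicited inbound connection to a server does not, and why a Port Mapping entry plus a fixed private address fixes that. The following is an added toy model of that behaviour (not from the thread or from Apple's documentation); the public address is from the 203.0.113.0/24 documentation range and the private addresses and ports are constructed sample values.

```python
# Added example, not from the thread: a minimal model of the NAT table the
# AirPort text describes. Outbound requests create port-to-private-address
# entries; inbound packets that match no entry are dropped unless a static
# inbound Port Mapping exists. All addresses and ports here are constructed.

class NatRouter:
    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # dynamic: public port -> (private ip, private port)
        self.static = {}   # Port Mapping: public port -> (private ip, private port)

    def add_port_mapping(self, public_port, private_ip, private_port):
        """Equivalent of an Advanced > Port Mapping entry for a fixed-IP server."""
        self.static[public_port] = (private_ip, private_port)

    def outbound(self, private_ip, private_port):
        """A LAN host starts a connection; allocate a public port and record it."""
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = (private_ip, private_port)
        return self.public_ip, public_port

    def inbound(self, public_port):
        """A packet arrives from the Internet; return the LAN target or None."""
        if public_port in self.table:
            return self.table[public_port]   # reply to something we sent out
        return self.static.get(public_port)  # otherwise only via a static mapping


def demo():
    router = NatRouter("203.0.113.10")   # constructed public address
    dvr = "192.168.1.50"                 # constructed fixed private address for the server
    # 1) A LAN client's outbound request gets a table entry, so the reply is routed back.
    _, public_port = router.outbound("192.168.1.20", 52000)
    reply_target = router.inbound(public_port)
    # 2) An Internet client tries the server's port 80: no entry, nowhere to send it.
    before_mapping = router.inbound(80)
    # 3) After a Port Mapping entry (public 80 -> DVR 80) the same packet is routed.
    router.add_port_mapping(80, dvr, 80)
    after_mapping = router.inbound(80)
    return reply_target, before_mapping, after_mapping


if __name__ == "__main__":
    print(demo())
```

The model also shows why the server needs a permanent private address: the static entry points at one IP, and a DHCP lease change would silently break the mapping.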
I have a Lorex DVR that I want to monitor from my iPhone and iPad. I used to be able to do this when I had a Belkin router (easy to open ports) but I bought the AirPort Extreme router and no longer have that capability. When I use "canyouseeme" they can NOT see 80, 9000 or 1025. Lorex says I need them all available in order to access. Help! And all the help I see refers to an earlier version of the AirPort Utility so I can't use those to look at anything, I can't find the same screens, I have version 6.1 (610.31). I also don't really understand how ports work, so I need a pretty basic explanation.
Well...I went to the modem (Westell, WireSpeed), found the NAT settings, once again, I'm WAY over my head, I am assuming this is a TCP connection (as opposed to a UDP) and per Lorex my mobile devices will use port 1025. So I gave it a "global port range" of 1-10 and I indicated that the "base host port" was 80, 1025, & 9000 (ports 1,2,3). When I selected the 'enable' it asked for a "host device"; my choices are my iPhone, iMac and the IP address for the DVR, so I chose the DVR. I still cannot connect and canyouseeme still can NOT find these open ports. This is taking up my whole day! I don't know how people figure this stuff out.