Firewall Allow all traffic on lan

Similar Messages

• Firewall blocks Airplay (even under 'allow all traffic')

  Hi every body,
  I am somewhat at the end of my knowledge. I have a mac mini server running Lion 10.7.2 server. Interestingly, my the server's firewall blocks
  a) all airplay traffic and
  b) 'reading Airport confirguration' requests
  even when the firewall is set to 'allow all traffic'. However, when I completely switch it off, everything works just fine.
  Any help would really be appreciated.
  Thanks a lot.
  Nonresidentalien
  P.S. I have also tried to open ports 80 (t), 443(t), 554 (t/u), 3689(t), 5297(t), 5289(t/u), 5353(u), 49159(u) and 49163(u) with no success

  Pointing to the IPv6 thread was a good idea. After reading it, I found out that the firewall preferences in Server Admin only show you IPv4 related firewall rules.
  There is a terminal command that allows you to play with IPv6 rules. And by doing so, I was actually able to get AirPlay working again.
  First, you want to show you the current IPv6 firewall rules. In my case they looked like this (10.7.2):
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65000          0          0 deny ipv6 from any to any
  65535          6        306 allow ipv6 from any to any
  As you can see, rule number 01100 only allows traffic to the local subnet, while the next rule (65000) blocks anything else. So you want to get rid of 65000:
  reptilehouse:~ sascha$ sudo ip6fw delete 65000
  To confirm, show the rule table again and you should see 65000 is gone:
  reptilehouse:~ sascha$ sudo ip6fw show
  01000        285      96163 allow ipv6 from any to any via lo0
  01100         66       5750 allow ipv6 from any to ff02::/16
  65535          6        306 allow ipv6 from any to any
  Mind you, the rule numbers could be different on your system and you could see more or less rules. But you get the idea.
  What I don't know if whether this is sticky, e.g. survives a reboot.

• RV016 Router Allow All Traffic For Outside IP

  Hi,
  I need to configure the firewall to allow all traffice for an IP address of a sever. What steps in the router do i need to configure this? This is a cloud based voip server and we have IP phones and we need to add an IP address of the phone server to allow all traffic for that IP.
  thanks.

  Hi Jonathan,
  I have a similar problem with VOIP traffic being dropped by my new RV016 v3 router.
  I have created one Firewall Rule, to allow ALL traffic from the external VOIP PBX provider (single IP) to connect to the internal VOIP phones, which have assigned addresses in a small IP Address range (eg. 10.1.2.50 - 10.1.2.59)
  The Aastra VOIP phones continually loose their  registration wtih the cloud-based PBX. If you make an outgoing call, it will work, but the PBX will lose connection with the phone, 3 or 4 minutes after you hang up,  and will mark it as offline. Incoming calls made within the 3 or 4 minutes will get through, but after that they go right to voicemail on the PBX system.
  We used to have an RV016 v2 router and VOIP traffic worked  OK,  with a similar Firewall Rule.  We replaced the v2 router  because its CPU crashed. 
  I tested the VOIP traffic with a WRT160 router with minimal Firewall Rules, and it works OK, as long as SIP-ALG is turned Off.   We want to use the RV016 because it provides a larger number of ports for our LAN.
  Any suggestions ?
  Kirk

• ACE 4710: Config Allows all traffic except large HTTP downloads

  Hi Folks,
  Got an ACE 4710 with a basic config that seems to work for all traffic except large downloads.
  I've attached the current config
  As I mentioned I can do normal HTTP to a standard destination like google or SSH through the ACE or ICMP
  If i try to get a large file from the server side of ACE, then a trace shows that the first and subsequent 1460Byte packets dont go through ACE
  I've thought of parse lengths, but i cannot see any that seem to affect the generic L4 maps that I am trying to use
  Cheers
  Alan

  I've seen a similar fault. I suppose a lower MSS was sent in the TCP SYN handshake packets (1300 or 1380?) and the packets exceeding that value were dropped by the ACE. This is the default behavior which can be switched to a less strict mode by either
  exceed-mss allow
  or
  no normalization
  commands.
  In our case, a linux web server was whose replies wouldn't keep to the MSS limit.

• Time Capsule firewall allows broadcast traffic

  It appears that Time Capsule will forward broadcast traffic from the LAN side to WAN and allow responses back. I would have thought that when the Router Mode was set to "DHCP and NAT" that this wouldn't happen. It seems like this might be a security flaw.
  Here's my setup, and why I believe this is the case:
  Comcast Xfinity service -> Motorola SB6121 -> Time Capsule (latest generation 7.6.1 software) -> Netgear GS116 -> home network with airport express and various hard-wired and WiFi devices.
  The SB6121 cable modem is wired direclty to the WAN port on the Time Capsule. And then the first LAN port on the Time Capusule is wired direclty the Netgear switch. And then everything else is wired directly to the Netgear switch. The Time Capsule's DHCP server is set to hand out addresses in the 172.16.0.2 to 172.16.0.200 range and so everything in my home network should be getting addresses in that range.
  The SB6121 is not a gateway or router - its just a modem, but does still have a weird little DHCP server that is supposedly only active when the cable service is dead, but in practice (at least for me) seems to always be on. And there's no way to turn it off, at least from my end - perhaps Comcast could, but that's a black hole. This weird little DHCP server is hard-wired to hand out addresses between 192.168.100.11 and 192.168.100.42 and there's no way to configure it differently.
  What I see though I (which makes me think there is a security flaw in the Time Capsule firewall) is that DHCP requests from my home network are sometimes answered by the SB6121's DHCP server instead of the Time Capsule's. I say "sometimes" because most of my Apple equipment (laptops, iPhones, iPads and a Mac Mini) get configured with 172.16.0.X addresses. But most non-Apple equipment is getting 192.168.100.X addresses - this includes a Denon AV reciever and Comcast cable box. But I also have an Airport Express (latest version, 7.6.2 software) - its Router Mode is set to "Off (Bridge Mode)", but if its Internet -> Connect Using: is set to DHCP it also gets a 192.168 address.
  I thought maybe it was just the hard-wired devices getting the 192.168 addresses, but they're not. The Mac Mini is hardwired and gets the right address range. And then I thought that all WiFi devices were getting 172.16 addresses, but they're not. I have a "Nest" thermostat that connects to the WiFi and gets a 192.168 address.
  Obviously there are several problems here - having multiple DHCP servers on a network is a recipe for disaster. But it seems to me that the Time Capusule is mis-behaving. The weird little DHCP server on the cable modem on the WAN side of the Time Capsule shouldn't be accessible from my home network. The Time Capsule shouldn't be passing broadcast DHCPDiscover packets from the LAN side through to the WAN side.
  I've been all through the Time Capsule settings and don't see a way to further lock down the WAN-LAN connection. I suppose I could get a managed switch or "real" firewall to stick between the cable modem and the Time Capsule and use it to block traffic, but I shouldn't have to. And I suppose I could ask Comcast to disable the DHCP server on the cable modem, but I don't have the fortitue to sit on hold for hours trying to explain it to them. Or I suppose I could get a different cable modem that doesn't have the silly DHCP server, and maybe that's the ultimate answer, but I still think the Time Capsule has a flaw.
  I got the SB6121 plus Time Capsule combination specifically because I didn't want fidgety stuff to deal with. I could have gotten a router supporting DD-WRT if I wanted to play network engineer at home, but I do that at work and just wanted something I didn't have to debug or think about.
  Anybody in a similar situation or have suggestions?
  If you got this far, thanks for listening.
  -dave.
  (Oh yeah, I swapped the Time Capsule with the Aiport Express -- latest model with WAN and LAN ports -- and got the exact same behavior. I suspect that all Airport models just treat the multple ethernet ports as a dumb layer two switch and blindly forward ethernet broadcast traffic from one port to all the others.)

  Thanks for reporting this.. I think you should advise Apple of this flaw.. It is a serious flaw.
  The cable modems are always made with local IP address so you can check the settings and the DHCP in them is designed for using a block of public IP addresses.. ie.. if you were extremely rich.. you buy a block of IP addresses from the ISP, plug the modem directly to a switch. And every client that joined would get a public IP address. Since the ISP are not that generous as to actually hand out more than one IP, (our local cable ISP in Australia, Telstra actually gives out 3 for free). The modem however will switch from public to private IP address when it does so, once the first address is allocated. There is no security risk as that private IP has no internet connection. (Test it and see, but any device getting 192.168 address should have no internet connection). The Modem has no NAT.. so it is purely for internal purposes.
  When you tested the Airport Express, did you set it up to 172.16.x.x range as well?
  Could you please test if you haven't already the TC at its native IP address and range?
  Domestic routers often fail to work properly if used off their default range.. somewhere in the coding they have fixed some addressing, instead of correctly using settings you put in. This is not at all unusual actually. My advice to people is always stick with default unless you really want some pain.
  If you are happy with pain, I would ensure all names are set to SMB standard.. as it sounds like you know networks I presume you would already do this. Apple names are ghastly things.
  Stick to short, no spaces, pure alphanumeric names for everything.
  Make sure the dhcp range includes enough addresses that it cannot run out..the normal standard is 2-200.
  If the lease time is set to 1day default, set it to 20min.
  I would also turn off ipv6 (maybe only possible on the client). That does seem to lead to confusion.
  If necessary you should be able to use static IP reservation via the dhcp setting in the TC.. that might also help.
  Are you running a 5.6 utility to do the setup?? If not you must!!
  You can load it even into Mountain Lion with a bit of fiddling.
  Check logs and setup the reservation for any devices failing to get IP correctly.
  And yes, in the end you may have to simply use a more standard router.. and hive off the TC to bridged role.

• Howto allow all inbound traffic on 678?

  I have a 501 behind a 678 (CBOS 2.4.6) The 678 does not allow inbound connection by default. How can I config the 678 to simply terminate the ADSL and allow all traffic both in and out, so that I can let the 501 do all the access control?

  Try:
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/products_user_guide_book09186a008007ce34.html
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps528/prod_release_note09186a00800eac45.html

• Allow DNS Traffic

  Hi!
  We need to allow DNS Traffic from Lan to Wan network for our internal LAN Users through Cisco Router. May we have the lines to add in the router and do we need anything else to apply this access-list?
  Thanks.

  access-list 101 extended permit tcp net_lan sub net_wan sub eq 53
  access-list 101 extended permit udp net_lan sub net_wan sub eq 53
  access-list 101 extended deny any any
  interface Serial 0/0
   ip access-group 101 out
  N.B. That access-list is only for permit traffic for DNS protocol. All traffic except DNS will be deny  

• How do I remove "Allow all connections" for Pando in my firewall settings?

  In System Information under Firewall Settings - Applications, I see the following: com.pando.pando: Allow all connections. However, when I go to System Preferences and look at the firewall options, this is not listed, nor can I find any trace of Pando anywhere else on my computer. Is this hidden somewhere, and how can I get rid of it?

  pirihi,
  open Safari’s Preferences, and select its Privacy tab. For the “Block cookies and other website data” set of radio buttons, select “Never”.

• Allow external traffic to access internal computers

  We have an ASA 5505 running version 8.4. We are having problems allowing external traffic to access computers behind the firewall. Our current config is:
  ASA Version 8.4(3)
  hostname ciscoasa
  domain-name default.domain.invalid
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.2.1.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 152.18.75.132 255.255.255.240
  boot system disk0:/asa843-k8.bin
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object network a-152.18.75.133
  host 152.18.75.133
  object network a-10.2.1.2
  host 10.2.1.2
  object-group network ext-servers
  network-object host 142.21.53.249
  network-object host 142.21.53.251
  network-object host 142.21.53.195
  object-group network ecomm_servers
  network-object 142.21.53.236 255.255.255.255
  object-group network internal_subnet
  network-object 10.2.1.0 255.255.255.0
  access-list extended extended permit ip any any
  access-list extended extended permit icmp any any
  access-list extended extended permit ip any object-group ext-servers
  access-list acl_out extended permit tcp any object-group ecomm_servers eq https
  access-list outside_in extended permit ip any host 10.2.1.2
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any echo-reply inside
  icmp permit 10.2.1.0 255.255.255.0 inside
  icmp permit any echo-reply outside
  icmp permit any outside
  asdm image disk0:/asdm-523.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static a-10.2.1.2 a-152.18.75.133
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.2.1.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  telnet timeout 5
  ssh 10.2.1.2 255.255.255.255 inside
  ssh 122.31.53.0 255.255.255.0 outside
  ssh 122.28.75.128 255.255.255.240 outside
  ssh timeout 30
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 10.2.1.2-10.2.1.254 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect icmp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Cryptochecksum:c7d7009a051cb0647b402f4acb9a3915
  : end
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 112
  ciscoasa(config)# sh nat
  Manual NAT Policies (Section 1)
  1 (inside) to (outside) source static a-10.2.1.2 a-152.18.75.133
      translate_hits = 1, untranslate_hits = 113
  ciscoasa(config)#

  Okay I will bite.
  Assuming you have
  a.  dynamic pat rule for lan users-devices to reach the internet
  (missing ???????????????
  (should look like a nat rule that makes two entries when you make the one rule)
  (with router set at defaults it may make this rule for you already in place)
  -object bit  
  object network obj_any_inside
  subnet 0.0.0.0 0.0.0.0
  and rule bit
  object network obj_any_inside
  nat (inside,outside) dynamic interface
  b.  route rule - tells asa next hop is IP gateway address
  route outside 0.0.0.0 0.0.0.0 152.18.75.129 1
  c.  Nat rule for port forwarding- Using objects it creates two entries (lets say i call it natforward4server)
  object bit
  object network natforward4server
  host 10.2.1.2
  Nat bit
  object network natforward4server
  nat (inside,outside) static interface service tcp 443 443
  d. Nat for translated ort.
  If you had wanted to translate a port, lets say you have external users that can only use port 80 but need to access https
  object bitobject network natfortransl4server
  host 10.2.1.2
  Nat bit
  object network natfortransl4server
  nat (inside,outside) static interface service tcp 443 80

• WRVS4400N Won't allow L2TP traffic to passthrough

  The latest in a series of issues with the WRVS4400N:
  As any Mac user knows, you cannot connect to this device with QuickVPN, as there is no Mac version of QuickVPN.  That leaves us with one of two options:
  1)  Obtain iPSecuritas and configure an IPSec tunnel with it.  Problematic for many, but it can be done.  I've been doing it for two years, but recently learned that with this configuration, you can't route all network traffic over the VPN (email, web browsing, etc), which is sometimes a security concern when on public wifi.  This leaves you with solution 2:
  2)  Get some other VPN device and put it behind the Linksys Router and setup the Linksys to passthrough VPN traffic, and/or forward the necessary ports.
  I am running both a PPTP and L2TP server on Mac OS X server behind the WRVS4400N.  I have the 4400N setup to passthrough all VPN traffic (select the enable circle for IPSec, PPTP, and L2TP on the VPN Passthrough tab).
  After forwarding the appropriate port (1723) to the OS X server's ip address, PPTP goes through just fine.
  L2TP is a problem, though.  Nothing I try gets through this 4400N.  As stated above I have L2TP passthrough enabled.  I have also forwarded ports UDP 500, UDP 4500 and even tcp/udp 1701 to the L2TP server's ip address.  No go, no traffic gets through.
  Suspecting it was something wrong with my L2TP server or client settings, I put the L2TP server into a DMZ zone.  Voila!  L2TP traffic connects as expected.  This proves it is the WRVS4400N not doing its thing.
  I have checked the logs on the WRVS4400N and nothing appears at all.  I thought maybe that it is reading the L2TP traffic as IPSec traffic destined for its internal IPSec server, even though I don't have any IPSec tunnels or QuickVPN accounts setup on the WRVS4400N, but with the lousy logging and no ipconntrak tables in this version of the firmware, i don't know what else to check. 
  I am using Firmware v1.0.16 because v1.1.03 is not stable on my router.  Using that firmware leaves the router in a corrupted state requiring a power cycle to reset it after any IPSec connection is shut down.
  Can anyone suggest what I am missing or doing wrong in getting the WRVS4400N to actually passthrough my L2TP traffic to the working L2TP server?
  /rant:  I have to say I am begining to hate the WRVS4400N.  This temperamental beast has a lot of frustration and long hours over the past two years;  in hindsight, considering the hours (in excess of 100, seriously) I have put in to trying to get various forms of VPN working on it, I should have just moved on to a more stable and flexible router.  

  gv wrote:
  1. Never ever forward L2TP port 1701. That's a security risk. Port 1701 is not supposed to be accessible from the internet.
  2. Running an IPSec server behind a NAT gateway is a very bad idea and is either very difficult or impossible depending on the server software and kernel version on the server machine. In particular you usually see a lot of problems if the client as well is behind a NAT gateway.
  3. Turn off the L2TP and IPSec passthrough options. Passthrough is difficult because NAT will modify the packets passing. When you disable the passthrough options the VPN client and server should switch to encapsulation through UDP port 4500.
  Thanks for the reply.  Comments/follow-up on each of your numbered responses:
   1)  Port 1701 is off.  Plenty of sites insist it must be open, so I tried it out of desperation.  Lots of bad information on the internet, as we all know.
   2a)   My IPSec server has always been the NAT gateway itself (the WRVS4400N).  That's not the problem.  My issue with leaving the setup that way is that Linksys has ZERO support for Mac OS X to connect to the WRVS4400N's IPSec VPN.  QuickVPN is only offered for Windows OS, and Cisco VPN Client for OS X will not connect with the WRVS4400N.  THis leaves me with having to use 3rd partyclient  solutions which work flawlessly and completely with other hardware but not with the WRVS4400N.  
  I'd actually be happy with that solution if I could route all traffic (web and email especially) over the VPN tunnel.  THis won't work with the only solutions I have to using IPSec on a Mac to connect to the network.  I've considered establishing SSH tunnels binding the various ports, but proxies, slower performance and other issues make that less than desirable.  Very frustrating.
  I guess since L2TP uses IPSec, your point is relevant, but I don't understand why, if IPSec behind a NAT gateway is such a bad idea, EVERY router on the market offers IPSec passthrough in its specs.  
  If it's so problematic, and such a bad idea, why allow it?   Especially on devices marketed to SOHO consumers who are bound to have less networking savvy?  In fact, the Linksys products ship with these options ENABLED by default. 
  3)  I've done all that.  
  Here are log entries from the WRVS4400N for a few combinations of passthrough and port forwarding:
  Passthrough disabled, ports forwarded
  Dec 7 07:38:40 - Drop by Port Scan UDP
  Dec 7 07:41:25 - UDP Packet - Source:xxx.xxx.xxx.xxx,500 Destination:192.168.2.11,500 - [Firewall Log-IPSecPass Fail]
  Dec 7 07:41:30 - [VPN Log]: shutting down
  Dec 7 07:41:30 - IPSEC EVENT: KLIPS device ipsec0 shut down.
  Dec 7 07:41:32 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
  Dec 7 07:41:32 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
  Dec 7 07:41:32 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
  Dec 7 07:41:32 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
  Dec 7 07:41:32 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
  Dec 7 07:41:32 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
  Dec 7 07:41:32 - [VPN Log]: starting up 1 cryptographic helpers
  Dec 7 07:41:32 - [VPN Log]: started helper pid=11543 (fd:5)
  Dec 7 07:41:32 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
  Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
  Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
  Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
  Dec 7 07:41:32 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
  Dec 7 07:41:32 - [VPN Log]: Warning: empty directory
  passthrough enabled, ports not forwarded
  Dec 7 07:47:28 - [VPN Log]: shutting down
  Dec 7 07:47:28 - IPSEC EVENT: KLIPS device ipsec0 shut down.
  Dec 7 07:47:31 - [VPN Log]: Starting Pluto (Openswan Version cvs2006Jan12_11:29:56 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE@ECqImzhFD)
  Dec 7 07:47:31 - [VPN Log]: @(#) built on Aug 2 2007:11:09:37:
  Dec 7 07:47:31 - [VPN Log]: Setting NAT-Traversal port-4500 floating to on
  Dec 7 07:47:31 - [VPN Log]: port floating activation criteria nat_t=1/port_fload=1
  Dec 7 07:47:31 - [VPN Log]: including NAT-Traversal patch (Version 0.6c)
  Dec 7 07:47:31 - [VPN Log]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
  Dec 7 07:47:31 - [VPN Log]: starting up 1 cryptographic helpers
  Dec 7 07:47:31 - [VPN Log]: started helper pid=12590 (fd:5)
  Dec 7 07:47:31 - [VPN Log]: Using KLIPS IPsec interface code on 2.4.27-star
  Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/cacerts'
  Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/aacerts'
  Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/ocspcerts'
  Dec 7 07:47:31 - [VPN Log]: Changing to directory '/etc/ipsec.d/crls'
  Dec 7 07:47:31 - [VPN Log]: Warning: empty directory
  passthrough enabled, ports forwarded
  BLANK LOG!  Not a single entry in the WRVS4400N's log files.
  Remember, there is nothing wrong with my client or server software, as demonstrated by bypassing the WRVS4400N.  L2TP connections work fine until the WRVS4400N is in the mix. 
  So, I'm back to the same original question:
   How do I enable L2TP traffic to an L2TP server behind a WRVS4400N in a manner that actually works...? 
  Message Edited by DistortedLoop on 12-07-2008 08:02 AM

• NAC Server still in "Fallback: Allow All" state

  Hi Guys,
  i have a strange behaviour under my NAC Server.
  Today I saw that my NAC Server is in Fallback: Allow All state and the CAM is in Manager: DEAD but
  in the CAM web administration i can access that CAS.
  The CAS can ping the CAM too.
  there are two things that were changed in the last month.
  The CAM was moved to other city and they are using a 2MB link connection between them.
  The IP Address of the CAM was changed.
  I've checked my link connection between them because my CAM is in a different city  of the CAS but my link is in 50% load.
  Does anyone know any possibilitie to solve this?

  Hi,
  Are you using ip based certs or domain name? Also make sure when you do an nslookup that the CAS is able to resolve the ip address of the CAM. Also check your firewall and make sure that you are allowing all ip traffic between the CAS and the CAM.
  Also check yoru certs on the CAM and make sure that they havent expired. Are you using a standalone CAM and CAS setup are are they in failover configuration?
  Thanks,
  Tarik

• Forwarding all traffic to a new IP

  I've got a machine with two NICs in it which is currently acting as a transparent firewall (i.e. just bridge the two NICs and watch traffic). I've added a third NIC and want to send a copy of all traffic that goes through the bridge out through the new NIC to a separate box so I can run an IDS or packet logger on it. How can I do it?
  I've tried fighting with various iptables rules but not gotten anywhere.
  I've got the daemonlogger script (http://www.snort.org/users/roesch/Site/ … ogger.html) which copies all the traffic on the bridge to the new NIC but I'm stuck with actually sending it out from there.

  To move SQL to New IP:
  To assign a TCP/IP port number to the SQL Server Database Engine
  In SQL Server Configuration Manager, in the console pane, expand SQL Server Network Configuration, expand Protocols for <instance name>, and then double-clickTCP/IP.
  In the TCP/IP Properties dialog box, on the IP Addresses tab, several IP addresses appear in the format IP1, IP2,
  up to IPAll. One of these is for the IP address of the loopback adapter, 127.0.0.1. Additional IP addresses appear for each IP Address on the computer. Right-click each address, and then click Properties to
  identify the IP address that you want to configure.
  If the TCP Dynamic Ports dialog box contains 0, indicating the Database Engine is listening on dynamic ports, delete the 0.
  In the IPn Properties area box, in the TCP Port box, type the port number you want this IP address to listen on,
  and then click OK.
  In the console pane, click SQL Server Services.
  In the details pane, right-click SQL Server (<instance name>) and then click Restart, to stop and restart SQL Server.
  https://msdn.microsoft.com/en-IN/library/ms177440.aspx
  Regards, Pradyothana DP. Please Mark This As Answer if it solved your issue. Please Mark This As Helpful if it helps to solve your issue. ========================================================== http://www.dbainhouse.blogspot.in/

• Redirect all traffic to http

  Hello,
  I'm running Server 3.1.2 on OSX10.9, I was wondering if there was a way to send all traffic to http versions of webpages and not allow https? 
  I'm working at a school and our current content filter only works with http and doesn't filter https. 
  Sorry if I'm not clear, I'm new at this whole sysadmin thing.

  Hi,
  You can do that with .htaccess  or php
  Here a link https://sites.google.com/site/onlyvalidation/page/301-redirect-https-to-http-on- apache-server
  A+

• Pix501: allow all incoming smtp to one host and all smtp out from one host only

  I have a pix501 and I have a mail server. What I would like to do is ensure that smtp traffic from the web only goes to my mail server and that my mail server is the only machine on my local network that can send to the internet on port 25. This is to secure the possibility of bots on my childrens PCs spamming other users. The mail server has been relay secured for selected PCs only.
  To the pix501; I think the following is what I need, but would like somebody to confirm or correct me:
  interface ethernet0 auto
  interface ethernet1 100full
  nameif ethernet0 outside security0
  nameif ethernet1 inside security100
  access-list inbound permit tcp any host x.x.x.x eq smtp
  access-list outbound permit tcp host x.x.x.x ant eq smtp
  access-group inbound in interface outside
  access-group outbound in interface inside
  Most important:
  1. Have I got the access-lists right? Does pix501 support host x.x.x.x (ip of local webserver 192.168.x.x)
  2. Are the access lists the right way around?
  3. Is the access-group setup right?
  4. Is there anything else that needs doing/
  Any help appreciated.
  Note: I am a Cisco newbie and trying to learn,

  Thanks for that information.
  I thought about this some more, after seeing your response, and I was wondering; if I only want to restrict smtp outbound traffic, but allow all other traffic, would the following work, as I dont have to allow each specific port/ip address:
  access-list outbound permit tcp host 192.168.1.3 any eq smtp
  access-list outbound permit tcp host 192.168.1.36 any eq smtp
  access-list outbound deny tcp any any eq smtp
  access-list outbound permit udp any any
  access-list outbound permit tcp any any
  I realise that this would open all sorts of other security risks, but at least trojans/worms will not be able to spam from PCs other than those listed as per the first 2 lines ( which is my major concern at the moment). As I learn more about the traffic on my network I can block more undesirable ports.
  Sorry to be a pain, but this could be useful to other and the more complete the setup, the easier it will be for them.

• Using Xserve to route traffic between LANs

  A couple of years ago Camelot posted a response on how to set up an Xserve to route network traffic between the Xserve's internal NICs (http://discussions.apple.com/thread.jspa?threadID=1193839&tstart=127). In that situation, both LANs were 192.168.x.x. Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work? Addresses on the 172.16 are dished out from a Cisco PIX501 which I don't control. The Xserve has a fixed IP of 172.16.128.241 (DHCP with manual address) on en0. The 192.168 LAN is on en1 and the XServe does the DHCP for that side. NAT is on with IP forwarding. I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
  Xserve is running Server 10.5.4

  Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work?
  You can route between any connected networks. There doesn't have to be any common elements in the IP address subnets.
  I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
  You say you're running NAT on this system. NAT is not needed (or, in fact, desired) since it's designed for one way traffic (e.g. traffic from LAN 1 is translated to an address in LAN2 before forwarding). To have traffic flow the other way you need to setup port forwarding, which isn't practical for a large number of machines.
  My earlier suggestion doesn't suggest enabling NAT at all, just IP Forwarding. IP Forwarding should work both ways provided the relevant devices in each LAN know where to route the traffic (e.g. devices in the 192.168.x.x LAN need to have a route that sends traffic for 172.16.x.x to the 192.168.x.x address of the XServe).