Firewall and IPv6, how to block ports?

I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine, they are world accessible. I tried limiting services to be only accessible to the local machine by adjusting the settings in the Firewall configuration in System Preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines in the local networks via IPv6? I suspect I'm going to need a command line tool or a third-party tool, but I am willing to deal with this until Apple sorts this out through a security update (please?).
The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.

Hi Andre,
The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
What speed is it? 867
Leopard requirements...
Minimum system requirements:
* Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor
* 512MB of memory
* DVD drive for installation
* 9GB of available disk space
Not sure on IPv6, since the whole purpose seems to be to pinpoint individual computers to the whole world, but IPFW may still work...
WaterRoof is a firewall management frontend with bandwidth tuning, NAT setup, port redirection, dynamic rules tracking, predefined rule sets, wizard, logs, statistics and other features...
http://www.macupdate.com/info.php/id/23317
See also...
http://oreilly.com/pub/a/mac/2005/03/15/firewall.html
http://tadek.pietraszek.org/blog/2007/05/01/adding-custom-firewall-rules-in-osx/
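An added example, not from this thread: Tiger's GUI firewall writes ipfw (IPv4) rules, and IPv6 is filtered by the separate ip6fw tool, so this script builds an ip6fw rule set that admits only loopback, link-local, ULA and the LAN's own /64 to chosen ports, then simulates first-match evaluation so you can check a source address before loading the rules. The ip6fw syntax (ipfw-style), the documentation prefix 2001:db8:1234:5678::/64, the ports 548/5900 and an allowing default rule are all assumptions.

```python
import ipaddress

# Source scopes that cannot originate from the public Internet; for the
# question above these count as "local".
LOCAL_SCOPES = (
    ipaddress.IPv6Network("::1/128"),    # loopback
    ipaddress.IPv6Network("fe80::/10"),  # link-local, same LAN segment only
    ipaddress.IPv6Network("fc00::/7"),   # unique local addresses
)
ANY6 = ipaddress.IPv6Network("::/0")


def is_local_source(src, site_prefix):
    """True if src is loopback, link-local, ULA, or inside the LAN's own global /64."""
    addr = ipaddress.IPv6Address(src)
    site = ipaddress.IPv6Network(site_prefix)
    return any(addr in net for net in LOCAL_SCOPES) or addr in site


def build_rules(ports, site_prefix, base=1000):
    """Ordered (number, action, source net, dst port) tuples; first match wins.
    For each protected port: allow the local scopes and the site prefix,
    then deny everyone else to that port. Ports not listed are untouched."""
    site = ipaddress.IPv6Network(site_prefix)
    rules, n = [], base
    for port in ports:
        for net in (*LOCAL_SCOPES, site):
            rules.append((n, "allow", net, port))
            n += 10
        rules.append((n, "deny", ANY6, port))
        n += 10
    return rules


def render_ip6fw(rules):
    """Emit one ip6fw command per rule (ipfw-style syntax, assumed)."""
    return [f"ip6fw add {n} {act} tcp from {net} to any {port} in"
            for n, act, net, port in rules]


def verdict(rules, src, port):
    """Simulate first-match evaluation of an inbound TCP connection to `port`
    from `src`. Assumes the default rule allows when nothing else matches."""
    addr = ipaddress.IPv6Address(src)
    for _, act, net, rport in rules:
        if rport == port and addr in net:
            return act
    return "allow"


if __name__ == "__main__":
    # Constructed values: documentation prefix for the LAN, AFP and VNC ports.
    lan = "2001:db8:1234:5678::/64"
    rules = build_rules([548, 5900], lan)
    print("\n".join(render_ip6fw(rules)))
    for src in ("2001:db8:1234:5678::42", "fe80::1", "2001:db8:ffff::1"):
        print(src, "-> port 548:", verdict(rules, src, 548))
```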

Similar Messages

  • Cisco IOS Zone Based Firewall and IPv6

    Hello,
    I am trying to set up an IPv6 tunnel to the tunnel broker Hurricane Electric. The IPv6 connection is working OK only if I disable zone security on the WAN interface (Fe0 - IPv4 interface).
    Which protocols must be allowed to and from the router?
    IOS version: 15.1.2T1 (Adv.ip services)
    Setup:
    HE (tunnel-broker)  --- Internet (IPv4)  ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
    Config on router:
    IPv4 (self to internet and internet to self)
    policy-map type inspect Outside2Router-pmap
    class type inspect SSHaccess-cmap
      inspect
    class type inspect ICMP-cmap
      inspect
    class type inspect IPSEC-cmap
      pass
    class type inspect Protocol41-cmap
      pass log
    class class-default
      drop
    interface Tunnel1
    description Hurricane Electric IPv6 Tunnel Broker
    no ip address
    zone-member security IPv6tunnel
    ipv6 address 2001:47:25:105B::2/64
    ipv6 enable
    ipv6 mtu 1300
    tunnel source FastEthernet0
    tunnel mode ipv6ip
    tunnel destination xxx.66.80.98
    interface FastEthernet0
    description WAN interface
    ip address xxx.xxx.252.84 255.255.0.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    zone-member security WAN
    duplex auto
    speed auto
    zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
    service-policy type inspect IPv6-out-pmap
    zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
    service-policy type inspect IPv6-out-pmap
    policy-map type inspect IPv6-out-pmap
    class type inspect IPv6-internet-class
      inspect
    class class-default
      drop
    class-map type inspect match-all IPv6-internet-class
    match protocol tcp
    match protocol udp
    match protocol icmp
    match protocol ftp
    ipv6 route ::/0 Tunnel1
    ipv6 unicast-routing
    ipv6 cef
    parameter-map type inspect v6-param-map
    ipv6 routing-header-enforcement loose
    sessions maximum 10000

    OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
    policy-map type inspect pm-selftowan
    class type inspect cm-selftowan-he-out
      inspect
    class type inspect cm-dhcpwan
      pass
    class class-default
      drop
    class-map type inspect match-all cm-selftowan-he-out
    match access-group name HETunnelOutbound
    ip access-list extended HETunnelOutbound
    permit 41 any any
    permit ip any host 64.62.200.2
    permit ip any host 66.220.2.74
    permit ip any host 216.66.80.26
    Now we see the same error, just on the 'new' first cmap in the pmap:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to  Invalid Segment with ip ident 0
    Yet as you can see above, we are allowing proto 41 any any.
    I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
    any ideas?
    Thanks,
    //TrX
    EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
    I decided to change the outbound cm-selftowan-he-out action to 'pass'.
    I suddenly noticed the following log:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session  216.66.80.26:0 :0 on zone-pair wantoself class  cm-wantoself-he-in due to  Invalid Segment with ip ident 0
    Notice this is now inbound having trouble, whereas before it was outbound.
    I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
    Looking at the original outbound PMAP:
    policy-map type inspect pm-selftowan
    class type inspect cm-selftowan
      inspect
    class type inspect cm-selftowan-he-out
      inspect
    class type inspect cm-dhcpwan
      pass
    class class-default
      drop
    cm-selftowan has always been in front of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails, as it seems ip inspect only handles a handful of protocols).
    This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
    Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
    Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
    Hope this helps the OP too
    //TrX
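An added example, not from the thread above: a small static check for the shadowing problem TrX describes, where a broad `ip any any` class earlier in a policy-map captures every packet a later, more specific class (here the protocol 41 one) was meant to handle. The class-map model, the `pass` action for cm-selftowan-he-out (the poster's later change) and the omission of cm-dhcpwan (its ACL is not shown) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY4 = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One ACL line: protocol and destination network."""
    proto: str                  # "ip" matches every protocol, else "41", "tcp", ...
    dst: ipaddress.IPv4Network  # /32 for "host", 0.0.0.0/0 for "any"


@dataclass(frozen=True)
class ClassMap:
    name: str
    action: str   # "inspect", "pass" or "drop"
    aces: tuple   # ACEs of the access-group the match-all class references


def covers(broad, narrow):
    """True when every packet matched by `narrow` is also matched by `broad`."""
    return broad.proto in ("ip", narrow.proto) and narrow.dst.subnet_of(broad.dst)


def shadowed(classes):
    """Return (later, earlier) name pairs where an earlier class in the policy-map
    captures every packet the later class could match, so its action never runs."""
    found = []
    for i, later in enumerate(classes):
        for earlier in classes[:i]:
            if all(any(covers(b, n) for b in earlier.aces) for n in later.aces):
                found.append((later.name, earlier.name))
                break
    return found


def host(ip):
    return ipaddress.IPv4Network(f"{ip}/32")


# Class-maps as quoted in the post; cm-selftowan is "ip any any".
CM_SELFTOWAN = ClassMap("cm-selftowan", "inspect", (Ace("ip", ANY4),))
CM_HE_OUT = ClassMap("cm-selftowan-he-out", "pass", (
    Ace("41", ANY4),                  # permit 41 any any
    Ace("ip", host("64.62.200.2")),   # permit ip any host 64.62.200.2
    Ace("ip", host("66.220.2.74")),
    Ace("ip", host("216.66.80.26")),
))

ORIGINAL_ORDER = (CM_SELFTOWAN, CM_HE_OUT)  # as posted: he-out is never reached
FIXED_ORDER = (CM_HE_OUT, CM_SELFTOWAN)     # specific class first

if __name__ == "__main__":
    print("original order shadows:", shadowed(ORIGINAL_ORDER))
    print("fixed order shadows:   ", shadowed(FIXED_ORDER))
```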

  • How to Block send e-mail by telnet using Exchange 2010

    Hi
    I have Exchange 2010 SP3 server (Edge and Database servers).
    When I log on to the Exchange server with telnet mail.domain.com 25 using the commands:
    mail from:[email protected]
    rcpt to:[email protected]
    I can send e-mails without password.
    How to block it? What is wrong with this server settings?
    Kind Regards Tomasz

    You can change the receive connector that is listening on port 25 to require authentication by removing anonymous access. The problem will be that every server that sends you email will need to have a password on your server, so you will not receive email from anyone unless they have the password configured. If you only want to receive email on this server from another trusted server, then this is how you do it; otherwise you need to leave anonymous access enabled. Spam appliances sometimes will be the only server allowed to send to your Exchange server, but the spam appliance will have anonymous access allowed on port 25 so it can get the email. Typically the distribution of port 25 traffic is handled at the firewall, and it's either sending port 25 traffic to your email server or to a spam appliance.

  • How to block a phone number

    I need to know how to block a phone number, and also how to block all incoming calls showing as an "unknown number".

    AngelDrey14 wrote:
    Tap the setting button on your iPhone. Press the phone button, After tap show my caller ID and then change it to off. To turn it back on do the same thing.
    This will not block any calls. It will only turn off caller ID, therefore not showing your caller ID to those you call.
    Only the wireless provider can block calls.

  • WSA s170 - How to block skype and download

    Hi,
    I recently changed my proxy solution from BlueCoat ProxySG to Cisco WSA, but I'm having some difficulty operating the appliance.
      a - I can't have multiple defaults route
      b - How can I block skype traffic?
      c - How can I block download
      d - No graphical interface for logging
    I hope someone here can help me, because I don't know yet if it was a good choice to change the solution that used to work like a charm.
    If someone can also point out the other good things I can do with this appliance, that would be good.
    Best regards,
    Alcides 

    It sounds like it may be best for you to reach out to the sales person that sold you this appliance.  But some quick answers for you:
    a) You can go to Network > Routes.  You can set routes based on destinations.  What exactly are you trying to do with multiple default routes?  Are you trying to get some kind of fail-over setup?  If so, this cannot be done.  You can contact TAC and ask that they submit a feature request for this.
    b) Skype can be blocked by the WSA, but after Skype determines that it cannot log on via port 80 or 443, it will start trying every port that ever existed until it gets access.  Are you ready to block all other ports at the firewall?
    c) You can block a download by file types under Access Policies > Mime Type.
    d) There is web tracking.  But if you want to view live logs in the GUI, that is not available.  Consider contacting TAC and asking for a feature request as well.
    It sounds like you are very used to the Bluecoat.  Different products will have different features. 

  • BT HH 2.0 - Blocking Ports / Firewall

    Is there a way to block all ports except http / smtp?  or are there other firewall settings that can be accessed apart from the 3 choices in the configuration.
    Thanks - Gary

    gpmcclean wrote:
    Thanks for the reply Tommy and the welcome.
    My goal is to block all possible P2P ports as my daughters are eating away at my 40GB allowance far too quickly.
    I have a Netgear DGN2000 which I used with Plus.net before I moved to BT Infinity back in Oct.
    Cheers - Gary
    Then you need to block all the port venues that their P2P applications are capable of using, perhaps even legitimate ports that you use for your own needs?
    A far better solution is to be firm but fair when dealing with their Internet access; it requires more discussion and time, but it is usually a far better long-term option with less friction.
    On a slight diversion, blocking ports may only be a short-term solution anyway. Is your router properly IPv6 aware? (Very few are.)
    Take a look at these links.
    IANA, ARIN, and the IPv4 run-out
    The .net domain joins the DNSSEC fold
    The exhaustion of IPv4 addresses and the expected signing of the .com domain to DNSSEC early next year should make 2011 an interesting one.
    "I have this awful feeling someone is watching every move I make (one of my pet hates is router location tagging)." Marvin (A paranoid Android)

  • Mac Mail and blocked ports

    Hi,
    I work in a not-very-Mac-friendly school district, but use a Mac anyway. We've figured out how to open the correct ports, etc. for internet use (via Network Preferences) but still can't access email (on an MS Exchange server) or any POP mail (Yahoo) or .mac mail through the mail program. I'm guessing it's something with a port somewhere that needs to be opened. Any thoughts on what it might be, or how to open ports on Mail?
    Thanks for any help anyone might offer.
    -Widget

    From the client side, you don't need to open any ports in Sys Prefs Sharing at all. Opening ports there is only for dealing with inbound traffic that you didn't initiate and weren't expecting as a response to something, i.e., if you were a mail or web server. But you're not a server, you're a client. So close 'em. Plus, in Mail.app (or any other application for that matter), those port numbers (like 25 or 587 or 465 for smtp, or 110 or 995 for pop, or 143 or 993 for imap) are at the destination mailserver, not your computer.
    If you launched Terminal.app, "su {adminUserName}" and "sudo tcpdump -i en1" (en1 if wireless, en0, if ethernet cable) you will find that when you launch Mail and try to check mail or send mail, stuff from your computer is leaving your machine on a randomly chosen (by Mail.app) five-digit port number and it's at the destination server where these port numbers (25, 587, 465, 110, 995, 143, 993) have any meaning. Same holds true for all applications, e.g. Safari, port 80 refers to the web server, not what port on which you are sending out your browser request to the server. The (mail, web, other) server responds back from its port (25, 143, ..., 80, etc.) port to the random port number that your application chose.
    Your problem, most likely, is that your IT Dept is blocking outbound traffic destined for any "foreign" host addresses at ports like 25 or 143, that are NOT the host addresses of your IT Dept's own mailservers. They would be blocking this at their firewall to the internet. My work's IT Secret Police does this. So unless they relax their firewall restrictions, you're going to have to do something like use your cellphone as a dialup modem to access those mail accounts, or use webmail (since they probably aren't blocking all http (destination server) port 80 traffic -- although they could be blocking traffic addressed to specific host addresses like yahoo.com/webmail).

  • Cannot sync; receiving a message that firewall is blocking port 3689

    I am receiving an error message when I try to sync my Apple TV. The error message says that a firewall is blocking port 3689. I have checked the settings I can find, but have been unable to find the source of the problem. Has anyone had this problem and if so, how did you resolve this?

    Thanks Chenks! At least I know I'm not nuts. I have done exactly what you suggest. iTunes is in the list and I went the extra step and added port 3689. Still no luck. I've checked my McAfee settings and anything else I can find. I am at the point of resetting everything to the defaults to see if I can get around this. This is so odd, as the Apple TV has been working beautifully, then, BAM! An error code and I can't sync.

  • How to Block / Hardening of "Unused Ports" in OracleAS-10gAS

    Hi All,
    I have installed Oracle 10gAS PatchSet-2 9.0.4.2.0 on a Windows 2000 SP4 OS. Both instances (INFRA & Mid-Tier) are installed on the same box. My AS is working fine and all components are working great.
    I can find out the ports being used/configured by 10gAS in this installation. All other ports are open as such on this OS and are not being used. So basically I want to "block all those unused ports of this 10gAS installation".
    1. Is it possible? If yes, how do I start on this?
    2. Does Oracle provide documentation on this, or are the details included anywhere in any of the docs?
    This has been pointed out by one of our corporate auditors who has audited our entire IT infrastructure setup and given us that comment. Can anybody help me in this regard or suggest tips / docs which could be useful to me? Looking for your help.
    Regards,
    Kamesh Rastogi

    Hello,
    I would clarify what I need and intend to do...
    Let's say my HTTP Server is configured and listening on ports 7779 & 7778, and the range for this is 7777 - 7999 as provided by the App Server.
    So I want to block all the ports of the above range and ONLY want to open or allow requests coming for port no. 7779 or 7778.
    What is being used by the App Server is known to us and we can find it out and list it... but how do we block them, here in the App Server?
    Regards,
    Kamesh Rastogi

  • How to make the mobile application work with firewall and anti-virus ON

    Hi,
    I keep on receiving an internal processing error when I try to log in to SAP Mobile Solution 1.3.0 on my iPad, and I was provided a solution, which is to turn off my firewall and antivirus. It works by turning off both of them, but I can't possibly turn off the firewall and antivirus on the server.
    Can anyone guide me how to make the mobile application work with firewall and anti-virus ON
    Thank you

    Dear Rajesh,
    Create a policy in your firewall to allow the port to send and receive data.
    I believe the port for the mobile should be port 8080 and 8443.
    And your license server port 30000 and 30001
    nd.Q

  • How can I use Back to my Mac when my ISP blocks port 1900?

    I was just forced to switch ISPs (don't ask...) and it turns out that my new ISP (Astound) lied to me and actually does block port 1900, which means that Back to my Mac (on which I rely) does not work.
    Has anyone seen this and found a viable workaround? Preferably one that is easy for my non-technical family to use also, but all suggestions are welcome.
    Thank you!

    So, I convinced my ISP to open port 1900 and they did, but it's still not working.
    I get two messages that make no sense to me, but I hope they indicate something that someone here can help me understand...
    When I open the iCloud preference pane in System Preferences, It says just below the Back to my Mac setting "Configure Router for better performance" - My Airport Extreme is configured with  Back to my Mac and it looks like my account shows a green indicator.
    Second, next to the Back to my Mac setting in the iCloud preference pane, there is a button labeled "Details..." When I click that it tells me that "Back to my Mac is not working properly because the DNS server isn't responding" and suggests I contact my ISP for a different DNS server.
    All other internet services - including iCloud services - are working fine. I even tried changing my DNS servers to Google's public DNS servers and nothing changed.
    Any suggestions are very much appreciated! Thank you!

  • How do I port my Windows Word, Excel, and Powerpoint files to the MAC?  What software is needed on the MAC to use them?  Thanks.


    You can certainly use iWork, though I hesitate to recommend it to a seasoned Windows user simply because it would add another level of the unfamiliar with which you would have to gain familiarity. The iWork applications are certainly very competent and in most respects both easy to use and surprisingly powerful. They are not 100% compatible however, though that typically manifests itself in document formatting issues rather than anything more significant.
    I have never attempted to import emails from a Windows system into MacOS - other than in Outlook connected to an Exchange server, thus not really an issue at all. I doubt that the Mail app in MacOS can import directly, but of course you could always set the account(s) up on the Mac and then forward emails you want to keep from the PC. Not elegant, but it works. Virtually any Windows document or file, whichever application created it, can be opened or converted for use on a Mac, and using both systems on my desk each day I rarely see any issues switching stuff from one machine to the other. You may stumble over one or two issues, but likely not significant.
    In switching platforms there will be some inevitable issues, not so much with being able to import your stuff because there's usually a workaround or a utility that can help, but just with getting familiar with the platform and the differences between Windows and MacOS that can obscure their similarities. From time to time the support community here hears from a user who has found the migration very problematic and regrets it, but for the most part the phrase 'I should have done this years ago...' is rather more prevalent!

  • How to turn on and off pop up blocker on mac notebooks

    how to turn on and off pop up blocker on mac notebooks?

    Safari / Preferences / Security. It's a checkbox.

  • I am having trouble with a  lot of pop ups and causing websites and screens to roll slowly, firewall is on, how do i prevent this


    You installed adware along with something else.
    You can either follow Apple's manual instructions for removing it, or use the free automated tool, AdwareMedic.

  • I have two iphones , i lost one  and entered to find my iphone and as mistake i block both and delate all the data of both. how can i get it on, im trying to restore it , but its not working ...


    Hi Roger
    Thank you for your reply.
    My original feed is: http://casa-egypt.com/feed/
    However, because I modified the feed http://feeds.feedburner.com/imananddinasbroadcast and nothing changed, I redirected it to another feed and then I deleted this feed.
    Is there any way to change the feed in itunes? The only feed I have now is  http://feeds.feedburner.com/CasaEgyptStation
    I tried to restore the feed http://feeds.feedburner.com/imananddinasbroadcast but feedburner refused.
    I know that I messed things up but I still have hope in working things out.
    Thanks in advance.
    Dina
    Message was edited by: dinadik
