Firewall and OS X Firewall

Hi,
I try to improve my networking science knowledge. Today's topic = firewall
I use only the Tiger built-in firewall, which I think does its job perfectly, but I also have the Intego NetBarrier software, which I did not install.
I am not totally sure what the added value of a fancy FW like Intego would be. Does anyone have an idea of what such a product brings beyond the built-in one, and which one is the most secure?

A third-party firewall such as Intego's would offer additional reporting and other features, while the underlying protection is pretty much the same as OS X's built-in firewall. Personally, I'd trust the OS X built-in firewall more as being more likely to be fully integrated with the OS and aware of any OS X updates. In an analogy with Windows, the one thing you should avoid is having multiple software firewalls active at the same time --- too much potential for one program deciding the other is evil and trampling things trying to 'fix' the other.
You can, though, combine a software firewall with a hardware one. All routers currently on the market should have at least a NAT firewall. Even if you only have one computer, putting a US$30 router between a cable or DSL modem and the computer gives you additional protection. And unlike e.g. a Windows third-party software firewall, the hardware firewall can't be tricked into turning off.

Similar Messages

  • Unable to configure Outlook with ASA firewall and IWSVA

    Dear Sir,
    We are unable to configure MS Outlook in our network, which has an IWSVA proxy and a Cisco ASA 5510 firewall.
    A snapshot of the Outlook error details is attached for your reference.
    In our network, L3 is behind IWSVA, which is behind the Cisco ASA 5510.
    When we change the following NAT rule and incoming ACL rule, it works fine:
    nat (inside,outside) source static any interface unidirectional
    nat (inside,outside) source static obj_Proxy interface unidirectional
    access-list 100 extended permit ip any any
    access-list inside_access_in extended permit ip object-group Proxy_Server any
    All required ports are allowed in IWSVA also. Please tell me if we have to make any changes in IWSVA, like mapping ports etc.
    Thanks in advance
    Regards:
    Anand Singh Dhouni

    Hello Anand,
    I already replied to you on the other post. Please mark this as answered so we can focus on one ticket and avoid duplicates.
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • I recently purchased a MacBook Pro and I am trying to put some camcorder footage from my Sony VX 2000 onto iMovies. For some reason I cannot import or capture any footage from my camera and tapes onto iMovies. I have the 9 to 4 inch pin firewall cable

    I have a Sony VX2000 and a MacBook Pro and I obtained the 9 to 4 inch firewall cable. My issue is that I can't get any footage from my VX2000 to my iMovies. I have looked up how to do it online and they make it seem like you just plug it in and go, it's all golden. But not for me. What am I doing wrong? It does seem to be recognize that my camera is even plugged in and no way letting import of capture any of my footage to my iMovies. Please help.

    The camera must be plugged in to AC power (not batteries only). And generally, the camera should be set to Play mode, not recording mode.

  • Unable to reach Adobe servers, Please check firewall settings and try again

    I have been a creative cloud customer since it started and I've never experienced such buggy software as the app manager. The customer experience is just shocking and I wish Adobe would just offer direct downloads for the software we need rather than use the app manager.
    I'm currently trying to install the latest versions of the programs but the app manager keeps showing "Unable to reach Adobe servers, Please check firewall settings and try again in a few minutes".
    I do not have any firewalls on my network.
    I've uninstalled all previous versions of the applications.
    The app manager will download a few % and then the message appears again. I click retry and it downloads another few % before showing the message again. I keep doing this until the program is fully downloaded and installed, which takes hours. Because I am able to eventually download the app, the error should be anything to do with my setup or internet connection as I've never had this issue before when installing Adobe products.
    Is there a way we can bypass the app manager and install the programs directly? This is getting very annoying and I just need my apps to install without wasting days clicking the retry button.

    I'm having the exact same problem. Photoshop is stuck at 0%.
    Have the links for direct download changed? When I went to http://prodesigntools.com/adobe-cc-direct-download-links.html and then scrolled down the page to:
    Photoshop CC 2014 (64-bit)
    740 MB
    File 2
    801 MB
    File 1
    and then clicked on File 1 and File 2, I reached a page that says "You don't have permission to access "http://trials3.adobe.com/AdobeProducts/PHSP/15/win64/Photoshop_15_LS20_win64.7z?" on this server."

  • Questions about Firewall, DHCP and other things

    What I have;
    Linksys WRT54GSv4
    Up to 5 dynamic IP addresses, from my ISP
    Fiber connection
    What I want;
    WLAN
    To use the 'real' dynamic IP addresses (no LAN of my own)
    Hardware Firewall (preferably from the Linksys)
    Is this even possible? I can't seem to get it working.

    No. This won't work with a WRT54GS. You can only set it up in router mode and only if you have a whole subnet. But in router mode the addresses can be reached from the internet.
    I guess there is a big misunderstanding anyway. The router even in gateway mode and running not is not a firewall for the computers connected to the router. The router runs a firewall which basically protects the router and in a way your internet connection from attacks (e.g. DoS). The firewall in the router does not protect the computer connected to the router.
    What usually provides the protection is the network address translation in gateway mode. Using private IP addresses in your LAN makes the computer inaccessible from the internet. The router maps the single internet IP address.
    But you cannot configure the firewall on the router to block any specific traffic.
    You may be able to install 3rd party firmware on the router. With 3rd party firmware you have direct access to the Linux system on the router and you can configure the packet filter on the router with iptables. This allows you to individually protect computers connected to your router. But this is not possible with standard Linksys firmware through the web configuration.
    See the Wikipedia article on "wrt54g" for details about which routers support 3rd party firmware and which projects exist.
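A simplified model of the address translation this reply describes (and of the "NAT firewall" mentioned in the first thread), added here as an illustration and not taken from Linksys or any other router firmware. It shows why unsolicited inbound packets have nowhere to go, and goes one step beyond the post by also modelling an explicit port forward; the `NatRouter` class and all addresses and ports are constructed for the example.

```python
"""Toy NAT table for a home router in gateway mode (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40000  # first public port handed out (arbitrary choice)
    # public port -> (inside endpoint, remote endpoint that may answer)
    dynamic: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # public port -> inside endpoint, for explicitly configured port forwards
    static: Dict[int, Endpoint] = field(default_factory=dict)

    def outbound(self, inside: Endpoint, remote: Endpoint) -> Endpoint:
        """A LAN host opens a connection; return the rewritten public source."""
        for port, (src, dst) in self.dynamic.items():
            if src == inside and dst == remote:
                return (self.public_ip, port)  # reuse the existing mapping
        port = self.next_port
        self.next_port += 1
        self.dynamic[port] = (inside, remote)
        return (self.public_ip, port)

    def forward(self, public_port: int, inside: Endpoint) -> None:
        """Administrator deliberately exposes one inside service."""
        self.static[public_port] = inside

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Return the inside endpoint that receives the packet, or None if dropped."""
        if public_port in self.static:
            return self.static[public_port]
        entry = self.dynamic.get(public_port)
        if entry is not None and entry[1] == remote:
            return entry[0]  # reply to a connection the LAN host started
        return None  # no mapping: the router has no inside host to deliver to


def demo():
    """Constructed scenario: one LAN client, one stranger, one port forward."""
    router = NatRouter("203.0.113.10")
    client = ("192.168.1.20", 51000)
    server = ("198.51.100.7", 443)
    stranger = ("192.0.2.99", 4444)

    public_src = router.outbound(client, server)
    reply = router.inbound(server, public_src[1])           # expected traffic
    hijack = router.inbound(stranger, public_src[1])        # wrong remote peer
    unsolicited = router.inbound(stranger, 445)             # no mapping at all
    router.forward(8080, ("192.168.1.30", 80))
    forwarded = router.inbound(stranger, 8080)              # explicit exposure
    return public_src, reply, hijack, unsolicited, forwarded


if __name__ == "__main__":
    for name, value in zip(
        ("public_src", "reply", "hijack", "unsolicited", "forwarded"), demo()
    ):
        print(f"{name:12} {value}")
```

The model filters on the remote address and port of each mapping; real devices differ in how strictly they do this, which is why the reply treats NAT as a side effect rather than a configurable packet filter.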

  • Strange issue with 3.6.3 VPN Client and IOS firewall

    I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
    Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
    Router is running 12.2(13)T.
    Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
    You Cisco gurus have any thoughts?
    Thanks,
    Jamey
    Config below:
    jamey#wr t
    Building configuration...
    Current configuration : 3947 bytes
    ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
    ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname "jamey"
    no logging buffered
    no logging console
    username XXXX password 7 XXXXX
    clock timezone GMT 0
    aaa new-model
    aaa authentication login tac local
    aaa session-id common
    ip subnet-zero
    no ip domain lookup
    ip inspect name myfw ftp
    ip inspect name myfw realaudio
    ip inspect name myfw smtp
    ip inspect name myfw streamworks
    ip inspect name myfw vdolive
    ip inspect name myfw tftp
    ip inspect name myfw rcmd
    ip inspect name myfw tcp
    ip inspect name myfw udp
    ip inspect name firewall http java-list 3
    ip audit notify log
    ip audit po max-events 100
    crypto isakmp policy 3
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group XXXX
    key XXXXXXX
    dns x.x.x.x
    domain xxx.com
    pool ipsec-pool
    acl 191
    crypto ipsec security-association lifetime kilobytes 536870911
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set foxset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set foxset
    crypto map clientmap client authentication list tac
    crypto map clientmap isakmp authorization list XXXXX
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback10
    description just for test purposes
    ip address 172.16.45.1 255.255.255.0
    interface Ethernet0/0
    description "Internet"
    ip address x.x.x.x 255.255.255.224
    ip access-group 103 in
    ip inspect myfw out
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map clientmap
    interface Ethernet0/1
    description "LAN"
    ip address 192.168.45.89 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    half-duplex
    ip local pool ipsec-pool 192.168.100.1 192.168.100.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    no logging trap
    access-list 3 permit any
    access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
    access-list 103 permit icmp any any log
    access-list 103 permit udp any eq isakmp any log
    access-list 103 permit esp any any log
    access-list 103 permit ahp any any log
    access-list 103 permit udp any any eq non500-isakmp log
    access-list 103 permit tcp any any eq 1723 log
    access-list 103 permit udp any any eq 1723 log
    access-list 103 deny tcp any any log
    access-list 103 deny udp any any log
    access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    radius-server authorization permit missing Service-Type
    call rsvp-sync
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password XXXXXX
    line vty 5 15
    end
    Some debugging info:
    At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
    .Jan 22 01:27:38.284: ICMP type=8, code=0
    .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:38.288: ICMP type=0, code=0
    .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len 40, access denied
    .Jan 22 01:27:38.637: UDP src=2301, dst=2301
    .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len 40, rcvd 2
    .Jan 22 01:27:38.641: UDP src=2301, dst=2301
    .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
    .Jan 22 01:27:38.765: ICMP type=8, code=0
    .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
    .Jan 22 01:27:38.765: ICMP type=0, code=0
    .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:39.286: ICMP type=8, code=0
    .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:39.290: ICMP type=0, code=0
    .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
    .Jan 22 01:27:39.767: ICMP type=8, code=0
    .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
    .Jan 22 01:27:39.767: ICMP type=0, code=0
    .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:40.287: ICMP type=8, code=0
    .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:40.291: ICMP type=0, code=0
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
    Here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet") from a host on the internal side (LAN) (192.168.45.1):
    .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0), g=2.2.2.2, len 44, forward
    .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128 SYN
    .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    Here is where my VPN connection breaks:
    .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    Ok..I found the bug ID for this:
    CSCdz46552
    the workaround says to configure an ACL on the dynamic ACL.
    I don't understand what that means.
    I found this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
    and they talk about it, but I'm having a hard time decoding what this means:
    "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."
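What the documentation paragraph quoted in this post says, modelled as an added Python example (not Cisco code and not part of the original post): the three outcomes for a data flow proposed by an IPSec peer, depending on whether a crypto access list is configured. Access list 191 from the configuration posted earlier in this thread is reused purely as sample input; the thread does not establish which list should be bound with `match address`, and treating "falls within" as subnet containment is an assumption of the model.

```python
"""Model of the quoted crypto access list rule (added example, not IOS code)."""
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# Copied from the configuration posted earlier in this thread.
POSTED_ACL = """
access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
"""


def _net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair into a network object."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be one contiguous low-order run
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _take(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return _net(first, tokens.pop(0))


def parse_acl(config: str, number: str) -> List[Rule]:
    """Collect the 'ip' entries of one numbered extended access list."""
    rules: List[Rule] = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", number] or len(t) < 4 or t[3] != "ip":
            continue
        rest = t[4:]
        src = _take(rest)
        dst = _take(rest)
        rules.append((t[2], src, dst))
    return rules


def peer_flow_accepted(crypto_acl: Optional[List[Rule]],
                       local: str, remote: str) -> bool:
    """Decide on a proposed flow, written from the router's point of view.

    crypto_acl=None models 'no access list configured': anything is accepted.
    An empty list models a configured but empty or missing list: all dropped.
    """
    if crypto_acl is None:
        return True
    lnet = ipaddress.ip_network(local)
    rnet = ipaddress.ip_network(remote)
    for action, src, dst in crypto_acl:  # first matching entry decides
        if lnet.subnet_of(src) and rnet.subnet_of(dst):
            return action == "permit"
    return False  # implicit deny at the end of every access list


if __name__ == "__main__":
    acl = parse_acl(POSTED_ACL, "191")
    cases = [
        ("no list configured", None, "10.9.9.0/24", "192.168.100.2/32"),
        ("LAN to VPN client", acl, "192.168.45.0/24", "192.168.100.2/32"),
        ("any to VPN client", acl, "0.0.0.0/0", "192.168.100.2/32"),
        ("list missing/empty", [], "192.168.45.0/24", "192.168.100.2/32"),
    ]
    for label, rules, local, remote in cases:
        print(f"{label:20} accepted={peer_flow_accepted(rules, local, remote)}")
```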

  • Reliable working combination of VPN client and Sidewinder firewall?

    My work's I.T. Dept has deployed a "Sidewinder" VPN firewall with certs at our workplace. All works well with our many remote Windoze clients. The Windoze clients are using a "Greenbow" VPN client.
    They (the I.T. Dept.) were never able to get the built-in OS X VPN client to work with the Sidewinder VPN firewall at all. I don't really have any details of what they tried or why it didn't work and they aren't exactly the friendliest types to us Mac users in the organization so I probably won't be getting any further details in that regard.
    They (the I.T. Dept.) did get VPN Tracker Player v6.2 client to work on the remote Mac clients -- sort of -- but it consistently fails after roughly ten minutes of connection time at IKE renegotiation. They purportedly had a trouble ticket open with, and were working with, Equinux to try to resolve the issue, but after spending a certain amount of time on it, they basically told us Mac users in the organization that they had already spent way too much time on trying to make the Mac VPN client work, so they weren't going to be doing anything further with it, so too bad, so sad for us. And they've got 100% Director support backing up their decision.
    So, the question du jour is, is anyone out there using a VPN client on a Mac and reliably connecting through a "Sidewinder" VPN firewall/server with certs (i.e., no dropped connections after about ten minutes or thereabouts), and if so, what VPN client are you using and how did you/do you have it configured?
    Thanks

    (first and last) bump

  • Problem with firewall and java on line sites internet explorer

    I have been experiencing problems with Java online games because the firewall has blocked usage. On two of them, when I press play to play the game, a message appears: error on page. If I download Mozilla, will I have the same problems? Also, when downloading from my Gmail account, again error on page. When I download your browser, do I click on save or open?
    == User Agent ==
    Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB6.5; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; WinNT-EVI 27.03.2010)

    Well... good; when we help each other here, we can't
    assume that any step has been taken, unless it's been
    specifically identified. I'm sure that makes it all
    the more frustrating, since you are a very experienced
    user.
    Now, then:
    -- since you have reinstalled the Java Update; and
    -- if you open your Help >> Installed Plug-ins, and
    scroll down the list and find these three items:
    Java Plug-in for Cocoa -- Java 1.4.2 "JavaPluginCocoa.bundle"
    Java Plug-in (CFM) -- Java 1.3.1 "Java Applet Plugin Enabler"
    Java Plug-in "Java Applet.plugin"
    -- and if Enable Java and Enable JavaScript are checked in:
    Safari >> Preferences >> Security, as you say they are; and
    -- if Enable Plug-ins is checked in the same section,
    as you say it is; and
    -- you have repaired permissions, as you say you have; and
    -- you have emptied your Cache; and
    -- your Icons folder ({YOU}/Library/Safari/Icons) has been
    trashed if it is over 750 KB; and
    -- you have Quit, then relaunched Safari after all this,
    as you say you have; and
    -- your {YOU}/Library/Caches and {YOU}/Library/Caches/Safari
    folders have read and write permissions
    ...then, I'm currently at a loss as to what else to suggest.

  • TS2709 I have AppleTV and iPad 2 running VJay app to my TV over a private Cisco router disabled firewall but I keep losing the video on my TV after a few minutes what can I do?

    I have AppleTV and iPad 2 running VJay app to my TV over a private Cisco router disabled firewall but I keep losing the video on my TV after a few minutes. What can I do?

    I also get this problem on my iPad, so probably not related to the AppleTV. On the iPad I restarted Airport Extreme this time, and then the iPad saw my Home Sharing.
    So to recap, restarting the router or Airport Express allowed the iPad and AppleTV to see Home Sharing. Restarting AppleTV also allows AppleTV to see Home Sharing.
    So does anyone have any idea?
    Thanks

  • Browser times out when trying to view my website - says the server is taking too long. And no, I don't have a firewall.

    I can't view my website at www.artisancandies.com, even though it's working and everyone else seems to see it. No, I don't have a firewall, and it's not because of my internet provider - I have AT&T at work, and Comcast at home. My husband can see the site on his laptop. I tried dumping my cache in both Firefox and Safari, but it didn't work. I looked at it through proxify.com, and can see it that way, so I know it works. This is so frustrating, because I used to only see it when I typed in artisancandies.com - it would never work for me if I typed in www.artisancandies.com. Now it doesn't work at all. This is the message I get in Firefox:
    "The connection has timed out. The server at www.artisancandies.com is taking too long to respond."
    Please help!!!
    Kristen Scott

    Linc, here's what I've got from what you asked me to do. I hope you don't mind, but it was simple enough to leave everything in, so you could see the progression:
    Kristen-Scotts-Computer:~ kristenscott$ kextstat -kl | awk ' !/apple/ { print $6 $7 } '
    Kristen-Scotts-Computer:~ kristenscott$ sudo launchctl list | sed 1d | awk ' !/0x|apple|com\.vix|edu\.|org\./ { print $3 } '
    WARNING: Improper use of the sudo command could lead to data loss
    or the deletion of important system files. Please double-check your
    typing when using sudo. Type "man sudo" for more information.
    To proceed, enter your password, or type Ctrl-C to abort.
    Password:
    com.microsoft.office.licensing.helper
    com.google.keystone.daemon
    com.adobe.versioncueCS3
    Kristen-Scotts-Computer:~ kristenscott$ launchctl list | sed 1d | awk ' !/0x|apple|edu\.|org\./ { print $3 } '
    com.google.keystone.root.agent
    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae
    Kristen-Scotts-Computer:~ kristenscott$ ls -1A {,/}Library/{Ad,Compon,Ex,Fram,In,La,Mail/Bu,P*P,Priv,Qu,Scripti,Sta}* 2> /dev/null
    /Library/Components:
    /Library/Extensions:
    /Library/Frameworks:
    Adobe AIR.framework
    NyxAudioAnalysis.framework
    PluginManager.framework
    iLifeFaceRecognition.framework
    iLifeKit.framework
    iLifePageLayout.framework
    iLifeSQLAccess.framework
    iLifeSlideshow.framework
    /Library/Input Methods:
    /Library/Internet Plug-Ins:
    AdobePDFViewer.plugin
    Disabled Plug-Ins
    Flash Player.plugin
    Flip4Mac WMV Plugin.plugin
    Flip4Mac WMV Plugin.webplugin
    Google Earth Web Plug-in.plugin
    JavaPlugin2_NPAPI.plugin
    JavaPluginCocoa.bundle
    Musicnotes.plugin
    NP-PPC-Dir-Shockwave
    Quartz Composer.webplugin
    QuickTime Plugin.plugin
    Scorch.plugin
    SharePointBrowserPlugin.plugin
    SharePointWebKitPlugin.webplugin
    flashplayer.xpt
    googletalkbrowserplugin.plugin
    iPhotoPhotocast.plugin
    npgtpo3dautoplugin.plugin
    nsIQTScriptablePlugin.xpt
    /Library/LaunchAgents:
    com.google.keystone.agent.plist
    /Library/LaunchDaemons:
    com.adobe.versioncueCS3.plist
    com.apple.third_party_32b_kext_logger.plist
    com.google.keystone.daemon.plist
    com.microsoft.office.licensing.helper.plist
    /Library/PreferencePanes:
    Flash Player.prefPane
    Flip4Mac WMV.prefPane
    VersionCue.prefPane
    VersionCueCS3.prefPane
    /Library/PrivilegedHelperTools:
    com.microsoft.office.licensing.helper
    /Library/QuickLook:
    GBQLGenerator.qlgenerator
    iWork.qlgenerator
    /Library/QuickTime:
    AppleIntermediateCodec.component
    AppleMPEG2Codec.component
    Flip4Mac WMV Export.component
    Flip4Mac WMV Import.component
    Google Camera Adapter 0.component
    Google Camera Adapter 1.component
    /Library/ScriptingAdditions:
    Adobe Unit Types
    Adobe Unit Types.osax
    /Library/StartupItems:
    AdobeVersionCue
    HP Trap Monitor
    Library/Address Book Plug-Ins:
    SkypeABDialer.bundle
    SkypeABSMS.bundle
    Library/Internet Plug-Ins:
    Move_Media_Player.plugin
    fbplugin_1_0_1.plugin
    Library/LaunchAgents:
    com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist
    com.apple.FolderActions.enabled.plist
    com.apple.FolderActions.folders.plist
    Library/PreferencePanes:
    A Better Finder Preferences.prefPane
    Kristen-Scotts-Computer:~ kristenscott$

  • Why Are There Multiple Instances Of Firefox Preparing To Access Internet According To Firewall Log When I'm Not Launching Them And Nothing Appeared On My Screen

    I had closed Firefox after briefly running it and then tried to reopen it anew but got a message that said "Firefox is already running but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system."
    I logged off my computer, and later restarted. However, when I checked my Firewall log it showed that during the minute I had my computer on earlier there were about a dozen instances of "Firefox is preparing to access the internet" which were recorded just seconds apart.
    I don't have the problem now -- restarting apparently took care of the issue -- but I don't understand why there were so many instances of Firefox preparing to access the internet when I was not clicking on it all those times, the one time I did I got a message that it already was running, and there were no tabs on my screen to reflect all those supposed instances.
    Thanks for any insight that folks can offer.

    Were those Firefox processes or plugin-container processes?
    * http://kb.mozillazine.org/Plugin-container_and_out-of-process_plugins
    * https://support.mozilla.org/kb/What+is+plugin-container
    In case you are using "Clear history when Firefox closes", try to exclude the cookies in case you currently have selected this.
    * Tools > Options > Privacy > Firefox will: "Use custom settings for history": [X] "Clear history when Firefox closes" > Settings
    * https://support.mozilla.org/kb/Clear+Recent+History
    Note that clearing "Site Preferences" clears all exceptions for cookies, images, pop-up windows, software installation, and passwords.
    Firefox will try to remove cookies created by plugins in case you clear the cookies and that can result in plugin-container processes getting created.

  • PAT with a single public IP and several servers behind firewall

    Hi,
    New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
    Single static public IP:  16.2.3.4
    Need to PAT several ports to three separate servers behind firewall
    One server houses email, pptp server, ftp server and web services: 10.1.20.91
    One server houses drac management (port 445): 10.1.20.92
    One server is the IP phone server using a range of ports: 10.1.20.156
    Basically, need to PAT the ports associated with each server to the respective servers behind the ASA 5505. 
    Here is what I have.  Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?
    ASA Version 8.4(4)1
    hostname kaa-pix
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.20.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 16.2.3.4 255.255.255.0
    ftp mode passive
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network server_smtp
    host 10.1.20.91
    object service Port_25
    service tcp source eq smtp
    object service Port_3389
    service tcp source eq 3389
    object service Port_1723
    service tcp source eq pptp
    object service Port_21
    service tcp source eq ftp
    object service Port_443
    service tcp source eq https
    object service Port_444
    service tcp source eq 444
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit icmp any any echo-reply
    access-list acl-out extended permit icmp any any
    access-list acl-out extended permit tcp any interface outside eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq smtp
    access-list acl-out extended permit tcp any object server_smtp eq pptp
    access-list acl-out extended permit tcp any object server_smtp eq 3389
    access-list acl-out extended permit tcp any object server_smtp eq ftp
    access-list acl-out extended permit tcp any object server_smtp eq https
    access-list acl-out extended permit tcp any object server_smtp eq 444
    access-list acl-out extended permit tcp any object drac eq 445
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static server_smtp interface service Port_25 Port_25
    nat (inside,outside) source static server_smtp interface service Port_3389 Port_3389
    nat (inside,outside) source static server_smtp interface service Port_1723 Port_1723
    nat (inside,outside) source static server_smtp interface service Port_21 Port_21
    nat (inside,outside) source static server_smtp interface service Port_443 Port_443
    nat (inside,outside) source static server_smtp interface service Port_444 Port_444
    nat (inside,outside) source static drac interface service Port_445 Port_445
    object network obj_any
    nat (inside,outside) dynamic interface
    route outside 0.0.0.0 0.0.0.0 16.2.3.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    prompt hostname context
    no call-home reporting anonymous

    Thanks Lcambron... I got PPTP to work. Everything else works fine. I can access email, access my web server, FTP server, and PPTP server. However, from the above configuration, I cannot access my DRAC over the internet. The DRAC runs on a different internal server, and over port 445. So I have the following lines:
    object network drac
    host 10.1.20.92
    object service Port_445
    service tcp source eq 445
    access-list acl-out extended permit tcp any object drac eq 445
    nat (inside,outside) source static drac interface service Port_445 Port_445
    Am I missing something here? Internally, I can telnet to port 445 on 10.1.20.92, so I know it is listening. However, externally, I cannot telnet to my external IP address of the ASA through port 445.
    Thanks

  • Error message about firewall and internet sharing

    Hello all, I have a question regarding the use of firewall and internet sharing.
    I have a PMG5 connected to internet through Airport. I've linked an Xbox 360 via the built-in ethernet port in order to access Xbox Live. I had to open specific UDP ports on the OS X firewall but it now works fine. However, in the Sharing Preference Pane, Internet Tab, I still get an error message saying that my Internet Sharing is disturbed by the settings of the firewall and sharing services, it says that I did not activate "personal web sharing" in the first two tabs...but I DID! And there's no way to get rid of this error message.
    I know, I know, some may consider it's not a real problem because it's just an error message while the connection actually works fine but well, I tend to hate error messages when they're not supposed to show up. So if anyone knows the answer, thanks in advance...
    Good day to everyone
    Vince, Paris...

    Sorry about the delay in replying, was kinda busy.
    Well, trashing the pref files was useless and I tried with another user, same thing. As for the second opinion, the problem was not about which port was used cause as I said the connection sharing works fine and anyway it was the correct port that was checked, it's just that I get an error message while there is no apparent error and everything works fine, I'm told that personal web sharing is not enabled but it is...
    Anyway as I said, it's probably not a real matter, as long as it works...which brings me to another thing. I've created a special protocol in the firewall to enable a proper dialog with the Xbox. It's basically the same thing you do for iChat AV when you have video connection problems, you track down the concerned UDP port using Terminal, you allow traffic and all... The protocol for the Xbox worked great for some days, but now it seems it's not enough, the game set keeps trying on another port and I constantly have to update the protocol or deactivate the firewall...and enabling back all UDP traffic is not enough to solve it.
    In a way I think everything is linked, the initial error message when everything was fine and the current trouble. Any idea?
    thanks
    Vince

  • Help with Firewall and Internet Sharing

    I’m trying to use my Mac Mini with an Airport Extreme card, which is connected to the internet using Siemens Speedstream 4100 DSL modem, for Internet Sharing with a Windows (work) laptop.
    So, in the Sharing preferences panel:
    Share connection from: Built in Ethernet
    To computers using: Airport
    I get the warning message:
    Other settings may interfere with Internet Sharing.
    The ‘More Info’ button gives the popup message:
    Your firewall settings will prevent computers sharing your internet connection from browsing the web. Enable Personal Web Sharing in the Services pane to allow computers sharing your connection to browse the web.
    I do that, turn the Airport card on, and the laptop can see the network, but can’t connect.
    If I turn the Firewall off, then I can connect fine, but then I don’t have a Firewall. Isn’t that risky if I’m using DSL? How can I do the internet sharing and still protect my computer?
    I realize I could buy a router with a built-in firewall, but isn’t there a way to set up the system using what I have?

    BDAqua wrote:
    We just need to figure out what port is needed. I'd go to Sharing>Firewall>New>Port Name... Other, and try Port 53 both UDP and TCP.
    Oh, and when you say the PC can't connect, could that just mean it can't browse?
    On the PC, put the IP of the Mac in DNS servers, or...
    208.67.222.222
    208.67.220.22
    Well, I'm unable to set the DNS server addresses, as this is a work computer and I don't have the administrative privileges.
    How bad is it to just turn the Firewall on the Mac off when I want to use the connection?

  • Firewall and Internet Sharing don't mix

    After talking to AppleCare, looks like my firewall is not letting me sync to my AppleTV because I am using Internet Sharing to connect it to my Mac Mini (PPC) and get to the internet through the Mini's ethernet. I have no Airport Express or Extreme.
    He says that enabling "iTunes Music Sharing" only opens that port for ONE of the network connections (ethernet or airport), but not both. Hence AppleTV won't sync with the firewall on. Only with it turned completely off.
    Anyone out there know different? Or know of a workaround to open the port for both networks somehow? (sorry if I don't speak the wireless-magic lingo well)
    This is my first wireless device- so I'm a noob. Sorry.

    I have had a ton of trouble syncing.
    Can you see Apple TV in your preferences?
    Does Apple TV start syncing and then drop off?
    If so, open iTunes and quickly click on Apple TV and you will see the sync start. Then quickly Click on iTunes/Preferences and then on the Apple TV tab. Leave that small window open and then the sync will keep going.
    Weird but may help.

  • DNS for internal network and Firewall ports?

    Hello,
    I don't know where to begin, so I guess I'll start with my setup.
    I have Mac OS X server 10.5.7 running DNS, Firewall, Mail, iChat, RADIUS, VPN, SMB. Behind an Airport Base Station in DMZ.
    My DNS setup is just for the server and local clients. I'm also setup to forward my ISP DNS.
    My question is do I need to open any ports in the firewall. I currently have my local subnet 172.16.4.x to allow all. The "Any" subnet to allow DNS outbound. Is this correct or am I creating a security risk?
    I don't want the public to be able to use my DNS server. (I would like to ONLY allow my local network, and VPN users.)
    Thanks!
    Message was edited by: Robert LaRocca

    I always recommend going with a hardware device (including the base station) over IPFW when running a server.
    The main reason is that when you're running behind a NAT device (such as the AirPort Base Station), ALL incoming traffic is blocked unless you specifically enabled it via port forwarding. A positive security model.
    In contrast, Mac OS X Server will open firewall ports based on the services you're running, without regard to whether that service should be publicly accessible or not.
    You then have to go through the motions of securing each service to either block external traffic at the service level (e.g. by telling the application what addresses it can listen to), or at the network level (by configuring the firewall to block external access). This is a bad security model since each service is public by default and you have to go out of your way to secure it.
    Also bear in mind that you might not think this is a problem today since you can just configure IPFW and be done, but what about next week? or next month? or next year when you add another service. Will you remember to reconfigure the firewall to secure it then?
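The reply above warns that a newly added service can end up public without anyone revisiting the firewall. One way to catch that is to audit listening sockets against an approved list; the script below is an added example, not part of the original thread. The function name `audit_listeners`, the approved list and the sample `netstat` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list sockets bound to every interface
# whose proto/port is not on an approved list.

# Constructed sample in Mac OS X `netstat -an` layout (address.port).
# On a live server, pipe in `netstat -an -f inet` instead.
SAMPLE_NETSTAT='tcp4       0      0  *.53                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  172.16.4.2.445         *.*                    LISTEN
tcp4       0      0  *.5222                 *.*                    LISTEN
tcp4       0      0  172.16.4.2.49152       192.0.2.10.443         ESTABLISHED
udp4       0      0  *.53                   *.*
udp4       0      0  *.1812                 *.*'

# audit_listeners "<approved proto/port ...>": reads netstat lines on stdin and
# prints each unapproved wildcard-bound proto/port once.
audit_listeners() {
    awk -v approved="$1" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # TCP: LISTEN state only. UDP has no state column; foreign address is *.*
        ($1 ~ /^tcp/ && $NF == "LISTEN") || ($1 ~ /^udp/ && $5 == "*.*") {
            laddr = $4
            port = laddr
            sub(/^.*\./, "", port)                  # text after the last dot
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr != "*") next                   # bound to one address only
            proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
            key = proto "/" port
            if (!(key in ok) && !(key in seen)) { seen[key] = 1; print key }
        }'
}

# Assumption: only mail (tcp/25) and iChat/XMPP (tcp/5222) are meant to be public.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "tcp/25 tcp/5222"
```

Each line it prints is a service listening on all interfaces that still needs either a bind address at the service level or a firewall rule at the network level.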
