Firewall blocks port that it shouldn't

I have a WinXP client that wants to pass through our Xserve (NAT/firewall) to get to an external VPN. I opened up the required ports in Server Admin -> Firewall -> Services (VPN ISAKMP/IKE - port 500 TCP/UDP - the predefined setting, plus UDP 259, 2746, 18234 - a custom setting) for the "Any" interface. The client would authenticate, then fail to connect. I turned on logging in the firewall and then filtered for the XP machine's IP address (192.168.8.x). Strangely, it was showing denied packets on UDP 500 (filtering on the catch-all rule 65534).
I created a new rule (in the advanced pane) to allow incoming from the remote server's IP (any port) and the client can now connect. Why didn't the predefined rule work as expected? Have I configured my firewall incorrectly?
Any insight appreciated.
Thanks,
Miles

The GUI for setting up the firewall hides the actual rules from you. If you can, enable the default rule, and then in Terminal:
sudo ipfw list
and then disable the default rule.
The listing in Terminal is the rules that the firewall is actually executing, and the issue should become apparent.
Roger
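Roger's `sudo ipfw list` advice rests on two things about ipfw that the Server Admin GUI hides: rules are evaluated in number order and the first `allow` or `deny` that matches wins, and a packet the Xserve routes between the LAN and the WAN is evaluated twice, once inbound on the interface it arrives on and once outbound on the interface it leaves by, so a rule qualified with `in` only covers the first pass. The Python below is an added illustration, not code from this thread or from Apple: it parses a constructed rule list in the layout `ipfw list` prints and reports which rule decides each pass of a packet. The rule numbers, the VPN server address 203.0.113.5, the client 192.168.8.20, the interfaces en0 (WAN) and en1 (LAN) and the rule set itself are assumptions; whether Miles's box behaves this way can only be read off his own listing.

```python
"""Toy first-match walk of an ipfw rule list (added example, not from the thread).
RULES approximates `sudo ipfw list` on an OS X Server NAT gateway; numbers,
addresses and interface names are assumptions. natd rewriting is not simulated."""
import ipaddress
from collections import namedtuple

RULES = """\
00010 divert 8668 ip from any to any via en0
12301 allow udp from any to any dst-port 500 in
12302 allow udp from any to any dst-port 259,2746,18234 in
12303 allow ip from 192.168.8.0/24 to any in via en1
12310 allow ip from any to any out via en0
65534 deny log ip from any to any
65535 allow ip from any to any
"""

# direction is "in" or "out": a routed packet gets one pass of each, on the
# interface it arrived on and then on the one it leaves by.
Packet = namedtuple("Packet", "proto src sport dst dport direction iface")
Rule = namedtuple("Rule", "num action proto src dst opts")  # src/dst None = any

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _ports(tok):
    ports = set()
    for part in tok.split(","):  # "259,2746" or "1024-65535"
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """Understands: allow/deny/divert, log, proto|ip, from A to B (any, host,
    CIDR), src-port, dst-port, in, out, via IFACE. Anything else raises."""
    t = line.split()
    num, action, i, opts = int(t[0]), t[1], 2, {}
    if action == "divert":
        opts["divert"] = int(t[i]); i += 1
    if t[i] == "log":
        opts["log"] = True; i += 1
    proto = t[i]; i += 1
    if t[i] != "from" or t[i + 2] != "to":
        raise ValueError(f"rule {num}: expected 'from SRC to DST'")
    src, dst = _net(t[i + 1]), _net(t[i + 3]); i += 4
    while i < len(t):
        if t[i] in ("src-port", "dst-port"):
            opts[t[i]] = _ports(t[i + 1]); i += 2
        elif t[i] == "via":
            opts["via"] = t[i + 1]; i += 2
        elif t[i] in ("in", "out"):
            opts[t[i]] = True; i += 1
        else:
            raise ValueError(f"rule {num}: unsupported option {t[i]!r}")
    return Rule(num, action, proto, src, dst, opts)

def matches(rule, pkt):
    o = rule.opts
    return (rule.proto in ("ip", pkt.proto)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and ("src-port" not in o or pkt.sport in o["src-port"])
            and ("dst-port" not in o or pkt.dport in o["dst-port"])
            and ("in" not in o or pkt.direction == "in")   # no in/out: both passes
            and ("out" not in o or pkt.direction == "out")
            and ("via" not in o or o["via"] == pkt.iface))

def first_match(rules, pkt):
    """First allow/deny that matches, in rule-number order. divert is skipped:
    natd reinjects the packet and evaluation resumes at the following rule."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.action in ("allow", "deny") and matches(r, pkt):
            return r
    return None

def forward_verdicts(rules, pkt, in_iface, out_iface):
    """Both passes of a routed packet: (direction, iface, rule number, action)."""
    out = []
    for direction, iface in (("in", in_iface), ("out", out_iface)):
        r = first_match(rules, pkt._replace(direction=direction, iface=iface))
        out.append((direction, iface, r.num, r.action))
    return out

# Constructed IKE reply from the VPN server, already de-NATed to the XP client.
IKE_REPLY = Packet("udp", "203.0.113.5", 500, "192.168.8.20", 500, "in", "en0")
# The poster's fix (any protocol, any port, both passes) beside a tighter one
# scoped to UDP, the IKE port, the outbound pass and the LAN interface.
BROAD_FIX = "12400 allow ip from 203.0.113.5 to any"
TIGHT_FIX = ("12400 allow udp from 203.0.113.5 to 192.168.8.0/24 "
             "src-port 500 dst-port 500 out via en1")

def compare(rule_text=RULES):
    """Verdicts for IKE_REPLY under the base rules and with each fix appended."""
    base = [parse_rule(l) for l in rule_text.splitlines() if l.strip()]
    return {name: forward_verdicts(base + extra, IKE_REPLY, "en0", "en1")
            for name, extra in (("original", []),
                                ("broad", [parse_rule(BROAD_FIX)]),
                                ("tight", [parse_rule(TIGHT_FIX)]))}

if __name__ == "__main__":
    for name, passes in compare().items():
        print(f"{name:8s} {passes}")
```

Run as a script it prints the three verdicts: under the constructed rules the reply passes rule 12301 on the way in and falls to 65534 on the way out to the LAN; either added rule changes the second pass to an allow at 12400. The broad rule is the one Miles added; the tight one is what I would add instead, since it admits only UDP, only the IKE port and only the outbound pass towards the LAN from that one remote host (extend the port lists the same way for the other ports Miles opened). Paste real `ipfw list` output into RULES to check your own rules; a line using syntax the toy does not understand raises ValueError rather than being silently skipped.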

Similar Messages

  • Firewall Blocking sites when it shouldn't

    Hello all,
    I have seen others have mentioned this from time to time. It seems having the nForce firewall "on" causes some websites to be unreachable. Examples include...
    http://www.space.com
    http://www.roxio.com
    http://www.netflix.com
    Try these yourselves. They work with the firewall "off" but there is no access with the firewall "on". The firewall log shows nothing. The only clue is the "Personal Firewall/Information/table" shows the "Denied outbound TCP segments" increases by 2 or more every time I try one of these sites. I cannot find any setting which controls how the firewall "Denies outbound TCP segments"... Any thoughts?
    Frank
    K8N Neo Platinum...

    Quote
    Originally posted by fholub
    Hello all,
    I have seen others have mentioned this from time to time. It seems having the nForce firewall "on" causes some websites to be unreachable. Examples include...
    www.space.com
    www.roxio.com
    www.netflix.com
    Sometime in the fall of 2003 I, and some others, suddenly became unable to reach Home Theater Guide, a hi-fi forum. This was at the same time the forum moved to a new ISP.
    It was a well known problem mentioned several times on that forum, mostly by users of D-Link routers (I use a DL-604). D-Link tech support had no idea how this could happen. They said they could reach it with the same router(s).
    A few months later, the forum again changed ISP. At the same time several D-Link users (and me, although later) could universally reach it again.
    Weird.

  • Cannot sync; receiving a message that firewall is blocking port 3689

    I am receiving an error message when I try to sync my Apple TV. The error message says that a firewall is blocking port 3689. I have checked the settings I can find, but have been unable to find the source of the problem. Has anyone had this problem and if so, how did you resolve this?

    Thanks Chenks! At least I know I'm not nuts. I have done exactly what you suggest. iTunes is in the list and I went the extra step and added port 3689. Still no luck. I've checked my McAfee settings and anything else I can find. I am at the point of resetting everything to the defaults to see if I can get around this. This is so odd as the Apple TV has been working beautifully, then, BAM! An error code and I can't sync.

  • BT HH 2.0 - Blocking Ports / Firewall

    Is there a way to block all ports except http / smtp?  or are there other firewall settings that can be accessed apart from the 3 choices in the configuration.
    Thanks - Gary

    gpmcclean wrote:
    Thanks for the reply Tommy and the welcome.
    My goal is to block all possible P2P ports as my daughters are eating away at my 40GB allowance far too quickly.
    I have a Netgear DGN2000 which I used with Plus.net before I moved to BT Infinity back in Oct.
    Cheers - Gary
    Then you need to block all the port venues that their P2P applications are capable of using, perhaps even legitimate ports that you use for your own needs.
    A far better solution is to be firm but fair when dealing with their Internet access; it requires more discussion and time, but it is usually a far better long-term option with less friction.
    On a slight diversion, blocking ports may only be a short-term solution anyway. Is your router properly IPv6 aware? (Very few are.)
    Take a look at these links.
    IANA, ARIN, and the IPv4 run-out
    The .net domain joins the DNSSEC fold
    The exhaustion of IPv4 addresses and the expected signing of the .com domain to DNSSEC early next year should make 2011 an interesting one.
    "I have this awful feeling someone is watching every move I make (one of my pet hates is router location tagging)." Marvin (A paranoid Android)

  • I recently upgraded to Fios Quantum and have a new ActionTec router. As a result my PC is no longer communicating with my Apple TV. It must have a firewall or ports being blocked, preventing the Home Sharing and communication, even though the Apple TV is on

    I recently upgraded to Verizon Fios Quantum high speed internet and was given an ActionTec router. I successfully installed all and connected with my Apple TV. Although it worked initially, it no longer does. Something appears to be blocking the Home Sharing between my PC and the Apple TV even though the Apple TV is successfully connected to my home network. I spoke with an Apple Support Tech who was unable to help me because I have a PC! He admitted this is a common problem with FiOS and PCs. There must be a port that needs to be opened in the router. I do not believe it is anything to do with my antivirus software or Windows Defender as I uninstalled all and still no communication. Must be a port within the router that is blocking this communication. In my iTunes you can see that it does not see the Apple TV. Please advise.

    I'd have to agree. I set my vms and two clients on Saturday in one hour. I think the picture is better I did not see an issue with the brightness. For the heck of it I recorded five channels at once to test it. I've also noticed when playing a recorded show on the client everything responds a lot quicker. So I am impressed and curious to see what new features come later.
    Kudos to verizon.

  • WRT54G v8 firmware that does not block ports?

    Hello everyone! Is there a 3rd party firmware for the WRT54G v8 router that does not block ports or has the option to disable port blocking? I would like all ports to be open on all devices in my network. Thank you!

    This setting is not recommended because it opens your entire network to attack.  Instead, you should selectively open only the ports you need to play your Internet games.
    People who open all their ports often get their computers infected with viruses which send out spam.  When your ISP sees you sending spam, they will turn off your email, IM, or even disconnect you.

  • 10.6 Server's Firewall Blocks It's Own Internet Connection

    I had this problem about two years ago when I was trying to run 10.6 on my home server (Mac mini) for the first time. Eventually I gave up, reverted the mini back to 10.5, and ran problem-free for years. When 10.7 came out, I tried to upgrade the mini to that. That didn't go well either, but mostly due to Lion missing many many features (surprise!). So I figured that 10.6's problems were fixed by now, and gave it another shot. It went fine and I've been running for about a month problem free (or so I thought). But now it's offline again. I finally found one other person on another forum that had the EXACT same problem as me. And reading this description, I realize that I have been having problems all along, I just assumed they were my ISP's problems, not my own.
    So here's what happens. The firewall in 10.6 server will "freak out". It will be running normally, then suddenly it will go haywire and block everything. And I mean everything. My computer won't even be able to get an IP via DHCP. Everything is blocked. But as soon as you stop the firewall, everything works normally. You can even modify the firewall rules, and set it up so there are NO deny rules, and EVERY connection to and from every host is set to allow. And the firewall still blocks everything. This is the same exact thing that happened 2 years ago when I first tried to run 10.6 Server on my mini. The difference is that back then, this would happen either immediately, or within a day. This time around, with 10.6.8, it took about a month before suddenly, without any provocation, all internet connections stopped.
    I've had this happen on multiple computers. I don't do anything special, I just set up a basic firewall scheme where everything in the LAN range is allowed, and everything from "any" is allowed only to service ports I'm running. The basic gateway setup. Now I was running 10.6 Server on my laptop (for netbooting) and it would do the same thing. But because my laptop wasn't acting as a gateway, I could just turn the firewall off (you need the firewall for NAT). My mini server IS acting as a gateway, as was another mini I set up for a client of mine (that eventually I changed over so they were running off an AirPort, and the mini server was just a client. But I don't want that setup at home, I want my mini to be the router).
    I have Verizon Fios internet. 25/25, it's great. The ONT is in my basement, and it's plugged into the same fused outlet as our freezer. From time to time, when the power goes out, it trips that breaker and the outlet goes dead. My internet is gone and I have to go reset the outlet. Once I do, my mini won't get an IP from Verizon until I reboot the mini. Not once. Not twice. Usually 5-10 reboots, and suddenly it will get an IP. I always assumed this was a Verizon problem. Until I read someone else's post about this same problem. Turns out, that's the firewall blocking DHCP again! If you turn the firewall off, you don't have to keep rebooting, it will grab an IP right away.
    At least I'm not crazy! So what is going on here? Does anyone have any idea what is going on with my firewall, or how I can fix it?
    Lastly, after 4.5 hours of complete inability to get an internet connection with the firewall on, it just started working again. I now have fully functional, normal internet. I find it hard to believe 10.6 has a firewall that is simply broken. I find it even harder to believe I'm imagining things, or that I've had fluke after fluke. Something is going on with 10.6 Server.

    The DNS scapegoat just doesn't make sense.
    Why would "improper" DNS cause OS X's firewall to block all network connections? Even the server's ability to make its own DHCP connection?
    As far as a router, I don't want to use a cheap unreliable residential router. I have a home file server that, aside from running 10.6, makes a super reliable router. And port mapping aside, OS X Server's DHCP server is great to use. Rock solid. It makes no sense to run a cheap residential router when I have a home server. Then every 6-18 months, I get to deal with that router slowly failing, as my internet connection gets slower and slower. No thanks.
    So back to this firewall issue. I've talked to Apple about this before, and they give the same generic "DNS has to be right" answer to basically every problem I've ever had with 10.6 Server (hinting at endless CalDAV problems). But no one has ever explained what that specifically means, or how something like wrong DNS (whatever that even means) can cause the firewall to block everything. This just makes no sense to me. And this especially does not explain why, after 10 reboots or so, everything just magically starts running normally.
    I just had an incident today where I woke up to no internet. I rebooted 3 times. Each time, I either got a self-assigned IP address, or the ethernet interface would toggle between "unplugged" and "no-ip". I could turn the firewall off and the server would INSTANTLY start functioning normally. I'd happily run without a firewall, and just turn all services I'm not using off. However NAT needs the firewall, so without the firewall, the Server is the only Mac on the network that has an internet connection. So I kept rebooting and rebooting, and I think about 8 reboots later, like magic, the server came up, grabbed an IP, and everything started working normally.
    Also my IP through my ISP is dynamic, and that isn't going to change. So yes, I am trying to use OS X Server as my router on a dynamic internet connection. I've been doing this since the days of Mac OS X Server 10.1. Only 10.6 has had any problems at all.
    So really, "10.6 is more picky about DNS" isn't an answer to this problem. Or, at least, it's not a sufficient answer. I need much more information than that.

  • Verizon blocks ports?

    I have DSL & Actiontec GT704-WG. I opened a port to host online game, but when I use a port scanner found here: http://www.canyouseeme.org/
    It tells me my port is closed even though I forwarded everything correctly. Does Verizon block any ports besides 80? I only use Windows Firewall so I know it's not a firewall problem. Anyone with the same router who can help me?
    Thanks
    Here's a snapshot of my router
    http://i45.tinypic.com/105edd5.jpg

    Verizon itself doesn't block ports at the head end besides port 25 for SMTP outgoing email. They basically don't let spammers bounce messages off their SMTP servers to send emails. Port 80 is questionably blocked by region - I have seen a lot of users in the forums that have port 80 unblocked, and then sporadically a forum member will say it's blocked, but most people say it's unblocked now. VZ made that decision in the middle of last year.
    The router that Verizon provides has a firewall, and like all firewalls it blocks a BUNCH of stuff. That's what firewalls do. It's kinda their gig.
    If you port forward, try to use portforward.com for a good guide.
    Basically this is stuff you probably know, but I'll recap just in case.
    Set your PC to have its own IP address - you'll configure that in your PC's NIC settings under TCP/IP v4.
    Then go into the router and open the proper ports. I don't know what ports your game wants, but make sure the source port is set to any, and do not specify a number in that section.
    Make sure it's pointed to the IP you gave your PC, apply the changes and try again.
    If that doesn't work there may be one or two users here that will pop up who may have additional info, but you can also reach out on the portforward.com forums and see if you can get some answers there. DSL tech support won't help with any port forward configurations; they consider it advanced and out of their boundaries.

  • Windows Firewall blocking connections to devices

    Hi
    I hope this is the right place. I am having a few problems with the Windows 7 firewall when connecting to embedded devices.
    I currently have a Windows application that connects to 4 embedded devices via TCP but Windows firewall only seems to allow a connection with 2 of the devices even with exceptions setup on the firewall.
    The devices are connected to their own ethernet adapter in the PC, '192.168.1.32'. Each device has its own IP address but uses the same port.
    The network comes up as a 'public' network and with the firewall for the public profile enabled only connections to the first 2 devices are established.
    If I turn the firewall off for the public profile connections are made to all devices.
    Also if I give each  controller a different port number connection is again made to all devices.
    I was hoping that someone could tell me if this is expected firewall behaviour or at least be able to give me a clue as to why the firewall affects the connections.
    I know I can get round the problem but I wanted to at least understand why this is happening.

    You can check existing rules using this command (from an admin command prompt):
    netsh advfirewall firewall show rule name=all
    and try to understand what is blocking your ports, then create exceptions accordingly.
    Expected firewall behaviour is that software opens the ports it needs by making exceptions in the firewall rules while installing. If for some reason that fails, you may have to create the exceptions/rules manually.
    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)
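The dump that command produces runs to hundreds of rules on a stock Windows 7 box, and the question for a connection that fails is not "is there a rule for this port" but "is there an enabled rule for this direction, in the profile the adapter is currently in, that covers this protocol, port and peer, and does no Block rule also cover it". Windows Firewall is not first-match: any applicable Block rule wins over applicable Allow rules, and a connection no rule covers gets the profile default, which is Block for inbound and Allow for outbound on the stock profiles. The Python below is an added example, not code from this thread or from Microsoft; it parses a constructed excerpt in the layout `netsh` prints and applies that precedence. The rule names, the 192.168.1.0/24 devices and TCP port 5000 are assumptions, as are the two rules themselves; the second illustrates how an exception that exists can still lose once the adapter lands in the Public profile, which is one thing worth checking in the poster's own dump, not a diagnosis of it.

```python
"""Reduce a `netsh advfirewall firewall show rule name=all` dump to the rules
that decide one connection (added example, not from the thread or Microsoft).
NETSH_DUMP is constructed in the layout netsh prints; names, addresses and
ports are assumptions."""
import ipaddress

NETSH_DUMP = """\
Rule Name:                            Controller link (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              192.168.1.32
RemoteIP:                             192.168.1.0/24
Protocol:                             TCP
LocalPort:                            5000
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Public: block unsolicited inbound
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             Any
Action:                               Block
"""

def parse_netsh(dump):
    """One dict per rule; a rule starts at its 'Rule Name:' line."""
    rules, cur = [], None
    for line in dump.splitlines():
        if not line.strip() or line.startswith("-"):
            continue
        key, _, value = line.partition(":")  # first colon only: names may contain ':'
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            cur = {}
            rules.append(cur)
        cur[key] = value
    return rules

def _port_ok(spec, port):
    if spec == "Any":
        return True
    for part in spec.split(","):  # "5000" or "5000-5010"
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _addr_ok(spec, ip):
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in spec.split(","))

def applies(rule, direction, profile, protocol, local_port, remote_ip):
    """Enabled, same direction, active in this profile, protocol/port/peer fit.
    netsh prints no port lines for Protocol Any, hence the 'Any' defaults."""
    return (rule.get("Enabled") == "Yes"
            and rule.get("Direction") == direction
            and profile in rule.get("Profiles", "").split(",")
            and rule.get("Protocol") in ("Any", protocol)
            and _port_ok(rule.get("LocalPort", "Any"), local_port)
            and _addr_ok(rule.get("RemoteIP", "Any"), remote_ip))

def decide(rules, direction, profile, protocol, local_port, remote_ip):
    """Not first-match: among applicable rules any Block beats every Allow;
    with none applicable the profile default applies (stock defaults assumed:
    inbound Block, outbound Allow). Returns (verdict, applicable rule names)."""
    hits = [r for r in rules
            if applies(r, direction, profile, protocol, local_port, remote_ip)]
    if any(r["Action"] == "Block" for r in hits):
        verdict = "Block"
    elif hits:
        verdict = "Allow"
    else:
        verdict = "Block" if direction == "In" else "Allow"
    return verdict, [r["Rule Name"] for r in hits]

def demo(dump=NETSH_DUMP):
    """Same inbound TCP/5000 connection from a device under two profiles, plus a port no rule covers."""
    rules = parse_netsh(dump)
    return {
        "private 5000": decide(rules, "In", "Private", "TCP", 5000, "192.168.1.10"),
        "public 5000": decide(rules, "In", "Public", "TCP", 5000, "192.168.1.10"),
        "private 5001": decide(rules, "In", "Private", "TCP", 5001, "192.168.1.10"),
    }

if __name__ == "__main__":
    for label, (verdict, names) in demo().items():
        print(f"{label:13s} {verdict:5s} {names}")
```

Paste real output into NETSH_DUMP to use it on your own rules; extra fields the parser does not know about (the `verbose` form of the command adds several) are carried along unused. IPv6 values contain colons and would need a smarter split than the one above, and the LocalIP column is deliberately ignored here.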

  • OS X firewall blocks iTMS

    I've spent about two hours trying to figure out why the OS X personal firewall blocks the Music Store, with no luck. Unless the firewall is turned off, the other computers (all Macs) on the network cannot log in. The symptom is "Accessing the store" and then eventually timing out.
    There are a lot of Windows-specific posts about firewall problems, but none that I could find about the Mac firewall.

    I have an additional Ethernet card in my Mac, and share the Internet access via that card. The built in port is connected to a cable modem.
    The Ethernet out (from the second card) goes to a sixteen port GigE switch, which lights up various ports around the house.
    I don't use any wireless in the house.
    Andrew

  • Blocked port 80?

    Hello, I don't know if I'm in the right topic.
    We have an Astaro SG 110/120.
    We have 2 servers:
    1. AD/DNS/DHCP, Win Server 2003
    2. MSQL/files/programs, Server 2003
    The main problem is that on server 1 port 80 is blocked.
    cmd>ping google.com <- this works fine, there is a connection,
    but when I want to connect to google.com by browser (IE) there is no answer.
    I can't log in to the Astaro either at 192.168.1.1:4444.
    I can't update the antivirus virus database because, as the support guy told me, this connection is on port 80.
    Maybe it's not only port 80, because I can't even get to the router on port 4444.

    On Wed, 23 Apr 2014 07:07:57 +0000, endriucontec wrote:
    Hello, I don't know if I'm in the right topic.
    We have an Astaro SG 110/120.
    We have 2 servers:
    1. AD/DNS/DHCP, Win Server 2003
    2. MSQL/files/programs, Server 2003
    The main problem is that on server 1 port 80 is blocked.
    cmd>ping google.com <- this works fine, there is a connection,
    but when I want to connect to google.com by browser (IE) there is no answer.
    I can't log in to the Astaro either at 192.168.1.1:4444.
    I can't update the antivirus virus database because, as the support guy told me, this connection is on port 80.
    Maybe it's not only port 80, because I can't even get to the router on port 4444.
    This is not a Windows Server issue, it is an issue with your firewall
    configuration. You'll need to contact Astaro for support.
    Paul Adare - FIM CM MVP
    On two occasions I have been asked [by members of Parliament], 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question. -- Charles Babbage

  • Firewall blocking video chat connection

    I tried to video chat with my wife today from work on my PlayBook. Got a message about a firewall blocking it when it tried to connect us. It gave no further info so it's kind of hard for me to figure out whether this is my work wifi or my own router at home causing this.
    Where can I find more info on this?
    Staff UI Prototyper (read: full-time hacker)
    My BB10 apps: Screamager | Scientific RPN Calculator | The Last Weather App

    Hello TheMarco,
    Do you know if port forwarding has been enabled in the firewall settings?
    -HMthePirate
    Come follow your BlackBerry Technical Team on twitter! @BlackBerryHelp
    Be sure to click Kudos! for those who have helped you.Click Solution? for posts that have solved your issue(s)!

  • NetProtect Firewall blocking connections

    I have a PC running Windows 7 with NetProtect which I use as a media server, a couple of other PCs, a Roku SoundBridge and a Panasonic TV, all connected via the Home Hub. For the past few months I've had difficulty connecting to the media server. After a lot of messing about I found that in the Firewall Connections, as well as the IP range 192.168.1.0-255, there is an entry fe80::/10. I've found that if I delete this, the 192.... entry is also deleted. If I re-enter the 192... range then the media server becomes contactable until the next reboot, when the fe80::/10 entry returns.
    I don't know much about fe80::/10 except that it's something to do with IPv6 and may be a red herring. I've disabled IPv6 with a Microsoft app but this hasn't helped.
    It's driving me mad, BT support were no use as they could only suggest IP conflicts and their grasp of network issues was as limited as mine.

    You can check existing rules using this command (from an admin command prompt):
    netsh advfirewall firewall show rule name=all
    and try to understand what is blocking your ports, then create exceptions accordingly.
    Expected firewall behaviour is that software opens the ports it needs by making exceptions in the firewall rules while installing. If for some reason that fails, you may have to create the exceptions/rules manually.
    Hetti Arachchige V Aravinda | Network & System Administrator (B.Sc, Microsoft Small Business Specialist, MCP, MCTS, MCSA, MCSE,MCITP, CCNA, CEH, MBCS)

  • Firewall Block incoming connections fails

    Whenever I'm on the road or at clients' locations I set my firewall to block all incoming connections.
    The explanation of Mac OS X is:
    So it shouldn't matter if at the Sharing preferences you have enabled Screen or file sharing, which I have turned on, to be able to transfer files at home.
    If "Block all incoming connections" is enabled, nobody should see you have any sharing options enabled. I always understood this is a sort of override.
    Alas, this seems not to be the case. My laptop is actively promoting itself as a VNC enabled computer while "Block all incoming connections" is checked. Unchecking Screen Sharing in the Sharing preferences immediately has an effect on this and stops the VNC broadcasting.
    Who knows more about this? Is this a bug or undocumented / wrongly documented feature?
    Kind regards,
    Roeland

    PAHU wrote:
    Roerei wrote:
    Mac OS X explicitly states that "all sharing services" will be blocked.
    And they are blocked. With this setting enabled, you cannot connect to the Mac from a remote computer.
    What it does not say is that enabling this setting will stop the Mac from being advertised. If you want this then you will need to turn off File Sharing. This will stop the Mac from being seen on the local network.
    So in summary, if you want to stop your Mac from being seen on someone else's network you are connected to, then disable File and Screen Sharing. Or trust that with the "Block all incoming" setting enabled, no other user will be able to connect to your Mac even though they can see it.
    This is just stupid. Why advertise a service which is blocked? That is just plain dumb and not very security minded. If you block a service, you also should not advertise that service. Especially since in the firewall preferences checking that box greys out all other options, which gives you the impression that you are stealthed.
    So you might be right, but it is just wrong.
    Roeland

  • ISP Blocks port 25, server rejects 587

    I have a client whose home ISP blocks outgoing mail on port 25. When I switch his client to 587 to circumvent this, I get an error that the server rejected the connection on that port. I have double checked the firewall that 587 is open for traffic, but the rejected connection continues. Is there something I am missing?

    If your client is trying to send mail from his home via his office mail server, then a VPN can be an option. That'll solve various problems here, including the firewall blocks (often found on inbound and outbound port 25 from dynamic IP addresses), and it'll provide secure connectivity and ease-of-use benefits. It'll operate as if the client is "on" the office LAN, if established at the external firewall.
    But yes, configuring the office external firewall and the mail server to enable and allow the SMTP submission port is normal practice, particularly if the mail server connections are comparatively fleeting, as can be the case with remote and mobile clients. Both unencrypted and SSL connections are possible. And the submission port isn't generally considered "circumvention"; it's basically the normal path into a mail server for authenticated users. (Connections into the mail servers from dynamic ports are usually spam engines.)
