Firewall for servers

Hi,
Why do we need a firewall for the server farm?
Thanks

Hello Ibrahim,
It's common sense: a server farm has to be carefully placed in your network.
You will have your company's most important information on those servers, so "why would you not have a firewall for them?" would be the right question.
Every single network has a lot of vulnerabilities, and we as security engineers are in charge of reducing the number of vulnerabilities so that people outside our network cannot compromise our servers.
And that is the whole point of a firewall: to reduce the possibility of an attack on our servers.
Hope this helps.
Julio
Security Engineer
Do rate all the helpful posts!!!
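
As an added example (not part of Julio's reply or the original thread), here is the kind of policy a server-farm firewall should carry, modelled in Python so it can be tested before it is pushed to a real device. The addresses, zone names and ports are assumptions chosen for illustration. What the reply says in words shows up here as rules: only the published service is reachable from anywhere, the database is reachable only from the web tier, administration only from a jump segment, and a compromised server cannot reach the user LAN because the last rule denies everything not explicitly allowed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

IPNet = ipaddress.IPv4Network


def net(cidr: str) -> IPNet:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed addressing for this example (assumption, not from the thread).
ANY = net("0.0.0.0/0")
USERS = net("10.10.0.0/16")       # user LAN
SERVERFARM = net("10.50.0.0/24")  # the server farm segment behind the firewall
MGMT = net("10.99.0.0/24")        # admin / jump-host segment
WEB = net("10.50.0.10/32")        # the one published server
DB = net("10.50.0.20/32")         # database: reachable only from the web tier


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPNet
    dst: IPNet
    proto: str                   # "tcp", "udp" or "any"
    dports: Tuple[int, ...]      # () means any destination port
    comment: str

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return not self.dports or dport in self.dports


# Server-farm policy: only the published service inbound, only the web tier
# to the database, admin only from the jump segment, everything else denied.
POLICY: List[Rule] = [
    Rule("allow", ANY, WEB, "tcp", (443,), "published HTTPS service"),
    Rule("allow", WEB, DB, "tcp", (1433,), "web tier to database"),
    Rule("allow", MGMT, SERVERFARM, "tcp", (22, 3389), "admin from jump segment"),
    Rule("deny", ANY, ANY, "any", (), "default deny (log it)"),
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation, the way most packet filters process a rule list."""
    for rule in POLICY:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.comment
    return "deny", "implicit deny"


def exposed_services() -> Set[Tuple[str, str, int]]:
    """Attack surface: (host, proto, port) in the farm reachable from anywhere."""
    exposed = set()
    for rule in POLICY:
        if rule.action != "allow" or rule.src != ANY:
            continue
        if not rule.dst.subnet_of(SERVERFARM):
            continue
        for port in rule.dports:
            exposed.add((str(rule.dst.network_address), rule.proto, port))
    return exposed


if __name__ == "__main__":
    cases = [
        ("203.0.113.9", "10.50.0.10", "tcp", 443),   # internet -> web: allowed
        ("203.0.113.9", "10.50.0.20", "tcp", 1433),  # internet -> db: denied
        ("10.10.5.5", "10.50.0.20", "tcp", 1433),    # user LAN -> db: denied
        ("10.50.0.10", "10.50.0.20", "tcp", 1433),   # web -> db: allowed
        ("10.50.0.10", "10.50.0.20", "tcp", 22),     # web -> db ssh: denied
        ("10.99.0.5", "10.50.0.20", "tcp", 22),      # jump host -> db ssh: allowed
        ("10.50.0.20", "10.10.5.5", "tcp", 445),     # db -> user LAN: denied
    ]
    for src, dst, proto, port in cases:
        action, why = evaluate(src, dst, proto, port)
        print(f"{src:>13} -> {dst}:{port}/{proto}  {action:5}  ({why})")
    print("exposed from anywhere:", sorted(exposed_services()))
```

The `exposed_services()` check is the question to ask of any server-farm ruleset: which hosts and ports can be reached from an arbitrary source. If that set contains anything other than the services you intend to publish, the firewall is not doing what Julio describes.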

Similar Messages

  • Configuring Mac OS X Firewall for iChat

    I understand that one must configure the firewall in Mac OS X Tiger before using iChat. It is a mystery to me that Apple does not provide a pre-configured Firewall rule for iChat AV that the user can easily just turn on or off. (Apple does have a pre-configured rule for iChat Bonjour).
    There is a How-To article on Apple's web site (see http://docs.info.apple.com/article.html?artnum=93208 ) but this article appears to be out of date. The article tells you to open up certain ports but it does not tell you whether the ports are TCP or UDP.
    From what I have been able to figure out, one needs to open the following ports in the Mac OS X Firewall for iChat to work:
    TCP Ports -- 5190, 5297, 5298
    UDP Ports -- 5060, 5190, 5676, 16384-16403
    Is this correct? Do I need to open up these ports in the Mac OS X Tiger Firewall before I can get iChat AV to work?
    (I prefer not to open up any unnecessary ports.)
    RobK

    By default the Mac OS X firewall doesn't block UDP traffic. So unless you have clicked on the "Advanced" button in your firewall settings and told the firewall to block UDP, you don't need to bother with the UDP ports (and indeed, if you include them in your firewall rule they won't even be used).
    There is absolutely no need whatsoever to open up TCP ports 5222 or 5223.
    While ports 5222 and 5223 are used by XMPP/Jabber SERVERS, iChat doesn't receive inbound connections on those ports. iChat will make an outbound connection from a random high port (mine's currently using port 54804 to connect to Google Talk on port 5223) and there's no need for a firewall rule for these (and it's impossible to predict what port iChat will use anyway).
    Port 5190 (TCP) is used for the AIM server connection. Just like above, iChat will use a random high port to connect to the AIM server on this port, so this does not need to be opened.
    Port 5190 (UDP) is used for AIM file transfers, I believe. It may be that iChat also uses it for XMPP/Jabber and Bonjour file transfers too (though I suspect not, since the Bonjour firewall rule doesn't open up this port). If you haven't blocked UDP traffic you won't need to open this port.
    Port 5220. As far as I know this port has nothing to do with XMPP/Jabber. The only thing I can think of is that perhaps iChat uses it as a custom file transfer port (though since Bonjour is just serverless XMPP/Jabber and this port isn't opened by the Bonjour rule, I suspect not). There is probably no need to open this port.
    Port 5298. I believe this is used for message exchange via Bonjour. If you're not planning on using Bonjour you shouldn't need to open it.
    Anyway, after this long rambling post the conclusion is:
    So long as you haven't blocked UDP traffic in the Advanced section of your Mac OS X firewall you shouldn't need to open up any ports for iChat to work (on your Mac anyway. Gateway/router is another story).
    If you have blocked UDP you will need to open the following:
    UDP: 5060, 5190, 5297, 5298, 5353, 5678, 16384-16403
    No TCP ports should need to be opened.
    Forwarding the above UDP ports to your machine on your gateway or router should enable things to work perfectly.

  • Firewall for iPodTouch

    Hi
    I am not sure if this is the right place to post this question. I want to develop an application that can block internet access (drop the TCP packets) on an iPod touch. If it were a Mac, I would use the IPFW driver. Can I do the same with an iPod touch? Are there any alternatives?
    Or at least, is it possible to develop a firewall from scratch for the iPod touch OS?
    Many Thanks
    Hazem

  • Which is better for servers, Apache or Tomcat?

    Which is better for servers, Apache or Tomcat?

    For some reason that link I gave you isn't working right now, but it was today, weird. I would get Tomcat simply because Sun uses it in its examples and recommends it. Here's Sun's link then; it's probably more useful anyway. http://java.sun.com/products/jsp/

  • ZEN for Servers 7 agent on the NW 6.5 sp7

    I've tried on a couple of servers and it's definitely a problem running the ZEN for Servers 7 agent on the newest NW 6.5 support pack 7, because it causes high processor utilization after 4-5 days of server up-time. Then you cannot stop the agent with the exit command, but only by killing its Java thread, when the processor utilization falls to the normal stage.
    As we use the ZEN for Servers 7 agent heavily to distribute applications to users' desktops, I would very much appreciate it if someone could help me with this issue.
    Sinisa

    Please see my thread from last year, TED Subscriber Locking Up. The fix was to revert to Java 1.4.2_09. NetWare SP7 installs Java 1.4.2_13. We ran into this problem when we installed the latest version of Java to fix the Daylight Savings Time issue last year. When you back rev Java to 1.4.2_09 TED no longer hangs up. Be sure to run the TZUpdater from Sun to update Java for the new DST settings.
    We are currently testing SP7 for deployment in a few weeks. I would greatly appreciate any ideas as to how we can deploy it without updating Java to 1.4.2_13. Any ideas?
    Thanks, Brian Geissman
    My Thread Post:
    http://forums.novell.com/novell-prod...ocking-up.html
    NetWare DST Page

  • Can I open a port range in the firewall for one host?

    Can I open a port range in the firewall for one host? In other words, I want to open ports 54001 to 54050 to allow one remote host on my LAN to access that port range on my Mac Server. Is this possible? Currently, the only option I see is to open individual ports for all external hosts (e.g. http or https).
    Thanks in advance!

    Which version of OS X Server are you using?
    Server 2.2 and earlier include an interface to a software firewall that can be configured to open specific ports very easily. Descriptions of how to configure the firewall can be found in the documentation for these versions.
    Server 3.x no longer has an interface to the software firewall. It is still there, but you need to use other methods to configure it. A popular example of such a method is the IceFloor utility.
    Apple suggests that for Server 3 you delegate firewall duties to an external router. Server 3 includes the ability to configure the firewall component of Apple AirPort routers 'automatically':
    if you connect a machine running Server 3 directly to an AirPort router, the router appears in the left-hand pane of the Server.app window (usually the second line, below the entry for the server itself), and you can control which services are 'enabled' through the firewall there.
    A more common solution, perhaps, is to use a non-Apple router and configure the firewall (and so open specific ports) through whatever control interface is provided for that router. There are many, many kinds of hardware router you could use, and the control interfaces vary widely, so you will have to consult the documentation for your own router to work out how to do this.
    If you post information about your software versions and hardware configuration, it is possible that you can get more specific help with the tasks involved in opening the ports.
    Hope this helps.
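
    As an added example (not from the reply above or from Apple), this is the rule pair that does exactly what the question asks on the pf packet filter that is still present in OS X Server 3 (OS X 10.9): a port range opened for one host and closed for everyone else. The interface name, the trusted host's address and the file name are assumptions chosen for illustration.

```conf
# Assumed file: /etc/pf.anchors/com.example.portrange (example, not Apple's)
ext_if  = "en0"            # assumed LAN interface of the server
trusted = "192.168.1.50"   # assumed address of the one host that may connect

# "quick" makes the first matching rule final; without it pf uses last match,
# and the block line below would win.
pass  in quick on $ext_if proto tcp from $trusted to ($ext_if) port 54001:54050 flags S/SA keep state
block in quick on $ext_if proto tcp from any      to ($ext_if) port 54001:54050
```

    Check the syntax without loading anything with `sudo pfctl -nf /etc/pf.anchors/com.example.portrange`, then reference the file from /etc/pf.conf with an `anchor "com.example.portrange"` line and a matching `load anchor ... from "/etc/pf.anchors/com.example.portrange"` line rather than loading it on its own with `pfctl -f`, which would replace Apple's ruleset. `sudo pfctl -sr` shows what is actually loaded. Note the caveat: the rule only decides who may reach those 50 ports; it does nothing about what is listening on them, so the service behind the range still needs to be one you would be happy to expose to that host.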

  • OVA for LMS 4.2.1 support for Red Hat Virtualization for Servers

    Is the OVA available for download on Cisco's website compatible with anything outside VMware? For example, Red Hat Virtualization for Servers.

    Not without a hack on your part (which would void any hope of support).

  • Administration for Servers No Content Servers Found.

    When I click on Admin Server in Oracle Content Management Server, the Admin Server page loads and I get the message "Administration for Servers / No Content Servers Found." on the Admin Server page. Please suggest.

    For some reason...
    The Admin Server cannot find a list of servers to manage. This could be because someone removed them via this interface, or deleted them from the file system, or... lots of other reasons, probably.
    There is an option to add servers, which is basically a wizard. As long as you know the install directory this should be pretty simple.
    HTH
    Tim

  • Site list update not working with TED and Zenworks for Servers

    Product: Zenworks for Desktops 7 SP1 and Zenworks for Servers/TED 7 SP1 HP5
    Subject: Site list update not working with TED and Zenworks for Servers, all on Linux
    Description: We have an existing environment with 6 ZfS servers and now we brought up a new server for another location. I configured it all the same as on the other servers, and the new one created all NAL apps at the new location. But in the Application Site List on the golden app this application is missing. So I clicked on "Link up site list" on the Distribution screen in C1. In the Application Site List the app from the new location is missing. So I removed all of them and added the new one from the new location, and now I see all of them in the Application Site List. When I install an app on a client at the new location, NAL always connects to the same (wrong) location server and I get an MSI error 1612 or id=53272 with path=\Wrong serverpath to file.
    I looked at the other tab in C1 on the golden app and I see the backlinks are going to all other servers, but not the new one. Software installations at other locations are OK.
    Regards
    Regards

    Andreas,
    I forgot to mention that you can also set the logging level on the Distributor and the Subscriber to 6. To do this, at the Zenworks Server Management prompt type "setconsolelevel 6"; if you want to capture this to the log file ted.log then use "setfilelevel 6".
    Next, delete the Distribution from the Subscriber and then re-push the channel.
    What we are looking for here in the log is the creation of the object and the linking information about the gold object. It should look like this (not the failure part ;-))) ).
    In this excerpt you will see the entry
    Golden App =
    This should be where the link is to.
    You can check this both ways, in the Golden App and in the Distributed Application.
    Here is a log from me that shows this info, as an example of what you should be looking for.
    2008.05.29 03:35:41 [TED:Work Order In(yourserver.yes.com)] Receiving distribution: Creating new application failed,
    Subscriber Tree Name= YOUR-TREE,
    Subscriber DN = SUBSCRIBER_YOURSERVER.BRN.FL.SUBS.SUBSCRIBERS.ZSM.GRS.CBH,
    Golden App = SCRIPT-MS-HOTFIX.APP.BRN.ZENGOLD.GRS.CBH,
    Attempted AppName = SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH,
    error message: Failed creating SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH. With error message: Setting the trustee for BRN.HAVERHI.PALM.FL.CBH on the file "VOL1:\ZEN\UTILS" failed. Look in subscriber log file for more details..
    2008.05.29 03:35:41 [TED:Event Processing] Handle Event: Work order IN completed... Creating new application failed,
    Subscriber Tree Name= YOUR-TREE,
    Subscriber DN = SUBSCRIBER_HAVERHI-FLBRN1.BRN.FL.SUBS.SUBSCRIBERS.ZSM.GRS.CBH,
    Golden App = SCRIPT-MS-HOTFIX.APP.BRN.ZENGOLD.GRS.CBH,
    Attempted AppName = SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH,
    error message: Failed creating SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH. With error message: Setting the trustee for BRN.HAVERHI.PALM.FL.CBH on the file "VOL1:\ZEN\UTILS" failed. Look in subscriber log file for more details..
    2008.05.29 03:35:41 [TED:Event Processing] Received (from haverhi-flbrn1.yesbank.com) Creating new application failed,
    Subscriber Tree Name= YOUR-TREE,
    Subscriber DN = SUBSCRIBER_HAVERHI-FLBRN1.BRN.FL.SUBS.SUBSCRIBERS.ZSM.GRS.CBH,
    Golden App = SCRIPT-MS-HOTFIX.APP.BRN.ZENGOLD.GRS.CBH,
    Attempted AppName = SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH,
    error message: Failed creating SCRIPT-MS-HOTFIX.APP.BRN.HAVERHI.PALM.FL.CBH. With error message: Setting the trustee for BRN.HAVERHI.PALM.FL.CBH on the file "VOL1:\ZEN\UTILS" failed. Look in subscriber log file for more details..

  • The Server Core installation option is recommended for servers running Hyper-V

    Hi,
    I installed Hyper-V Server 2008 R2 on my machine and upon running BPA it says that 
    The Server Core installation option is recommended for servers running Hyper-V
    I don't understand what it means by re-installing Hyper-V Core instead of the full installation. My Hyper-V is a stand-alone Hyper-V Server 2008 R2, the free one.
    Thanks!
    JAnus

    Hi JAnus,
    I am afraid you cannot change that report.
    Please just ignore that.
    Best Regards
    Elton Ji

  • Hi, looking for a bit of free anti-virus and firewall for OS X 10.8.2

    Hi, looking for a bit of free anti-virus and firewall for OS X 10.8.2, any pointers? Also, has anyone used Mac Cleaner?

    1. This comment applies to malicious software ("malware") that's installed unwittingly by the victim of a network attack. It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the victim's computer. That threat is in a different category, and there's no easy way to defend against it. If you have reason to suspect that you're the target of such an attack, you need expert help.
    2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files. This feature is transparent to the user, but internally Apple calls it "XProtect." The recognition database is automatically updated once a day; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.
    The following caveats apply to XProtect:
    It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets (see below.)
    It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.
    3. Starting with OS X 10.7.5, there has been another layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't actually been tested by Apple (unless it comes from the Mac App Store), but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. For most practical purposes, applications recognized by Gatekeeper as signed can be considered safe.
    Gatekeeper has, however, the same limitations as XProtect, and in addition the following:
    It can easily be disabled or overridden by the user.
    A malware attacker could get control of a code-signing certificate under false pretenses, or could find some other way to evade Apple's controls.
    For more information about Gatekeeper, see this Apple Support article.
    4. Beyond XProtect and Gatekeeper, there’s no benefit, in most cases, from any other automated protection against malware. The first and best line of defense is always your own intelligence. All known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore reduces to a battle of wits between you and the malware attacker. If you're smarter than he thinks you are, you'll win.
    That means, in practice, that you never use software that comes from an untrustworthy source. How do you know whether a source is trustworthy?
    Any website that prompts you to install a “codec,” “plug-in,” or “certificate” that comes from that same site, or an unknown one, is untrustworthy.
    A web operator who tells you that you have a “virus,” or that anything else is wrong with your computer, or that you have won a prize in a contest you never entered, is trying to commit a crime with you as the victim. (Some reputable websites did legitimately warn users who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)
    “Cracked” copies of commercial software downloaded from a bittorrent are likely to be infected.
    Software with a corporate brand, such as Adobe Flash Player, must be downloaded directly from the developer’s website. No intermediary is acceptable.
    5. Java on the network (not to be confused with JavaScript, to which it's not related) is a weak point in the security of any operating system. If a Java web plugin is not installed, don't install one unless you really need it. If it is installed, you should disable it (not JavaScript) in your web browsers. Few websites have Java content nowadays, so you won’t be missing much. This setting is mandatory in OS X 10.5.8 or earlier, because Java in those obsolete versions has known security flaws that make it unsafe to use on the Internet. The flaws will never be fixed. Regardless of version, experience has shown that Java can never be fully trusted, even if no vulnerabilities are publicly known at the moment.
    Follow these guidelines, and you’ll be as safe from malware as you can reasonably be.
    6. Never install any commercial "anti-virus" or "Internet security" products for the Mac, as they all do more harm than good. If you need to be able to detect Windows malware in your files, use the free software ClamXav — nothing else.
    Why shouldn't you use commercial "anti-virus" products?
    Their design is predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere.
    In order to meet that nonexistent threat, the software modifies or duplicates low-level functions of the operating system, which is a waste of resources and a common cause of instability, bugs, and poor performance.
    By modifying the operating system, the software itself may create weaknesses that could be exploited by malware attackers.
    7. ClamXav doesn't have these drawbacks. That doesn't mean it's entirely safe. It may report email messages that have "phishing" links in the body, or Windows malware in attachments, as infected files, and offer to delete or move them. Doing so can corrupt the Mail database. The messages should be deleted from within the Mail application.
    ClamXav is not needed, and should not be relied upon, for protection against OS X malware. It's useful only for detecting Windows malware. If you don't need to do that, avoid it. Windows malware can't harm you directly (unless, of course, you use Windows.) Just don't pass it on to anyone else.
    8. The greatest danger posed by anti-virus software, in my opinion, is its effect on human behavior. When people install such software, which does little or nothing to protect them from emerging threats, they get a false sense of security from it, and then they may do things that make them more vulnerable. Nothing can lessen the need for safe computing practices.
    9. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use.

  • I cannot set up a firewall for my computer. I can get to the place I'm supposed to get to but am unable to click Start.

    I cannot set up a firewall for my computer. I can get to the place I'm supposed to get to but am unable to click Start.

    If the Start Firewall button is grey (inactive), check to see if the padlock is "locked" in the lower left corner of the screen. If so, click it and enter the administrator password to unlock it. Then you can start the firewall.
    Hope this helps.

  • Cost diff. in % for SERVERS on Freeware Linux against whole SAP implementai

    Hi One and All,
    What is the percentage of money involved for servers in comparison to the complete SAP implementation cost?
    e.g.
    A company spends 40% on purchasing SAP licences,
    20% on the implementation partner,
    20% on servers,
    5% on PC systems on which ABAP programmers and functional consultants sit,
    15% on the support project.
    1. What actual % of the total cost of an SAP implementation is spent on SERVERS?
    2. If Linux servers (freeware like openSUSE or Fedora or likewise) are used, how much money will be saved, in case the existing servers are Windows?
    3. There are 2 identical organizations:
    ONE has implemented SAP with the database on WINDOWS SERVERS and all SAP systems have Windows OS.
    The OTHER has implemented SAP with the database on LINUX (available as freeware on the market) servers and all SAP systems have Linux as OS.
    Now the question is:
    What will be the difference in MONEY SPENT by the above 2 organizations in PERCENTAGES?

    1. What actual % of the total cost of an SAP implementation is spent on SERVERS?
    This depends a) on the servers you buy and b) on the implementation. An implementation of e.g. just FI is less expensive than if you implement more "modules".
    2. If Linux servers (freeware like openSUSE or Fedora or likewise) are used, how much money will be saved, in case the existing servers are Windows?
    Linux is not "freeware". Only specific distributions are supported (SUSE SLES, Red Hat Enterprise Server); in particular, the ones you named are not. So you will need to buy an OS and a maintenance licence for the OS too.
    What will be the difference in MONEY SPENT by the above 2 organizations in PERCENTAGES?
    We also use Linux everywhere, and money (or licences) was not the reason to use one or the other, but rather technical reasons.
    The hardware and licence costs are usually only a very small part of the total implementation costs. How much, however, is project specific.
    Many people think Windows is "easier" than Unix and use it, but I personally think that both are equally "difficult"; one shouldn't let oneself be fooled by the possibility of "managing the system by clicking".
    Markus

  • Firewall for traffic shaping and bandwidth

    Hi all,
    I want one basic firewall for my small office. I have 15 to 20 users in my office. Please suggest which firewall is suitable for me. Please help me. Thanks

    Hi Sandeep,
    I guess this is mainly for day-to-day general work activities like browsing etc. You can go with an ASA 5505 with a 50-user license. In future, if the number of users grows, you can upgrade the license as well, with no additional hardware cost.
    hth,
    MS

  • I don't have data in the "Client status summary" report for servers in the server collection, but I get data from our Windows 7 clients?

    Hi,
    I don't have data in the "Client status summary" report for servers in the server collection, but I get data from our Windows 7 clients.
    So, any idea why I don't get data from our servers? Missing client setting for servers?
    /SaiTech

    Hi,
    I do see the servers in the server collections under "Monitoring -- Client Status -- Client Activity", but not in reports like "Clients with failed client check details", where I get "No Data Available"?
    /SaiTech
