Firewall log permission

I just installed scheduled system updates and rebooted, now when I try to open the ipfw log it says "you don't have permission to read this log".
This is after I enter the administrator's password. Before the update to 10.4.11 I was able to open and read the firewall log just fine. What happened?
Thanks

Check the Permissions on that file, here I get...
Owner - system R&W
Group - admin = RO
Others - No Access

Similar Messages

  • Windows Server 2008 and Firewall Logging

    Our Windows server 2008 R2 domain controller does not appear to be logging anything into the windows firewall log: c:\windows\system32\logfiles\firewall\pfirewall.log.  The file is always blank.  Every 2003 server and 2008 R2 non-dc work fine. 
    I'm a little stumped.  The firewalls are configured via GPOs and appear to be applied ok. 
    I compared the 2003 and 2008 configuration and did notice one discrepancy:
    The 2003 windows firewall service runs as the local system account.  Its effective permissions on the pfirewall.log file are "full control"
    However, the 2008 firewall service runs as "LOCAL SERVICE".  This account has read-only permissions to the pfirewall.log file. 
    I haven't changed anything as this is a production server.  I was hoping for some guidance before I start changing default settings.  Any ideas why the pfirewall.log file is always blank?
    Thanks!

    Hi,
    Generally, C:\Windows\System32\LogFiles\Firewall\firewall.log has the following permission settings:
    NT SERVICE\MpsSvc:(F)
    NT AUTHORITY\SYSTEM:(F)
    BUILTIN\Administrators:(F)
    BUILTIN\Network Configuration Operators:(F)
    Please make sure MPSSvc (Windows Firewall service) has Full Control on this file.
    Thanks.
    This worked for me on a 2008 R2 DC that had somehow dropped the MpsSvc account off the Permissions list. In my case the pfirewall.log file wasn't even being created, so I had to modify permissions for the "%systemroot%\System32\LogFiles\Firewall" folder.
    Adding the MpsSvc account can be tricky if you're not familiar with where to look. Here are some supplemental instructions that might prove useful to those like myself who might not do this type of thing every day. Remember that these instructions are for a 2008 R2 Domain Controller.
    Open the "%systemroot%\System32\LogFiles\Firewall" folder. If necessary, "Click Continue to permanently get access to this folder."
    Right-click the empty space in the Firewall folder and click Properties.
    Go to the Security tab and click the Edit button.
    In the "Permissions for Firewall" window, click the Add button. The next step is where it gets tricky.
    Click the Object Types button and in the window that opens, make sure the Service Accounts box is checked. Click OK.
    Now click the Locations button. In the window that opens, make sure you change the default selection from the domain name to your Domain Controller's hostname (e.g. DC01). Click OK.
    In the object names text field, type "NT SERVICE\MpsSvc". If you were to simply enter "MpsSvc" it wouldn't work. This is not case sensitive, but the context of your entry is very specific.
    Click Check Names and your entry should automatically change to an underlined "MpsSvc" value. Click OK.
    Back on the "Permissions for Firewall" window, you can give MpsSvc Full Control of the Firewall folder, then click OK.
    You'll see a warning about changing permission settings on system folders. Read it, and if you accept the risk, click Yes. (Otherwise click No and enjoy your non-existent firewall logs.)
    Click OK again to save your changes and close the Firewall Properties window.
    You may have to restart the Windows Firewall service before the firewall log file will appear.
    You should also run a "gpupdate" just to make sure your settings are permanent and aren't being overridden by a GPO somewhere out there in Active Directory.
    That's all folks!
    "This posting is provided "AS IS" with no warranties, and confers no rights."
    -Mike

  • Why Are There Multiple Instances Of Firefox Preparing To Access Internet According To Firewall Log When I'm Not Launching Them And Nothing Appeared On My Screen

    I had closed Firefox after briefly running it and then tried to reopen it anew but got a message that said "Firefox is already running but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system."
    I logged off my computer, and later restarted. However, when I checked my Firewall log it showed that during the minute I had my computer on earlier there were about a dozen instances of "Firefox is preparing to access the internet" which were recorded just seconds apart.
    I don't have the problem now -- restarting apparently took care of the issue -- but I don't understand why there were so many instances of Firefox preparing to access the internet when I was not clicking on it all those times, the one time I did I got a message that it already was running, and there were no tabs on my screen to reflect all those supposed instances.
    Thanks for any insight that folks can offer.

    Were those Firefox processes or plugin-container processes?
    * http://kb.mozillazine.org/Plugin-container_and_out-of-process_plugins
    * https://support.mozilla.org/kb/What+is+plugin-container
    In case you are using "Clear history when Firefox closes", try to exclude the cookies in case you currently have selected this.
    * Tools > Options > Privacy > Firefox will: "Use custom settings for history": [X] "Clear history when Firefox closes" > Settings
    * https://support.mozilla.org/kb/Clear+Recent+History
    Note that clearing "Site Preferences" clears all exceptions for cookies, images, pop-up windows, software installation, and passwords.
    Firefox will try to remove cookies created by plugins in case you clear the cookies and that can result in plugin-container processes getting created.

  • VPN connection - Firewall Log

    Hi there!
    I got VPN setup and running.
    But when connected, I get a huge list of denied access in my server firewall log.
    This is just a small part of the list, it's displaying a huge amount of ports:
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:63189 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:52190 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:51801 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:63187 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:62158 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:60736 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:49626 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:50363 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:64415 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:65084 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:49345 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:57670 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:63019 192.168.0.116:53
    ipfw[3352]: 65534 Deny UDP 192.168.0.102:59496 192.168.0.116:53
    Client: 192.168.0.102
    Server: 192.168.0.116
    Anyone know what's causing this?
    Thanks!

  • Re: How to interpret firewall log?

    I am presently employing advanced firewall settings on my iMac G5 running Tiger 10.4.7, i.e., block udp traffic, enable firewall logging, and enable stealth mode. When I opened the firewall log for the first time today, I realized I didn't know what I was looking at. Can someone help me interpret what's going on? I guess I'm wondering if stealth mode is working properly?
    Here's a sampling of what was happening several days ago:
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52668 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52671 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52678 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52679 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52681 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52688 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52690 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52691 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52693 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52692 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52694 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52695 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52699 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52700 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52698 from 66.230.172.18:80
    Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52696 from 66.230.172.18:80

    Yes it is working properly.
    These are often "tail-end charlies" from a connection you've left with your browser. If you move from one website to another, before the first one has fully loaded, then the firewall will log the un-used packets from the first site as "Stealth Mode connection attempt" because your browser is no longer listening to that site. Note that all the "attempts" are on port 80 (http).
    I find, quite often, that ads and images from sites, other than the one you're actually visiting, can take quite a while to arrive, so if you've moved on at least a few packets are wandering around the 'net looking for a home.

  • Norton Firewall logging connections from usr/sbin/nmbd every 6 seconds...  What is this, and how can I stop it?

    This whole situation first started with a complaint from my ISP that it appeared I had a trojan virus...  around 1100-1200 messages per hour were being run through their servers via my account.  I have also Anti-Virus enabled, so I was left scratching my head...
    No viruses found on a full scan - so I started watching processes and connections.  This nmbd process is suspicious...  I don't run windows file sharing, nor have I ever.  This just popped up recently.  I also had two mac tech support calls, and one to Symantec - and it ran fine for a couple of days - but it's back again. 
    What is this, and how can I find the culprit, and remove it permanently...?
    Thanks in advance for any advice!
    --Jeff

    Thanks Thomas, appreciate the insight!  Thanks for taking the time to help me think through this...
    I have reset the password  twice now...
    It's only impacting one account, and the ISP says it's local to me - somewhere on my local network.
    I do have a few devices on my home network.  The only one with windows is my macbook air running parallels.  I just use this to browse some web projects I work on (view in IE to make sure everything is looking like it should). 
    The passwords I have used both times - they were ones set by my isp - the type you can't remember, they seem rather strong (upper/lower case letters, numbers, symbols).  That's what leads me to believe it's also local - something on my machine.  And it only seems to be impacting one email account (I have 5 running in Mac Mail).
    WiFi network is protected by WPA2 - just checked to be sure.  All good there.
    Now, in Norton Firewall log - I can see incoming and outgoing connections via Windows File Sharing/nmbd. 
    The reason I feel/felt that this is related to the spam sends is that once I saw the number of connects, and roughly equals the number of sends per hour of spam - I stopped the process with the firewall and suddenly my isp says the spam sends stop. That led me to believe they are related. Perhaps this virus or malware has spoofed its name and is identifying itself as nmbd?  I have no idea.  Just scared to turn it all off just yet.
    I did notice that Mountain Lion does not run this...  (nmbd).
    I did wonder about the Air sending something off of windows - but this all happened while it was off, laying on the desk next to me.  It rarely gets used unless I'm testing or traveling.
    I can understand nmbd being useful part of the system, I cannot understand how it would be very useful if I didn't turn it on, it connects at that frequency, and I don't have file sharing enabled.  That's why I am hesitant to turn Norton off, and hope that everything just goes away.  I want to try and get this problem figured out as simply turning Norton off doesn't seem like I'm taking steps to eliminate the problem.  Perhaps Norton is causing other issues - and I'll be removing the software asap - but want to make sure the spam sends cease.
    Let me know if that sparks any ideas...  Thanks again! 
    --Jeff

  • Firewall log - what's this mean?

    I had a hardware router/firewall and IP address server, just down stream from my cable modem until that device died this week. I've reconfigured what I had to use my Airport Graphite to distribute IP addresses and share a single IP address for all the devices on the home network "using NAT and DHCP" and connected 2 computers and a network printer with a simple Ethernet switch/hub. (BTW, this provides noticeably faster speed to the internet!) I already had the OS 10.4 firewall turned on in the 2 MacBooks, but I also now enabled Stealth Mode and for the first time "Firewall logging."
    So I later looked in the log file and I find:
    "Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:31 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:33 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80
    Jan 8 20:49:33 Michaels-MacBook ipfw: Stealth Mode connection attempt to TCP 10.0.1.8:52066 from 74.125.19.104:80"
    10.0.1.8 is the IP for this MacBook. I think this says I'm being scanned by someone attempting to use port 52066 (???), from some other computer named 74.125.19.104 port 80 - is that correct? Should I be worried? Is there something else I should enable or disable? Naturally, I turned on the minimum number of services in the Firewall. BTW, how could I find out who/where 74.125.19.104 is? This went on for about 3 minutes last night but seems to have stopped now.
    I think this also makes me believe I should go back to a hardware firewall upstream, right at the 'port of entry,' but I don't see much for sale these days (at home prices) that is a true firewall. I know a new Airport Extreme Basestation says it has a "built-in firewall" but I can't find any information about that feature, ie is it more than just NAT translation? Does anyone have a recommendation for a reasonably priced, easy to set up and manage firewall?
    thanks!

    I have Snort NIDS running on my computer and get port scans similar to this reported to me all the time from numerous websites - for example, from these very discussions.apple.com forums. Port 443 is a server https port, your port 49235 is in all likelihood the randomly created outbound port that you initially established a web browsing connection with, hence, assuming this to be an established connection, it would have been forwarded through your router to your computer (to your 192.168.x.x address). This IPA belongs to akamai.com, I think they handle a lot of online purchasing and online billing stuff and stuff that requires logging in in some manner or another -- were you paying bills or buying something online or in an authenticated website at the time this occurred?
    I don't understand why these port scans from established connections to reputable web servers happen, but I don't believe them to be abnormal. Perhaps someone who is a subject matter expert in enterprise-class web servers could weigh in here and explain what may be going on here.

  • Stealth mode and firewall logging problems to be resolved please.

    I am running OS X v10.6.8 and am having difficulty setting stealth mode. System Preferences shows stealth mode to be switched on, but System Profiler shows it to be off, no matter how many times I set it and shut down/restart. System profiler also shows firewall logging to be switched off, but there is no facility within the Security/Firewall section of System Preferences to switch it on.

    I think the answer to this is if you have "Block all incoming connections" checked, then "Enable stealth mode" in Sys Prefs is checked but greyed out. Mine is set up that way and I'm seeing, like you, that Stealth Mode is off in System Profiler>Network>Firewall. If you have "Block all incoming" checked, then activating Stealth Mode becomes moot.
    I can only get it undimmed if I uncheck Block all incoming.

  • Disabling Firewall logging

    Snow Leopard is extremely fast & stable for me on my 3 Macs. One problem though - I was unable to find the option to disable firewall logging which was available in Leopard.
    System Profiler says firewall logging: No. But in the same System Profiler, appfirewall.log file keeps growing (with Stealth Mode enabled).
    Is there a way to disable firewall logging or is it a bug that will be addressed in the next update?
    Thanks for any help.
    Best - KrishnaMohan.

    I've found a way to disable logging while keeping stealth mode enabled. Unfortunately, it involves a little manual plist editing and converting from/to binary xml format. Here's what worked for me in a terminal session:
    cd /Library/Preferences
    sudo plutil -convert xml1 com.apple.alf.plist
    Careful, that's a lower case 'L' and a number '1' above.
    sudo nano com.apple.alf.plist
    search (ctrl-W) for the key loggingenabled
    change the integer value to 1
    save the file (ctrl-O)
    quit nano (ctrl-X)
    sudo /usr/bin/plutil -convert binary1 com.apple.alf.plist
    That should do it but to be safe you might want to log out and back in (or restart for overkill).
    I don't know about others, but the volume of my denied connection attempts really taxed the appfirewall.log. Often there were several entries logged every second.

  • What does "P:2" mean in the firewall log?

    i am getting entries like this in my firewall log:
    63300 Deny P:2 169.254.68.70 224.0.0.251 in via en1
    what is "P:2" and how should i deal with this kind of traffic? we are having some odd network issues related to the firewall so i'd like to make the P:2 stuff Allowed instead of Denied, but these entries have no port number and they are neither TCP nor UDP, so i can't see where in the UI to make a change...

    right, 169.254.x.x would be one of the office machines that hasn't picked up an IP from the DHCP server yet. 224.0.0.251 is related to bonjour somehow... i am thinking that the machine with the self-assigned IP is using bonjour to talk to other machines on the LAN, or to discover the DHCP server or something like that.
    but -- my problem is that i can't figure out what rule in the firewall is causing these P:2 packets to get denied, and likewise how i would go about changing the firewall to accept these packets. for now i've set up an address group for 169.254.0.0/16 and told the firewall to accept all traffic from those IPs, but i still don't understand what P:2 means or why these connections don't have an associated port (which implies that "allow all traffic" is doing something different than checking the box for every service in the list).
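
The ipfw log formats quoted in the threads above (rule hits such as `65534 Deny UDP ...`, "Stealth Mode connection attempt" lines, and the port-less `P:2` entry) can be parsed and grouped with the sketch below. It is an added example, not code from any of the posters; it reads `P:<n>` as the IP protocol number (2 is IGMP), and the function names, the 49152 ephemeral-port threshold and the wording of the notes are assumptions of the example.

```python
import ipaddress
import re
from collections import Counter

# ipfw logs "P:<n>" for protocols it has no name for; n is the IP protocol number.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
EPHEMERAL_MIN = 49152  # assumption: start of the IANA dynamic port range
MDNS_GROUP = ipaddress.ip_address("224.0.0.251")

ADDR = r"\d+(?:\.\d+){3}"
STEALTH_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    rf"(?P<dst>{ADDR}):(?P<dport>\d+) from (?P<src>{ADDR}):(?P<sport>\d+)")
RULE_RE = re.compile(
    r"(?P<rule>\d+) (?P<action>[A-Za-z]+) (?P<proto>[A-Z][\w:.]*) "
    rf"(?P<src>{ADDR})(?::(?P<sport>\d+))? (?P<dst>{ADDR})(?::(?P<dport>\d+))?"
    r"(?: (?P<direction>in|out) via (?P<iface>\S+))?")


def parse_line(line):
    """Return a dict for one ipfw log line, or None if it is not recognised."""
    m = STEALTH_RE.search(line)
    if m:
        e = dict(m.groupdict(), kind="stealth", rule=None, action="Stealth")
    else:
        m = RULE_RE.search(line)
        if not m:
            return None
        e = dict(m.groupdict(), kind="rule")
    if e["proto"].startswith("P:") and e["proto"][2:].isdigit():
        num = int(e["proto"][2:])
        e["proto"] = IP_PROTOCOLS.get(num, "proto-%d" % num)
    for key in ("rule", "sport", "dport"):
        e[key] = int(e[key]) if e.get(key) else None
    return e


def explain(e):
    """One-line reading of a parsed entry; the rule number is the rule that matched."""
    dst = ipaddress.ip_address(e["dst"])
    if e["kind"] == "stealth" and e["sport"] in (80, 443) and e["dport"] >= EPHEMERAL_MIN:
        return "web server reply to an ephemeral local port (late packet, closed connection)"
    if e["proto"] == "UDP" and e["dport"] == 53:
        return "DNS query (UDP/53): %s by rule %s" % (e["action"], e["rule"])
    if e["proto"] == "IGMP" and dst.is_multicast:
        tag = " (mDNS/Bonjour)" if dst == MDNS_GROUP else ""
        return "IGMP for multicast group %s%s; IGMP has no ports" % (dst, tag)
    return "unclassified"


def summarize(lines):
    """Count entries per (src, dst, proto, note), ignoring the changing client port."""
    counts = Counter()
    for line in lines:
        e = parse_line(line)
        if e is not None:
            counts[(e["src"], e["dst"], e["proto"], explain(e))] += 1
    return counts


# Sample lines copied from the posts on this page.
SAMPLE = [
    "ipfw[3352]: 65534 Deny UDP 192.168.0.102:63189 192.168.0.116:53",
    "ipfw[3352]: 65534 Deny UDP 192.168.0.102:52190 192.168.0.116:53",
    "Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52668 from 66.230.172.18:80",
    "Sep 7 14:10:44 iMac-G5 ipfw: Stealth Mode connection attempt to TCP 10.0.1.3:52671 from 66.230.172.18:80",
    "63300 Deny P:2 169.254.68.70 224.0.0.251 in via en1",
]

if __name__ == "__main__":
    for (src, dst, proto, note), n in summarize(SAMPLE).most_common():
        print("%3d  %-15s -> %-15s %-5s %s" % (n, src, dst, proto, note))
```

Grouping this way collapses a long run of entries that differ only in the client port into one row per flow, which makes it easier to see which rule is responsible.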

  • Logging permission...

    Hi all,
    I'm trying to create a log file for my ejb client. To run the client I use the command "runclient". When I do, the following exception occurs:
    Application threw an exception:java.security.AccessControlException: access denied (java.util.logging.LoggingPermission control)
    I'm using the java.util.logging.Logger and java.util.logging.FileHandler classes.
    Could anybody help me?
    Thanks,
    Marcio Azevedo.

    You need to grant logging permission to your application. Depending on what EJB container you are using, this is different but it boils down to editing a Java Policy File.
    LoggingPermission has only one entry and that is control. So your policy file entry will be something like:
    grant codeBase "jarOrClassURL" {
      permission java.util.logging.LoggingPermission "control", "";
    };

  • Firewall Log Entries

    My firewall log is showing strange activity on my computer.
    I am seeing these entries:
    Dec 13 09:29:39 TheMacPro Firewall[84]: Allow Transmission connecting from xx.xx.xx.xxx:34762 to port 56202 proto=6
    ...and on and on, about 1,000 entries like the one above (but with different IPs). This goes on and on for days, then repeats as the log gets cleared (after 1000K worth of log entries).
    I've Googled the IPs and most of them resolve to strange places, such as New Delhi, Saudi Arabia, and so on.
    Doesn't sound good. Is there a way that I can trace what process on my computer is talking to these IPs?

    Ahhhhhhh...that's gotta be it!
    Um, I mean no, I did not have relations with that application.
    Thanks!

  • Firewall log entries originating from Xserve

    Our 3com ADSL NAT router/firewall log shows repeated entries relating to our Xserve (10.4.2 / AFP, DHCP, DNS, NetBoot, Open Directory Master, VPN) inside the firewall. Access attempt typically is repeated every 2 seconds on port 49152. The intended target is a string of different external IP addresses on port 53 and so would appear to be DNS queries – one at least appeared to be a name server. However, the firewall registers them as UDP Flood to Host.
    I'm not aware of any issues arising from this, but having had problems from PC viruses on our LAN I'm a bit nervous about odd firewall entries. Can anyone illuminate or reassure me?
    Martin Inchley

  • Firewall log not updating

    Logging of denied packets is enabled on our 10.4 Server and it used to display the log just fine. However the current log file is now empty and is not updating at all. I've tried deleting the log and new log file is created but nothing is written to it even if I enable logging of allowed packets.
    Anyone know what would be causing this problem or how to fix it?

    I'm now having some other problems on the server so I ran repair permissions and this has fixed the firewall log problem. I don't know how the permissions became corrupted.

  • Firewall Log Error

    Hi, I just posted this in a different category on the forums, but I haven't received a response. Maybe this is a better category for the topic.
    I have been having some trouble with the firewall log recently. I have firewall logging enabled in the security menu of System Preferences. I also have the firewall set to Allow Specific Programs. However, when I try to view the firewall log, the error that is returned to me in console is:
    LSOpenFromURLSpec() returned -43 for application (null) path /var/log/appfirewall.log.
    What does this error mean, and how can I go about fixing it? The firewall no longer asks me if I want to allow new programs that I run, and I thought this could be the culprit. I just did a clean install of Leopard, and now this has happened. Thanks for any help.

    It likely means that for whatever reason you have no /var/log/appfirewall.log file.
    At the very least, you should have the following file in /var/log:
    $ ls -l /var/log/app*
    -rw-r----- 1 root admin 47268 Dec 30 03:53 appfirewall.log
    If you don't have one, you may need to create one; let me know if you're missing it and I'll give you further instructions.
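
The permission state described in the first reply on this page (owner read/write, group admin read-only, others no access) and in the `ls -l` output above (`-rw-r----- root admin`) can be checked with a short script. This is an added example, not code from the posters; `audit_log`, `id_name` and the finding texts are names chosen here, and the default owner, group and mode are taken from that `ls -l` line.

```python
import grp
import os
import pwd
import stat


def id_name(lookup, ident, field):
    """Resolve a uid or gid to a name, falling back to the number as text."""
    try:
        return getattr(lookup(ident), field)
    except KeyError:
        return str(ident)


def audit_log(path, owner="root", group="admin", mode=0o640):
    """Return a list of findings; an empty list means the file matches."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # The state the last answer suspects: no log file for the viewer to open.
        return ["missing: %s does not exist" % path]
    findings = []
    actual_owner = id_name(pwd.getpwuid, st.st_uid, "pw_name")
    actual_group = id_name(grp.getgrgid, st.st_gid, "gr_name")
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_owner != owner:
        findings.append("owner is %s, expected %s" % (actual_owner, owner))
    if actual_group != group:
        findings.append("group is %s, expected %s" % (actual_group, group))
    if actual_mode != mode:
        findings.append("mode is %s (%04o), expected %04o"
                        % (stat.filemode(st.st_mode), actual_mode, mode))
    if not actual_mode & stat.S_IRGRP:
        findings.append("group-unreadable: members of %s cannot open the log"
                        % actual_group)
    if actual_mode & stat.S_IROTH:
        findings.append("world-readable: any local user can read firewall entries")
    if actual_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by non-owner: log entries can be altered")
    return findings


if __name__ == "__main__":
    for item in audit_log("/var/log/appfirewall.log") or ["ok"]:
        print(item)
```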
