FMS: NAT and Firewall
I've run into one roadblock after another with Cirrus (Stratus) - basically, even the Adobe Videophone example refuses to work in the 'real world' where there's a mix of NAT and firewall configurations outside the developer's control. (http://forums.adobe.com/message/1064983#1064983 and thread at http://forums.adobe.com/thread/736422?tstart=0)
My question is whether Flash Media Server 4 has the same sort of issues? We don't want to pay up to install and run our own FMS only to discover that we won't be able to provide a P2P service to our end users because they're scattered around the Internet with a mix of mobile devices and computers lying behind NAT and firewall devices that we can't predict.
FMS4 and Cirrus should behave identically as far as facilitating P2P communications on the open Internet.
as the referenced article describes, with some combinations of NATs and firewalls, P2P communication is impossible. RTMFP tries really hard to establish connections in the cases where direct communication is possible, but will not function in cases where direct communication is not possible.
we believe direct communications should be possible for the majority of Internet users, but recognize that it won't be possible for 100% of users.
Similar Messages
-
Hello all,
I recently configured my 881W for dual SSID, and NATing to separate the VLAN traffic. Afterwards, I used Cisco Configuration Professional to configure the firewall for medium security, and then I tested it by connecting it to my U-Verse residential gateway in DMZplus mode. I was able to get a DHCP address from my IP to the 881W, but I can't resolve DNS, or get to any outside internet sites. Based on my configuration below, does anyone have any insight into what could be wrong?
R1-881W#show run
Building configuration...
Current configuration : 14484 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname R1-881W
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1392450818
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
<some cert>
quit
no ip source-route
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
ip dhcp pool Private
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 172.16.1.1 255.255.255.0
ip dhcp pool Guest
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1 255.255.255.0
ip cef
no ip bootp server
ip domain name somedomain.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
no ipv6 cef
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
username someuser privilege 15 secret 5 xxxxxxxxxxxxxx
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh version 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
interface Null0
no ip unreachables
interface FastEthernet0
switchport access vlan 11
interface FastEthernet1
interface FastEthernet2
switchport access vlan 11
interface FastEthernet3
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
shutdown
duplex auto
speed auto
no cdp enable
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 100 interface FastEthernet4 overload
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
control-plane
banner login ^CWarning! Authorized Access Only!^C
line con 0
password 7 xxxxxxxxxxxxxx
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxxxxxxxxx
transport input telnet ssh
transport output telnet
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
endHenrik,
I redid the changes you suggested (excluding the
config to make the guest-zone only allowed to ping and get an IP-address of the route). I cannot connect to the internet from VLAN12. Here is my config below:
R1-881W#show run
Building configuration...
Current configuration : 8875 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname R1-881W
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1234567890
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
quit
no ip source-route
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
ip dhcp pool Private
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 172.16.1.1 255.255.255.0
ip dhcp pool Guest
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1 255.255.255.0
ip cef
no ip bootp server
ip domain name lab.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
no ipv6 cef
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
username somerookieuser privilege 15 secret 5 xxxxxxxxxxxxxxx
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh version 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
class class-default
drop
zone security out-zone
zone security in-zone
zone security guest-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface Null0
no ip unreachables
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
logging trap debugging
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
control-plane
banner login ^CWarning! Authorized Access Only!^C
line con 0
password 7 somestrongpassword
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 somestrongpassword
transport input telnet ssh
transport output telnet
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
R1-881W# -
Howto: Zones in private subnets using ipfilter's NAT and Port forwarding
This setup supports the following features:
* Requires 1 Network interface total.
* Supports 1 or more public ips.
* Allows Zone to Zone private network traffic.
* Allows internet access from the global zones.
* Allows direct (via ipfilter) internet access to ports in non-global zones.
(change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
Network setup:
iprb0 65.38.103.1/24
defaultrouter 65.38.103.254
iprb0:1 192.168.1.1/24 (in global zone)
Create a zone on iprb0 with an ip of 192.168.1.2
### Example /etc/ipf/ipnat.conf
# forward from a public port to a private zone port
rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
# force outbound zone traffic thru a certain ip address
# required for mail servers because of reverse lookup
map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
map iprb0 192.168.1.2/32 -> 65.38.103.1
# allow any 192.168.1.x zone to use the internet
map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map iprb0 192.168.1.0/24 -> 0/32For testing purposes you can leave /etc/ipf/ipf.conf empty.
Be aware the you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules and the rules stay loaded if they are just disabled(bug).
Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
Create /etc/init.d/zone_route_hack
Link this file to /etc/rc3.d/S99zone_route_hack.
#/bin/sh
# based on information found at
# http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
# http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
fake_router=192.168.1.254
public_net=65.38.103.0
router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
# send some data to the real network router so we look up it's arp address
ping -sn $router 1 1 >/dev/null
# record the arp address of the real router
router_arp=`arp $router | nawk '{print $4}'`
# delete any existing arp address entry for our fake private subnet router
arp -d $fake_router >/dev/null
# assign the real routers arp address to our fake private subnet router
arp -s $fake_router $router_arp
# route our private subnet through our fake private subnet router
route add default $fake_router
# Can't create this route until the zone/interface are loaded
# Adjust this based on your hardware and number of zones
sleep 300
# Duplicate this line for every non-global zone with a private ip that
# will have ipfilter rdr (redirects) pointing to it
route add -net $public_net 192.168.1.2 -ifaceNow we have both public and private ip addresses on our one iprb0 interface. If we'd really like our private zone network to really be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones because they use loopbacks we can just block the 192.168.1.x traffic and the zones can still talk.
The following /etc/ipf/ipf.conf defaults to deny.
# ipf.conf
# IP Filter rules to be loaded during startup
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# INCOMING DEFAULT DENY
block in all
block return-rst in proto tcp all
# two open ports one of which is redirected in ipnat.conf
pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
# INCOMING PING
pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
# INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
#pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
# OUTGOING RULES
block out all
# ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
# remove/edit as needed to actually talk to local private physical networks
block out quick from any to 192.168.0.0/16
block out quick from any to 172.16.0.0/12
block out quick from any to 10.0.0.0/8
block out quick from any to 0.0.0.0/8
block out quick from any to 127.0.0.0/8
block out quick from any to 169.254.0.0/16
block out quick from any to 192.0.2.0/24
block out quick from any to 204.152.64.0/23
block out quick from any to 224.0.0.0/3
# Allow traffic out the public interface on the public address
pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
# OUTGOING PING
pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
# Allow traffic out the public interface on the private address (needs nat and router arp hack)
pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
# OUTGOING PING
pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
# INCOMING TRACEROUTE FIX PART 2
#pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep stateIf you want incoming and outgoing internet in your zones it is easier if you just give them public ips and setup a firewall in the global zone. If you have limited public ip address(I'm setting up a colocation 1u server) then you might take this approach. One of the best things about doing thing this way is that any software configured in the non-global zones will never be configured to listen on an ip address that might change if you change public ips.Instead of using the script as a legacy_run script, set it up in SMF.
First create the file /var/svc/manifest/system/ip-route-hack.xml with
the following
---Start---
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
ident "@(#)ip-route-hack.xml 1.0 09/21/06"
-->
<service_bundle type='manifest' name='NATtrans:ip-route-hack'>
<service
name='system/ip-route-hack'
type='service'
version='1'>
<create_default_instance enabled='true' />
<single_instance />
<dependency
name='physical'
grouping='require_all'
type='service'
restart_on='none'>
<service_fmri value='svc:/network/physical:default' />
</dependency>
<dependency
name='loopback'
grouping='require_all'
type='service'
restart_on='none'>
<service_fmri value='svc:/network/loopback:default' />
</dependency>
<exec_method
type='method'
name='start'
exec='/lib/svc/method/svc-ip-route-hack start'
timeout_seconds='0' />
<property_group name='startd' type='framework'>
<propval name='duration' type='astring'
value='transient' />
</property_group>
<stability value='Unstable' />
<template>
<common_name>
<loctext xml:lang='C'>
Hack to allow zone to NAT translate.
</loctext>
</common_name>
<documentation>
<manpage
title='zones'
section='1M'
manpath='/usr/share/man' />
</documentation>
</template>
</service>
</service_bundle>
---End---
then modify /var/svc/manfiest/system/zones.xml and add the following
dependancy
---Start---
<dependency
name='inet-ip-route-hack'
type='service'
grouping='require_all'
restart_on='none'>
<service_fmri value='svc:/system/ip-route-hack' />
</dependency>
---End---
Finally create the file /lib/svc/method/svc-ip-route-hack with the
contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
import /var/svc/manifest/system/zones.xml'.
This will guarantee that ip-route-hack is run before zones are started,
but after the interfaces are brought on line. It is worth noting that
zones.xml may get overwritten during a patch, so if it suddenly stops
working, that could be why. -
Static NAT and same IP address for two interfaces
We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
static (production,Outside) 10.10.10.10 access-list production_nat_static_1
Thanks for any help.
JeffHi Jeff,
Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
Setting up gateway and firewall in OS X Server 10.3?
Hi all,
I have a G4 tower with two working ethernet cards in it that I would like to configure as a gateway and firewall. It has OS X Server 10.3 on it. I have easily found the firewall configuration in the Server Admin intrerface, but I can find nothing about configuring the server to act as a gateway. The only information I have found that is pertinent is related to the Gateway Setup Assistant that comes with OS X Server 10.4, which doesn't exaclty help me. Does anyone have any documentation on configuring OS X Server 10.3 to be a gateway? Thanks.Actually, I may have marked this as answered too quickly...
So I followed the guide at the back of the getting started manual, and set everything up as follows:
- PCI ethernet card is set up as the connection to the outside world. It is plugged into a switch which connects to a wall jack. In Network under System Preferences, it is set up as the first internet conection to try. It has a static IP address, and is set up to use the organization's DNS servers. It is NOT plugged into the upstream port, but is instead in port #9. The light on the router is on.
- Built-in wireless is set up to be the internal connection. It is plugged into the upstream slot on anouther switch. It has a static IP address, and is set up to use the organization's DNS servers. The light on the router is on, so it appears there is a connection.
- A different computer is plugged into the second switch, which a static IP address and to use the organization's DNS servers.
So basically, unlike in the scenario in the manual, I am not using the OS X Server for DNS, DHCP or NAT services. That should, if anything, simplify it.
The firewall service is started, and is set to allow all traffic in and out, no problems. Nice and simple to start.
The server has an okay connection to the outside world via the PCI ethernet card. I can ping other machines and load web pages. I cannot, however, access the machine connected to the router which is connected to the built-in ethernet. Likewise, that machine has no access to either the OS X Server or the outsideworld.
How does OS X Server decide which ethernet card is to be connected to the outside world, and which is for the internal firewall? Is the confusion possible because I'm connected to two routers? -
Airport Utility and Firewall Difficulties
I am running Windows 7 with a Time Capsule and Airport Express for NAS, wireless routing, and Airplay. The TC is connected to the Win 7 desktop via ethernet and we have a Vista laptop and iPhones which connect wirelessly to the network.
I also have a Webroot internet security program for antivirus and firewall which seems to be interfering with Airport Utility finding the TC and AE. If I disable the firewall and reboot, the devices appear in APutil. Windows Firewall is disabled and not used.
I have included the APutil.exe, APagent.exe, iTunes.exe, and a few other Apple executables in the security exceptions to allow their traffic but APutil still can't see the devices. The wireless internet connection still works but Airplay will not. Is there another Webroot setting I need to change?
Alternatively, would I still be protected if I shut off the Webroot firewall function and allowed the NAT Firewall in the Apple hardware to operate? Is there anything I need to do in the Airport Utility to make this happen?
Many thanks in advance from a wireless newbie.iTunes uses UDP port 5353 to locate AirPort Express base stations that can be destinations for your AirTunes music stream. Make sure this port is allowed through your firewall.
The following link contains a list of all the ports tha apple uses with it's software.
http://support.apple.com/kb/TS1629?viewlocale=en_US -
Guys,
If I have servers protected behind a firewall and I need to load balance some servers , where should I place the ACE?
Sent from Cisco Technical Support iPad AppHi,
With one-arm i believe the question is where you want to place the firwall. As long as the client is able to reach the VIP and server replies back to ACE i dont see any problem with this design.
Firewall ---------Switch ---------------- Load Balancer ---
As you know with one-arm requires a source NAT and might not be a good fit for application that are using the source IP address to track client usage patterns. PBR avoids this problem but adds other considerations, such as routing complexity, asymmetrical routing for non-load-balanced flows, and VRF support; PBR is not available on VRFs.
Regards,
Siva -
Not sure if I am doing this right. This is my first time in the support community.
I imagine what I put in my heading was supposed to go in here.
I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).Why do ISPs insist upon making things so difficult for their customers?
If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-i nformation/
Scroll down to DHCP Settings
You will need to log in with proper "technician" credentials. They are provided in the above link as
Username: tech
Password: t3lu5tv
... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business. -
Good afternoon,
My internet connection is delivered by a modem Sagem f@st 3464 (Scarlet One : vdsl tv VoIP wi-fi), it's almost the same than a BBox-2 from Belgacom (software and configuration).
This modem has 4 ethernet port, 2 for TV, 2 for LAN, the WAN port is RJ-11 and the connection is a PPPoE (in fact, it's the Belgacom network). I also got a Wi-Fi 802.11g on it.
The main raison why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
First of all, can I do the following with my TC :
1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
2) create a new Wi-Fi network using the TC ?
Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
The Airport Utility 6.1 "Wizard" is just un-usable and I need to use a Win 7 laptop in order to get access to all the configuration !
The standard manual is very poor.
Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
Sincerely yours,
AVDB1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
2) create a new Wi-Fi network using the TC ?
Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
This is easy enough to do..
Plug the TC directly into a computer.. without other connections to do the setup.
Using the newly installed 5.6 utility.
Bridge the TC.
Create a wireless network.
This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
Update the TC..
Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4ghz and 5ghz bands directly to the main router. -
Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone else??
Have deleted temp video, configured anti spam and firewall, and one specific video keeps giving me an error. Just tried downloading a previous episode of the show and it worked just fine. Always sunny in philly "Charlie rules the world" anyone else??
-
Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?
Hi the_mad_movies,
It seems like this article will be the best option for addressing this issue:
Error 3194, Error 17, or "This device isn't eligible for the requested build"
http://support.apple.com/kb/ts4451
Thanks for coming to the Apple Support Communities!
Cheers,
Braden -
Thrree different times I attempted to download the new OS to my wife's iPad. each time it would proceed to a point somewhere around 80 minutes remaining (started with 3+ hours remaining and downloaded about 4mb per minute). I have a 1mbDSL line that routinely tests out at around .85mb per min. I have tried all the "fixes" I found on the site including isolating allother USB interfaced hardware, rebooting both machines (PC and iPad), shutting off AV and firewall and still it fails at about the same point - giving error 3259.
An attempt to find other info or any way to comminicate directly with Apple re this was not successful.
Any ideas?
My next idea is to take the entire PC to my son's where there is a faster internet connection but that is a lot of trouble and you shouldn;t have to do that. with other large file updates I have done on other software, if it fails or times out you are able to resume where it left off and eventually get it done.An alternative is to try downloading the update via a browser : https://discussions.apple.com/message/16703914#16703914
You could also do that via, for example, a friend's computer and then copy it to your own computer for the actual update. -
NAT and Routed Network with Two ISP's on one router
I'm sure this has been done covered many times, but I am not finding it.
I have two ISP connections.
With ISP-A I have a /30 between us and 200.100.100.0/24 is routed to me via the /30 for thsi example we will say the /30 is 1.1.1.1 on isp end and 1.1.1.2 on my end
With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
Everything on 192.168.100.x should use NAT and go out ISP-B
I have tried
ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
route-map ISP-B permit 10
match ip address 101
match interface GigabitEthernet0/1
set ip next-hop 100.0.0.1
route-map ISP-A permit 10
match ip address 111
match interface Multilink1
set ip next-hop 1.1.1.1
The problem comes when I have default routes to ISP-A in the router than none of the ISP-B traffic works, and vice versa.I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
If you can use BGP, this link will help you in load shearing between multiple ISPs when you have one router.
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
HTH -
when installing third party software, how do I temporarily turn off the factory installed virus sw and firewall? Is it necessary on a Mac to do so? I come from the Windows world and am still in the learning curve on the Mac.
Correct. I have not installed ANY other software for anti-virus, etc. I want to install a Synch app for my HTC phone to sych with MS Outlook 2011 installed on my Mac. HTC will not synch with it otherwise. That was really the basis for my question....if installing a non Apple app can be done without messing with factory settings on the Mac. In Windows I remember that I needed to disable Norton and the Firewall in order for installation to occur.
Thanks. -
Suggest antivirus and firewall
Hi, im running a windows computer xp home service pack3,
I was having problems downloading films from itunes, and i suspected either a bug/virus in my computer
or conflict with security software in my computer was causing problems, So i wiped my computer and installed new version
of xp,Went onto itunes and downloaded film which seems to have downloaded okay,
I dont want the same problem so can anyone suggest please an antivirus and firewall for my computer [had pandacloud antivirus before] which shouldnt cause conflict problems with itunes?, Many thanks for any help given.WIndows XP has a fairly serviceable firewall built into it already. As long as you are connecting to the internet via a router there really shouldn't be too much to worry about. Back in the day of directly connected modems people were inadverntly exposing their file systems to anyone who chose to look. A quick visit to Sheilds Up! should let you know if there are any significant issues.
I tend to recommend AVG-Free as an AV solution for personal use. Don't install its toolbar or search redirector. Whatever AV package you use you may want to go into its advanced settings and exclude it from monitoring your iTunes folder. This should prevent any conflict between the AV and iTunes.
tt2
Maybe you are looking for
-
Hi all, I have recently bought a new laptop. My old desktop PC has been used to sync and back-up my iPhone4. However, when I installed itunes on the new laptop and tried to sync the iphone I got the message "iPhone can only be synced with one iTunes
-
3GS applications opening randomly??
The last coupla days, my new black 32GB 3GS is acting pretty buggy. I will leave it on the home screen and it goes into standby. Sometimes, when I turn it back on, it will already be on an application like Youtube or a specific email is opened, even
-
Quick time is not loading mp3 in PC IE only...
The deal is, this is an issue only shows in Windows Internet Explorer. The code I put in is as follows. <embed src="http://www.newstribune.com/weather_feed/images/tribune.mp3" width="135" height="32" autostart="False" type="audio/mpeg" volume="50"> <
-
How do I access the Photoshop Elements editor inn Premier Elements 12?
I am unable to access the editor tools for editing photos in Premier elements 12.
-
LossLess Compatibility/Work-Arounds
I'm using iTunes for Windows. I'd like to rip my music into a lossless format that would be compatible with iTunes and any other music players that I may need to use in the future. Apple Lossless works with iTunes and the format will work with my iPo