How to setup osx Firewall to allow incoming access to nginx?

Similar Messages

• Firewall issue -- allow incoming connections?

  I have my computer set to allow incoming connections for various programs. (Almost) every time I run the programs, however, I'm asked if I want to allow the connections. Am I missing something, or is it supposed to keep asking me about that?

  Hello rokapoke:
  I have my firewall set to +"allow only essential services"+ - the highest level, I believe. I do not get those messages.
  Barry

• Cisco ASA 5505 Firewall Not Allowing Incoming Traffic

  Hello,
  I am wondering if there is a very friendly cisco guru out there who can help me out.  I am trying to switch out a cisco pix 501 firewall with a cisco ASA 5505 firewall.  I am not very familiar with all of the commands for the firewalls and have always relied on a standard command line script that I use when building a new one.  Unfortunately, my script is not working with the 5505.  Can someone please let me know what I am doing wrong with the following script?  I've masked public IP info with xxx.xxx.xxx and I run it right after restoring the firewall to the factory defaults.  I am able to get out to the internet if I browse directly from one of the servers, but cannot access a web page when trying to browse to it from an outside network.
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded 
  access-list 100 permit icmp any any unreachable
  ip address outside xxx.xxx.xxx.94 255.255.255.224
  ip address inside 192.168.1.1 255.255.255.0
  global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
  global (outside) 1 xxx.xxx.xxx.95
  nat (inside) 1 0.0.0.0 0.0.0.0 0 0
  route outside 0 0 xxx.xxx.xxx.93
  access-group 100 in interface outside
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (inside) 1 192.168.1.0 255.255.255.0 0 0
  outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.93 1 DHCP static
  static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
  static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www

  Hey Craig,
  Based on your commands I think you were using 6.3 version on PIX and now you must be  moving to ASA ver 8.2.x.
  On 8.4 for interface defining use below mentioned example :
  int eth0/0
  ip add x.x.x.x y.y.y.y
  nameif outside
  no shut
  int eth0/1
  ip add x.x.x.x y.y.y.y
  nameif inside
  no shut
  nat (inside) 1 192.168.1.0 255.255.255.0
  global (outside) 1 xxx.xxx.xxx.106-xxx.xxx.xxx.116
  global (outside) 1 xxx.xxx.xxx.95
  access-list 100 permit icmp any any echo-reply
  access-list 100 permit icmp any any time-exceeded 
  access-list 100 permit icmp any any unreachable
  static (inside,outside) xxx.xxx.xxx.95 192.168.1.95 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.95 eq www
  static (inside,outside) xxx.xxx.xxx.96 192.168.1.96 netmask 255.255.255.255 0 0
  access-list 100 permit tcp any host xxx.xxx.xxx.96 eq www
  route outside 0 0 xxx.xxx.xxx.93
  access-group 100 in interface outside
  You can use two global statements as first statement would be used a dynamic NAT and second as PAT.
  If you're still not able to reach.Paste your entire config and version that you are using on ASA.

• How to setup clients to use authentication to access OID

  Hello,
  I'd like to perform two tasks with OID:
  1) anonymous OID browse for net service entries access to everyone (simple all client configuration - add LDAP naming method and ldap.ora)
  2) password protected OID browse for particular net service entries to subset of users (for special clients who has to access restricted Net services)
  I check documentation and played a bit and finally can perform task 1) with anonymous binds
  Main problem is how to perform task 2). I try to follow guidance from http://download.oracle.com/docs/cd/E11882_01/network.112/e10836/config_concepts.htm#i484232
  that I need to put those parameters to sqlnet.ora file:
  names.ldap_authenticate_bind = TRUE
  wallet_location = location_value
  I start playing with Wallet Manager with no success yet.
  Question:
  1) Maybe somebody knows how to perform tasks above better than I suppose to do with little overhead for admin and end user?
  2) Do I need to put all OID Net Service entries to wallets for all clients?
  3) Do I need to simply create user in OID with enough privileges to access restricted net service names for browsing and put this user to wallet for all clients?
  4) Other ideas?
  Configuration:
  I setup OID 11.1.1.3.0 on Windows XP 32-bit, import Net Service entries from tnsnames.ora, setup anonymous binding.
  Thanks,
  Sergiy

  Hi
  Do you have a radius/tacacs server in your infrastructure. What you want is to authenticate the user on the ASA before they get access to the devices.
  Attached is a link to authenticating network access with the ASA
  http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043431
  HTH
  Jon

• How to setup a physical architecture for MS ACCESS in Solaris

  There isn't any odbc in Solaris platform. How can I access to MS ACCESS files?
  Thanks in advance!

  Hi, here are two solutions from metalink.
  a) Setting up a Sunopsis Agent on the Microsoft Windows system hosting the Access database which will use the ODBC / JDBC bridge for connecting to the Access database. The data may then, for example, be loaded by an Integration Interface into a Database on a Unix system for further processing.
  b) Seting up a Sunopsis Package made up of the following steps (to be executed on an Agent set up on the appropriate Microsoft Windows host)
  - 1. Run the SnpsSQLUnload Tool to extract the data to a Flat File on the Microsoft Windows host
  - 2. Use the SnpsFTP tool to transfer the file to a Unix system
  - 3. Run an Integration Interface from the Unix system file as Source.

• OBIEE Security - How to setup SSO-integrated EBS users & mobile access?

  I'm looking for the best approach to solution my company's OBIEE Security requirements, they are:
  1) Create a standard authentication/security process at an enterprise level
  2) Maintain EBS Roles to provide object-level and data-level security in OBIEE
  3) EBS Users must go through the EBS portal to get to OBIEE (ie. single signon integration)
  4) non-EBS users must go through the OBIEE portal
  5) Both EBS and non-EBS users need ability to use the OBIEE iPad mobile application
  So for the EBS users, I've implemented the SSO integration between OBIEE 11.1.1.5.0 and EBS R11 based on the Oracle white paper [ID 1343143.1]. I've also set up an Authorization session init block to read the user's EBS Roles and set up object/data level security.
  For the non-EBS users, I've kept the default identity store (WLS-LDAP) and authentication provider.
  My question is what's the best approach for providing mobile access to the EBS users? Obviously I can't pass an HTML cookie to the iPad for these guys. Assuming these EBS users are in an corporate-LDAP store, I was thinking to setup a dual authentication store that connects to both corporate-ldap(EBS) and the WLS-integrated LDAP(non-EBS).
  Will this work? Does anyone have a better approach they'd like to share?

  Please post the details of the application release, database version and OS.
  We have a customer, who has upgraded to EBS R12 recently. With EBS R12 there comes a responsibility that enables users to directly open embedded BI in EBS. When people do LDAP authentication to EBS, they can directly open the OBIEE inside the EBS. But, when the EBS is SSO (OAM+WNA) integrated, OBIEE SSO in EBS does not work. What is the error?
  It could be related that OAM generated cookies are not recognized by embedded OBIEE.
  Is there a way to do a setup with both OAM SSO enabled to EBS, and EBS-OBIEE SSO is enabled inside EBS ? I do not think there is a single document that covers all the above (I believe you are aware of the individual docs).
  For urgent issue, please always log a SR.
  Thanks,
  Hussein

• How can I change settings to allow Spotify access?

  i signed up for Spotify and think i need to change firefox setting to access. Please advise. thanks

  Try the Firefox SafeMode. <br />
  ''A troubleshooting mode, which disables most Add-ons.'' <br />
  ''(If you're not using it, switch to the Default Theme.)''
  # You can open the Firefox 4/5/6/7 SafeMode by holding the '''Shft''' key when you use the Firefox desktop or Start menu shortcut.
  # Or use the Help menu item, click on '''Restart with Add-ons Disabled...''' while Firefox is running. <br />
  ''To exit the Firefox Safe Mode, just close Firefox and wait a few seconds before using the Firefox shortcut (without the Shft key) to open it again.''
  If it is good in the Firefox SafeMode, your problem is probably caused by an extension, and you need to figure out which one. <br />
  http://support.mozilla.com/en-US/kb/troubleshooting+extensions+and+themes

• Firewall in set access mode let "allow incoming connections" without me

  I have set up my firewall to allow incoming connections for a file sharing client under "Set Access for specific services and applications", and I noticed that Skype, iChatagent, and Safari all included themselves to be set under allow as well a week later. I did not enter this in manually. How did this occur?

  I am quite befuddled by the 10.5 firewall. Maybe I'm thinking too much, but I've read all the documents I could get a hold of, and I still find it confusing and often conflicting in the specifics.
  For starters, there is the cryptic remark of ""Mac OS X normally determines which programs are allowed incoming connections. Select this option if you want to allow or block incoming connections for specific program." Presumedly the "option" it is referring to is the "Set access for specific services..." option, which implies that the "normally determines" circumstance refers to the first two options. But, "Allow all incoming connections" supposedly allows everything, and "Allow only essential services" supposedly blocks everything (except for two or three things). Where in either of these cases would OS X be "determining" anything, and if it does, what criteria is it using?
  The next thing I don't understand: when the option is set to "Set access for specific services", which applications does OS X explicitly ask permissions for? It seems that it since the firewall is only blocking incoming connections, it should only ask for applications that look like they want to accept incoming connections (i.e., server applications). But for me, it asks for permission for applications like Cyberduck (ftp app), and Microsoft Word 2004. In addition, the poster above mentioned Safari made it onto the list. To me, neither Cyberduck nor Safari should matter, since they are both purely client applications that only receive incoming data when it is requested by them, no? And what business does Word have in wanting to accept incoming connections? (maybe this is a question for Microsoft, not Apple).
  Well, I have a list of other questions about half a page long, but if anyone can help with those two, it would be a big help.

• ITunes always asks to allow incoming connections

  I have the apple firewall turned on. iTunes is set in the firewall to allow incoming connections.
  With iTunes Home Sharing turned on every time I start iTunes I am asked to allow incoming connections. I reply yes and the next time I restart iTunes I am asked the same question again.
  If I turn iTunes Home Sharing off I am never asked about allowing incoming connections when I use iTunes.
  Is there something else I should be doing? ( other than turning the firewall off )
  Any help would be appreciated.

  If you are experiencing this problem on your Mac, follow these simple steps to get rid of the Allow or Deny popups:
  1. Go to the Applications folder and drag iTunes to the Trash. Don’t worry, your music, videos, and entire media library are not affected and will still be there. Only the iTunes software will be uninstalled (though it's always wise to have a backup, particularly of your iTunes Store purchases or anything else that would be difficult/expensive to replace).
  2. Reboot or log out of your Mac. This step may or may not be necessary, but it certainly doesn’t hurt.
  3. When you are logged back in, go to Apple’s website to download the latest version of iTunes if you haven't already..
  4. Install iTunes. Do not import any songs or videos if it prompts you to do so.
  All of your media should be right where you left it the first time your fresh installation of iTunes is opened. If you get another firewall popup asking to Allow or Deny incoming network connections, make your choice and that should be the last time you see it. Future iTunes launches shouldn't pester you anymore.
  From: MacYourself
  http://www.macyourself.com/2009/08/19/itunes-keeps-asking-to-allow-or-deny-incom ing-connections/
  Hope this helps.

• Firewall keeps prompting to allow incoming connections

  Hi,
  This is, by far, Lion's most annoying new feature. Every time I open iTunes after startup, I get asked to allow incoming connections through the firewall. This behavior started happening after I made the mistake of upgrading to Lion. Removing itunes from the listed of allowed software does absolutely nothing, almost as if the program is just a blank field with no actual code running behind it. The excepetion gets added back to the firewall every time the Mac is restarted along with the prompt. iTunes' startup often hangs upon waiting for this prompt to appear and be answered.
  Disabling the firewall is not an option, nor is reinstalling iTunes as it is the firewall which seems to be the problem. Rolling-back to 10.6.8 is also not a possibility at this time. I can't be the only one with this problem. Anyone else?

  Hi!
  I re-enabled firewall just to see if it was solved on 10.7.3 and, as you said, no way. Everytime I startup my iMac, Firewall is prompting me to allow incoming connections for iTunes, but not for the rest of the other software I'm using, which I was asked for just once.
  Could you solve it?

• How to setup user's rights to modify Windows Firewall Rules?

  I would like to have an account in my system that doesn't have any other administrative privileges besides rights to modify the Windows Firewall rules by means of Firewall API. How to setup a minimal set of rights for this account to do the task?
  Right now what I see is that if I try to call INetFwRule::put_RemoteAddresses from an account without administrative privileges, the call fails with access denied. There is no means to find out access to what is needed. The call fails even if the process
  is run under high integrity level.
  I tried to setup global security audit, but there were no relevant events logged.
  I tried to monitor the process with procmon, there were no any access denied events logged.
  I tried to give the full access for this account to the correspondent registry keys. It didn't help.
  I stepped firewallapi.dll in a debugger and found out that what fails is an RPC call to some COM interface proxy. I assumed that probably it is a remote call to some HNetCfg.FwRule method. I tried to add the user account to the HNetCfg.FwRule launch and
  access permission ACLs in the DCOM configuration utility. It didn't help either.
  Dear Microsoft, why did you do such a simple thing as settings user rights so difficult? Can you reveal the secret what rights and privileges I have to set?
  Thanks in advance.
  Dei nostra Matrix est.

  Here is what I found so far.
  The firewall service calls RpcServerRegisterAuthInfo to setup RPC security from FwRpcAPIsRegisterAuthInfo. It happens during registration of RPC interfaces in FwRpcAPIsInterfaceCreate. FwRpcAPIsInterfaceCreate is called from FwRpcAPIsInitialize. And FwRpcAPIsInitialize
  is used from FwServiceAsyncStartupRoutine.
  After calling FwRpcAPIsRegisterAuthInfo function FwRpcAPIsInterfaceCreate calls ConvertStringSecurityDescriptorToSecurityDescriptor, which converts a textual description of a security descriptor to some binary form.
  So my guess is that access rights are hard coded inside mpssvc.dll and what I have to do is just to find the textual representation of the correspondent descriptor.
  I found 8 descriptors inside mpssvc.dll:
  O:SYG:SYD:(A;;RCWD;;;BA)(A;;RCWD;;;NO)
  O:SYG:SYD:(A;;RCWD;;;S-1-5-80-2940520708-3855866260-481812779-327648279-1710889582)(A;;RCWD;;;S-1-5-80-3526382388-830156861-4107432654-3665941875-1028450966)
  O:SYG:SYD:(A;;RCWD;;;S-1-5-80-62724632-2456781206-3863850748-1496050881-1042387526)
  O:SYG:SYD:(A;;RCWD;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
  O:SYG:SYD:(A;;RC;;;BA)(A;;RC;;;NO)(A;;RCWD;;;CY)
  O:SYG:SYD:(A;;RCWD;;;BA)(A;;RCWD;;;NO)(A;;RC;;;CY)
  O:SYG:SYD:(A;;RCWD;;;BA)(A;;RCWD;;;NO)(A;;RC;;;AU)
  O:SYG:SYD:(A;;RC;;;AU)
  I don't know yet which one corresponds to changing a firewall rule.
  Dei nostra Matrix est.

• How to setup a Default Playlist to Airport but allows BYOD playlist override?

  Sorry for the unclear description.
  Here is what I am trying to accomplish.  I have my laptop or ipod playing a default playlist to my Airport express attached to my Stereo system.  The music plays fine with no issues.  I come into the house and want to play music from my iphone or ipad, I cannot connect or play to airport express since it is already sync'd or acquired by my laptop.
  My goal is to have a default playlist playing all the time.  When myself, my kids, or anyone comes in to house they can have priority over my laptop to play their music.  Then when they disconnect, stop playing music, or leave the house; the default playlist kicks back on and continues to play out the speakers via the airport.  I am trying to do this without human manual interaction.
  I can do all of this manually like disconnect laptop, new device syncs to airport, then when they leave manually start playlist.  But I am trying to figure out how to do this dynamically without human interaction.
  Any ideas or solutions on how to get this to work?
  Thanks!
  T.

  Hello,
   I'm either blind or over-worked (probably both) but I can't seem to find how to setup a DMZ on the XTM 330. I need to add an Avaya IP phone system and don't want to try using SIP because the vendor said they need no NAT.
  Can someone please either direct me to the correct spot in the documentation or tell me how to do it?
  Thanks in advance
  This topic first appeared in the Spiceworks Community

• Skype installed. Icon in Apps folder. Login ok... Skype logo, my name with "logout" next to it. Stopped right there. "check network connections".Skype guy said firewall must allow but FW is not even turned on. Have Airport router.

  Skype installed. Icon in Apps folder. Login ok... Skype logo, my name with "logout" next to it. Stopped right there. "check network connections". Skype guy said firewall must allow but firewall is not even turned on. Have Airport router.
  How do I allow Skype to get past network?

  You make no mention of which OS you are using.  The following are Yosemite instructions:
  System Preferences>Security & Privacy>Firewall>Unlock the padlock.
  Click on the Firewall Options button.
  Click the + (plus) button & do the necessary to add Skyp & to allow incoming connections.  When done, click the OK button & lock the padlock.
  Restart your computer.  Report back the results.

• How to setup DMZ on Watchguard XMT 330

  Hi PCITech,there is nothing, that could be directly called a 'DMZ' as you find it on some low end routers.Instead you have network interfaces, that each may represent their own full blown network (if you set them up for that). By default WatchGuard allows you to select between 'trusted' and 'optional' for a new network, that you configure, but you can also select 'custom'. Later, when you write firewall rules, you can than reference 'Any-Trusted' and 'Any-Optional' in your rules. But sometimes you don't want a network to follow the rules, that you have in place for 'Any-Optional' and than you need to set that network as a 'Custom' network.If you want to make a server in one of these additional networks accessible by the outside world, you have to set up SNAT rules, that connect between an external interface IP/port and your internal...

  Hello,
   I'm either blind or over-worked (probably both) but I can't seem to find how to setup a DMZ on the XTM 330. I need to add an Avaya IP phone system and don't want to try using SIP because the vendor said they need no NAT.
  Can someone please either direct me to the correct spot in the documentation or tell me how to do it?
  Thanks in advance
  This topic first appeared in the Spiceworks Community

• When using Microsoft office programs it alwasy asks if i want to "Allow incoming connection"

  Ok guys i have check my firewall and I have it set to allow incoming connections yet it still always asks. How do I fix this?

  Any Front Row, Apple TV, or iDevices around?
  See 2nd to last post here...
  http://rafsoftware.com/rafsoftware/forums/viewtopic.php?f=5&t=17&start=10
  Little Snitch, stops/alerts outgoing stuff, I wonder if you tried that & set it to allways allow whatever VNC or port 5900 wants...
  http://www.obdev.at/products/littlesnitch/index.html