JMX, Firewall and javaagent option

Hey all,
I'm working on setting up JMX monitoring on the JVMs running in our environment. Most of those JVMs are running third party applications supplied by our customers and are heavily protected by firewalls. So i needed to use the JavaAgent strategy to be able to set a fixed port for the JMX agent. (see: http://java.sun.com/javase/6/docs/technotes/guides/management/agent.html)
This all works very nice except that the JVM will never exit. The RMI Reaper is a non-daemon thread and will have to be stopped manually before the JVM will shutdown. The application has no knowledge of the RMI Reaper (as it is started from the premain method). A ShutdownHook doesn't work because those are called after the JVM decided to shutdown or when an external event is triggered (Ctrl-C) for example.
For now i have this horrible workaround. I create a thread that checks if there is still a main thread in the JVM. If there isn't it shuts down the JMX server and that allows the JVM to close down. Is there a better way of doing this? below is the code:
public class JMXAgent {
    private static JMXConnectorServer cs;
    private static Logger logger;
    public static void premain(String agentArgs, Instrumentation inst) {
           /** snip */
           JMXServiceURL url =
                    new JMXServiceURL("service:jmx:rmi://0.0.0.0:" + RMIConnectorPort + "/jndi/rmi://:" + RMIRegistryPort + "/jmxrmi");
            cs = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        // Setup the failsafe
        Thread failsafeThread = new MainCheckerThread();
        failsafeThread.start();
        logger.fine("MainChecker Thread created.");
        // Setup the shutdown hook
        Thread shutdownThread = new ShutdownThread();
        Runtime.getRuntime().addShutdownHook(shutdownThread);
        logger.fine("SchutdownHook implemented.");
    public static void stop() {
        try {
            logger.info("Stop called");
            cs.stop();
        } catch (IOException ex) {
            ex.printStackTrace();
     * Shutdown thread that allows the tracer to write out any final
     * information.
    private static class ShutdownThread extends Thread {
        @Override
        public void run() {
            JMXAgent.stop();
            Runtime.getRuntime().halt(0);
    private static class MainCheckerThread extends Thread {
        @Override
        public void run() {
            boolean found = true;
            while (found) {
                Logger.getLogger(this.getClass().getName()).finest("Ping!");
                ThreadGroup root = Thread.currentThread().getThreadGroup();
                while (root.getParent() != null) {
                    root = root.getParent();
                Thread[] list = new Thread[400];
                int threads = root.enumerate(list, true);
                found = false;
                for (int i=0; i<threads; i++) {
                    if (!list.isDaemon()) {
if (list[i].getName().equals("main")) {
found = true;
if (!found) {
/** No main found, stop the RMI server */
JMXAgent.stop();
} else {
try {
Thread.sleep(10000);
} catch (InterruptedException ex) {
JMXAgent.stop();
found=false;

Hi Hugo,
This is a very interesting question.
What happens here is that the RMI object exported by the JMX connector server prevents
the RMIReaper thread from terminating: as long as the JMX connector server is active, its
exported RMIServer object will remain active, and the RMI Reaper thread will stay there
waiting for the RMIServer object to be unexported.
This is in fact a feature: JMX connector servers where designed to be controlled by
the application itself. In the usual way of using JMX Connector Server, you would start your
server in main() (or some application equivalent of main) and stop it later on before exiting
your application.
Things got a little more complex when we introduced the 'out-of-the-box management'.
In the 'out-of-the-box management' the default connector is not controlled by the application
but by the VM - or more exactly by an agent loaded in the VM. As you rightly noticed, the
agent has no idea as to when the application (the main) will exit.
The default 'out-of-the-box management' agent is thus conspiring with RMI (using sun
private APIs) to export its RMIServer object, so that its exported RMIServer doesn't
prevent the RMI Reaper thread to terminate. These APIs are unfortunately private and
non portables (and low-level).
Maybe we should think of supporting some kind of 'daemon connector servers' for the future.
The ability of starting JMX Connectors servers in premain agents obviously makes this desirable.
Concerning your 'hack' that detects the end of the main thread I will make two observations:
1) such a hack might work if indeed the application is expected to exit when the main thread
terminates. This is not always the case - for instance consider this:
    public void main(String[] args) {
           final Thread myMainThread = new Thread("My real main thread") {
                 public void run() {
                        try {
                              System.out.println("Strike <return> to exit: ");
                              System.in.read();
                        } catch(Exception x) {
                              x.printStackTrace();
             myMainThread.start();
      }Such an application will wait for the user to strike enter to exit, although the main thread is
already terminated and gone. So the termination of main thread doesn't necessarily means
that the application is finished.
2) The concept of detecting a main thread is tenuous. What happens if an application does
new Thread("main") ?
This being said - detecting the absence of "main" thread might be sufficient to your needs in
most of the case. If you simply call JMXConnectorServer.stop() when you detect that the
main thread is no longer there - the only risk you will be taking is stopping the
JMXConnectorServer ahead of time, before the application actually exits. If you want
to implement such a hack - you might wish to use the following logic:
    // Attempts to find a "main" thread
    public static Thread findmain() {
        // When the premain agent is loaded from the command line the
        // current thread is the main thread....
        final Thread current = Thread.currentThread();
        if (current.getName().equals("main")) return current;
        // If the premain agent was loaded from the attach API, or by some
        // other means, the current thread might not be the main thread.
        // Try to find a main thread using Thread.enumerate()
        // The main thread should be already there, allocate some
        // more space than needed just to be sure we do get it, even if
        // new threads are created in between.
        final Thread[] all = new Thread[Thread.activeCount()+100];
        final int count = Thread.enumerate(all);
        // Try to find the main thread
        for (int i=0;i<count;i++) {
            if (all.getName().equals("main")) return all[i];
return null;
public static void premain(String agentArgs)
throws IOException {
final JMXConnectorServer cs = .....
cs.start();
final Thread main = findmain();
final Thread clean = new Thread("JMX Agent Cleaner") {
public void run() {
try {
if (main != null) main.join();
System.out.println("main thread exited...");
} catch (Exception x) {
x.printStackTrace();
} finally {
try {
System.out.println("cleaning up JMX agent...");
cs.stop();
} catch (Exception x) {
x.printStackTrace();
clean.setDaemon(true);
clean.start();
If you really want your JMXConnectorServer to stop() at the latest possible time, you could
for instance modify this logic to find the first non daemon thread (excluding RMI Reaper and
DestroyJavaVM threads), join it, and loop over this until the only non daemon thread that
remains is/are the RMI Reaper threads, in which case you would close the
JMXConnectorServer.
This would not be completely foolproof either because the normal behavior of the application
could precisely be to be held alive by an exported object, and waiting on some
external communication to stop. So even counting the non-daemon thread until only
the RMI Reaper threads remain doesn't necessarily means that the application is
finished...
Here is an example of CleanThread class that implements the logic above:
public class JMXAgent {
    public static class CleanThread extends Thread {
        private final JMXConnectorServer cs;
        public CleanThread(JMXConnectorServer cs) {
            super("JMX Agent Cleaner");
            this.cs = cs;
            setDaemon(true);
        public void run() {
            boolean loop = true;
            try {
                while (loop) {
                    final Thread[] all = new Thread[Thread.activeCount()+100];
                    final int count = Thread.enumerate(all);
                    loop = false;
                    for (int i=0;i<count;i++) {
                        final Thread t = all;
// daemon: skip it.
if (t.isDaemon()) continue;
// RMI Reaper: skip it.
if (t.getName().startsWith("RMI Reaper")) continue;
if (t.getName().startsWith("DestroyJavaVM")) continue;
// Non daemon, non RMI Reaper: join it, break the for
// loop, continue in the while loop (loop=true)
loop = true;
try {
System.out.println("Waiting on "+t.getName()+
" [id="+t.getId()+"]");
t.join();
} catch (Exception ex) {
ex.printStackTrace();
break;
// We went through a whole for-loop without finding any thread
// to join. We can close cs.
} catch (Exception ex) {
ex.printStackTrace();
} finally {
try {
// if we reach here it means the only non-daemon threads
// that remain are reaper threads - or that we got an
// unexpected exception/error.
cs.stop();
} catch (Exception ex) {
ex.printStackTrace();
public static void premain(String agentArgs)
throws IOException {
final JMXConnectorServer cs = .....
cs.start();
final Thread clean = new CleanThread(cs);
clean.start();
Thanks for bringing this to my attention! I'm probably going to have to update my entry
on this subject at
http://blogs.sun.com/jmxetc/entry/connecting_through_firewall_using_jmx
Hope this helps,
-- daniel
http://blogs.sun.com/jmxetc

Similar Messages

  • Help needed with Firewall and pureftpd

    I am having trouble getting the Leopard Firewall to let through ftp connections with PureFTPD manager 1.7
    On a clean install of Leopard I set the firewall to "Set access for specific services and applications". For ssh, and apache (web sharing) this worked just fine.
    I then installed PureFTPD Manager 1.7 (The version that is supposed to work with Leopard).
    However I have been unable to get the firewall to let through connections to the pure-ftpd server.
    I selected "allow" when OSX prompted me whether ProFTPD should be permitted to open a port. That worked right after I installed ProFTPD Manager until I reset the computer. Then it stopped working.
    I tried adding the pure-ftpd application to the application list in the Firewall settings. That didn't work.
    I always get "Deny pure-ftpd connecting from ..." in the firewall log.
    Has anyone out there gotten pro-ftpd to work with the Leopard firewall set to "Set access for specific services and applications?"
    Please don't suggest to disable the firewall or to use ipfw. Disabling the firewall I don't consider a reasonable solution for a computer that is exposed to the internet, and I would prefer not to have to use ipfw for everything.
    Thank you

    I'm assuming that this works fine if you disable the firewall altogether, correct?
    ipfw won't help you here since the way that the leopard firewall is setup, it's already set as an 'allow all'.
    Rather than waiting for the 'do you want to allow...' dialog to come up, have you tried clicking the + in the firewall and adding the application directly?
    Also, can you describe how you are performing your tests? From the same system or a different system? From behind a router/firewall or on the same segment?
    You may also want to read through this post on how the firewall works. It sounds like you already understand 99% of it though. http://discussions.apple.com/thread.jspa?threadID=1337153&tstart=0#6317068
    One last resort option would be to delete the firewall preference file and reboot to start over.
    You'd want to nuke /Library/Preferences/com.apple.alf.plist

  • On my mac should i turn on the firewall; and file vault or just leave them off?

    On my mac should I turn on the firewall; and file vault or just leave them off?

    Yes, you should turn on your Firewall, and in the advanced options, select 'stealth mode'.
    Unless you want to encrypt your hard drive, you don't need File Vault and can leave it off.

  • McAfee Firewall and scanning

    I have a B520 Idea centre with the following installed:-
        BT Net Plus (McAfee) installed through my BT Internet package
        Windows 8 upgrade (which updated the Windows 7 which was originally installed)
    Last week a message appeared telling me that the McAfee Firewall and Anti Virus were turned off.
    When I went to them I could not turn them on. I deleted and then re-installed BT Net plus but it did not fix the problem.
    I then thought I would do a system restore to an earlier date but at the end of this I got the following error message:-
    System restore failed while deleting the following
    Path C:\Windows\System32\DRIVERS\b95df1c913bec87a.sys
    an unexpected error ocurred 0x8007007b
    I also seem to have lost the option to restore the complete system to the default option.
    Does anyone have any ideas on what could fix this and also, is there any way I can now restore the complete system back to its original state with Windows 7
    Thanks for any help
    Solved!
    Go to Solution.

    hi FJAYM,
    Welcome to Lenovo Community Forums!
    If you have a wired Keyboard, Shut the computer down and turn it back on then right away start tapping F2
        this should boot you up to a recovery menu where you can select recovery and and will let you Restore it to factory Settings. Windows 7 might be reloaded to the system.
          If this does not work, you might need to contact Technical Support in your location and ask how to obtain the REcovery CDs
    Regards
    Solid Cruver
    Did someone help you today? Press the star on the left to thank them with a Kudo!
    If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"! This will help the rest of the Community with similar issues identify the verified solution and benefit from it.
    Follow @LenovoForums on Twitter!

  • Trying to figure out pricing and plan options to add multiple computers to current subscirption. We currently have a subscription that allows the programs on two computers, but now I need 5 computers to be updated with CC.

    Trying to figure out pricing and plan options to add multiple computers to current subscirption. We currently have a subscription that allows the programs on two computers, but now I need 5 computers to be updated with CC. Have looked in to Small Business teams, but do not understand how many computers that is good for and if there is a professor or previous customer discount. Any help would be great, thanks!

    Hi,
    I presume that the new configuration is missing some parts as you seem to have the IP address of the external interface configured staticly on the interface but you have not configured any default route on the firewall? (Original configuration got default route dynamically and added it to the routing table)
    You also mentioned that you were able to connect to the Internet which would indicate there was indeed a default route with the new configuration?
    I am a bit confused about the host mask on the external interface (/32 - 255.255.255.255) ? Does the ASA really let you configure a host address on the interface? It can't lead anywhere as there is no next hop with a host mask. I think the ASA even blocks using a /31 mask link network which works with Cisco Routers.
    I guess I would go through the basic troubleshooting step when the new configuration is in use
    Check logs for any blocked connections or error messages
    Check the Static PAT (Port Forward) configuration with the "packet-tracer" command
    Capture traffic on the ASAs external interface (with the ASA itself) and confirm that you are seeing the TCP SYN of any connection attempts, or perhaps capture ICMP
    - Jouni

  • Arno-iptables-firewall and CUPS

    Hello everyone.
    I'm having a problem with my firewall and CUPS. The thing is, when I try to print when the firewall is active the programs (kword, kcontrol, etc) can't contact cups daemon. But when the firewall is stopped I can print normally. The problem is obviously something with the firewall configuration.
    So, the question is, does anyone know how should I configure the firewall (Arno's iptables firewall) in order to solve this problem?. I thought about opening the cups port (631) but this wouldn't be the best solution. I don't want to open a port that shouldn't be open.
    The weird thing is that I can access cups thru localhost:631 using konqueror but incredibly slowly. I don't know why the firewall is blocking cups.
    I almost forget. Before you ask the printer is connected direcly to my computer. Is not a network printer. I have the needed module loaded (usblp) and the cups server is running.
    Thanks in advance,
    Gonza
    Last edited by Gonzakpo (2008-06-20 20:16:20)

    Hello.
    I tried the command iptables -F but nothing. The cups server is still unreacheable by kcontrol.
    After running arno's firewall, the iptables -vL output is:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    15 2568 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED tcp dpts:1024:65535
    0 0 ACCEPT udp -- any any anywhere anywhere state RELATED udp dpts:1024:65535
    0 0 ACCEPT icmp -- any any anywhere anywhere state RELATED
    8 1515 HOST_BLOCK all -- any any anywhere anywhere
    8 1515 SPOOF_CHK all -- any any anywhere anywhere
    8 1515 VALID_CHK all -- eth0 any anywhere anywhere
    8 1515 EXT_INPUT_CHAIN !icmp -- eth0 any anywhere anywhere state NEW
    0 0 EXT_INPUT_CHAIN icmp -- eth0 any anywhere anywhere state NEW limit: avg 60/sec burst 100
    0 0 EXT_ICMP_FLOOD_CHAIN icmp -- eth0 any anywhere anywhere state NEW
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `Dropped INPUT packet: '
    0 0 DROP all -- any any anywhere anywhere
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0 0 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED tcp dpts:1024:65535
    0 0 ACCEPT udp -- any any anywhere anywhere state RELATED udp dpts:1024:65535
    0 0 ACCEPT icmp -- any any anywhere anywhere state RELATED
    0 0 HOST_BLOCK all -- any any anywhere anywhere
    0 0 UPNP_FORWARD all -- eth0 !eth0 anywhere anywhere
    0 0 SPOOF_CHK all -- any any anywhere anywhere
    0 0 VALID_CHK all -- eth0 any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/min burst 3 LOG level info prefix `Dropped FORWARD packet: '
    0 0 DROP all -- any any anywhere anywhere
    Chain OUTPUT (policy ACCEPT 8 packets, 552 bytes)
    pkts bytes target prot opt in out source destination
    0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    7 340 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    8 552 HOST_BLOCK all -- any any anywhere anywhere
    0 0 LOG all -f any any anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FRAGMENTED PACKET (OUT): '
    0 0 DROP all -f any any anywhere anywhere
    8 552 EXT_OUTPUT_CHAIN all -- any eth0 anywhere anywhere
    Chain DMZ_INET_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain DMZ_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain DMZ_LAN_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain EXT_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain EXT_ICMP_FLOOD_CHAIN (1 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG icmp -- any any anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp destination-unreachable
    0 0 LOG icmp -- any any anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp time-exceeded
    0 0 LOG icmp -- any any anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp parameter-problem
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-request limit: avg 12/hour burst 1 LOG level info prefix `ICMP-request(ping) flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-reply limit: avg 12/hour burst 1 LOG level info prefix `ICMP-reply(pong) flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-reply
    0 0 LOG icmp -- any any anywhere anywhere icmp source-quench limit: avg 12/hour burst 1 LOG level info prefix `ICMP-source-quench flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp source-quench
    0 0 LOG icmp -- any any anywhere anywhere limit: avg 12/hour burst 1 LOG level info prefix `ICMP(other) flood: '
    0 0 DROP icmp -- any any anywhere anywhere
    Chain EXT_INPUT_CHAIN (2 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG tcp -- any any anywhere anywhere tcp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `TCP port 0 OS fingerprint: '
    0 0 LOG udp -- any any anywhere anywhere udp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `UDP port 0 OS fingerprint: '
    0 0 DROP tcp -- any any anywhere anywhere tcp dpt:0
    0 0 DROP udp -- any any anywhere anywhere udp dpt:0
    0 0 LOG tcp -- any any anywhere anywhere tcp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `TCP source port 0: '
    0 0 LOG udp -- any any anywhere anywhere udp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `UDP source port 0: '
    0 0 DROP tcp -- any any anywhere anywhere tcp spt:0
    0 0 DROP udp -- any any anywhere anywhere udp spt:0
    4 1314 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
    0 0 ACCEPT tcp -- + any anywhere anywhere tcp dpt:4872
    0 0 ACCEPT udp -- + any anywhere anywhere udp dpt:4875
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-request limit: avg 3/min burst 1 LOG level info prefix `ICMP-request: '
    0 0 LOG icmp -- any any anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable: '
    0 0 LOG icmp -- any any anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded: '
    0 0 LOG icmp -- any any anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem: '
    0 0 DROP icmp -- any any anywhere anywhere icmp destination-unreachable
    0 0 DROP icmp -- any any anywhere anywhere icmp time-exceeded
    0 0 DROP icmp -- any any anywhere anywhere icmp parameter-problem
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-reply
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (UNPRIV)?: '
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:0:1023 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (PRIV)?: '
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
    0 0 LOG udp -- any any anywhere anywhere udp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
    2 96 LOG tcp -- any any anywhere anywhere tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
    1 57 LOG udp -- any any anywhere anywhere udp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
    3 144 DROP tcp -- any any anywhere anywhere
    1 57 DROP udp -- any any anywhere anywhere
    0 0 DROP icmp -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `Other-IP connection attempt: '
    0 0 DROP all -- any any anywhere anywhere
    Chain EXT_OUTPUT_CHAIN (1 references)
    pkts bytes target prot opt in out source destination
    Chain HOST_BLOCK (3 references)
    pkts bytes target prot opt in out source destination
    Chain INET_DMZ_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain LAN_INET_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain LAN_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain MAC_FILTER (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_OUTPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain RESERVED_NET_CHK (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- any any 10.0.0.0/8 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class A address: '
    0 0 LOG all -- any any 172.16.0.0/12 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class B address: '
    0 0 LOG all -- any any 192.168.0.0/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class C address: '
    0 0 LOG all -- any any 169.254.0.0/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class M$ address: '
    0 0 DROP all -- any any 10.0.0.0/8 anywhere
    0 0 DROP all -- any any 172.16.0.0/12 anywhere
    0 0 DROP all -- any any 192.168.0.0/16 anywhere
    0 0 DROP all -- any any 169.254.0.0/16 anywhere
    Chain SPOOF_CHK (2 references)
    pkts bytes target prot opt in out source destination
    8 1515 RETURN all -- any any anywhere anywhere
    Chain UPNP_FORWARD (1 references)
    pkts bytes target prot opt in out source destination
    Chain VALID_CHK (2 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-PSH scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-ALL scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/min burst 5 LOG level info prefix `Stealth FIN scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/RST scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/FIN scan(?): '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/min burst 5 LOG level info prefix `Stealth Null scan: '
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0 0 LOG tcp -- any any anywhere anywhere tcp option=64 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(64): '
    0 0 LOG tcp -- any any anywhere anywhere tcp option=128 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(128): '
    0 0 DROP tcp -- any any anywhere anywhere tcp option=64
    0 0 DROP tcp -- any any anywhere anywhere tcp option=128
    0 0 DROP all -- any any anywhere anywhere state INVALID
    0 0 LOG all -f any any anywhere anywhere limit: avg 3/min burst 1 LOG level warning prefix `Fragmented packet: '
    0 0 DROP all -f any any anywhere anywhere

  • Firewall and ACS

    I've configured firewall to use ACS but the firewall locks me ou when the ACS is nt available
    my question is is there any command i hae to configure on the firewal to be able to get to it when the ACS is unavailable
    another question is I cannot run firewall on pixshel command it waill authenticate but fail to authorize Im running version 3.3(4)
    thanks in advance

    Try to configure AAA on firewall through PDM becasue it will be easy for you and you will find an option that first preference will be TACACS+ and other option will be LOCAL,what will happen is first it will try for ACS server if not available it will authenticate with username configured in pix local database. Also create a local user with maximum privilege in pix so that authentication is successful. This will solve your problem.
    As per my knowledge you cannot run pixsshell with current PIX IOS version 6.3 it may support in future IOS release.

  • Guest LAN and DHCP Options not passing through

    Managed to get the Guest LAN up and running for wired clients and all's working well.  Users are sat behind a proxy and if I force the use of a appropriate wpad file I can get the WLC auth to happen and then push off to the proxy.
    I'm trying to use option 252 in DHCP to present the WPAD url.  Only issue that happens is that while the DHCP server on the egress interface is handing out addresses to clients on the ingress interface correctly, the WLC doesn't appear to be handing through the option 252 I have set in DHCP.  I've used network monitor to see what the dhcp request process is dishing out in terms of options, and all look good if I'm not behind the WLC.
    Anyone know if theres a limitation on the WLC that prevents DHCP options being passed through to the guest LAN?
    TIA

    When configured as a DHCP server, some of the firewalls do not support DHCP requests from a relay agent. The WLC is a relay agent for the client. The firewall configured as a DHCP server ignores these requests. Clients must be directly connected to the firewall and cannot send requests through another relay agent or router. The firewall can work as a simple DHCP server for internal hosts that are directly connected to it. This allows the firewall to maintain its table based on the MAC addresses that are directly connected and that it can see. This is why an attempt to assign addresses from a DHCP relay are not available and the packets are discarded. PIX Firewall has this limitation.
    For more information please refer to the link-http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml

  • Replacing BM on NW with the ISP firewall and NAT

    Replacing BM on NW with the ISP firewall and NAT
    Hi!
    LAN is a tree with 3 servers:
    1. NW 6.5 sp8 + BorderManager 3.9 sp 2
    2. NOWS SBE 2.5 (Suse) - DNS\DHCP
    3. NOWS SBE 2.0 (Suse)
    Since I'm connected to the internet through my ISP router (XBOX- Checkpoint), I am considering to remove the first server (firewall) and ask my ISP ro configure the router as a firewall and NAT too.
    What are the steps needed to do it without any demages?
    TIA
    Nanu

    nanu,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Are CC and BCC options available in XML Publisher email?

    I am working in XML publisher phase 2. I want to know whether there is any way to set CC and BCC options in email outputs.
    If yes, how can I do?
    What is the way to sent same mail to multiple persons?
    Thanks in Advance
    Sudheesh Sudhakar

    Have you looked in Mail Help? When I search for Bcc there, I get an article titled “Keeping confidentiality” and another titled “Sending an email to several people” that appear to contain the information you’re looking for, including what Klaus suggested and more...

  • I have created a PDF and password protected it for view. However, when reading the PDF in Adobe Reader app on the iPad the commenting and annotation options are not available. Is there a way to allow commenting and annotation in the app while password pro

    I have created a PDF and password protected it for view. However, when reading the PDF in Adobe Reader app on the iPad the commenting and annotation options are not available. Is there a way to allow commenting and annotation in the app while password protecting the document?

    Is there a setting that needs to be set to allow the annotation features?  I set password protection to open and then password for editing and set it to Any except page extraction, but it still did not give the annotation option

  • Error message about firewall and internet sharing

    hello all i have a question regarding the use of firewall and internet sharing.
    I have a PMG5 connected to internet through Airport. I've linked an Xbox 360 via the built-in ethernet port in order to access Xbox Live. I had to open specific UDP ports on the OS X firewall but it now works fine. However, in the Sharing Preference Pane, Internet Tab, i still get an error message saying that my Internet Sharing is disturbed by the settings of the firewall and sharing services, it says that i did not activate "personal web sharing" in the first two tabs...but i DID ! And there's no way to get rid of this error message.
    I know I know some may consider it's not a real problem because it's just an error message while the connection actually works fine but well, I tend to hate error messages when they're not supposed to show up. So if anyone know the answer, thanks in advance...
    Good day to everyone
    Vince, Paris...

    sorry about the delay in replying, was kinda busy
    well trashing the pref files was useless and i tried with another user, same thing. As for the second opinion, the problem was not about which port was used cause as i said the connection sharing works fine and anyway it was the correct port that was checked, it's just that i get an error message while there is no apparent error and everything works fine, i'm told that personal web sharing is not enabled but it is...
    Anyway as i said, it's probably not a real matter, as long as it works...which brings me to another thing. I've created a special protocol in the firewall to enable a proper dialog with the xbox. it's basically the same thing you do for ichat AV when you have video connection problems, you track down the concerned UDP port using terminal, you allow traffic and all... The protocol for the xbox worked great for some days, but now it seems it's not enough, the game set keeps trying on another port and i constantly have to update the protocol or deactivate the firewall...and enabling back all UDP traffic is not enough to solve it.
    In a way i think everything is linked, the initial error message when everything was fine and the current trouble. Any idea?
    thanks
    Vince

  • How to restrict 'Broadcast and Export' option of BW report through web.

    Helllo,
    Please anyone let me know, how NOT to give/allow "Broadcast and Export' option in BW report, when accessed through Web.
    Is there is any Auhtorization object which restrictes this option.

    Hi,
    Please check this, it may help you.
    http://help.sap.com/saphelp_nw70/helpdata/en/80/1a68b4e07211d2acb80000e829fbfe/frameset.htm
    Regards,
    Madhu

  • After installing or upgrading to Firefox 31, starting Firefox does not show homepage, customize shows a blank page and the option button does not work

    I am the Windows admin for a university department and install PCs with Firefox all the time. This problem does not happen with every PC I maintain, only a select few (different model laptops with Windows 8.1 and update 1.) Until today, it only happened with new user accounts (with admin rights) that I setup on the laptops for our staff. Today this happened with The Administrator account while setting up a new laptop. In all cases so far, I install Windows from a saved image that was created using sysprep.
    I have tried the many suggestions of resetting Firefox, deleting the users Firefox profile, deleting the users Windows profile, uninstalling/reinstalling Firefox, uninstalling/reinstalling Firefox and the latest Java, but nothing helps. After uninstalling, I run an app to delete temp files and caches and will even manually remove registry keys HKLM\SOFTWARE\Mozilla and HKCU\SOFTWARE\Mozilla. Plus I reboot and make sure the install folder is deleted after uninstall.
    Results are the same: after installing Firefox 31, the initial setup window for migrating IE and/or Chrome pops up and after clicking the Finish button, Firefox starts, but does not show the initial new user page, only a blank page. Clicking on the Options button (3 bars) does nothing. Right-clicking in the proper area, the popup menu appears so I can choose to Customize, but that only opens another tab with about:customize in the URL and the page is blank. From the right-click popup menu, I can enable the Menu Bar and get to Options from that.
    My latest attempt has helped a little. I uninstalled Firefox 31, cleaned up, deleted user Firefox profile, rebooted and then installed Firefox 30. Inital startup runs, and tells me I'm not up to date, and the Options button works. But I still cannot customize.
    I then upgraded to Firefox 31, but then it's back to no startup page, no options button and no customize. I can downgrade to 30 and get all but customize working again.
    Only Addon is one for McAfee Scriptscan for Firefox 15.1.0, which just after installing is disabled.
    Any help would be appreciated. Thank you.

    Ok. I disabled hardware acceleration. The only extension is the McAfee Scriptscan for Firefox 15.1.0, which was already disabled. I then disabled all plugins (Acrobat, Google Update, Intel Identity Protection (2x), Java Deployment Toolkit, Java Platform, MS Office 2013, Quicktime, Shockwave, Silverlight), which were all up to date.
    Normal or safe mode still has same result. No startup, no option button and no customize.
    Thanks for your help. Got any other suggestions?

  • I am using Numbers app for the ipad and it has been working absolutely fine but now, when I want to email a spreadsheet as a PDF via the 'share and print' option, the file now doesn't appear as an attachment to the recipient. Any ideas please?

    I am using Numbers app for the ipad and it has been working absolutely fine but now, when I want to email a spreadsheet as a PDF via the 'share and print' option, the file now doesn't appear as an attachment to the recipient. Any ideas please?

    Hi mafiose15,
    Thanks for visiting Apple Support Communities.
    Restoring your iPod to factory settings is the best way to try and get it back to working order. You can use the instructions below to restore it:
    How to restore iPod
    Verify that you have an active Internet connection, because you may need to download new versions of the iTunes and iPod Software.
    Download and install the latest version of iTunes if necessary.
    Open iTunes. Connect your iPod to your computer using the USB or FireWire cable that came with your iPod.
    After a few moments, your iPod will appear in the Source panel in iTunes.
    Select your iPod in the Source panel. You will see information about your iPod appear in the Summary tab of the main iTunes window.
    Click Restore.
    If you are using a Mac, you will be asked to enter an administrator’s name and password.
    A progress bar will appear on the computer screen, indicating that stage one of the restore process has begun. When this stage is done, iTunes will present one of two messages with instructions specific to the iPod model you are restoring.
    Disconnect iPod and connect it to iPod Power Adapter (typically applies to older iPod models).
    Leave iPod connected to computer to complete restore (typically applies newer iPod models).
    During stage two of the restore process, the iPod displays an Apple logo as well as a progress bar at the bottom of the display. It is critical that the iPod remain connected to the computer or iPod power adapter during this stage.
    Note: The progress bar may be difficult to see, because the backlight on the iPod display may be off.
    After stage two of the restore process is complete, the iTunes Setup Assistant window will appear. It will ask you to name your iPod and choose your syncing preferences, as it did when you connected your iPod for the first time.
    You can find the instructions in this article:
    Restoring iPod to factory settings
    http://support.apple.com/kb/ht1339
    All the best,
    Jeremy

Maybe you are looking for

  • Windows 7 driver issue with graphics card

    Currently windows 7 will not let me play most games because my graphics card(s)will not officially show up in my computer and system properties. I have installed boot camp drivers on windows, and searched nvidias site for a driver, but it still wont

  • Preview - Rotate a picture and resave it WITHOUT changing the date?

    Hi all, Is there a way in Preview to save a picture, but have it NOT change the date of the picture? I usually run into this problem when I download pictures from my cellphone. Lets say I take some snapshots with my phone, some vertical some horizont

  • Budget control issue

    Dear all First I am doing bottom up planning and then i am doing copy of planned total to budget.When i am doing change the quantity of material and rate,the system showing error of budget exceeding  Budget for WBS element RE-09-06.01 was exceeded by

  • Posting to AX by specific Operating Unit

    I would like to know if anybody knows if it is possible in AX (Global Accounting Engine) to select a specific Operating Unit instead of select "All" in this field so I can post to a specific set of books by that specific operating unit. I have the si

  • PayPal account could not be verified

    I'm trying to set up payment processings. When I put in my e-mail address and click Register account I get a message saying " The PayPal account could not be verified. I know it's the correct e-mail address and I have used it to collect payments on o