On which interface should i open ports?

Hi!
Got a case from a customer. They want me to open some ports so that one client can use some applications.
The problem is, I am not sure on which interface I should open the ports. The customer has about 10 interfaces on the ASA. It's a client on the inside network, and it should be able to talk to the internet through the ports, and anyone on the internet should be able to reach the client on the same ports.
The client uses a static IP.

Hi,
You need to map the flow of traffic for your customer. That way you can plan the changes without breaking anything.
It could be as simple as creating ACLs for the inside and outside interfaces plus NAT, or something more complex.

Similar Messages

  • How do I choose which space should "Reminders" open in?

    I was reading the support page (http://support.apple.com/kb/PH11158?viewlocale=en_US) to learn how to choose which spaces to use with particular apps. But what is said on the support page doesn't apply to the app "Reminders".
    Can someone teach me how to set up "Reminders" to open on the second desktop space?

    go to Desktop 2

  • Open ports? Which ones?

    I ran port scan on my AE base station and found the following ports open:
    Port Scan has started ...
    Port Scanning host: 10.0.1.1
    Open TCP Port: 53
    Open TCP Port: 5009
    Open TCP Port: 10000
    Port Scan has completed ...
    is this a concern? If so how do I close them / reroute them. Not sure which airport software it's running, but I do software update weekly so it should have the latest.

    Port 53 is used by DNS
    Port 5009 is used by Airport Admin Utility, Airport Utility, and Airport Express Admin Utility. Perhaps this is controlled by the option to permit admin of the AEBS from the WAN port. Disable that option, and have a good password on your AEBS (not the wireless security password).
    Port 10000 I don't know, but port numbers > 1023 are not very worrisome.
    Nothing to worry about. You can't do anything about it anyway and, I suspect, they don't get past the Airport's WAN interface.

  • When i open i-movie it ejects my back up disc which is via a usb port.

    When i open i-movie it ejects my back up disc which is via a usb port.

    Hmmmm,
    Did you load some movie or project off another USB device at some time recently?
    What happens if you then unplug the drive & plug it back in when iMovie is running?

  • Which Interface table should I select

    I need to insert data into the interface tables for the shipping done against the customer order.
    I am in doubt as to which interface tables are to be selected. I am listing the interface tables which are known to me:
    1. WSH_DELIVERIES_INTERFACE
    2. WSH_NEW_DEL_INTERFACE
    3. WSH_TRIPS_INTERFACE
    Are the table names I have listed above correct? If there are any more tables that I have to select, please suggest them.
    Thanks in advance
    Vishwanath

    Hi,
    Please help me with how to use the WSH_FREIGHT_COSTS_PUB.Create_Update_Freight_Costs API.
    I used the code below, but it returns an error.
    -- populate the freight cost record, then call the public API
    pub_freight_costs.delivery_id          := Delivery_Id;
    pub_freight_costs.freight_cost_type_id := P_type;
    pub_freight_costs.currency_code        := 'USD';
    pub_freight_costs.unit_amount          := NVL(I.shipping_charges, 0);
    p_action_code := 'UPDATE';
    APPS.WSH_FREIGHT_COSTS_PUB.Create_Update_Freight_Costs (
          p_api_version_number => 1.0
        , p_init_msg_list      => init_msg_list
        , p_commit             => p_commit
        , x_return_status      => x_return_status
        , x_msg_count          => x_msg_count
        , x_msg_data           => x_msg_data
        , p_pub_freight_costs  => pub_freight_costs
        , p_action_code        => p_action_code
        , x_freight_cost_id    => freight_cost_id
    );

  • Dell 2650 / Solaris 10 Intel (should I open a bug)?

    Hi.. am just wondering about a Dell 2650 I have, running Solaris 10 11/04.
    The system is, as usual, equipped with dual Broadcom NetXTreme gigabit ethernet ports. I tweaked /etc/driver_aliases to recognize the onboard adapters and the "bge" driver lit them up, giving me "bge0" and "bge1" interfaces.
    That said, there is a little tidbit in dmesg:
    Dec 30 22:35:43 trans1 bge: [ID 801725 kern.warning] WARNING: bge1: 5701-based subsystem 'pci1028,0121' not supported
    While I'm not actually -using- bge1 (the system is networked via bge0), I'm concerned that bge is specifically announcing that the 5701 (which is what is used on the 2650) is not supported... even though bge0 is up and running.
    I wouldn't have even mentioned it as an issue, but this system pretty much "froze" earlier today (all existing connections at the time of freeze seemed to work, but all new connection attempts to the server would just hang, regardless of what port you were attempting to connect to) and am just going through all the logs to see what could have caused the problem.
    That said, this is the only error in the logs. :(
    For the record, this is the entry I added to driver_aliases:
    bge "pci14e4,1645.1028.121"
    Any ideas from the community?
    Should I open a bug? Will the 5701 be supported by bge in SX release, or should I download the drivers from Broadcom and use them? Seems silly to have to go that route....
    Sun? :)

    OK...
    After a few days of testing I'm thinking that the problem isn't actually in the BGE driver (though am still curious about the "not supported" issue), but in the cadp160 driver instead.
    Today, the system literally "hung" for about 5 minutes. Network activity was still running, and the java processes we already had running that -didn't- require disk access were serving a-ok.
    Anything that needed disk access, on the other hand, was stalled.
    Eventually, it started appearing in bursts, and then finally started working again.
    There are -no- entries in any log to indicate there was any issue (scsi timeouts messages, etc).
    Anyone?

  • Getting error 'opening port for MGR  (Connection refused).

    Hi Guys,
    I am getting the error below while starting the replicat on the target.
    GGSCI (ggtarget) 16> start replicat RLOAD
    Sending START request to MANAGER ...
    ERROR: opening port for MGR MGR (Connection refused).
    GGSCI (ggtarget) 20> view param mgr
    PORT 7809
    USERID orgg, PASSWORD orgg
    PURGEOLDEXTRACTS /ggs/dirdat/*, USECHECKPOINTS
    GGSCI (ggtarget) 21> view param rload
    REPLICAT RLOAD
    USERID orgg, PASSWORD orgg
    ASSUMETARGETDEFS
    HANDLECOLLISIONS
    APPLYNOOPUPDATES
    GETUPDATEBEFORES
    reperror default, discard
    DISCARDFILE ./dirrpt/rload.dsc, purge
    MAP HR.TCUSTORD, TARGET HR.TCUSTORD;
    MAP HR.TCUSTMER, TARGET HR.TCUSTMER;
    From the source I am able to telnet to the target...
    What could be the issue?

    Hi,
    Error:
    GGSCI (ggtarget) 16> start replicat RLOAD
    Sending START request to MANAGER ...
    ERROR: opening port for MGR MGR (Connection refused).
    You can start Manager, but when you try to start Replicat, GGSCI gives a connection timeout error.
    Solution:
    GoldenGate uses a TCP/IP socket to communicate between local processes. When you issue a START, STOP, SEND, or other command in GGSCI, the command interface will try to open a local port for the process.
    Here is how to find out which local ports these processes are listening on. In the dirpcs directory, there will be one file for each running GoldenGate process.
    For Manager, the file name will be MGR.pcm.
    For Extract, it will be <GROUP_NAME>.pce.
    For Replicat, it will be <GROUP_NAME>.pcr.
    These are text files that can be viewed by using cat or any equivalent command. For example, the MGR.pcm file content will read like this:
    PROGRAM MGR PROCESSID MGR PORT sys1.4356 PID 60070
    After the keyword PORT will be the local hostname and the port number that Manager is supposed to be running on. In the preceding example, the hostname is sys1, and the port is 4356.
    The program (ggsci) tries to use that hostname to communicate with the process (Extract/Replicat/Manager) when the command is issued in GGSCI. If you get a timeout or connection-refused error on the command, that means GoldenGate could not connect to the local host. Most of the time, you should have no problem connecting to a local host, but when you have the wrong IP address or routing table configured in your TCP/IP settings, connection errors can happen.
    To troubleshoot this, follow the steps below:
    1. Try to ping that host name from the OS shell to see if it goes to the correct IP address (which should be the one for the local system).
    2. If the ping is successful, try to telnet to the Manager port on your local host. You will be able to see your telnet session connect if a Manager is listening on that port.
    Here is an example:
    shell>telnet
    telnet> open sys1 4356
    Trying 100.100.100.100...
    Connected to sys1.oracle.com (100.100.100.100).
    Escape character is '^]'.
    3. If your telnet session times out or gets a connection-refused error, that means either the hostname is wrong or the port number is wrong.
    If the ping to the hostname listed in the pcm/pce/pcr file fails, or if you cannot connect your telnet session to the port listed in the file(s), contact your network engineers to get the TCP/IP issue resolved.
    Hope this information helps.
    Thanks & Regards
    Santhosh
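
The three troubleshooting steps above, as an added Python example (not part of Santhosh's answer and not GoldenGate's own tooling): parse the PORT token out of a process-control file, resolve the hostname, check that the address actually belongs to this machine, then attempt a TCP connect to the Manager port, the way the telnet step does. The sample file content is constructed from the MGR.pcm line quoted in the answer; name resolution stands in for the ping step, since what the ping is really checking is which address the name maps to.

```python
import socket

# Constructed sample of a GoldenGate process-control file, modelled on the
# MGR.pcm line quoted in the answer; hostname and port are its example values.
SAMPLE_PCM = "PROGRAM MGR PROCESSID MGR PORT sys1.4356 PID 60070\n"


def parse_pcm(text):
    """Return (hostname, port) from the body of a .pcm/.pce/.pcr file.

    The token after PORT is '<hostname>.<port>'. The hostname may itself be a
    FQDN containing dots, so split on the last dot only.
    """
    tokens = text.split()
    try:
        value = tokens[tokens.index("PORT") + 1]
    except (ValueError, IndexError):
        raise ValueError("no 'PORT <hostname>.<port>' token in process file")
    host, _, port = value.rpartition(".")
    if not host or not port.isdigit():
        raise ValueError("malformed PORT token: %r" % value)
    return host, int(port)


def is_local_address(addr):
    """True if this machine owns addr: binding a UDP socket to a foreign
    address fails, which is a cheap way to apply the answer's rule that the
    resolved IP 'should be the one for the local system'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((addr, 0))
        return True
    except OSError:
        return False
    finally:
        s.close()


def check_manager(host, port, timeout=3.0):
    """Steps 1-3 of the answer in code: resolve the hostname, confirm the
    address is local, then try a TCP connect to the Manager port. The result
    separates a DNS/hosts-file problem from a Manager that is not listening."""
    result = {"host": host, "port": port, "resolved": None,
              "local": None, "connected": False, "error": None}
    try:
        result["resolved"] = socket.gethostbyname(host)
    except socket.gaierror as exc:
        result["error"] = "hostname does not resolve: %s" % exc
        return result
    result["local"] = is_local_address(result["resolved"])
    if not result["local"]:
        result["error"] = "%s resolves to %s, which is not an address of this machine" % (
            host, result["resolved"])
        return result
    try:
        with socket.create_connection((result["resolved"], port), timeout=timeout):
            result["connected"] = True
    except OSError as exc:
        # "Connection refused" here means nothing is listening on that port:
        # Manager is down, or its PORT parameter no longer matches the file.
        result["error"] = "connect to %s:%d failed: %s" % (result["resolved"], port, exc)
    return result


if __name__ == "__main__":
    mgr_host, mgr_port = parse_pcm(SAMPLE_PCM)
    print(check_manager(mgr_host, mgr_port))
```

Run it on the real dirpcs/MGR.pcm content; a "does not resolve" or "not an address of this machine" error points at /etc/hosts or DNS, while "connect ... failed" with the address local points at Manager itself.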

  • Open port issues with Direct Print functionality

    Hi, I have been fighting with HP call support about the Photosmart 7525 printer.
    Originally I setup and had performed all the functions to enable both web support and WIFI.
    Within an hour the printer would not respond to wireless communication, though its wireless indicator showed it was connected.
    I was told by HP support that the issue will be resolved in March, as there will be a firmware update to fix the issue.
    Now that I had the printer install the new firmware I still get the issue.
    Though I found through some sniffing, that there are a number of ports enabled and open that are over and beyond print requirements.
    Funny thing, I can send my printer into instant lockup with all lights flashing with a simple UDP ping sniff. I would think I can do this with other new HP printers using ePrint functions. I will find HP web-based printers that are open for public printing and test my theory that HP ePrinters are open to hacking and denial of service attempts. My HP print app on Android lists three in my area, and one is at my local Walmart. This would be cool to find, as I am usually not the first to point such matters out.
    I assume some are for Apple devices to print.
    Here is my sniffing report:
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 07:57 Central Daylight Time
    NSE: Loaded 110 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 07:57
    Scanning 192.168.223.1 [1 port]
    Completed ARP Ping Scan at 07:57, 0.23s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 07:57
    Completed Parallel DNS resolution of 1 host. at 07:58, 16.50s elapsed
    Initiating SYN Stealth Scan at 07:58
    Scanning 192.168.223.1 [1000 ports]
    Discovered open port 445/tcp on 192.168.223.1
    Discovered open port 139/tcp on 192.168.223.1
    Discovered open port 80/tcp on 192.168.223.1
    Discovered open port 443/tcp on 192.168.223.1
    Discovered open port 8080/tcp on 192.168.223.1
    Discovered open port 9220/tcp on 192.168.223.1
    Discovered open port 6839/tcp on 192.168.223.1
    Discovered open port 631/tcp on 192.168.223.1
    Discovered open port 7435/tcp on 192.168.223.1
    Discovered open port 8089/tcp on 192.168.223.1
    Discovered open port 9100/tcp on 192.168.223.1
    Completed SYN Stealth Scan at 07:58, 1.71s elapsed (1000 total ports)
    Initiating UDP Scan at 07:58
    Scanning 192.168.223.1 [1000 ports]
    Discovered open port 5353/udp on 192.168.223.1
    Completed UDP Scan at 07:58, 1.82s elapsed (1000 total ports)
    Initiating Service scan at 07:58
    Scanning 20 services on 192.168.223.1
    Discovered open port 161/udp on 192.168.223.1
    Discovered open|filtered port 161/udp on 192.168.223.1 is actually open

    Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 07:51 Central Daylight Time
    Nmap scan report for 192.168.223.1
    Host is up (0.0025s latency).
    Not shown: 93 closed ports
    PORT     STATE SERVICE     VERSION
    80/tcp   open  http        HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    139/tcp  open  tcpwrapped
    443/tcp  open  ssl/http    HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    445/tcp  open  netbios-ssn
    631/tcp  open  http        HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    8080/tcp open  http        HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    9100/tcp open  jetdirect?
    MAC Address: A03:C1:BD:C8:34 (Unknown)
    Device type: printer|general purpose
    Running: HP embedded, Wind River VxWorks
    OS CPE: cpe:/h:hp:laserjet_cm1415fnw cpe:/h:hp:laserjet_cp1525nw cpe:/h:hp:laserjet_1536dnf cpe:/o:windriver:vxworks
    OS details: HP LaserJet CM1415fnw, CP1525nw, or 1536dnf printer, VxWorks
    Network Distance: 1 hop
    Service Info: Device: printer; CPE: cpe:/h:hphotosmart_7520
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 34.11 seconds

    OK now I am able to run a full scan on TCP ports without causing a lock up of the printer.
    I found that having the printer connect to a router that has been setup to use channel 5, 6 or 7 will cause port scanning issues with the printer.
    It is obvious that there are 18 ports that are seen as open, whether they are used or not. Two of which are active but have no service connected to them. Some are just dead, like port 25, but over half are active enough to receive data and lock network connectivity within the printer.
    As the firmware states some other laser jets may be affected depending on how the configuration can be set.
    I moved my routers channel to channel 1 as it is the only other option I have in a highly congested location. It is not as good as channel 6, but the printer seems to have channel 6 locked in for direct printing.
    Here is the latest full scan with UDP enabled, it is the furthest and most complete scan I am able to complete, with UDP ports enabled. The TCP port scan has a bit more and I have placed a simple list below the information given here:
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-21 13:27 Central Daylight Time
    NSE: Loaded 110 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating ARP Ping Scan at 13:27
    Scanning 192.168.1.211 [1 port]
    Completed ARP Ping Scan at 13:27, 0.44s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 13:27
    Completed Parallel DNS resolution of 1 host. at 13:27, 0.03s elapsed
    Initiating SYN Stealth Scan at 13:27
    Scanning 192.168.1.211 [1000 ports]
    Discovered open port 443/tcp on 192.168.1.211
    Discovered open port 80/tcp on 192.168.1.211
    Discovered open port 139/tcp on 192.168.1.211
    Discovered open port 8080/tcp on 192.168.1.211
    Discovered open port 445/tcp on 192.168.1.211
    Discovered open port 631/tcp on 192.168.1.211
    Discovered open port 9100/tcp on 192.168.1.211
    Discovered open port 7435/tcp on 192.168.1.211
    Discovered open port 9220/tcp on 192.168.1.211
    Discovered open port 6839/tcp on 192.168.1.211
    Completed SYN Stealth Scan at 13:27, 5.25s elapsed (1000 total ports)
    Initiating UDP Scan at 13:27
    Scanning 192.168.1.211 [1000 ports]
    Discovered open port 137/udp on 192.168.1.211
    Completed UDP Scan at 13:27, 4.46s elapsed (1000 total ports)
    Initiating Service scan at 13:27
    Scanning 16 services on 192.168.1.211
    Discovered open port 161/udp on 192.168.1.211
    Discovered open|filtered port 161/udp on 192.168.1.211 is actually open
    Completed Service scan at 13:29, 82.51s elapsed (17 services on 1 host)
    Initiating OS detection (try #1) against 192.168.1.211
    NSE: Script scanning 192.168.1.211.
    Initiating NSE at 13:29
    Completed NSE at 13:30, 82.29s elapsed
    Nmap scan report for 192.168.1.211
    Host is up (0.023s latency).
    Not shown: 1983 closed ports
    PORT     STATE         SERVICE      VERSION
    80/tcp   open          http         HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    |_http-favicon: Unknown favicon MD5: 76C6E492CB8CC73A2A50D62176F205C9
    | http-methods: GET POST PUT DELETE
    | Potentially risky methods: PUT DELETE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Site doesn't have a title (text/html).
    139/tcp  open          tcpwrapped
    443/tcp  open          ssl/http     HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    |_http-favicon: Unknown favicon MD5: 76C6E492CB8CC73A2A50D62176F205C9
    | http-methods: GET POST PUT DELETE
    | Potentially risky methods: PUT DELETE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Site doesn't have a title (text/html).
    | ssl-cert: Subject: commonName=HPPS7525/organizationName=HP/stateOrProvinceName=Washington/countryName=US
    | Issuer: commonName=HPPS7525/organizationName=HP/stateOrProvinceName=Washington/countryName=US
    | Public Key type: rsa
    | Public Key bits: 1024
    | Not valid before: 2014-02-25T10:12:24+00:00
    | Not valid after:  2034-02-20T10:12:24+00:00
    | MD5:   9144 ca3b 557e 09cc aba0 8387 2732 2375
    |_SHA-1: a6b2 95c0 b72a 7201 578c 32de 662a e6fe b082 48ca
    |_ssl-date: 2014-03-21T13:30:09+00:00; -4h59m12s from local time.
    445/tcp  open          netbios-ssn
    631/tcp  open          http         HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    | http-methods: GET POST PUT DELETE
    | Potentially risky methods: PUT DELETE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    6839/tcp open          tcpwrapped
    7435/tcp open          tcpwrapped
    8080/tcp open          http         HP Photosmart 7520 series printer http config (Serial TH3AS711XZ05YZ)
    |_http-favicon: Unknown favicon MD5: 76C6E492CB8CC73A2A50D62176F205C9
    | http-methods: GET POST PUT DELETE
    | Potentially risky methods: PUT DELETE
    |_See http://nmap.org/nsedoc/scripts/http-methods.html
    |_http-title: Site doesn't have a title (text/html).
    9100/tcp open          jetdirect?
    9220/tcp open          hp-gsg       HP Generic Scan Gateway 1.0
    137/udp  open          netbios-ns   Samba nmbd (workgroup: HPPS7525)
    138/udp  open|filtered netbios-dgm
    161/udp  open          snmp         SNMPv1 server (public)
    | snmp-hh3c-logins:
    |_  baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
    | snmp-interfaces:
    |   Wifi0
    |     IP address: 192.168.1.211  Netmask: 255.255.255.0
    |     MAC address: a0:d3:c1:bd:c8:32 (Unknown)
    |     Type: ethernetCsmacd  Speed: 10 Mbps
    |     Status: up
    |_    Traffic stats: 6.16 Mb sent, 3.43 Mb received
    | snmp-netstat:
    |   TCP  0.0.0.0:7435         0.0.0.0:0
    |   TCP  192.168.1.211:56076  15.201.145.52:5222
    |   UDP  0.0.0.0:3702         *:*
    |   UDP  127.0.0.1:666        *:*
    |_  UDP  192.168.223.1:67     *:*
    | snmp-sysdescr: HP ETHERNET MULTI-ENVIRONMENT
    |_  System uptime: 0 days, 3:34:23.28 (1286328 timeticks)
    | snmp-win32-shares:
    |_  baseoid: 1.3.6.1.4.1.77.1.2.27
    1022/udp open|filtered exp2
    1023/udp open|filtered unknown
    3702/udp open|filtered ws-discovery
    5355/udp open|filtered llmnr
    MAC Address: A03:C1:BD:C8:32 (Unknown)
    Device type: general purpose
    Running: Wind River VxWorks
    OS CPE: cpe:/o:windriver:vxworks
    OS details: VxWorks
    Uptime guess: 0.150 days (since Fri Mar 21 09:55:04 2014)
    Network Distance: 1 hop
    TCP Sequence Prediction: Difficulty=255 (Good luck!)
    IP ID Sequence Generation: Busy server or unknown class
    Service Info: Hosts: HPA0D3C1BDC832, HPPS7525; Device: printer; CPE: cpe:/h:hphotosmart_7520
    Host script results:
    | nbstat:
    |   NetBIOS name: HPA0D3C1BDC832, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
    |   Names
    |     HPA0D3C1BDC832<00>   Flags: <unique><active><permanent>
    |     MSHOME<00>           Flags: <group><active><permanent>
    |     HPA0D3C1BDC832<20>   Flags: <unique><active><permanent>
    |     HPPS7525<00>         Flags: <unique><active><permanent>
    |_    HPPS7525<20>         Flags: <unique><active><permanent>
    | smb-security-mode:
    |   Account that was used for smb scripts: guest
    |   User-level authentication
    |   SMB Security: Challenge/response passwords supported
    |_  Message signing disabled (dangerous, but default)
    TRACEROUTE
    HOP RTT      ADDRESS
    1   23.26 ms 192.168.1.211
    NSE: Script Post-scanning.
    Read data files from: F:\Progs\Nmap
    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 180.90 seconds
               Raw packets sent: 2030 (74.829KB) | Rcvd: 2921 (149.377KB)
    +++++++++++++++++++++++++++++++++++++++++++++++++++++===
    Full TCP port scan without UDP scanning of all ports, showing up as open... * designates open and active.
    Discovered open port 25/tcp on 192.168.223.1
    *Discovered open port 80/tcp on 192.168.223.1
    *Discovered open port 110/tcp on 192.168.223.1
    *Discovered open port 119/tcp on 192.168.223.1
    *Discovered open port 139/tcp on 192.168.223.1
    Discovered open port 143/tcp on 192.168.223.1
    *Discovered open port 443/tcp on 192.168.223.1
    *Discovered open port 445/tcp on 192.168.223.1
    Discovered open port 465/tcp on 192.168.223.1
    Discovered open port 563/tcp on 192.168.223.1
    Discovered open port 587/tcp on 192.168.223.1
    *Discovered open port 631/tcp on 192.168.223.1
    Discovered open port 993/tcp on 192.168.223.1
    Discovered open port 995/tcp on 192.168.223.1
    *Discovered open port 7435/tcp on 192.168.223.1
    *Discovered open port 6839/tcp on 192.168.223.1
    *Discovered open port 8080/tcp on 192.168.223.1
    Discovered open port 8089/tcp on 192.168.223.1
    *Discovered open port 9100/tcp on 192.168.223.1
    *Discovered open port 9220/tcp on 192.168.223.1
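
To turn a scan like the one above into a list of things to fix, here is an added Python example (my code, not the poster's and not HP's) that parses Nmap's normal output and applies the checks the results themselves suggest: SNMPv1 answering the public community, PUT/DELETE enabled on the web config interface, a short RSA key in the TLS certificate, SMB signing off, and open TCP services that are not print protocols. Unconfirmed open|filtered UDP ports are deliberately not reported. The sample input is a trimmed excerpt of the scan output posted above; the set of ports treated as "print protocols" is my assumption.

```python
import re

# Excerpt of the Nmap output posted above, trimmed to the lines the triage
# needs (version strings shortened). Treat it as constructed sample input.
SAMPLE_SCAN = """\
PORT     STATE         SERVICE      VERSION
80/tcp   open          http         HP Photosmart 7520 series printer http config
| http-methods: GET POST PUT DELETE
| Potentially risky methods: PUT DELETE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
139/tcp  open          tcpwrapped
443/tcp  open          ssl/http     HP Photosmart 7520 series printer http config
| Potentially risky methods: PUT DELETE
| Public Key type: rsa
| Public Key bits: 1024
445/tcp  open          netbios-ssn
631/tcp  open          http         HP Photosmart 7520 series printer http config
9100/tcp open          jetdirect?
161/udp  open          snmp         SNMPv1 server (public)
138/udp  open|filtered netbios-dgm
3702/udp open|filtered ws-discovery
Host script results:
| smb-security-mode:
|_  Message signing disabled (dangerous, but default)
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumption: the ports a network printer needs to accept jobs are raw/JetDirect,
# IPP and LPD. Anything else open is management, discovery or file sharing.
PRINT_PORTS = {(9100, "tcp"), (631, "tcp"), (515, "tcp")}


def parse_nmap(text):
    """Parse Nmap normal output into port records plus host-level script lines.
    NSE output ('|' lines) is attached to the port line that precedes it."""
    ports, host_scripts = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": (m.group(5) or "").strip(), "scripts": []}
            ports.append(current)
        elif line.startswith("Host script results:"):
            current = {"scripts": host_scripts}
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports, host_scripts


def triage(ports, host_scripts):
    """Turn the parsed scan into findings a practitioner would act on."""
    findings = []
    for p in ports:
        if p["state"] != "open":
            # open|filtered means no response at all; it is not confirmed exposure
            continue
        tag = "%d/%s" % (p["port"], p["proto"])
        if p["proto"] == "udp" and p["port"] == 161 and "public" in p["version"].lower():
            findings.append(tag + ": SNMPv1 answers the 'public' community; anyone on the LAN can read device configuration")
        for s in p["scripts"]:
            if s.startswith("Potentially risky methods:"):
                methods = s.split(":", 1)[1].strip()
                findings.append("%s: HTTP methods %s are enabled on the config interface" % (tag, methods))
            elif s.startswith("Public Key bits:"):
                bits = int(s.split(":", 1)[1])
                if bits < 2048:
                    findings.append("%s: TLS certificate uses a %d-bit RSA key" % (tag, bits))
        if p["proto"] == "tcp" and (p["port"], p["proto"]) not in PRINT_PORTS:
            findings.append("%s: %s is not a print protocol; disable it if the feature is unused" % (tag, p["service"]))
    for s in host_scripts:
        if s.startswith("Message signing disabled"):
            findings.append("SMB: message signing disabled, so share traffic can be tampered with in transit")
    return findings


if __name__ == "__main__":
    for finding in triage(*parse_nmap(SAMPLE_SCAN)):
        print(finding)
```

Feed it the full `nmap -sS -sU -sV -sC -oN` output instead of the excerpt and it reports the same classes of finding for the extra ports; anything the scan marks open|filtered stays out of the report until a follow-up probe confirms it.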

  • Could not open port 3601

    Hello,
    I installed WEB AS 6.40 and all the services are running properly. But when I try to access the J2EE engine through http://ipaddress:50000/index.html, I get the error "connection failed" in the browser. The J2EE engine port is correct. In the default trace I get an error "Can't open 3601". The message server is running on port 3601. What could be the problem? Kindly help.

    Hi Rukmani,
    This alerts me to something. When you installed WAS 6.40, did you change the default instance number for the port? If you left it as 00, then 50000 should work; otherwise, if you changed it to 01 or 02, you should change the port to 50010 or 50020 accordingly.
    One more possibility is that another application is running on the same port; then either free that port or choose another port.
    Hope it helps.
    Regards,
    Guru Subramanian B

  • Do I need to open ports for NTP?

    I just noticed that my hwclock was off by nearly 30 seconds. It's almost certainly due to the recent initscripts update.
    As I was looking into resetting the clock, I found out that openntpd is deprecated so I've switched to ntp, configured the daemon, reset the time with ntpd -q, and started the daemon. The time is not accurate again.
    I remember back when I first installed Arch I tried to set up ntp but it didn't seem to work, so I tried openntpd and stuck with that. I reached the conclusion that ntp required open ports, which I felt was unnecessary given that openntpd could do the same thing without open ports.
    Now that I'm looking at it again, I can't find any definitive answer...
    Do I need to open ports for ntp if I only want to sync the system that it's running on?

    ISC ntpd (the ntp package) will open UDP 123 on all your interfaces regardless of what you do with it. It will work anyway even if you block this port in iptables, assuming that you're allowing responses to established traffic as usual - your outbound mobilization requests to your chosen servers will be enough to allow the responses, and the same with further traffic sent for the lifetime of ntpd. Using iptables like this is probably the easiest way to secure ntpd.
    There's also some defense in depth you can do:
    - run ntpd as non-root
    - run it chrooted to some safe directory (really only makes sense when doing non-root as well, since root can break out of a chroot)
    - apply ntpd's built-in access controls (see examples in ntpd.conf, and full docs in ntp_acc(5))
    I accomplish the first two of these by chowning /var/lib/ntp (and any contents) to ntp:ntp (so ntpd can write ntp.drift there when non-root), by using a driftfile path relative to the chroot in ntp.conf, and by setting NTPD_ARGS="-g -i /var/lib/ntp -u ntp:ntp" in /etc/conf.d/ntp-client.conf.
    For the third, I chose to not allow any remote traffic to initiate anything with my ntpd, with this /etc/ntp.conf:
    server ac-ntp0.net.cmu.edu iburst
    server ac-ntp1.net.cmu.edu iburst
    server ac-ntp2.net.cmu.edu iburst
    server ac-ntp3.net.cmu.edu iburst
    server ac-ntp4.net.cmu.edu iburst
    restrict default nomodify nopeer noquery
    restrict 127.0.0.1
    driftfile /ntp.drift
    Note the two "restrict" lines. The first shuts out remote access of most kinds, and the second allows the local machine all the access that would also be denied to it as well otherwise by the first rule. Note also the driftfile path, relative to the chroot of /var/lib/ntp/.
    With all these security features, ISC ntpd can be just as safe as openntpd.
    The use of the "iburst" keyword on the server lines to recover more quickly from out-of-contact conditions is also quite nice, and not rude to the remotes like "burst" would be.
    One of the nicest other features of ISC ntpd is that it's smart enough to notice when network state changes occur, like bringing a VPN up/down, changing routes, or switching from wired to wireless and back. openntpd tended to just lose connections in these cases.
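
An added Python example (not part of the answer above, and not an ntp project tool) that checks an ntp.conf against the rules the answer applies: a `restrict default` line carrying nomodify, nopeer and noquery, a localhost exemption so ntpq still works on the box, and, when the default is `ignore`, a per-server restrict line so that replies from the configured servers are not dropped. The hardened config is the one given in the answer (two of the server lines kept); the weak config and the server name ntp.example.com are constructed.

```python
# The answer's ntp.conf, reproduced as the hardened reference.
HARDENED_CONF = """\
server ac-ntp0.net.cmu.edu iburst
server ac-ntp1.net.cmu.edu iburst
restrict default nomodify nopeer noquery
restrict 127.0.0.1
driftfile /ntp.drift
"""

# Constructed weak configuration (hypothetical server name): the default
# restriction still allows remote mode 6/7 queries and peering.
WEAK_CONF = """\
server ntp.example.com iburst
restrict default nomodify
"""

WANTED_DEFAULT_FLAGS = ("nomodify", "noquery", "nopeer")


def parse_ntp_conf(text):
    """Return (servers, restricts); restricts is a list of (target, flag set)."""
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("server", "pool", "peer") and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "restrict" and len(parts) > 1:
            args = parts[1:]
            if args[0] in ("-4", "-6"):       # address-family selector
                args = args[1:]
            restricts.append((args[0], set(args[1:])))
    return servers, restricts


def lint_ntp_conf(text):
    """Apply the answer's rules and return a list of findings (empty = clean)."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    defaults = [flags for target, flags in restricts if target == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: remote hosts are unrestricted (queries, peering, runtime configuration)")
    for flags in defaults:
        if "ignore" in flags:
            # 'ignore' drops every packet, including replies from the servers,
            # unless each server is exempted by its own restrict line.
            for s in servers:
                if not any(target == s for target, _ in restricts):
                    findings.append("'restrict default ignore' will drop replies from %s; add a 'restrict %s' line" % (s, s))
            continue
        for want in WANTED_DEFAULT_FLAGS:
            if want not in flags:
                findings.append("'restrict default' lacks %s" % want)
    if defaults and not any(t in ("127.0.0.1", "::1", "localhost") for t, _ in restricts):
        findings.append("no 'restrict 127.0.0.1' exemption: the default restrictions also apply to ntpq on this host")
    if not servers:
        findings.append("no server/pool/peer lines: ntpd has nothing to synchronise against")
    return findings


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, lint_ntp_conf(conf) or ["ok"])
```

The missing `noquery` is the one that matters most on an internet-facing host: mode 6/7 queries are what reflection attacks abuse, and they are unrelated to time synchronisation, so the hardened file loses nothing by denying them.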

  • Cannot open ports!

    Hello,
    I thought I should come here as a last resort so here I go...
    I have been using a WRT54G for quite some time, I find it does the job smoothly and quickly...
    However, I cannot open ports (or at least a specific one)...
    I am looking to host a game server on the port '43594'. I went through the router settings and "Applications and Gaming" and enabled the port...
    However 'canyouseeme.org' says:
    Error: I could not see your service on 58.178.203.117 on port (43594)
    Reason: Connection timed out
    Any leads as to why this is? It's a small Java game by the way, so not a major server. Could it actually be my modem? (which is not a linksys so I wont ask)..
    Could it be my ISP? iPrimus?
    Sorry if I can't explain well...
    If you need more information, just tell me what you're looking for.
    - Morsolo

    Try updating your firmware, then reset the default settings and reconfigure it. If all fails, set your PC as the DMZ if you have to. It sounds like you are doing everything you need to. I have hosted a few on-line dedicated game servers using this basic configuration.
    Richard Aichner (Ikester)

  • Open ports for WebAccess

    I have BM 3.8
    Two interfaces. NAT (dynamic only).
    What ports should I open from outside to see or save attachments from my
    mailbox when I am connected via WebAccess?
    GW6.5 SP7
    All agents (except GWIA) are on the private interface.
    I can log in to my account via WebAccess, I see messages. Almost everything
    works fine. But I can not see or save attachments.
    In my browser I see a message that it can't download a file from address
    "myserveraddress.com" (public interface).
    Any suggestion?

    Mike,
    > I have BM 3.8
    > Two interfaces. NAT (dynamic only).
    > What ports should I open from outside to see or save attachments from my
    > mailbox when I am connected via WebAccess?
    >
    > GW6.5 SP7
    > All agents (except GWIA) are on the private interface.
    > I can log in to my account via WebAccess, I see messages. Almost everything
    > works fine. But I can not see or save attachments.
    > In my browser I see a message that it can't download a file from address
    > "myserveraddress.com" (public interface).
    >
    > Any suggestion?
    how do you connect to webaccess if you're running dynamic only NAT? Is
    the webaccess component running on BM?
    Cat
    NSC Volunteer Sysop

  • Couldn't open port com

    HI,
    I am using LabVIEW 8.6 to control a pump through a USB (computer) to RS-232 (pump side) adaptor using COM 4. The first time, the VI runs fine. But after I quit the VI and restart it, the pump does not respond to the initialize command. Another program (from the manufacturer of the pump) reported that it 'couldn't open port COM 4'. Did I miss anything in closing the COM port or in initializing the COM port? My VI is attached. Thanks.
    Attachments:
    Pump_Control_USB7.vi ‏22 KB

    RyanWu wrote:
    Another program (from the manufacturer of the pump) reported that it 'couldn't open port COM 4'. 
    Open up MAX (measurement and automation explorer) and look under 'Devices and Interfaces'.
    You might want to check that the equipment is still assigned to COM 4. If so, it should say:
    COM4              ASRL4 (blah blah blah)        Settings
    It may have been assigned to a new com port if you unplugged and replugged in the equipment.
    If it is still COM4, please post the code for the subVI you mentioned earlier so I can take a look at what is going on in there.
    Cory K

  • Error -2147467262 "No such interface supported" when opening an ActiveX automation reference to a proprietary DLL, why?

    I got the error -2147467262 "No such interface supported" when opening an ActiveX automation reference to a proprietary DLL. I checked the forum, which suggested solutions related to comcat.dll and IE6.0. I also tried to re-register the DLL with regsvr32.exe; it still does not work. However, I did not get any luck. I was told that the DLL supports the IDispatch interface and should work OK with ActiveX in LabVIEW. Any suggestions? I appreciate it.

    Hello, Nandini,
    I am using WinXP and I am calling the DLL provided by Pirouette for their chemometrics software. I just solved the error -2147467262, but the new error that comes out is:
    Error code: -2147467259 Exception occurred in IxAsObjs.CoSIMCAPredict.1, Language Server QueryInterface failed: No such interface supported.
    Here are a few words on the problem from Pirouette:
    "just a few more words that might help you understand the nature of the problem. your LabView client talks to AlgSuite.dll using IDispatch interfaces AlgSuite.dll communicates with the language server on an IUnknown interface.
    Your client knows nothing about the internal workings of AlgSuite.AlgSuite communicating with objects that do not have IDispatch interfaces should be irrelevant to your client."
    Since the VB demo works fine on my machine, they thought it is peculiar to LabVIEW. Any comments? I appreciate it.
    LvvL

  • Need some direction on FW Redundancy and opening ports

    I would appreciate any advice on the current ways of connecting 2 firewalls directly for redundancy and also the best practice for allowing data through the firewall. Do firewalls have a stacking technology similar to StackWise or FlexStack? I need to allow specific ports through my network into another private network. Although this won't be connected to the internet, the same type of security as if it were is important. Sorry if this is a generic question, but what methods would be best for allowing data to and from through my network firewall? I would greatly appreciate any sample configurations (I don't plan on configuring zones) or documentation on the current way of allowing these functions. Thanks for your help!

    Hi,
    There are 2 different options to my knowledge to have firewall redundancy with Cisco firewalls.
    The most common one is Active/Standby Failover, in which you have 2 identical (hardware & software) Cisco firewalls connected by a Failover link. One of the firewalls is the Active unit and handles traffic while the other unit is Standby, monitoring the state of the Active device (and vice versa). When the Active unit fails the Standby unit will take the Active role.
    Another option is Active/Active, which basically means that you would be running multiple virtual firewalls inside the actual hardware firewall. Some virtual firewalls would be Active on hardware unit 1 and some virtual firewalls would be Active on hardware unit 2. Hence the term Active/Active: both firewalls would be handling traffic.
    ASA 9.0 Configuration Guide section on Failover
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_overview.html
    The second and new option is Cluster setup where you essentially combine multiple identical firewalls together. This is a subject though that I have not gotten to test myself so my knowledge is very limited. Though to my understanding this is available only with high end ASA5585-X units so it might not be an option for most.
    ASA 9.0 Configuration Guide section on Cluster
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ha_cluster.html
    So most likely you will be using Active/Standby Failover with 2 identical Cisco firewalls.
    Their configuration format compared to a standalone firewall doesn't differ much.
    You will configure a "standby" IP address also on the ASA that will be the IP address that the Standby unit uses
    You will configure the actual Failover interface
    You will configure general Failover related settings
    You can tune the Failover settings and define which interfaces are monitored (and can affect the Failover) and set some other additional parameters
    So there is not that much to configure compared to the standalone Cisco firewall setup.
    Your post seems to indicate that this firewall or firewall pair would be used for Internal network usage. I mean a firewall between 2 LAN/DMZ networks. This would in turn mean that unless you specifically need NAT between these network segments, you could actually leave the NAT configuration of the firewall completely blank and only configure the Routing&Firewalling related settings.
    How you would configure access between the 2 different network segments would naturally depend on your own setup.
    From what I understood from your above post it would seem to me that you should configure ACLs on both interfaces connected to their own network segments. These ACLs would be configured in Inbound direction (which would control traffic heading towards the firewall from that segment and into the other segment). You could then configure both ACLs in the manner that ONLY the required source/destination IP addresses/networks/ports are allowed and all other traffic is blocked.
    I am not really sure what kind of example configuration we could give you as we don't really know what the whole setup is going to be.
    Hope this helps
    - Jouni
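As an added illustration of the steps Jouni lists (this fragment is not from his post or from Cisco's documentation), here is how an Active/Standby pair guarding two internal segments with no NAT and inbound ACLs on each interface would look on an ASA running 8.3 or later. Every interface name, address, object name, host and port below is an assumed placeholder; the primary/secondary roles, standby addresses and the explicit logged deny at the end of each ACL are the parts worth copying.

```cisco
! Added example, not from the forum post. All names, addresses and ports are
! assumed placeholders. Primary unit shown; the secondary unit carries the same
! configuration except "failover lan unit secondary".

! --- Failover pair: dedicated link, standby addresses, interface monitoring ---
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover polltime interface 5 holdtime 25
! The Active unit owns the primary address of each interface; the Standby
! unit answers on the "standby" address, which is how each side checks the other.

interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
interface GigabitEthernet0/1
 nameif lab
 security-level 50
 ip address 10.2.2.1 255.255.255.0 standby 10.2.2.2
!
! Only these two data interfaces decide a failover; the failover link itself is excluded.
monitor-interface inside
monitor-interface lab

! --- Firewalling: one inbound ACL per segment, only the required flows, deny-all logged ---
object network INSIDE_CLIENT
 host 10.1.1.50
object network LAB_APP_SERVER
 host 10.2.2.80

! Flows initiated from the inside segment towards the lab segment.
access-list INSIDE_IN extended permit tcp object INSIDE_CLIENT object LAB_APP_SERVER eq 8443
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! Flows initiated from the lab segment towards the inside segment. Return
! traffic for the connections above is allowed by the stateful inspection,
! so it does not need its own permit here.
access-list LAB_IN extended permit tcp object LAB_APP_SERVER object INSIDE_CLIENT eq 5900
access-list LAB_IN extended deny ip any any log
access-group LAB_IN in interface lab

! No "nat" statements at all: with none configured the ASA routes between the
! two segments without translating addresses, as the post suggests.
```

After pushing this, `show failover` on either unit confirms the roles and that both data interfaces are monitored and "Normal", and `show access-list` shows hit counts per line, so the logged deny entries tell you which flows you forgot to model before anything is opened up further.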
