OS X Firewall isn't firewalling

Similar Messages

• TMG Traffic For a Specific IP isn't leaving the server despite valid routes and no firewall

  Hi,
   I'm struggling to troubleshoot a TMG networking issue:
  I have a TMG server setup in my DMZ. Inbound traffic hits the a 3rd party firewall router, goes to the TMG server and is then routed back through the 3rd party firewall router to my internal network. I've setup web publishing rules and listeners for IIS
  sites and SMTP traffic using a different IP to listen for 2 different websites and another IP for SMTP.
  The issue I have is that my TMG server can't ping a server on the internal network on a specific IP:
  TMG can ping 192.168.11.190
  TMG cannot ping 192.168.11.191
  Firewall rules are configured to permit traffic (no deny connections are shown in the monitor).
  tracert and pings to 192.168.11.190 hit the internal IP of the 3rd party router
  tracert to 192.168.11.191 simply responds with * * * * before timing out
  Monitoring from within TMG shows the correct IP is being used in both cases (internal NIC 192.168.10.10).
  A route print from TMG has a valid route to the internal network:
  (network)192.168.11.128 (mask) 255.255.255.128 (gateway) 192.168.10.126
  In summary:
   - TMG can ping 192.168.11.190, but not 192.168.11.191
   - Valid routes exists 
   - No firewall rules are blocking communication
   - Traffic to 192.168.11.191 doesn't seem to be leaving the TMG server 
  Any advice on solving this would be appreciated.
  Cheers

  It can have many reasons, but it appears to me you are having a routing issue. I can't say for sure, because I don't have the entire IP Addressing sheme. I assume you have used separate subnets for the External DMZ and Internal DMZ.
  Have you configured the 192.168.11.128/25 subnet as a correct 'Address' range 192.168.11.128 - 192.168.11.255 on the 'Internal' interface within TMG?
  Boudewijn Plomp | BPMi Infrastructure & Security
  This posting is provided "AS IS" with no warranties, and confers no rights. Please remember, if you see a post that helped you please click "Vote as Helpful", and if it answered your question, please click "Mark as Answer".

• We use a Watchguard Firewall to Login to the Internet. It uses a Java Applet. Why isn't it loading properly after upgrading to 8.0

  This is what appears instead of the login Screen:
  <html><head><title>Watchguard Authentication Applet</title></head>
  <body BGCOLOR="#FFFFFF"><applet name="WatchGuard Authentication" code=Main width=600 height=250>
  <param name=HOST value=192.168.0.1>
  <param name=PORT value=4100>
  <param name=imagename value=logo.gif>
  </applet></body></html>

  Do you have another device to check if the router or your ipad.  It's good to check on another device if available.  If you don't go to Settings > Network > Reset all network settings.  I'm going from memory but think it's here.  This will prompt you to log in again like the first time.  Good luck. 

• VPN License question on 5505 ASA Firewall

  Inherited a firewall project, it's getting a VPN running on a ASA 5505 Firewall for remote workers.  Firewall was configured by someone else who isn't available. 
  Basic question on the License: The current license is good for 2 SSL VPN Peers, and 20 "Total VPN Peers".  Can anyone elaborate on "Total VPN Peers"?  Can I configure Clientless SSL VPN connections, or do I need to go IPSec to get the 20 VPN sessions?
  Thank you in advance,
  Jeff

  Hi Linda,
  The default IKE SA lifetime is 86,400 seconds and the default IPSEC SA lifetime is 28,800 seconds. However, these values are configurable so you'll need to check your 5505 configuration to answer these questions. You can look at the output of 'show run crypto' to see the configured values.
  -Mike

• Help with Firewall and Internet Sharing

  I’m trying to use my Mac Mini with an Airport Extreme card, which is connected to the internet using Siemens Speedstream 4100 DSL modem, for Internet Sharing with a Windows (work) laptop.
  So, in the Sharing preferences panel:
  Share connection from: Built in Ethernet
  To computers using: Airport
  I get the warning message:
  Other settings may interfere with Internet Sharing.
  The ‘More Info’ button gives the popup message:
  Your firewall settings will prevent computers sharing your internet connection from browsing the web. Enable Personal Web Sharing in the Services pane to allow computers sharing your connection to browse the web.
  I do that, turn the Airport card on, and the laptop can see the network, but can’t connect.
  If I turn the Firewall off, then I can connect fine, but then I don’t have a Firewall. Isn’t that risky if I’m using DSL? How can I do the internet sharing and still protect my computer?
  I realize I could buy a router with a built-in firewall, but isn’t there a way to set up the system using what I have?

  BDAqua wrote:
  We just need to figure out what port is needed. I'd goto Sharing>Firewall>New>Port Name... Other, and try Port 53 both UDP and TCP.
  Oh, and when you say the PC can't connect, could that just mean it can't browse?
  On the PC, put the IP of the Mac in DNS servers, or...
  208.67.222.222
  208.67.220.22
  Well, I'm unable to set the DNS server addresses, as this is a work computer and I don't have the administrative privileges.
  How bad is it to just turn the Firewall on the Mac off when I want to use the connection?

• So I was trying to enhance my firewall to the point of inoperability and...

  Situation:
  Like what all really cool people do on a Saturday night, I was perusing the bowels of my unix stuff on my Mac last night, and did a sudo ipfw list. I noticed that ports 67, 68, 69, 137, 138, and 139 were open from any to any. I know that 13x ports are used for Windoze sharing, and that /etc/services shows those ports are for something to do with netbios and tftp. Windows Sharing did not show up as being enabled in SysPrefs Sharing Services, and no other services using any of these six ports showed up as being enabled in SysPrefs Sharing Firewall.
  I have no idea how or why those ports would be enabled. At work, I have Macs. My sons and daughter have Macs. Nobody would be connecting to my home network, either internally or from the internet at large and doing anything windoze-like. And I never recall having ever seen this ports opened before when doing a ipfw list.
  So, I got scared. I figured that I would do a sudo ipfw flush, which I did, and then just use SysPrefs Sharing Firewall to click checkboxes to reenable the services that I want. Well, that was the start of my enhancing my firewall to the point of inoperability. When I go into the SysPrefs Sharing Firewall panel, I get a splash screen that says something to the tune of "another firewall is active on this computer, so if you want to do anything here on this Firewall panel, turn off the other firewall software."
  Fortunately, I had done a sudo ipfw list > portList.txt so I could at least manually sudo ipfw add back the ports that I thought I wanted (and the ports I thought I wanted denied). So that's where I'm at now. But now it's a real annoyance that I don't have "checkbox control" of services and ports through the SysPrefs Sharing Firewall panel anymore, and instead have to do the "sudo ipfw add/subtract/multiply/divide {rule#} {whatever}" thing now. I don't know how to regain control of my Apple firewall and the SysPrefs Sharing Firewall panel.
  Of course this doesn't address the issue of what opened those ports, and if it happens again, an "archive and reinstall" of the OS, along with an install of fink/macports tripwire, may be in order. But that's an inconvenience to have to do, and hopefully I can avoid having to do that. In the meantime, regaining control of my Apple firewall and the SysPrefs Sharing Firewall panel, would realy be nice, and that is my question. What do I do, and how do I do it?
  Thanks in advance.

  First, take a deep breath...
  For one, the System Preferences knows nothing about the command line ipfw changes that you made. It expects to be the interface for setting and changing firewall rules, so when you've changed them manually (ipfw flush) it sees that the current rules doesn't match what it expects and hence the error message.
  Secondly, the presence, or otherwise, of those ports does not mean they are active. Just that ipfw isn't blocking them. There still has to be some process on the machine listing to the port in order for anything to actually happen. It's akin to leaving a door open - it's fine when all that's behind that door is a brick wall.
  A better test is to see what's actually being used on your machine, and ipfw cannot tell you that (at least, not easily). Better tools include netstat and lsof.
  netstat -a will give you a list of every network connection in use. Just don't be shocked if there are more there that you expect - the OS uses a lot of them internally. What you're most interested in is the ports in LISTEN state (piping the output through 'grep LISTEN' is a simple solution).
  Now you can focus on which ports your machine will actually respond to (assuming the firewall also allows traffic through).
  If you have a port number that you don't recognize then you can invoke lsof which has the ability to list all open files, network ports, etc. To track a port number, use the form:
  <pre class=command>sudo lsof -i :port</pre>
  This will tell you any process that is using the specified port number. From there you should be able to determine whether or not there's an issue.

• ITunes no longer runs since buying Match. Within ten seconds of opening, it crashes, everytime. Firewall off, latest version of iTunes reinstalled, Windows updates/etc. on, no other software running at the same time. Error-report just says reinstall.

  I can no longer use iTunes whatsoever.
  I'm hoping to get a refund for the $25 wasted on match if my PC isn't compatible. But how the **** do I get iTunes as a whole to stop crashing?
  I'm on Windows 7 with AMD C-50 processor and 2GB RAM, 250GB hard disc.
  Never had an issue with Apple products before today.
  Windows error reporting claims that "an update to iTunes addresses the issue", but not only did I have 10.5.3 already, I went ahead and reinstalled it, too, and the 64bit version just for the **** of it in case that'd make difference. No luck.
  I mean, surely, the fact that this is only happening to me means it is a problem with my system. But I don't suppose its the usual stuff that way, way inexperienced computer users end up on these forums about. No viruses (are there PC viruses that only affect iTunes match? sounds far fetched.) No firewall issues. Not running outdated software. I imagine its my CPU, my hardware, thats just not compatible with Match.
  Anyways. The crash occurs about 20% into the progress bar of gathering info about your library for match. When restarting, it asks to log off and log back in to the itunes store. A few times I was able to do that, by getting to the little X and cutting off match before it could crash (still logging out and logging back in made no difference), but now the speed at which it gets to the 20% and crashes is so fast I can't beat it to it.
  Do you suppose the Apple store at the mall, since I just got a 4S with Apple Care+ might be able to help me, or would there be a fee? I can't afford a new computer right now, and if mine just could never work with match period, might I get a refund?

  How big is your library?  I would recommend the following troubleshooting steps:
  - Backup your library.  Always a good idea before messing with things.  
  - Create a new library.   Refer to this article for details:  http://support.apple.com/kb/HT1589.  This won't delete your old library, you're just creating a new empty one.  Also refer to this article to get back to your old library later.
  - Add a few albums into this new library.  Not everything, just a small sampling, as a test.
  - Activate Match on this new library.  You shouldn't have to re-pay, it should just say "Add Computer" or similar.
  - At this point, Match should run again. With just a few albums it should complete in just a few minutes.
  If iTunes doesn't crash at this point, then likely there's something about your original library that Match doesn't like - what that is I don't know, but at least you'll know it's not your PC.   If iTunes still crashes, then if could be a number of other things, but probably not your library.   My next suggestion (if you haven't already done this) is to uninstall / reinstall iTunes.   If that doesn't work, then my next ideas you won't like.   

• Help, please!  I've Been Hacked!  Firewall & Admin permissions changed?

  Running on 10.4
  MacBook Pro
  You guys have been great, and I tried to read as many threads as I could to solve the problem on my own, but I'm in way too over my head. Okay, I'm going to struggle through explaining this as best I can and just list the "highlights" of what has been going on. More details are below.
  Several events occurred simultaneously, and I'm not sure which did what damage.
  Scanned my machine with ClamXav. Trojan was found. I deleted the Trojan.
  I downloaded a script (against my better judgement), opened it and my machine started working hard. Activity monitor was going crazy. Immediately shut down Airport. Looked at my Firewall, and EVERYTHING was open. I always keep Firewall on. Looked at logs (and saved a few). Good thing I did because for some reason, I now do not have permission to view sa or security logs. Awesome.
  Here is a more detailed account of what happened. I know it's long, but I'm trying to answer any questions you guys might have.
  Two nights ago, I scanned my machine using Clam. It was the first time I had run the scan, and it found a Trojan in the form of an mp3. I located the file in Finder so that I would know where it was located to delete it, clicked on info, and iTunes opened, which I had not planned on because I had only selected info. I immediately force quit iTunes and deleted the file. I was never prompted for my password, so *was the virus executed*? I have since run Clam several times, and there are no infected files.
  Next thing: I downloaded a script which I'm 99% sure was malicious. I'm not a techie, and I know this was incredibly stupid given my lack of knowledge. After opening it, I saw that it was all in a different language (Portuguese, I think?), and immediately closed and deleted. Then my machine started running hard... I checked activity monitor, and things were going crazy. I immediately disconnected from Airport. I don't remember exactly what the numbers were, but there were a lot of page ins/page outs and data being read/written. (I don't even know what those mean exactly, but I check Activity Monitor fairly frequently to look at memory and see what programs are taking up space.) But I was also doing a scan with Clam and I had about 14 tabs open in Safari, so I'm not certain if the activity was correlated to the scan or to the script or to having so many things open and going at once.
  I checked my firewall, and it was off. I hadn't looked at it in a few months, but I'm fairly certain I had it activated. Remote access, FTP, etc. - basically all sharing options were enabled. I disabled everything and started the Firewall. I looked at the logs (even though I don't really know how to read them) and saved several of them which I would be glad to post here. One I saved was the Secure Log - I tried to look at any new activity today, and I got the message "You do not have permission to read this log file". What's strange is that my Firewall has logs dated for preceding days and months... but the Firewall was not activated when I initially checked it.?? That doesn't make a lot of sense to me.
  I created a Master Password (alphanumeric 17 characters) in File Vault, but I did not turn on Fire Vault... I'm not sure if this changed any settings and has to do with why I can't read certain log files.? To my knowledge, I'm still the admin.? How do I tell if that has been changed? I ran Disk Utility, and it changed a few permissions, fwiw, but I still don't have access to particular logs.
  I have Little Snitch running, and it hasn't shown anything abnormal. I looked at my DNS, and it's the same as what it always has been. I'll be glad to post the logs I have, but I don't know what's pertinent and what isn't. Here's a Big Problem: I don't have my installation disk. I know I will probably be advised to wipe everything and reload, but the disk is 500+ miles away tucked in a storage facility. This is killing me. I've been reading everything I can on this forum (you guys are awesome, btw), and was going to try to muddle through this on my own, but I'm way over my head. How can I reinstall if I don't have the installation disks? Or maybe I'm being paranoid and someone didn't get in to my system? Any help would be appreciated.

  If this helps, this is my Firewall plist. The plist was created on the day and around the time of all this happening. If everything is enabled to be editable, does that mean that they could have rewritten the codes after I locked everything down?
  <plist version="1.0">
  <dict>
  <key>allports</key>
  <array/>
  <key>alludpports</key>
  <array/>
  <key>firewall</key>
  <dict>
  <key>Apple Remote Desktop</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>3283</string>
  <string>5900</string>
  </array>
  <key>row</key>
  <integer>5</integer>
  <key>udpport</key>
  <array>
  <string>3283</string>
  <string>5900</string>
  </array>
  </dict>
  <key>FTP Access</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>21</string>
  </array>
  <key>row</key>
  <integer>4</integer>
  </dict>
  <key>Network Time</key>
  <dict>
  <key>editable</key>
  <integer>1</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>row</key>
  <integer>11</integer>
  <key>udpport</key>
  <array>
  <string>123</string>
  </array>
  </dict>
  <key>Personal File Sharing</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>548</string>
  <string>427</string>
  </array>
  <key>row</key>
  <integer>0</integer>
  </dict>
  <key>Personal Web Sharing</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>80</string>
  <string>427</string>
  <string>443</string>
  </array>
  <key>row</key>
  <integer>2</integer>
  </dict>
  <key>Printer Sharing</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>631</string>
  <string>515</string>
  </array>
  <key>row</key>
  <integer>7</integer>
  </dict>
  <key>Remote Apple Events</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>3031</string>
  </array>
  <key>row</key>
  <integer>6</integer>
  </dict>
  <key>Remote Login - SSH</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>22</string>
  </array>
  <key>row</key>
  <integer>3</integer>
  </dict>
  <key>Samba Sharing</key>
  <dict>
  <key>editable</key>
  <integer>0</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>139</string>
  </array>
  <key>row</key>
  <integer>1</integer>
  <key>udpport</key>
  <array>
  <string>137</string>
  <string>138</string>
  </array>
  </dict>
  <key>iChat Rendezvous</key>
  <dict>
  <key>editable</key>
  <integer>1</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>5297</string>
  <string>5298</string>
  </array>
  <key>row</key>
  <integer>8</integer>
  </dict>
  <key>iPhoto Rendezvous Sharing</key>
  <dict>
  <key>editable</key>
  <integer>1</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>8770</string>
  </array>
  <key>row</key>
  <integer>10</integer>
  </dict>
  <key>iTunes Music Sharing</key>
  <dict>
  <key>editable</key>
  <integer>1</integer>
  <key>enable</key>
  <integer>0</integer>
  <key>port</key>
  <array>
  <string>3689</string>
  </array>
  <key>row</key>
  <integer>9</integer>
  </dict>
  </dict>
  <key>loggingenabled</key>
  <integer>1</integer>
  <key>state</key>
  <true/>
  <key>stealthenabled</key>
  <integer>1</integer>
  <key>udpenabled</key>
  <integer>1</integer>
  </dict>
  </plist>

• How can i open a new Port on Firewall service (1200)

  Hello,
  i need to open a port 1200 for one Application on my macmini server 10.6..
  I have try to ad port to a Service and i did it, but is seams like the port
  dont exist.
  With Networkutility i make a port scan, but i don´t became succsses massage.
  What is the best Way to open a port on Mac OS X Server 10.6.

  You're probably working with broken client software (bad client test, bogus diagnostic, routing or IP error of some ilk), or the application server itself isn't starting correctly, or the firewall wasn't reconfigured correctly for the source address, or there's an intermediate firewall involved here.  
  If it's the Mac OS X Server firewall that's blocking the traffic, you should see accesses in the log file, depending on the settings.  (If you have an external gateway-firewall at the edge of your network and a private LAN, then drop the server firewall and try it from a local client.  That'll provide clear evidence of which components are culprits and which are merely bystanders.)
  If you're running the Mac OS X Server box as a gateway firewall, then IP routing errors can easily arise.
  If you want to see if something is bound to port 1200 on the Mac OS X Server box, then launch Terminal.app and issue the command:
  sudo lsof -i -P | grep -i ":1200"
  and see what turns up.  You'll need to specify your administrative password for the sudo.
  Port 1200 looks to be used for some Steam games and for some malware.  Most of the games seem to be UDP, though a few are both TCP and UDP.  The malware usually found on 1200 is reportedly largely using UDP.

• Cannot connect to the iTunes store. Get 'Error 11222'. Claims it is being blocked by Windows Firewall when it is allowed through.

  When an external application tries to connect to it through iTunes I get 'Error: 11222'. When I try to connect through the iTunes app it just continuously loads but nothing appears. Diagnostics says that Windows Firewall (Which is being managed by McAfee) is blocking it, even though it is allowed through both firewalls I have. Even when I turn WF off iTunes claims it is being blocked by it. I have done almost everything Apple's support pages have suggested but nothing has worked. I'm using it on an Acer Aspire laptop, and the main PC can use iTunes without trouble so it isn't the ISP. I have uninstalled and reinstalled iTunes twice. Here is a full diagnostics:
  Microsoft Windows 7 x64 Home Premium Edition Service Pack 1 (Build 7601)
  Acer Aspire 5738
  iTunes 10.6.3.25
  QuickTime 7.7.2
  FairPlay 1.14.43
  Apple Application Support 2.1.9
  iPod Updater Library 10.0d2
  CD Driver 2.2.0.1
  CD Driver DLL 2.1.1.1
  Apple Mobile Device 5.2.0.6
  Apple Mobile Device Driver not found.
  Bonjour 3.0.0.10 (333.10)
  Gracenote SDK 1.9.6.502
  Gracenote MusicID 1.9.6.115
  Gracenote Submit 1.9.6.143
  Gracenote DSP 1.9.6.45
  iTunes Serial Number 0042AD4403249D18
  Current user is an administrator.
  The current local date and time is 2012-08-23 23:19:38.
  iTunes is not running in safe mode.
  WebKit accelerated compositing is enabled.
  HDCP is supported.
  Core Media is supported.
  Video Display Information
  ATI Technologies Inc., ATI Mobility Radeon HD 4570
  **** External Plug-ins Information ****
  No external plug-ins installed.
  iPodService 10.6.3.25 (x64) is currently running.
  iTunesHelper 10.6.3.25 is currently running.
  Apple Mobile Device service 3.3.0.0 is currently running.
  **** Network Connectivity Tests ****
  Network Adapter Information
  Lease Expires:       Fri Aug 24 21:30:18 2012
  DNS Servers:         192.168.1.254
  Adapter Name:        {43E41B54-39BF-45DB-A846-41062D127AFE}
  Description:            Broadcom NetLink (TM) Gigabit Ethernet
  IP Address:             0.0.0.0
  Subnet Mask:          0.0.0.0
  Default Gateway:    0.0.0.0
  DHCP Enabled:      Yes
  DHCP Server:        
  Lease Obtained:     Thu Jan 01 00:00:00 1970
  Lease Expires:       Thu Jan 01 00:00:00 1970
  DNS Servers:        
  Active Connection: LAN Connection
  Connected:             Yes
  Online:                    Yes
  Using Modem:        No
  Using LAN:             Yes
  Using Proxy:           No
  Firewall Information
  Windows Firewall is on.
  iTunes is NOT enabled in Windows Firewall.
  Connection attempt to Apple web site was unsuccessful.
  The network connection timed out.
  Basic connection to the store failed.
  The network connection timed out.
  Connection attempt to Gracenote server was successful.
  The network connection timed out.
  iTunes has never successfully accessed the iTunes Store.
  Please help me!

  The 11222 errors can sometimes be produced by LSP trouble. One of the suspects with that is some versions of McAfee Family Protection. For troubleshooting advice, see the following document:
  Apple software on Windows: May see performance issues and blank iTunes Store

• Removing spyware from a computer with no firewall/antivirus software

  I got an e-mail I thought was suspect in regards to a company on line I buy from. I called their customer service and they told me the e-mail was a survey from them if it used my full name in the body of the text (and my name was in fact in the body of the text).
  I clicked on it by accident.
  What software can I use to see if it installed spyware on my hard drive. I did not have a firewall or virus software installed. After the fact, I installed Norton Antivirus 9.0 on my hard drive and live updated to the most current version-but I know Norton has stopped supporting Macs, so I'm afraid their software won't be capable of catching the most current spyware. What can I do the ensure no spyware is on my hard drive?

  There really isn't any spyware for Macs, unless you count tracking cookies from websites. Application installations or system changes have to be authorised by you entering your password, so unless you did so at the time, you're almost certainly fine.
  In any case, I don't think NAV checks for spyware. If you want a good current antivirus application, I recommend ClamXAV. And you can turn on your Mac's built-in firewall in System Preferences - Sharing (although it doesn't protect you from downloading malware).
  Matt

• Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

  Can't update iOS 8 on my iPhone5 through iTunes on Windows 8 (error 3004, 3194). Updated host file, opened port 80, 443; turned off security system and firewall, etc. But nothing works. How to solve this problem?

  Hi the_mad_movies,
  It seems like this article will be the best option for addressing this issue:
  Error 3194, Error 17, or "This device isn't eligible for the requested build"
  http://support.apple.com/kb/ts4451
  Thanks for coming to the Apple Support Communities!
  Cheers,
  Braden

• Does Firewall do SPI?  If not, what does it do?

  Does Time Capsule have a firewall? Does it do SPI? What else does qualifies it as a firewall? NAT isn't really much protection? Would it be better to put TC upstream of a router that has a true firewall?

  NAT firewalls _+*DO NOT*+_ do SPI. Please research the differences.
  NAT simply opens IP addresses and ports, it does not track any information crossing the translation.
  SPI does track the session information to validate that the response was part of an existing session flow.
  Hackers attack cable modems all the time. It is a great place to hack into PC's that are unaware of the threat, then turn those PC's into attack tools to create distributed denial of service (DDoS) attacks.
  As far as resetting the router, you will likely obtain the same IP address during a router reset, unless there is an extended amount of time that the router is powered off. The DHCP server lease time, would have to expire during the power down interval, and the router IP address would have to be returned to the DHCP pool.
  Cisco, Linksys, Linux based - there are a lot of firewalls out there. Please make sure you are using a SPI firewall on your system at a minimum.

• Apple's Firewall opens the wrong ports!

  This is a follow up question to a problem posted in another forum here. There are a couple of screenshots in the last post that illustrate the problem.
  In System Preferences > Sharing > Firewall, checking Apple Remote Desktop opens TCP and UDP ports 3238. The problem is that Apple Remote Desktop needs ports 3283 (not 3238 - note the last two digits are transposed) and 5900. I've already worked around this issue by creating a new firewall entry that opens the correct ports, but I'd really like to get my Sharing Preferences corrected. Plus it bothers me that I can't block port 3238 by unchecking Apple Remote Desktop since that will prevent ARD from working, even though it opens the wrong ports.
  This isn't really an Apple Remote Desktop problem, it's something wrong with the firewall in this system's version of OS X. Any idea how I can fix it, other than the ugly workaround I'm using, and short of reinstalling OS X?

  Editing the .plist file is easy with xcode's Property List Editor, which I just installed. However, before I did that I simply copied a "correct" /Library/Preferences/com.apple.sharing.firewall.plist file from another computer. That was even easier

• I could previously open my itunes program on my computer. Not now as when it asks, Do you want to allow this program to make changes to your computer and I select, Yes, it shuts down.  I have removed and re-installed itunes, checked firewall. Pls help

  I could previously open my itunes program on my computer and sync with ipad, ipod and iphone but no longer. When I select itunes a dialogue box opens  with question - "Do you want to allow this program to make changes to your computer"  When I select YES, it just shuts down.   I have removed and reinstalled itunes. have checked firewall and spent hours trying to fix. Please help.

  A possible cause of this error is that Firefox is set to run as Administrator.
  Check that Firefox isn't set to run as Administrator.
  Right-click the Firefox desktop shortcut and choose "Properties".
  Make sure that all items are deselected in the "Compatibility" tab of the Properties window.
  * Privilege Level: "Run this program as Administrator" should not be selected
  * "Run this program in compatibility mode for:" should not be selected
  Also check the Properties of the firefox.exe program in the Firefox program folder (C:\Program Files\Mozilla Firefox\).