Ports for Firewall rules

Similar Messages

• Ports for Firewall in Leopard

  I have a question about how to open ports in Leopard's firewall. I have been having issues with iChat AV and Sightspeed that point to Leopard's firewall settings, but I am at a loss as to how to set ports.
  I have a long history of trying to make iChat AV work for myself and for my friends and family, and I have long used the very helpful tips and suggestions provided by Ralph Johns and others. My current situation is this: I recently upgraded my iMac G5 to Leopard, and have successfully used iChat AV with several contacts, both before and after the upgrade. A friend recently purchased a new Intel iMac, and we cannot use iChat AV, and I suspect it is an ISP port blocking issue on his end, which he is attempting to check out. Meanwhile, I have had him download Sightspeed, and we have successfully used it to video chat using my MacBook with Tiger. However, when I try to video chat using Sightspeed on my iMac G5 with Leopard, I get an "Error: 503" message, which Sightspeed says may be related to firewall issues. Previously, I have used Sightspeed successfully using my iMac G5 with Tiger, and without any configuration issues. Since my MacBook uses my wireless home network, and can connect with Sightspeed, and since my iMac G5 USED to connect with Sightspeed before Leopard, I am leaning towards Leopard's firewall as the culprit. I want to make sure Leopard's firewall is allowing both incoming and outgoing Sightspeed traffic, but I don't know how to configure the firewall. Of course, I am always open to other troubleshooting ideas.
  Thanks in advance for any suggestions, Tom

  The Leopard Firewall is now in System Preferences > Security.
  The Allow Specifics setting needs to set anew if the 10.5.1 update has been done since any Allow Specifics was set.
  It works on a application basis. Each app in the list is given what is called a Certificate by the OS and any ports it uses is then allowed.
  So it needs to be set for iChat and Sightspeed.
  9:01 PM Sunday; January 13, 2008

• Alternative Ports for Firewall

  The hotel I'm staying at has the port blocked. Are there alternative ports anyone would recommend???
  Thank you!!!!

  text Chatting or A/V
  Text Chatting - Go to iChat > Preferences > Accounts > Server settings Set the port to 443
  A/V ports can not be changed.
  Leopard will get round the 5060 issue.
  11:08 PM Wednesday; November 21, 2007

• RV120w DMZ Firewall Rules

  Hello,
  I am trying to set up a DMZ server.  I have an internal LAN IP address (192.168.1.10) that I would like to make a DMZ server. 
  In the GUI, I set this IP address to be the DMZ server.
  For firewall rules, I want to permit only one port from the WAN to the DMZ and none from the DMZ to the LAN.
  In my firewall rules, I don't see any options for DMZ options.  I only see WAN to LAN and LAN to WAN.
  I presume the DMZ setting doesn't do anything per se execept allow the firewall rules to have a target.  Is this correct?
  I am running the latest firmware.
  How do I get the DMZ firewall rules to show up?
  Thanks,
  John

  Hello,
  I have to say that this DMZ definition is not what I would excect Cisco to use.
  Basically, my DMZ host is fully exposed to the internet and if someone penetrates it, they are fully on my LAN.
  The manual says:
  Configuring a DMZ Host
  The Cisco RV120W supports DMZ options. A DMZ is a sub-network that is open to
  the public but behind the firewall. DMZ allows you to redirect packets going to
  your WAN port IP address to a particular IP address in your LAN. It is
  recommended that hosts that must be exposed to the WAN (such as web or e-mail
  servers) be placed in the DMZ network. Firewall rules can be allowed to permit
  access to specific services and ports to the DMZ from both the LAN or WAN. In
  the event of an attack on any of the DMZ nodes, the LAN is not necessarily
  vulnerable as well.
  You must configure a fixed (static) IP address for the endpoint that will be
  designated as the DMZ host. The DMZ host should be given an IP address in the
  same subnet as the router's LAN IP address but it cannot be identical to the IP
  address given to the LAN interface of this gateway.
  The bold section indicates that the LAN is not vulnerable if the DMZ host falls.  This is different from what you were talking about.  Can you double check this?
  I would like to know if there is a plan to add DMZ firewall rules.  Or, can I get into the box and use IPtables to create my own (knowing that I would be in an unsupported mode)?
  Or, make port access control lists on the inter VLAN routing option?
  Thanks for fully explaining this.  The manually is woefully inadequate in discussing what exactly the DMZ does.
  Can you please forward these concerns to product management.  Basically the DMZ is a security hole that I can't mitigate.  It provides no value to me beyond not having to port forward manually. 
  If I am mistaken, please provide the correct information.
  Thanks,
  John

• 0x8007000e (E_OUTOFMEMORY) while adding a firewall rule using the windows firewall COM API

  Hello,
  Configuration: Windows Embedded 8 64-bit.
  I'm using the Windows Firewall with Advanced Security COM API. The program uses the INetFwRules interface. Basically, I'm using the following code (Form the code sample available here : http://msdn.microsoft.com/en-us/library/windows/desktop/dd339604%28v=vs.85%29.aspx.)
   I get the error when performing "hr = pFwRules->Add(pFwRule);".
  We can also encounter the problem when removing a rule (using pFwRules->Remove(ruleName);)
  HRESULT hrComInit = S_OK;
  HRESULT hr = S_OK;
  INetFwPolicy2 *pNetFwPolicy2 = NULL;
  INetFwRules *pFwRules = NULL;
  INetFwRule *pFwRule = NULL;
  long CurrentProfilesBitMask = 0;
  BSTR bstrRuleName = SysAllocString(L"SERVICE_RULE");
  BSTR bstrRuleDescription = SysAllocString(L"Allow incoming network traffic to myservice");
  BSTR bstrRuleGroup = SysAllocString(L"Sample Rule Group");
  BSTR bstrRuleApplication = SysAllocString(L"%systemroot%\\system32\\myservice.exe");
  BSTR bstrRuleService = SysAllocString(L"myservicename");
  BSTR bstrRuleLPorts = SysAllocString(L"135");
  // Initialize COM.
  hrComInit = CoInitializeEx(
  0,
  COINIT_APARTMENTTHREADED
  // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
  // initialized with a different mode. Since we don't care what the mode is,
  // we'll just use the existing mode.
  if (hrComInit != RPC_E_CHANGED_MODE)
  if (FAILED(hrComInit))
  printf("CoInitializeEx failed: 0x%08lx\n", hrComInit);
  goto Cleanup;
  // Retrieve INetFwPolicy2
  hr = WFCOMInitialize(&pNetFwPolicy2);
  if (FAILED(hr))
  goto Cleanup;
  // Retrieve INetFwRules
  hr = pNetFwPolicy2->get_Rules(&pFwRules);
  if (FAILED(hr))
  printf("get_Rules failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Create a new Firewall Rule object.
  hr = CoCreateInstance(
  __uuidof(NetFwRule),
  NULL,
  CLSCTX_INPROC_SERVER,
  __uuidof(INetFwRule),
  (void**)&pFwRule);
  if (FAILED(hr))
  printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Populate the Firewall Rule object
  pFwRule->put_Name(bstrRuleName);
  pFwRule->put_Description(bstrRuleDescription);
  pFwRule->put_ApplicationName(bstrRuleApplication);
  pFwRule->put_ServiceName(bstrRuleService);
  pFwRule->put_Protocol(NET_FW_IP_PROTOCOL_TCP);
  pFwRule->put_LocalPorts(bstrRuleLPorts);
  pFwRule->put_Grouping(bstrRuleGroup);
  pFwRule->put_Profiles(CurrentProfilesBitMask);
  pFwRule->put_Action(NET_FW_ACTION_ALLOW);
  pFwRule->put_Enabled(VARIANT_TRUE);
  // Add the Firewall Rule
  hr = pFwRules->Add(pFwRule);
  if (FAILED(hr))
  printf("Firewall Rule Add failed: 0x%08lx\n", hr);
  goto Cleanup;
  This works pretty well but, sometimes, at system startup, adding a rule ends up with the error 0x8007000e (E_OUTOFMEMORY) ! At startup, the system is always loaded cause several applications starts at the same time. But nothing abnormal. This is quite a random
  issue.
  According MSDN documentation, this error indicates that the system "failed to allocate the necessary memory".
  I'm not convinced that we ran out of memory.
  Has someone experienced such an issue? How to avoid this?
  Thank you in advance.
  Regards, -Ruben-

  Does Windows 8 desktop have the same issue? Are you building a custom WE8S image, or are you using a full WE8S image? The reason I ask is to make sure you have the modules in the image to support the operation.
  Is Windows Embedded 8.1 industry an option?
  www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

• Closed port for torrent with no iptables.rules

  I have a home system with internet connection over a router. Firewall in the router seems to be disabled. I had installed guarddog and selected all the protocols that I need. There is no iptables in deamons line of rc.conf nor there is any iptables.rules files. There are 2 files in /etc/iptables, empty.rules and simple_firewall.rules. So, I wonder if any firewall is working at all in my system since guarddog is a frontend to iptables (i guess) and also is there any need for firewall since almost all the ports are closed.
  Secondly, the main issue. I was using ktorrent and it was working fine until a few days ago. Now, bittorrent is not working. its not connecting at all. I tried deluge from community repo and tested the ports with http://www.deluge-torrent.org/test-port.php?port=6881 and it gave me this result:
  TCP port 6881 closed on 121.247.200.189
  UDP port 6881 open on 121.247.200.189
  121.247.200.189 seems to be the ip of my isp as I got a dynamic one.
  I am able to reach surf net but not able to download using bitorrent, however, both is possible in windows.
  Taking clue from forum, i did nmap.
  nmap on my router
  [shantanu@bluehead ~]$ nmap 192.168.1.1
  Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:49 IST
  Interesting ports on 192.168.1.1:
  Not shown: 1679 filtered ports
  PORT STATE SERVICE
  21/tcp open ftp
  23/tcp open telnet
  53/tcp closed domain
  80/tcp open http
  443/tcp closed https
  554/tcp closed rtsp
  1755/tcp closed wms
  2401/tcp closed cvspserver
  5000/tcp closed UPnP
  5001/tcp closed commplex-link
  5050/tcp closed mmcc
  6881/tcp closed bittorent-tracker
  6969/tcp closed acmsoda
  7070/tcp closed realserver
  8000/tcp closed http-alt
  8080/tcp closed http-proxy
  8888/tcp closed sun-answerbook
  11371/tcp closed pksd
  Nmap finished: 1 IP address (1 host up) scanned in 27.653 seconds
  nmap on my ip
  [shantanu@bluehead ~]$ nmap 192.168.1.5
  Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:48 IST
  Interesting ports on 192.168.1.5:
  Not shown: 1696 closed ports
  PORT STATE SERVICE
  6000/tcp open X11
  Nmap finished: 1 IP address (1 host up) scanned in 0.519 seconds
  nmap on isp's ip displayed above.
  [shantanu@bluehead ~]$ nmap 121.247.200.189
  Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:50 IST
  Interesting ports on 121.247.200.189.bang-dynamic-bb.vsnl.net.in (121.247.200.189):
  Not shown: 1679 filtered ports
  PORT STATE SERVICE
  21/tcp open ftp
  23/tcp open telnet
  53/tcp closed domain
  80/tcp open http
  443/tcp closed https
  554/tcp closed rtsp
  1755/tcp closed wms
  2401/tcp closed cvspserver
  5000/tcp closed UPnP
  5001/tcp closed commplex-link
  5050/tcp closed mmcc
  6881/tcp closed bittorent-tracker
  6969/tcp closed acmsoda
  7070/tcp closed realserver
  8000/tcp closed http-alt
  8080/tcp closed http-proxy
  8888/tcp closed sun-answerbook
  11371/tcp closed pksd
  Nmap finished: 1 IP address (1 host up) scanned in 30.573 seconds
  Everywhere the bittorrent port seems to be closed. [b]How do I open this port?.[b/]
  Last edited by ravisghosh (2007-06-25 21:09:55)

  @madeye, first of all thanks a lot for such elaborate help.
  I used utorrent in windows and u r very much right that it uses UPnP. In deluge (bt client on arch), UPnP was there but disabled (shaded). Hence, I tried running utorrent using wine and it gave a error message "Unable to map UPnP port' and is not able to connect. So, UPnP is not working in my box.
  Then I tried as you suggested "iptables -L" and it gave me the following results.
  [shantanu@bluehead ~]$ sudo iptables -L
  Chain INPUT (policy DROP)
  target prot opt source destination
  ACCEPT 0 -- anywhere anywhere
  ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
  ACCEPT 0 -- 192.168.1.5 192.168.1.255
  logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
  ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
  ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
  ACCEPT icmp -- anywhere anywhere icmp time-exceeded
  ACCEPT icmp -- anywhere anywhere icmp parameter-problem
  nicfilt 0 -- anywhere anywhere
  srcfilt 0 -- anywhere anywhere
  Chain FORWARD (policy DROP)
  target prot opt source destination
  ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
  ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
  ACCEPT icmp -- anywhere anywhere icmp time-exceeded
  ACCEPT icmp -- anywhere anywhere icmp parameter-problem
  srcfilt 0 -- anywhere anywhere
  Chain OUTPUT (policy DROP)
  target prot opt source destination
  ACCEPT 0 -- anywhere anywhere
  ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
  ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
  ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
  ACCEPT icmp -- anywhere anywhere icmp time-exceeded
  ACCEPT icmp -- anywhere anywhere icmp parameter-problem
  s1 0 -- anywhere anywhere
  Chain f0to1 (3 references)
  target prot opt source destination
  ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
  ACCEPT icmp -- anywhere anywhere icmp echo-reply
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
  logdrop 0 -- anywhere anywhere
  Chain f1to0 (1 references)
  target prot opt source destination
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:6969 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http-alt state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
  ACCEPT tcp -- anywhere anywhere tcp dpt:rtsp state NEW
  ACCEPT tcp -- anywhere anywhere tcp dpt:7070 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:cvspserver state NEW
  ACCEPT tcp -- anywhere anywhere tcp dpt:1755 state NEW
  ACCEPT udp -- anywhere anywhere udp dpt:1755
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:11371 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5050 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:telnet state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:5000:5001 state NEW
  ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:5000
  ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
  ACCEPT udp -- anywhere anywhere udp dpt:domain
  ACCEPT icmp -- anywhere anywhere icmp echo-request
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5222 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5223 state NEW
  ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
  logdrop 0 -- anywhere anywhere
  Chain logaborted (1 references)
  target prot opt source destination
  logaborted2 0 -- anywhere anywhere limit: avg 1/sec burst 10
  LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
  Chain logaborted2 (1 references)
  target prot opt source destination
  LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
  ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
  Chain logdrop (4 references)
  target prot opt source destination
  logdrop2 0 -- anywhere anywhere limit: avg 1/sec burst 10
  LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
  DROP 0 -- anywhere anywhere
  Chain logdrop2 (1 references)
  target prot opt source destination
  LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
  DROP 0 -- anywhere anywhere
  Chain logreject (0 references)
  target prot opt source destination
  logreject2 0 -- anywhere anywhere limit: avg 1/sec burst 10
  LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
  REJECT tcp -- anywhere anywhere reject-with tcp-reset
  REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
  DROP 0 -- anywhere anywhere
  Chain logreject2 (1 references)
  target prot opt source destination
  LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
  REJECT tcp -- anywhere anywhere reject-with tcp-reset
  REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
  DROP 0 -- anywhere anywhere
  Chain nicfilt (1 references)
  target prot opt source destination
  RETURN 0 -- anywhere anywhere
  RETURN 0 -- anywhere anywhere
  RETURN 0 -- anywhere anywhere
  logdrop 0 -- anywhere anywhere
  Chain s0 (1 references)
  target prot opt source destination
  f0to1 0 -- anywhere 192.168.1.5
  f0to1 0 -- anywhere 192.168.1.255
  f0to1 0 -- anywhere bluehead.localdomain
  logdrop 0 -- anywhere anywhere
  Chain s1 (1 references)
  target prot opt source destination
  f1to0 0 -- anywhere anywhere
  Chain srcfilt (2 references)
  target prot opt source destination
  s0 0 -- anywhere anywhere
  That means iptables is not disabled and that firewall rules are setup by guarddog.
  I removed guarding using "pacman -Rns guarddog" and rebooted. Still get the same results with utorrent and "iptables -L" and also the port test shows tcp 6881 is still closed.
  Removed iptables and now bt clients seems to be able to connect and it works; however, port test still shows tcp 6881 closed.
  Last edited by ravisghosh (2007-06-27 16:51:12)

• SA540 Firewall Rules Fail when Optional Port Configured to Failover

  Today, I configured a client's SA540 for failover.  The primary WAN port is FIOS with a static IP address.  The optional port is Road Runner cable with a static IP address.  The failover tested successfully.  However, now the SA540 cannot be accessed on its internal IP address (https://192.168.1.1) and none of the firewall rules work any longer.  There are several rules but to name two; remote desktop port forwarding to an internal server, and HTTPS to another internal server.  Both rules use IP addresses different than the SA540's WAN IP address.  Additional external IP addresses were configured previously and assigned and they worked up to the point were the failover was configured.
  Now here is the strange part.  If the optional port cable is removed from the port, everything returns to normal, but plug it back in and problems.  I even tried disabling failover in the SA540's configuration and it made no difference unless the cable was unplugged.
  As you might imagine the client is upset about this.  Anyone have any ideas? 
  The firmware is 2.1.18.
  Tony
  PS.  About an hour after I posted this, I tried moving the remote desktop external connection from one of the additional IP addresses configured in the SA540 to the dedicated WAN address and remote desktop sessions were then forwarded into the correct server.  Apparently, the additional IP addresses are not working with the two ISP failover configured, or at least it doesn't work in my configuration.  Any help on this would be much appreciated.  The additional IP addresses are configured in the same subnet as the dedicated (primary) WAN port.   Again, this worked until failover with another ISP was configured.

  This issue has been resolved. After much testing and discussions with the great guys at Cisco TAC, we determined that Verizon FIOS is doing something on their routers to defeat use of IP aliasing. If you have FIOS and you must have more than one IP address and expect to create an IP alias to direct traffic in a 1 to 1 NAT to a node on your network, FIOS doesn’t work. Contact with Verizon technical support is no help. They are oblivious to the problem and don’t want to be bothered.
  Tony Lombardi

• Firewall rule for Novell Client

  My company recently purchased McAfee Desktop Firewall and I'm trying to
  configure the rules prior to deployment but I'm having trouble getting
  the Novell Client to cooperate. I've tried having the firewall "learn"
  the client, addresses, ports, protocols, etc. but have had no luck.
  My company is running a mix of Win2k/XP computers as well as Win95/98
  computers so any assistance in creating a firewall rule to allow the
  clients to log in is greatly apprecaited.
  Thanks!
  Ash

  Excellent, thanks!!
  > For NetWare connectivity over IP, you need ports TCP,UDP 524 and 427
  > which are NCP over IP and SLP.
  >
  >
  > --
  > Edison Ortiz
  > Novell Product Support Forum SysOp
  > (No Email Support, Thanks !)

• What Specific Firewall Rules are Needed for the DPM Server?

  Hello,
  We want to confirm which firewall ports need to be opened on the DPM server (not protected servers) for all DPM processes, so that we can set these rules in group policy. Below are what we
  think are the needed rules. Note that we have rules for both new DPM 2012 installs and upgrades from DPM 2010 to 2012, since these use different program paths.
  Rule Name
  Program Path
  Protocol
  Local Port
  DPM 2012 DCOM Port
  Any
  TCP
  135
  DPM 2012 AM Port
  Any
  TCP
  6075
  DPM 2012 RTM Agent Coordinator
  C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\dpmac.exe
  Any
  Any
  DPM 2012 SP1 Agent Coordinator
  C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.1.3313.0\dpmac.exe
  Any
  Any
  DPM 2012 R2 Agent Coordinator
  C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.2.1205.0\dpmac.exe
  Any
  Any
  DPM 2012 AM Service Host (New Install
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\AMSvcHost.exe
  Any
  Any
  DPM 2012 AM Service Host (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\AMSvcHost.exe
  Any
  Any
  DPM 2012 DPM AM Service (New Install)
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMAMService.exe
  Any
  Any
  DPM 2012 DPM AM Service (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\DPMAMService.exe
  Any
  Any
  DPM 2012 MSDPM (New Install)
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\msdpm.exe
  Any
  Any
  DPM 2012 MSDPM (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\msdpm.exe
  Any
  Any
  DPM 2012 DPMRA (New Install)
  %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMRA.exe
  Any
  Any
  DPM 2012 DPMRA (Upgrade Install)
  %ProgramFiles%\Microsoft DPM\DPM\bin\DPMRA.exe
  Any
  Any
  Questions:
  Are any of these rules not needed?
  We know the Agent Coordinator rules are needed on protected servers. Are they also needed on the DPM server (including if we use secondary DPM servers)?
  The DPM Configuring Firewalls TechNet page says DCOM uses TCP 135 and the RPC Dynamic ports. Does that mean we also need a rule that opens all TCP RPC Dynamic ports for
  any program? Or is this not necessary since we have rules for msdpm.exe and dpmra.exe? Reference:
  http://technet.microsoft.com/en-us/library/hh757794
  What other rules may be missing, if any?
  Note that we do not include rules for ports 53 (DNS), 88 (Kerberos), 389 (LDAP), 137-139 & 445 (NetBIOS) because we already open these ports in other group policy objects.
  Also, the below forums post says two exceptions for SQL Server are needed on the DPM server to allow the Remote Administrator console to work. Is there any documentation in the DPM TechNet site on these rules?
  http://social.technet.microsoft.com/Forums/en-US/aa88fd00-6836-46d3-8a93-edb487109118/dpm-2012-remote-administration?forum=dataprotectionmanager
  Thanks,
  -Taylorbox

  Does anyone have any comments on this post? We would especially appreciate some input from Microsoft reps to help us ensure we're setting up the correct firewall rules.
  Thanks,
  -Taylorbox

• Can't set port for IRC in Sharing/Firewall preferences...

  I turned on the firewall and was able to specify ports for Bittorrent, but I want to use IRC (it keeps getting blocked, which I'm assuming has something to do with the firewall which I just activated), so I went into System Preferences-->Sharing-->Firewall, scrolled down to IRC and then Edit, for TCP number it has 194 (but grayed out) and UDP it's blank, but I can't alter either entry box.
  It's my computer and I have whatever access privileges I need (I think) so at a loss here. Can anyone point me in the right direction?
  P.S. Some of the IRC servers I wanted to set up accounts with had port listings of 6667 and the like, that's also why I wanted to specify the number.

  Create a new entry with a name such as IRC #2 and add the desired ports to that entry. You cannot alter the ports assigned to the default entries; you need to create new ones to specify additional ports.
  (15661)

• Firewall Port for DHCP 2012 R2 Failover (Load Sharing mode)

  Hi Everyone,
  I was wondering if anyone can help me with finding a document for required Firewall Ports for DHCP 2012 R2 Failover (Load Sharing mode)
  or just confirm if this is correct or not ?
  TCP 647 for
  DHCP failover messages between DHCP servers
  TCP/UDP 67 and 68 initiate communication between the client and server
  I am not sure if there is anything else
  thanks in advance
  Reza Negarestani

  it was for a technical design document and I put this table for Firewall requirements what do you think ?
  Direction
  Port(s)
  Bidirectional
  TCP 647
  Bidirectional
  TCP 2535
  UDP 2535
  Bidirectional
  TCP 67
  TCP 68
  UDP 67
  UDP 68
  Reza Negarestani

• Tiger kernel compiled for allow any to any ipfw firewall rules?

  Hi everyone,
  I was wondering about the kernel state for firewall connections in ipfw. If you run an ipfw list, you will see the last command as an allow any to any. This appears to be a default open state firewall configuration.
  The man pages for ipfw state the following:
  "An ipfw ruleset always includes a default rule (numbered 65535) which cannot be modified or deleted, and matches all packets. The action associated with the default rule can be either deny or allow depending on how the kernel is configured."
  Is there a way to implement a default closed firewall with ipfw in the kernel in Tiger? Default allow any to any appears to be a bit of a security hole.
  Thanks for your input, I greatly appreciate it!
  -Allen

  Ok, perhaps this is silly, for me to reply to my own thread, but I think the following will work:
  in the firewall.conf, add a deny any to any before the default allow any to any... something like:
  add 5400 deny log all from any to any in via en0
  kudos goes to a user on macosxhints for suggesting this. Since ipfw rules will be run in order, this line will run before the default allow, and should trap all ip traffic not explicitly allowed in the firewall list already.
  Hope this helps someone!
  -Allen

• Names for Firewall Access Rules on RV42G!

  In the very old version of this router (Linksys RV042  Firmware Version: 1.3.12.19-tm ) the Acces Rules have a "Policy Name", which is very useful to remember that function meets every rule created.
  In the "new" version of this router (RV042 and RV042G from Cisco) the firewall rules have no way of identifying simple manner ; you can not put them name.
  Please consider adding a "name" for each rule , thus it is easier to manage the router when you have many (in my case more than 25 ) different rules.

  You don't need to permit anything else beside the interesting traffic that is to be encrypted unless:
  - The ASA terminating the tunnel is sitting behind another ASA/FW/Router. If that is the case then you will need to create some "permit" entries on that device
  - You can an ACL attached on the "outside" that is only allowing the "outside" IP to communicate with a specific list of other public IPs
  I hope this helps!
  Thank you for rating helpful posts!

• Needed port for BI -firewall problem

  hi,all:
      i am on a POC project and the version is bi 4 sp04 . now we encounter a firewall problom.
      the customer has a strict firewall policy. so we can't ask them to shut down the firewall. they can just apply the useful port access for test.
      now the port 6400~6410、50000、8080、8005、3690 is available and we can log on CMC and Launchpad.but we can't log on client tools. (we have tested this in a no firewall enviroment, there is no problem)
      which port should we apply for BI or any other advise?
  regards!
  Ad

  Here is what you need to do:
  Make sure the firewall is turned off:
  1: Use a Tool like NetMon or Wireshark on client Machine to check the ports that Client tool is connecting to in all the workflows e.g. Login, import, export etc.
  2: Go to the server and check the services that are listening on these ports.
  On server, you may run a command ( netstat -anb >> output.txt)
  List down all the services for the ports listed in point 1
  3: Assign request ports for these services between 6401 -6410.
  Turn on the firewall.
  You should be able to log in now with Firewall On.
  Regards,
  Animesh Kumar

• Firewall Rules for CVP

  Hi
  Anyone has any firewall rules and ports to open between CVP and other network elements such as CM,GK,SIP PROXY, GW, ICM etc.
  Many Thanks

  Where is your firewall actually located? Surely not between CVP and CUCM?
  I imagine it's between the gateway(s) at the branch office(s) and the CVP and SIP Proxy in the headquarters. Correct?
  Regards,
  Geoff