Ports for Firewall rules
Hi,
Can anybody point out which ports are to be opened on firewalls?
I am using a SunMC 4.0 server/console/agent on a v240 and need to monitor systems located behind firewalls.
Also NATing is involved.
I would like to know which ports I have to open from agents to server (and vice versa) and from server to java-console on a PC (and vice versa)
Hi,
You need to open firewall ports 161 to 168. Also take a look at /var/opt/SUNWsymon/cfg/domain-config.x and make sure to open any ports within the "snmpPort" line of that file.
Take a look at this post on how to configure firewall ports for console to server communication: [http://forums.halcyoninc.com/showthread.php?t=7]
If you still have problems with adding the agents, you can take a look at the following post on troubleshooting agent icon creation: [http://forums.halcyoninc.com/showthread.php?t=92]
If you are using agents in NAT mode, it may not work very well as alarms would not show in the alarms tab. Please take a look at the following posts regarding this issue:
[http://forums.halcyoninc.com/showthread.php?t=186]
[http://forums.sun.com/thread.jspa?forumID=854&threadID=5363460]
Pegah Garousi, Halcyon Monitoring Solutions
[email protected]
http://www.HalcyonInc.com
Similar Messages
-
I have a question about how to open ports in Leopard's firewall. I have been having issues with iChat AV and Sightspeed that point to Leopard's firewall settings, but I am at a loss as to how to set ports.
I have a long history of trying to make iChat AV work for myself and for my friends and family, and I have long used the very helpful tips and suggestions provided by Ralph Johns and others. My current situation is this: I recently upgraded my iMac G5 to Leopard, and have successfully used iChat AV with several contacts, both before and after the upgrade. A friend recently purchased a new Intel iMac, and we cannot use iChat AV, and I suspect it is an ISP port blocking issue on his end, which he is attempting to check out. Meanwhile, I have had him download Sightspeed, and we have successfully used it to video chat using my MacBook with Tiger. However, when I try to video chat using Sightspeed on my iMac G5 with Leopard, I get an "Error: 503" message, which Sightspeed says may be related to firewall issues. Previously, I have used Sightspeed successfully using my iMac G5 with Tiger, and without any configuration issues. Since my MacBook uses my wireless home network, and can connect with Sightspeed, and since my iMac G5 USED to connect with Sightspeed before Leopard, I am leaning towards Leopard's firewall as the culprit. I want to make sure Leopard's firewall is allowing both incoming and outgoing Sightspeed traffic, but I don't know how to configure the firewall. Of course, I am always open to other troubleshooting ideas.
Thanks in advance for any suggestions, Tom
The Leopard Firewall is now in System Preferences > Security.
The Allow Specifics setting needs to be set anew if the 10.5.1 update has been done since any Allow Specifics was set.
It works on an application basis. Each app in the list is given what is called a Certificate by the OS, and any ports it uses are then allowed.
So it needs to be set for iChat and Sightspeed.
9:01 PM Sunday; January 13, 2008 -
Alternative Ports for Firewall
The hotel I'm staying at has the port blocked. Are there alternative ports anyone would recommend???
Thank you!!!!
Text chatting or A/V?
Text Chatting - Go to iChat > Preferences > Accounts > Server settings Set the port to 443
A/V ports can not be changed.
Leopard will get round the 5060 issue.
11:08 PM Wednesday; November 21, 2007 -
Hello,
I am trying to set up a DMZ server. I have an internal LAN IP address (192.168.1.10) that I would like to make a DMZ server.
In the GUI, I set this IP address to be the DMZ server.
For firewall rules, I want to permit only one port from the WAN to the DMZ and none from the DMZ to the LAN.
In my firewall rules, I don't see any options for DMZ options. I only see WAN to LAN and LAN to WAN.
I presume the DMZ setting doesn't do anything per se except allow the firewall rules to have a target. Is this correct?
I am running the latest firmware.
How do I get the DMZ firewall rules to show up?
Thanks,
John
Hello,
I have to say that this DMZ definition is not what I would expect Cisco to use.
Basically, my DMZ host is fully exposed to the internet and if someone penetrates it, they are fully on my LAN.
The manual says:
Configuring a DMZ Host
The Cisco RV120W supports DMZ options. A DMZ is a sub-network that is open to
the public but behind the firewall. DMZ allows you to redirect packets going to
your WAN port IP address to a particular IP address in your LAN. It is
recommended that hosts that must be exposed to the WAN (such as web or e-mail
servers) be placed in the DMZ network. Firewall rules can be allowed to permit
access to specific services and ports to the DMZ from both the LAN or WAN. In
the event of an attack on any of the DMZ nodes, the LAN is not necessarily
vulnerable as well.
You must configure a fixed (static) IP address for the endpoint that will be
designated as the DMZ host. The DMZ host should be given an IP address in the
same subnet as the router's LAN IP address but it cannot be identical to the IP
address given to the LAN interface of this gateway.
The bold section indicates that the LAN is not vulnerable if the DMZ host falls. This is different from what you were talking about. Can you double check this?
I would like to know if there is a plan to add DMZ firewall rules. Or, can I get into the box and use IPtables to create my own (knowing that I would be in an unsupported mode)?
Or, make port access control lists on the inter VLAN routing option?
Thanks for fully explaining this. The manual is woefully inadequate in discussing what exactly the DMZ does.
Can you please forward these concerns to product management. Basically the DMZ is a security hole that I can't mitigate. It provides no value to me beyond not having to port forward manually.
If I am mistaken, please provide the correct information.
Thanks,
John -
Hello,
Configuration: Windows Embedded 8 64-bit.
I'm using the Windows Firewall with Advanced Security COM API. The program uses the INetFwRules interface. Basically, I'm using the following code (from the code sample available here: http://msdn.microsoft.com/en-us/library/windows/desktop/dd339604%28v=vs.85%29.aspx).
I get the error when performing "hr = pFwRules->Add(pFwRule);".
We can also encounter the problem when removing a rule (using pFwRules->Remove(ruleName);)
    #include <windows.h>
    #include <stdio.h>
    #include <netfw.h>

    // Helper from the linked MSDN sample: obtain the INetFwPolicy2 interface.
    HRESULT WFCOMInitialize(INetFwPolicy2** ppNetFwPolicy2)
    {
        HRESULT hr = CoCreateInstance(__uuidof(NetFwPolicy2), NULL, CLSCTX_INPROC_SERVER,
                                      __uuidof(INetFwPolicy2), (void**)ppNetFwPolicy2);
        if (FAILED(hr))
            printf("CoCreateInstance for INetFwPolicy2 failed: 0x%08lx\n", hr);
        return hr;
    }

    int __cdecl main()
    {
        HRESULT hrComInit = S_OK;
        HRESULT hr = S_OK;
        INetFwPolicy2 *pNetFwPolicy2 = NULL;
        INetFwRules *pFwRules = NULL;
        INetFwRule *pFwRule = NULL;
        long CurrentProfilesBitMask = 0;
        BSTR bstrRuleName = SysAllocString(L"SERVICE_RULE");
        BSTR bstrRuleDescription = SysAllocString(L"Allow incoming network traffic to myservice");
        BSTR bstrRuleGroup = SysAllocString(L"Sample Rule Group");
        BSTR bstrRuleApplication = SysAllocString(L"%systemroot%\\system32\\myservice.exe");
        BSTR bstrRuleService = SysAllocString(L"myservicename");
        BSTR bstrRuleLPorts = SysAllocString(L"135");

        // Initialize COM.
        hrComInit = CoInitializeEx(0, COINIT_APARTMENTTHREADED);

        // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
        // initialized with a different mode. Since we don't care what the mode is,
        // we'll just use the existing mode.
        if (hrComInit != RPC_E_CHANGED_MODE)
        {
            if (FAILED(hrComInit))
            {
                printf("CoInitializeEx failed: 0x%08lx\n", hrComInit);
                goto Cleanup;
            }
        }

        // Retrieve INetFwPolicy2
        hr = WFCOMInitialize(&pNetFwPolicy2);
        if (FAILED(hr))
            goto Cleanup;

        // Retrieve INetFwRules
        hr = pNetFwPolicy2->get_Rules(&pFwRules);
        if (FAILED(hr))
        {
            printf("get_Rules failed: 0x%08lx\n", hr);
            goto Cleanup;
        }

        // Retrieve the currently active profiles (as the MSDN sample does) so the
        // rule is not created with an empty (0) profile mask.
        hr = pNetFwPolicy2->get_CurrentProfileTypes(&CurrentProfilesBitMask);
        if (FAILED(hr))
        {
            printf("get_CurrentProfileTypes failed: 0x%08lx\n", hr);
            goto Cleanup;
        }

        // Create a new Firewall Rule object.
        hr = CoCreateInstance(__uuidof(NetFwRule), NULL, CLSCTX_INPROC_SERVER,
                              __uuidof(INetFwRule), (void**)&pFwRule);
        if (FAILED(hr))
        {
            printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr);
            goto Cleanup;
        }

        // Populate the Firewall Rule object
        pFwRule->put_Name(bstrRuleName);
        pFwRule->put_Description(bstrRuleDescription);
        pFwRule->put_ApplicationName(bstrRuleApplication);
        pFwRule->put_ServiceName(bstrRuleService);
        pFwRule->put_Protocol(NET_FW_IP_PROTOCOL_TCP);
        pFwRule->put_LocalPorts(bstrRuleLPorts);
        pFwRule->put_Grouping(bstrRuleGroup);
        pFwRule->put_Profiles(CurrentProfilesBitMask);
        pFwRule->put_Action(NET_FW_ACTION_ALLOW);
        pFwRule->put_Enabled(VARIANT_TRUE);

        // Add the Firewall Rule
        hr = pFwRules->Add(pFwRule);
        if (FAILED(hr))
        {
            printf("Firewall Rule Add failed: 0x%08lx\n", hr);
            goto Cleanup;
        }

    Cleanup:
        // Free BSTRs and release interfaces in reverse order of acquisition.
        SysFreeString(bstrRuleName);
        SysFreeString(bstrRuleDescription);
        SysFreeString(bstrRuleGroup);
        SysFreeString(bstrRuleApplication);
        SysFreeString(bstrRuleService);
        SysFreeString(bstrRuleLPorts);
        if (pFwRule != NULL) pFwRule->Release();
        if (pFwRules != NULL) pFwRules->Release();
        if (pNetFwPolicy2 != NULL) pNetFwPolicy2->Release();
        if (SUCCEEDED(hrComInit)) CoUninitialize();
        return 0;
    }
This works pretty well but, sometimes, at system startup, adding a rule ends up with the error 0x8007000e (E_OUTOFMEMORY)! At startup, the system is always loaded because several applications start at the same time. But nothing abnormal. This is quite a random issue.
According to the MSDN documentation, this error indicates that the system "failed to allocate the necessary memory".
I'm not convinced that we ran out of memory.
Has someone experienced such an issue? How to avoid this?
Thank you in advance.
Regards, -Ruben-
Does Windows 8 desktop have the same issue? Are you building a custom WE8S image, or are you using a full WE8S image? The reason I ask is to make sure you have the modules in the image to support the operation.
Is Windows Embedded 8.1 industry an option?
www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET -
Closed port for torrent with no iptables.rules
I have a home system with an internet connection over a router. The firewall in the router seems to be disabled. I had installed guarddog and selected all the protocols that I need. There is no iptables in the daemons line of rc.conf, nor is there any iptables.rules file. There are 2 files in /etc/iptables, empty.rules and simple_firewall.rules. So, I wonder if any firewall is working at all in my system, since guarddog is a frontend to iptables (I guess), and also whether there is any need for a firewall since almost all the ports are closed.
Secondly, the main issue. I was using ktorrent and it was working fine until a few days ago. Now, bittorrent is not working; it's not connecting at all. I tried deluge from the community repo and tested the ports with http://www.deluge-torrent.org/test-port.php?port=6881 and it gave me this result:
TCP port 6881 closed on 121.247.200.189
UDP port 6881 open on 121.247.200.189
121.247.200.189 seems to be the ip of my isp as I got a dynamic one.
I am able to surf the net but not able to download using bittorrent; however, both are possible in Windows.
Taking a clue from the forum, I ran nmap.
nmap on my router
[shantanu@bluehead ~]$ nmap 192.168.1.1
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:49 IST
Interesting ports on 192.168.1.1:
Not shown: 1679 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp closed domain
80/tcp open http
443/tcp closed https
554/tcp closed rtsp
1755/tcp closed wms
2401/tcp closed cvspserver
5000/tcp closed UPnP
5001/tcp closed commplex-link
5050/tcp closed mmcc
6881/tcp closed bittorent-tracker
6969/tcp closed acmsoda
7070/tcp closed realserver
8000/tcp closed http-alt
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook
11371/tcp closed pksd
Nmap finished: 1 IP address (1 host up) scanned in 27.653 seconds
nmap on my ip
[shantanu@bluehead ~]$ nmap 192.168.1.5
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:48 IST
Interesting ports on 192.168.1.5:
Not shown: 1696 closed ports
PORT STATE SERVICE
6000/tcp open X11
Nmap finished: 1 IP address (1 host up) scanned in 0.519 seconds
nmap on isp's ip displayed above.
[shantanu@bluehead ~]$ nmap 121.247.200.189
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:50 IST
Interesting ports on 121.247.200.189.bang-dynamic-bb.vsnl.net.in (121.247.200.189):
Not shown: 1679 filtered ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
53/tcp closed domain
80/tcp open http
443/tcp closed https
554/tcp closed rtsp
1755/tcp closed wms
2401/tcp closed cvspserver
5000/tcp closed UPnP
5001/tcp closed commplex-link
5050/tcp closed mmcc
6881/tcp closed bittorent-tracker
6969/tcp closed acmsoda
7070/tcp closed realserver
8000/tcp closed http-alt
8080/tcp closed http-proxy
8888/tcp closed sun-answerbook
11371/tcp closed pksd
Nmap finished: 1 IP address (1 host up) scanned in 30.573 seconds
Everywhere the bittorrent port seems to be closed. How do I open this port?
Last edited by ravisghosh (2007-06-25 21:09:55)
@madeye, first of all thanks a lot for such elaborate help.
I used utorrent in Windows and you are very much right that it uses UPnP. In deluge (bt client on Arch), UPnP was there but disabled (shaded). Hence, I tried running utorrent using wine and it gave an error message "Unable to map UPnP port" and is not able to connect. So, UPnP is not working in my box.
Then I tried as you suggested "iptables -L" and it gave me the following results.
[shantanu@bluehead ~]$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT 0 -- 192.168.1.5 192.168.1.255
logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
nicfilt 0 -- anywhere anywhere
srcfilt 0 -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
srcfilt 0 -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
s1 0 -- anywhere anywhere
Chain f0to1 (3 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
logdrop 0 -- anywhere anywhere
Chain f1to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:6969 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http-alt state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:rtsp state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:7070 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:cvspserver state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:1755 state NEW
ACCEPT udp -- anywhere anywhere udp dpt:1755
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:11371 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5050 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:telnet state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:5000:5001 state NEW
ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:5000
ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5222 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5223 state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
logdrop 0 -- anywhere anywhere
Chain logaborted (1 references)
target prot opt source destination
logaborted2 0 -- anywhere anywhere limit: avg 1/sec burst 10
LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
Chain logaborted2 (1 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
Chain logdrop (4 references)
target prot opt source destination
logdrop2 0 -- anywhere anywhere limit: avg 1/sec burst 10
LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
DROP 0 -- anywhere anywhere
Chain logdrop2 (1 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP 0 -- anywhere anywhere
Chain logreject (0 references)
target prot opt source destination
logreject2 0 -- anywhere anywhere limit: avg 1/sec burst 10
LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP 0 -- anywhere anywhere
Chain logreject2 (1 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
DROP 0 -- anywhere anywhere
Chain nicfilt (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
RETURN 0 -- anywhere anywhere
RETURN 0 -- anywhere anywhere
logdrop 0 -- anywhere anywhere
Chain s0 (1 references)
target prot opt source destination
f0to1 0 -- anywhere 192.168.1.5
f0to1 0 -- anywhere 192.168.1.255
f0to1 0 -- anywhere bluehead.localdomain
logdrop 0 -- anywhere anywhere
Chain s1 (1 references)
target prot opt source destination
f1to0 0 -- anywhere anywhere
Chain srcfilt (2 references)
target prot opt source destination
s0 0 -- anywhere anywhere
That means iptables is not disabled and that firewall rules are set up by guarddog.
I removed guarddog using "pacman -Rns guarddog" and rebooted. I still get the same results with utorrent and "iptables -L", and the port test also shows TCP 6881 is still closed.
I removed iptables and now the bt clients seem to be able to connect and it works; however, the port test still shows TCP 6881 closed.
Last edited by ravisghosh (2007-06-27 16:51:12) -
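A way to read a listing like the one above without tracing the chain jumps by hand, as an added example that is not part of this thread: a small Python tracer that parses `iptables -L` output (a constructed excerpt of the INPUT-side chains from the post) and walks a packet through the chains in rule order, following jumps into user-defined chains, RETURN, and the built-in chain's policy, and reports which rule produced the verdict. It also exposes a caveat worth knowing when you read such listings: `iptables -L` without `-v` omits interface matches, so the post's first INPUT rule ("ACCEPT all anywhere anywhere", presumably a loopback rule) looks like a catch-all accept to the tracer; start the trace at `srcfilt` to see the port logic, or list with `iptables -L -v -n` to see the interface matches. The `limit:` match and ICMP types are treated as always matching, and the packet fields and function names are my own.

```python
import re

# Constructed excerpt of the `iptables -L` listing posted above (INPUT-side chains only).
IPTABLES_L = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
nicfilt 0 -- anywhere anywhere
srcfilt 0 -- anywhere anywhere
Chain f0to1 (3 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
logdrop 0 -- anywhere anywhere
Chain logdrop (4 references)
target prot opt source destination
logdrop2 0 -- anywhere anywhere limit: avg 1/sec burst 10
DROP 0 -- anywhere anywhere
Chain logdrop2 (1 references)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
DROP 0 -- anywhere anywhere
Chain nicfilt (1 references)
target prot opt source destination
RETURN 0 -- anywhere anywhere
logdrop 0 -- anywhere anywhere
Chain s0 (1 references)
target prot opt source destination
f0to1 0 -- anywhere 192.168.1.5
logdrop 0 -- anywhere anywhere
Chain srcfilt (2 references)
target prot opt source destination
s0 0 -- anywhere anywhere
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [...]}} from `iptables -L [-n]` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\w+)|\d+ references)\)", line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif line.strip() and not line.startswith("target "):
            target, prot, _opt, src, dst, *extra = line.split()
            current["rules"].append({"target": target, "prot": prot, "src": src, "dst": dst, "extra": extra})
    return chains


def _in_range(value, spec):
    """spec is "6881" or "6881:6889"; ports must be numeric (list with -n), names are not resolved."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= value <= int(hi or lo)


def rule_matches(rule, pkt):
    """Match protocol, src/dst, port(s) and conntrack state; `limit:` and ICMP types always match."""
    if rule["prot"] not in ("0", "all", pkt["proto"]):
        return False
    if rule["src"] not in ("anywhere", "0.0.0.0/0", pkt["src"]) or rule["dst"] not in ("anywhere", "0.0.0.0/0", pkt["dst"]):
        return False
    for tok in rule["extra"]:
        if tok.startswith(("dpt:", "dpts:")) and not _in_range(pkt["dport"], tok.split(":", 1)[1]):
            return False
        if tok.startswith(("spt:", "spts:")) and not _in_range(pkt["sport"], tok.split(":", 1)[1]):
            return False
    if "state" in rule["extra"]:
        if pkt["state"] not in rule["extra"][rule["extra"].index("state") + 1].split(","):
            return False
    return True


def trace(chains, chain, pkt, path=None):
    """Walk `chain` in rule order; return (verdict, matched rules as chain[index]).
    verdict is None when a user-defined chain falls off its end (implicit RETURN)."""
    path = list(path or [])
    for i, rule in enumerate(chains[chain]["rules"]):
        if not rule_matches(rule, pkt):
            continue
        path.append(f"{chain}[{i}]")
        target = rule["target"]
        if target in TERMINAL:
            return target, path
        if target == "RETURN":
            return None, path
        if target in chains:                       # jump into a user-defined chain
            verdict, path = trace(chains, target, pkt, path)
            if verdict is not None:
                return verdict, path
        # LOG, other non-terminating targets and returned sub-chains fall through
    return chains[chain]["policy"], path           # policy for built-in chains, None otherwise


if __name__ == "__main__":
    chains = parse_listing(IPTABLES_L)
    pkt = {"proto": "tcp", "src": "10.0.0.7", "dst": "192.168.1.5", "sport": 40000, "dport": 6881, "state": "NEW"}
    print(trace(chains, "INPUT", pkt))    # catch-all first rule wins: ('ACCEPT', ['INPUT[0]'])
    print(trace(chains, "srcfilt", pkt))  # ('ACCEPT', ['srcfilt[0]', 's0[0]', 'f0to1[1]'])
```

Tracing from `srcfilt` shows the host firewall does accept NEW TCP connections to 6881-6889 from unprivileged source ports (s0 -> f0to1, second rule) for the box's own address, and drops them for any other destination or for source ports below 1024; so with the listing above, a closed 6881 as seen from the internet points at the router's NAT rather than at these rules.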
SA540 Firewall Rules Fail when Optional Port Configured to Failover
Today, I configured a client's SA540 for failover. The primary WAN port is FIOS with a static IP address. The optional port is Road Runner cable with a static IP address. The failover tested successfully. However, now the SA540 cannot be accessed on its internal IP address (https://192.168.1.1) and none of the firewall rules work any longer. There are several rules but to name two: remote desktop port forwarding to an internal server, and HTTPS to another internal server. Both rules use IP addresses different than the SA540's WAN IP address. Additional external IP addresses were configured previously and assigned, and they worked up to the point where the failover was configured.
Now here is the strange part. If the optional port cable is removed from the port, everything returns to normal, but plug it back in and problems. I even tried disabling failover in the SA540's configuration and it made no difference unless the cable was unplugged.
As you might imagine the client is upset about this. Anyone have any ideas?
The firmware is 2.1.18.
Tony
PS. About an hour after I posted this, I tried moving the remote desktop external connection from one of the additional IP addresses configured in the SA540 to the dedicated WAN address and remote desktop sessions were then forwarded into the correct server. Apparently, the additional IP addresses are not working with the two ISP failover configured, or at least it doesn't work in my configuration. Any help on this would be much appreciated. The additional IP addresses are configured in the same subnet as the dedicated (primary) WAN port. Again, this worked until failover with another ISP was configured.
This issue has been resolved. After much testing and discussions with the great guys at Cisco TAC, we determined that Verizon FIOS is doing something on their routers to defeat use of IP aliasing. If you have FIOS and you must have more than one IP address and expect to create an IP alias to direct traffic in a 1 to 1 NAT to a node on your network, FIOS doesn't work. Contact with Verizon technical support is no help. They are oblivious to the problem and don't want to be bothered.
Tony Lombardi -
Firewall rule for Novell Client
My company recently purchased McAfee Desktop Firewall and I'm trying to
configure the rules prior to deployment but I'm having trouble getting
the Novell Client to cooperate. I've tried having the firewall "learn"
the client, addresses, ports, protocols, etc. but have had no luck.
My company is running a mix of Win2k/XP computers as well as Win95/98
computers so any assistance in creating a firewall rule to allow the
clients to log in is greatly appreciated.
Thanks!
Ash
Excellent, thanks!!
> For NetWare connectivity over IP, you need ports TCP,UDP 524 and 427
> which are NCP over IP and SLP.
>
>
> --
> Edison Ortiz
> Novell Product Support Forum SysOp
> (No Email Support, Thanks !) -
What Specific Firewall Rules are Needed for the DPM Server?
Hello,
We want to confirm which firewall ports need to be opened on the DPM server (not protected servers) for all DPM processes, so that we can set these rules in group policy. Below are what we think are the needed rules. Note that we have rules for both new DPM 2012 installs and upgrades from DPM 2010 to 2012, since these use different program paths.
Rule Name | Program Path | Protocol | Local Port
DPM 2012 DCOM Port | Any | TCP | 135
DPM 2012 AM Port | Any | TCP | 6075
DPM 2012 RTM Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.0.1908.0\dpmac.exe | Any | Any
DPM 2012 SP1 Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.1.3313.0\dpmac.exe | Any | Any
DPM 2012 R2 Agent Coordinator | C:\Windows\Microsoft Data Protection Manager\DPM\ProtectionAgents\AC\4.2.1205.0\dpmac.exe | Any | Any
DPM 2012 AM Service Host (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\AMSvcHost.exe | Any | Any
DPM 2012 AM Service Host (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\AMSvcHost.exe | Any | Any
DPM 2012 DPM AM Service (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMAMService.exe | Any | Any
DPM 2012 DPM AM Service (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\DPMAMService.exe | Any | Any
DPM 2012 MSDPM (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\msdpm.exe | Any | Any
DPM 2012 MSDPM (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\msdpm.exe | Any | Any
DPM 2012 DPMRA (New Install) | %ProgramFiles%\Microsoft System Center 2012\DPM\DPM\bin\DPMRA.exe | Any | Any
DPM 2012 DPMRA (Upgrade Install) | %ProgramFiles%\Microsoft DPM\DPM\bin\DPMRA.exe | Any | Any
Questions:
Are any of these rules not needed?
We know the Agent Coordinator rules are needed on protected servers. Are they also needed on the DPM server (including if we use secondary DPM servers)?
The DPM Configuring Firewalls TechNet page says DCOM uses TCP 135 and the RPC Dynamic ports. Does that mean we also need a rule that opens all TCP RPC Dynamic ports for any program? Or is this not necessary since we have rules for msdpm.exe and dpmra.exe? Reference:
http://technet.microsoft.com/en-us/library/hh757794
What other rules may be missing, if any?
Note that we do not include rules for ports 53 (DNS), 88 (Kerberos), 389 (LDAP), 137-139 & 445 (NetBIOS) because we already open these ports in other group policy objects.
Also, the below forums post says two exceptions for SQL Server are needed on the DPM server to allow the Remote Administrator console to work. Is there any documentation in the DPM TechNet site on these rules?
http://social.technet.microsoft.com/Forums/en-US/aa88fd00-6836-46d3-8a93-edb487109118/dpm-2012-remote-administration?forum=dataprotectionmanager
Thanks,
-Taylorbox
Does anyone have any comments on this post? We would especially appreciate some input from Microsoft reps to help us ensure we're setting up the correct firewall rules.
Thanks,
-Taylorbox -
Can't set port for IRC in Sharing/Firewall preferences...
I turned on the firewall and was able to specify ports for Bittorrent, but I want to use IRC (it keeps getting blocked, which I'm assuming has something to do with the firewall which I just activated), so I went into System Preferences-->Sharing-->Firewall, scrolled down to IRC and then Edit, for TCP number it has 194 (but grayed out) and UDP it's blank, but I can't alter either entry box.
It's my computer and I have whatever access privileges I need (I think) so at a loss here. Can anyone point me in the right direction?
P.S. Some of the IRC servers I wanted to set up accounts with had port listings of 6667 and the like, that's also why I wanted to specify the number.
Create a new entry with a name such as IRC #2 and add the desired ports to that entry. You cannot alter the ports assigned to the default entries; you need to create new ones to specify additional ports.
Firewall Port for DHCP 2012 R2 Failover (Load Sharing mode)
Hi Everyone,
I was wondering if anyone can help me with finding a document for required Firewall Ports for DHCP 2012 R2 Failover (Load Sharing mode)
or just confirm if this is correct or not ?
TCP 647 for DHCP failover messages between DHCP servers
TCP/UDP 67 and 68 initiate communication between the client and server
I am not sure if there is anything else
thanks in advance
Reza Negarestani
It was for a technical design document and I put this table in for the firewall requirements. What do you think?
Direction | Port(s)
Bidirectional | TCP 647
Bidirectional | TCP 2535, UDP 2535
Bidirectional | TCP 67, TCP 68, UDP 67, UDP 68
Reza Negarestani -
Tiger kernel compiled for allow any to any ipfw firewall rules?
Hi everyone,
I was wondering about the kernel state for firewall connections in ipfw. If you run an ipfw list, you will see the last command as an allow any to any. This appears to be a default open state firewall configuration.
The man pages for ipfw state the following:
"An ipfw ruleset always includes a default rule (numbered 65535) which cannot be modified or deleted, and matches all packets. The action associated with the default rule can be either deny or allow depending on how the kernel is configured."
Is there a way to implement a default closed firewall with ipfw in the kernel in Tiger? Default allow any to any appears to be a bit of a security hole.
Thanks for your input, I greatly appreciate it!
-Allen
OK, perhaps this is silly for me to reply to my own thread, but I think the following will work:
in the firewall.conf, add a deny any to any before the default allow any to any... something like:
add 5400 deny log all from any to any in via en0
kudos goes to a user on macosxhints for suggesting this. Since ipfw rules will be run in order, this line will run before the default allow, and should trap all ip traffic not explicitly allowed in the firewall list already.
Hope this helps someone!
-Allen -
Names for Firewall Access Rules on RV42G!
In the very old version of this router (Linksys RV042, Firmware Version 1.3.12.19-tm) the Access Rules have a "Policy Name", which is very useful to remember what function each rule created serves.
In the "new" version of this router (RV042 and RV042G from Cisco) the firewall rules have no simple way of being identified; you cannot give them a name.
Please consider adding a "name" for each rule; it makes it easier to manage the router when you have many (in my case more than 25) different rules.
You don't need to permit anything else besides the interesting traffic that is to be encrypted unless:
- The ASA terminating the tunnel is sitting behind another ASA/FW/Router. If that is the case then you will need to create some "permit" entries on that device
- You have an ACL attached on the "outside" that is only allowing the "outside" IP to communicate with a specific list of other public IPs
I hope this helps!
Thank you for rating helpful posts! -
Needed port for BI -firewall problem
hi,all:
I am on a POC project and the version is BI 4 SP04. Now we have encountered a firewall problem.
The customer has a strict firewall policy, so we can't ask them to shut down the firewall. They can just open the useful ports for testing.
Now the ports 6400~6410, 50000, 8080, 8005 and 3690 are available and we can log on to CMC and Launchpad, but we can't log on with the client tools. (We have tested this in a no-firewall environment; there is no problem.)
Which port should we apply for BI, or any other advice?
regards!
Ad
Here is what you need to do:
Make sure the firewall is turned off:
1: Use a Tool like NetMon or Wireshark on client Machine to check the ports that Client tool is connecting to in all the workflows e.g. Login, import, export etc.
2: Go to the server and check the services that are listening on these ports.
On the server, you may run a command (netstat -anb >> output.txt)
List down all the services for the ports listed in point 1
3: Assign request ports for these services between 6401 -6410.
Turn on the firewall.
You should be able to log in now with Firewall On.
Regards,
Animesh Kumar -
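For step 2 of the procedure above, an added example (my own, not Animesh's or SAP's): a Python script that parses the `netstat -anb` output captured on the server into a port-to-executable map and reports which listening ports fall outside the customer's permitted list (6400~6410, 50000, 8080, 8005 and 3690 from Ad's post). Those are the servers that need a fixed request port inside the permitted range in step 3, or a new firewall exception. The sample output and the executable names (cms.exe, sia.exe, tomcat7.exe, snmp.exe) are constructed for illustration, not a real capture; on the real server you would read output.txt from the command shown.

```python
import re

# Constructed `netstat -anb` output (illustration only, not a real capture).
# -b prints the owning executable in brackets on the line after each socket.
NETSTAT_ANB = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:6400           0.0.0.0:0              LISTENING
 [cms.exe]
  TCP    0.0.0.0:6405           0.0.0.0:0              LISTENING
 [cms.exe]
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
 [tomcat7.exe]
  TCP    0.0.0.0:52311          0.0.0.0:0              LISTENING
 [sia.exe]
  TCP    10.0.0.5:6400          10.0.0.21:49810        ESTABLISHED
 [cms.exe]
  UDP    0.0.0.0:161            *:*
 [snmp.exe]
"""

SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

# Ports the customer's firewall already permits (from the post above).
ALLOWED = set(range(6400, 6411)) | {50000, 8080, 8005, 3690}


def parse_netstat(text):
    """Return one dict per socket: proto, local_ip, port, state, exe (exe comes from the next line)."""
    entries, pending = [], None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            pending = {"proto": m.group(1), "local_ip": m.group(2), "port": int(m.group(3)),
                       "state": m.group(5) or "", "exe": None}
            entries.append(pending)
            continue
        m = EXE_RE.match(line)
        if m and pending is not None:
            pending["exe"] = m.group(1)
            pending = None
    return entries


def listeners(entries):
    """{port: exe} for sockets a client could reach: TCP in LISTENING state, or any UDP socket."""
    return {e["port"]: e["exe"] for e in entries if e["state"] == "LISTENING" or e["proto"] == "UDP"}


def not_permitted(listening, allowed=ALLOWED):
    """Listening ports the customer's firewall policy does not cover."""
    return {p: exe for p, exe in listening.items() if p not in allowed}


if __name__ == "__main__":
    found = listeners(parse_netstat(NETSTAT_ANB))
    for port, exe in sorted(not_permitted(found).items()):
        print(f"port {port} ({exe}) is not reachable through the customer firewall")
```

Run it once with the firewall off (so every workflow's server is actually listening) and compare against the client-side capture from step 1; any port the client connects to that shows up in `not_permitted` is a candidate for a fixed request port in 6401-6410.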
Hi
Anyone has any firewall rules and ports to open between CVP and other network elements such as CM,GK,SIP PROXY, GW, ICM etc.
Many Thanks
Where is your firewall actually located? Surely not between CVP and CUCM?
I imagine it's between the gateway(s) at the branch office(s) and the CVP and SIP Proxy in the headquarters. Correct?
Regards,
Geoff