Ports to be opened on Outer firewall in DMZ

Similar Messages

• WRT350N Leaving Port 21 Wide Open with SPI Firewall Enabled

  I just ran Shields Up and noticed port 21 (FTP) is wide open, while all the other ports marked as stealthed.
  The router is a Linksys WRT350N with the latest firmware 1.03.2.  SPI Firewall is enabled and it's blocking "Anonymous Internet Request."
  Am I missing something here?  Why isn't port 21 being stealthed along with all the other ports?  I've run this test before with other Linksys routers and all the ports are stealthed so I'm concerned now.
  https://www.grc.com/x/ne.dll?bh0bkyd2
  Anyone else with the same router and configuration please run the Shields Up port scan at GRC to see if your port 21 is open and report back.  Thanks!

  Linksys told me that that port had to "stay" open, it is part of the FTP service when you attach the USB storage device.  After a lengthy amount of time on the phone, I had to suggest maybe a flash update.  But they would not put anyone on the phone to convince me they had a grasp on thiss issue, SO I FIGURED IT OUT.  Access the router.  Select "Storage", then select "Administration",  There you find "Internet Access".  Unselect "Enable" and obviously select "Disable".  Port 21 now in Stealth.  Now who can take it futher and figure out port forwarding/triggering for when one will start to use server?  Max

• Required ports to be open on the firewall?

  Hello everyone,
  I'm sure this question has been answered earlier but I wasn't lucky enough to find it! I evern tried to look into metalink but I couldn't find anything useful.
  I have an OCS Rel2 installation ready and it is time to have it public on the internet. I have my servers placed in DMZ but I want to know what ports need to be open on the firewall? Are they 7777 and 7778 only?! I doubt it!
  I would really appreciate a point to a relevant document or whatsoever.
  Thanks in advance.

  Depends on what parts of OCS you are going to need remotely...If you go to http://yoursite:7778/ and then go to the Ports tab, there will be a listing...
  For my config we have the following ports open...but if you are just going to use the webmail/webcal then you only need 7777-7779
  smtp - 25
  imap - 143
  5730 - cal server
  7777-7779 - Apache Midtier
  2400 - iMeeting

• Port info needed to sort out firewall issues

  A firewall has been set up in my school. I now find that I cannot connect via iChat, Apple software update, Limewire. Does anyone know what ports need to be opened to let me out?????
  There is also a wireless network but on my laptop the airport router defaults to 192.168.0.1 even though its using DCHP. It should be I am told 192.168.0.2
  Any help would be great
  Thanks
  Dave

  I don't know offhand what ports those tools use, but maybe I can help you find out. Open a Terminal window, type the following line EXCEPT the carriage return;netstat -n -p tcp | grep SYN_SENTStart one of the tools in question, wait a moment, then hit the carriage return in the Terminal window. I tested this using 'telnet 78.32.198.5' as a "tool", and gottcp4 0 0 10.20.31.105.64498 78.32.198.5.23 SYN_SENTThe fourth column (10.20.31.105.64498) is the local IP/port used by my "tool"; the fifth column is the remote address and port. As you can see, the remote port used for telnet is 23; you should be able to find the remote ports used by iChat, Software Update, and Limewire similarly.

• MySQL port open in Leopard firewall (and in ipfw) but can't access

  Hi There,
  I'm trying to allow MySQL access to a Mac Mini dev server I've setup using MAMP Pro. I've installed OS 10.5 server because I couldn't open a port manually using the Terminal under a Snow Leopard client install.
  *MAMP Pro:*
  - "Allow local access only" is unticked under MySQL
  *Leopard Server Admin:*
  - MySQL port 3306 is open for "any"
  - I can also see it's open if I run this from the terminal "$ sudo ipfw list"
  *Querious Database App:*
  - If I try to connect to the database from a client machine using Querious via 3306 or tunnel via ssh I can't connect
  *Network Utility:*
  - If I do a port scan from my client machine no ports are open on the Mac Mini
  *Other info:*
  - Stealth mode is off
  - The Firewall is the only service which is running in Server Admin
  - I can connect via ssh/terminal from this same client machine
  - I'm just trying to connect on a local network (so not through a router etc)
  Obviously I thought this would be much simpler than it is! Are there other things that need to be configured - do I have to forward the port onto MAMP Pro somehow?
  Not sure how it all works sorry so any help would be much appreciated.
  Cheers
  Ben

  Hi Ben,
  I have done some brief digging on MAMP and it would appear that you're trying to override the inherent features in OS X Server by using MAMP instead. Apache, MySQL and PHP are all inherent parts of OS X Server, minus the unified interface of MAMP. (phpMyAdmin is open-source and can be installed independently.) This may have been necessary on a non-server (client) version of OS X, but not for Server. As Harry pointed out, removing those elements from OS X Server are not simple tasks and you would be far better off using the built-in versions over trying to bypass them to run MAMP.
  3306 is the default port for MySQL, so your pings are reaching the mysql service. You may run into the same problem as I did when trying to establish external connections to mysql from anywhere other than on the host machine (whether that be across a LAN or via the Internet though PHP commands to the mysql service) since requests from anything other than the localhost will be rejected. Working around that with MAMP is not well documented. phpMyAdmin doesn't get under the hood to make the changes needed to allow requests from other hosts.
  The MAMP documentation is also lacking on how one can get under the hood of its mysql service, other than that you can access it through Terminal at:
  /Applications/MAMP/Library/bin/mysql
  in which case all normal mysql commands should work when working in that directory:
  +/Applications/MAMP/Library/bin/mysql --host=localhost -uroot -proot+
  All in all, though, I think it would be far easier to use the built-in versions. OS X Server is configured to work with what is already there and Apple's support documentation is built around that. Trying to get MAMP working means that you're pretty much on your own trying to figure out the whats, hows and whys when things aren't working. The Server Admin application gives you access to all those services (at least at a base level, excluding phpMyAdmin).
  For 10.5 Server, the built-in version of MySQL is 5.0.91; PHP version is 5.2.14; Apache version is 2.2.14, all of which are mostly-current, stable releases.
  I don't have any /mysql/msql directories inside the /var/ directory.
  That is really odd, as they should be there for an installation of Server.
  -Doug

• What are the ports need to open at firewall

  What are the ports need to open at firewall to access Oracle EBS R12 through internet?

  All these following ports need to open at firewall??
  Database Port : 1521
  RPC Port : 1626
  Web SSL Port : 4443
  ONS Local Port : 6100
  ONS Remote Port : 6200
  ONS Request Port : 6500
  Web Listener Port : 8000
  Active Web Port : 8000
  Forms Port : 9000
  Metrics Server Data Port : 9100
  Metrics Server Request Port : 9200
  JTF Fulfillment Server Port : 9300
  MSCA Server Port : 10200-10205
  MCSA Telnet Server Port : 10200,10202,10204
  MSCA Dispatcher Port : 10800
  Java Object Cache Port : 12345
  OC4J JMS Port Range for Oacore : 23000-23004
  OC4J JMS Port Range for Forms : 23500-23504
  OC4J JMS Port Range for Home : 24000-24004
  OC4J JMS Port Range for Oafm : 24500-24504
  OC4J AJP Port Range for Oacore : 21500-21504
  OC4J AJP Port Range for Forms : 22000-22004
  OC4J AJP Port Range for Home : 22500-22504
  OC4J AJP Port Range for Oafm : 25000-25004
  OC4J RMI Port Range for Oacore : 20000-20004
  OC4J RMI Port Range for Forms : 20500-20504
  OC4J RMI Port Range for Home : 21000-21004
  OC4J RMI Port Range for Oafm : 25500-25504
  DB ONS Local Port : 6300
  DB ONS Remote Port : 6400
  Oracle Connection Manager Port : 1521

• Ports and IPs to be open/permitted in firewall to download and work in creative cloud

  What is the complete list of ports and IP addresses to be open/permited in our enterprise firewall in order to let internal PCs download and work with creative cloud applications?

  Our firewall only supports IP configuration (not URL). Do you have IP list?
  From: Rajshree [email protected]
  Sent: miércoles, 06 de noviembre de 2013 17:23
  To: Simon, Mariano
  Subject: Ports and IPs to be open/permitted in firewall to download and work in creative cloud
  Re: Ports and IPs to be open/permitted in firewall to download and work in creative cloud
  created by Rajshree <http://forums.adobe.com/people/Rajshree>  in Adobe Creative Cloud - View the full discussion <http://forums.adobe.com/message/5819892#5819892

• What ports are required to be open on a firewall for UCCX ver7 Backups

  I'm trying to setup a backup location on UCCX version 7.
  The backup storage location and the UCCX server are seperated by a firewall.
  What ports are required to be opened on the firewall to allow the backups through to the backup location.
  Can't find any info online

  Try it locally on the server itself.
  You just need to create a shared directory backup oon the server on C:\ drive.
  \\127.0.0.1\C$\backup
  This should work.
  Link to port utilization guide:
  http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_7_0/configuration/guide/uccx70prtuti.pdf
  Regards,
  Chuck
  Please rate helpful posts and identify correct answers.

• Which TCP/UDP ports need to be opened on a firewall for adobe reader and flashplayer?

  Which TCP/UDP ports need to be opened on a firewall for adobe reader and flashplaer to operate properly? This would include updating, linking, and any subset of features.

  The Acrobat Family uses TCP HTTP/HTTPS for all traffic. The following processes and ports may be active on a Windows client machine:
  AdobeARM.exe - automatic updates - port 443
  AcroRd32.exe - brand messages - port 443
  AcroRd32.exe - links in documents - anything specified in the URL
  Acrobat.exe - brand messages - port 443
  Acrobat.exe - links in documents - anything specified in the URL
  AdobeCollabSync.exe - Tracker review data - port 443
  The same ports are used by the  program components on OS X.
  There are no inbound listening ports for any elements of the Acrobat Family. Automatic updates are not pushed and there are no server processes within the software.

• Can only port forward port 80, other ports does not open.

  I am trying to open three ports on my AE (7.6.1), but the only port that actually opens (if set) is port 80.
  - The Airport Extreme is the router and no additional router is in place
  - I have given the three cameras (that I want to access from Internet) static IP
  - I have trired to open three ports for those (45101, 45102, 45103)
  None of above ports open, but if I change one port to 80, that port opens and one camera can work. This is really strange and any suggestions or help is much appreciated!

  As you don't want to use the modem as router I would recommend to reconfigure your modem into "bridge" mode. In bridge mode it works like a simple modem. You then have to configure your WRT for your internet connection (usually PPPoE for DSL or DHCP for cable). With this setup, you don't have these chained routers and the WRT has a direct connection into the internet (i.e. the WRT shows your public IP address on the Status page).
  Some chained router setups shows problems with drop outs, connection loss and similar. I recommend to use only one router in home setups.
  On a sidenote: port forwarding is not related to firewall functions. The reason why you need port forwarding is because a router does "NAT" (Network Address Translation). You use private IP addresses inside your LAN (e.g. 192.168.1.*). Private IP addresses are not routed into the internet. Any internet router will immediately drop packets with a private IP addresses. Thus, your router does NAT to map your private IP address to your single public IP address. It's in the nature of this mapping that unsolicited incoming traffic from the internet is dropped unless you configure port forwarding. That's simply because the router would not know where to sent a packet on a port 1234 received on its public IP address unless you tell it. Thus disabling the firewall on a router won't change a thing.

• FTPEx: 425 Possible PASV port theft, cannot open data connection..

  Hi All,
  I am getting the below the error while comminicating to FTP server.
  Delivery of the message to the application using connection File_http://sap.com/xi/XI/System failed, due to: com.sap.aii.af.ra.ms.api.RecoverableException: Possible PASV port theft, cannot open data connection.: com.sap.aii.adapter.file.ftp.FTPEx: 425 Possible PASV port theft, cannot open data connection..
  This error is random. Some times service is working is fine and some times its failed to process.
  Can any one suggest me the peramnent solution for this.
  Thanks & regards,
  Kartikeya

  Hi
    The reason for the error is
  The ip address (+port) is not same for both these operations
      - Control connection
      - Data Connection
  Changing active/passive mode settings might help (as a common solution).
  Problem can occur due to below settings,
     - FTP server/ Firewall on its side (affects Passive Mode)
     - FTP client/ Firewall on its side (affects Active Mode)
  After Initial Control connection is made, the below happens for Data connection
  When Active, the CLIENT opens a dynamic port for DC on which it would be listening, for the server to bind its source port
  When Passive, the SERVER opens a dynamic port for DC on which it would be listening for the client to bind its source port
  when the firewall on Server side does not have these ports open, you get the above error.
  The error could be because of other reasons also, but I suspect that the dynamic port is out range of the ports opened at your FTP server firewall.
  So now I think you are one step forward to fix the issue
  Regards
  Vishnu

• Manual port-forwarding to Time Capsule behind firewall (NVG589)

  A happy new year to all. I'm writing seeking help with my computer setup in a well-connected home. In short, here is what I want to do: I want to get access to my latest-gen Time Capsule (wireless AC) from outside my house, so that I can read or write files on the 2TB HD on my time capsule, using the Back to My Mac feature in the Time Capsule (with my Apple ID). I have no interest in sharing screens or anything else, just in the data on the drive.
  Now, my current setup, which otherwise works like a charm.
  ATT Uverse's Motorola NVG589 is the incoming modem/gateway/firewall for my entire house (using their 'Power' service, the fastest): it is possible via various tricks and hacks to put the NVG589 into 'near-bridge mode' or to root the modem via and exploit and through it into full bridge mode (which the Motorola NVG589 is capable of, but ATT does not expose that functionality [imagine the tech calls!]). I'm resisting the temptation to do so, because I don't want to the run the risk of messing up service to our house, and a call to ATT tech support. If it ain't broke, don't fix it.
  The Motorola NVG589 has its DHCP service on and doles out IP addresses to everything else in the network (thankfully it also has a hidden mDNS system, too, allowing me Bonjour functionality inside my whole house). The Time Capsule, however, has a static-IP that I've assigned, and I also have a DHCP reservation for the Time Capsule in the NVG589's DHCP table.
  One crucial thing is that the Motorola NVG589 does not expose UPnP or NAT-PMP to the user, which means that I'll have to do the work manually to allow externally-originating traffic to pass through the Motorola NVG589 to the Time Capsule.
  Apple's latest Time Capsule 2TB unit, in bridge mode, so that its IP address is the one given it by the Motorola NVG589 (192.168.1.x, not the usual 10.0.0.x that the TC would give out were it the router). No double-NAT, in other words. The Time Capsule is solely a wireless access point and a passive shared disk (and my target for Time Machine on my Mac).
  Nothing else on my home network needs to be accessed from the outside world, no gaming, no servers, no Back to My Mac for any individual Mac computer (we have four).
  So what I'm looking for is help knowing what holes to poke into the NVG589's firewall to direct to my time capsule. I've searched through many docs here on Apple's support site, and the number of potential ports I could open is dizzying. Security concerns require that I open the necessary ports, and no more.
  I'd be grateful for any help.

  LaPastenague,
  I connected one of devices that I was trying to reach directly to the U-Verse modem and the port forwarding doesnt work anymore.  This must be somthing in the way I reconfigured the U-Verse modem to work with my new TC, becuase it used to work jsut fine.
  I have a U-Verse modem model number 3801HGV.  I have a new TC with a 3TB HD but I don't know the specifcs of what generation is it.  It is new and dual band WiFi...  that is why I am trying to use it as a wireless access point behind my At&T modem/router.
  As far as the details go, I will explain.  The port forwarding worked before I added the TC, so I'm sure I just dont have them working together yet.  The devices that I want to reach from my iPhone and iPad are a Foscam 8910W IP camera, and a Neptune Apex aquarium controller.  Both devices have static IPs and configured with ports 8080, and 8090 respectivly.  The IP camera is connected to the TC wirelessly and the Apex is a little different...it is connected to a Sonos (wireless music media) bridge via a ethernet patch cable.  The Sonos bridge is connected to the Sonos wireless network (assume it is a dedicated frequency) which originates at another Bridge that is physically connected to the TC with a ethernet cable.  Sounds weird, but it works as that is one of the features the the Sonos has is to offer.  I think it is similar to a wirless gaming adapter in that sense.
  As far as port fowarding goes, I configured within the U-Verse router to open up the two IP ports 192.168.X.X:8080 for the Apex and 192.168.Y.Y:8090 for the Foscam in the Firewall section called "Applications, pinholes and DMZ".  I would use my cellphone when away from home by putting my public IP along with the correct port number to get access to the assocated device (ex.99.56.289.34:8080).  The phone was on a cellular signal and not tethered to the wireless network.  My public IP always stays the same so I don't have to worry about that variable.
  Again, all this used to work, but now when I added the TC I cant access it externally.  Any suggestions to get this to work would be apprected.
  Best Regards

• Ports to be open for iTunes U

  Hi,
  I have an issue in my institution. I can't browse my iTunes U content, especially videos. Videos never start and also block iTunes 30 seconds later.
  Do you know which ports need to be open ? My institution is behing a very narrow firewall, we also use a proxy (which is well configurated I guess).
  I've been told that 80 and 443 ports should be open (http and https) but it doesn't help, videos are not launching.
  Are there other ports to be open ?
  Thanks for your help.

  Hello psavoyaud
  Check out the article below to go over other ports that are used by Apple and its services. 
  Well known TCP and UDP ports used by Apple software products
  http://support.apple.com/kb/TS1629
  Regards,
  -Norm G.

• How do I port forward or open a port on the Airport time capsule to hook p a security system?

  I have an airport time capsule and a security system.  The installer doesn't know anything about using routers etc, especially on a mac.  They say I have to port forward or open a port specifically of this device.  I have very few skills when doing this IT type.  Is this hard to do?  Can I do it myself?  He wants to get an IT guy out?  $55 an hour, how long would it take?  Thanks in advance for anyone who can help!

  The method is here.
  AirPort - Port Mapping Basics using AirPort Utility v6.x
  If you need to get someone in, it depends.. The TC can be recalcitrant.. due to your setup of it following the apple guides.. and it depends on the security system and how simple that is.
  There are multiple issues.. for example how do you find your IP address from the web when you have dynamic IP from your ISP.
  Do you intend to setup dynamic DNS? Can the camera /dvr system handle Dynamic DNS?
  I recommend you read very carefully the instructions for what has been installed.. because merely opening the port is only a small part of the issues involved in remote access to the security system.

• What inetd services causes port to be opened?

  Hello.
  I'd like to find out, what inetd-controlled service is causing a certain port to be opened by inetd. In particular, I'd like to know, why port 6112 is opened.
  adm@winds02 ~ $ getent services 6112
  dtspc                6112/tcpThis means, that "dtspc" is assigned port 6112, doesn't it?
  adm@winds02 ~ $ inetadm | grep dts
  enabled   maintenance    svc:/network/dtspc/tcp:default
  adm@winds02 ~ $ inetadm -l svc:/network/dtspc/tcp:default
  SCOPE    NAME=VALUE
           name="dtspc"
           endpoint_type="stream"
           proto="tcp"
           isrpc=FALSE
           wait=FALSE
           exec="/usr/dt/bin/dtspcd"
           arg0="/usr/dt/bin/dtspcd"
           user="root"
  default  bind_addr=""
  default  bind_fail_max=-1
  default  bind_fail_interval=-1
  default  max_con_rate=-1
  default  max_copies=-1
  default  con_rate_offline=-1
  default  failrate_cnt=40
  default  failrate_interval=60
  default  inherit_env=TRUE
  default  tcp_trace=FALSE
  default  tcp_wrappers=FALSENow I'm disabling dtspc and run pcp <http://www.unix.ms/pcp/> again:
  adm@winds02 ~ $ sudo bin/./pcp -p 6112
  PID     Process Name and Port
  274     /usr/lib/inet/inetd     6112
          sockname: AF_INET 0.0.0.0  port: 6112
  1546    /usr/lib/inet/inetd     6112
          sockname: AF_INET 0.0.0.0  port: 6112
  1595    /usr/lib/inet/inetd     6112
          sockname: AF_INET 0.0.0.0  port: 6112
  _________________________________________________________Question: Why is port 6112 still open?
  adm@winds02 ~ $ inetadm
  ENABLED   STATE          FMRI
  disabled  disabled       svc:/application/x11/xfs:default
  enabled   online         svc:/application/font/stfsloader:default
  disabled  disabled       svc:/application/print/rfc1179:default
  enabled   online         svc:/network/rpc/gss:default
  disabled  disabled       svc:/network/rpc/cde-calendar-manager:default
  enabled   online         svc:/network/rpc/cde-ttdbserver:tcp
  enabled   online         svc:/network/rpc/ocfserv:default
  disabled  disabled       svc:/network/rpc/smserver:default
  disabled  disabled       svc:/network/rpc/mdcomm:default
  enabled   online         svc:/network/rpc/meta:default
  disabled  disabled       svc:/network/rpc/metamed:default
  enabled   online         svc:/network/rpc/metamh:default
  disabled  disabled       svc:/network/rpc/rex:default
  enabled   online         svc:/network/rpc/rstat:default
  disabled  disabled       svc:/network/rpc/rusers:default
  disabled  disabled       svc:/network/rpc/spray:default
  disabled  disabled       svc:/network/rpc/wall:default
  enabled   online         svc:/network/security/ktkt_warn:default
  disabled  disabled       svc:/network/security/krb5_prop:default
  disabled  disabled       svc:/network/swat:default
  enabled   online         svc:/network/cde-spc:default
  enabled   online         svc:/network/tname:default
  enabled   online         svc:/network/telnet:default
  enabled   online         svc:/network/nfs/rquota:default
  disabled  disabled       svc:/network/uucp:default
  disabled  disabled       svc:/network/chargen:dgram
  disabled  disabled       svc:/network/chargen:stream
  disabled  disabled       svc:/network/daytime:dgram
  disabled  disabled       svc:/network/daytime:stream
  disabled  disabled       svc:/network/discard:dgram
  disabled  disabled       svc:/network/discard:stream
  disabled  disabled       svc:/network/echo:dgram
  disabled  disabled       svc:/network/echo:stream
  disabled  disabled       svc:/network/time:dgram
  disabled  disabled       svc:/network/time:stream
  enabled   online         svc:/network/ftp:default
  disabled  disabled       svc:/network/comsat:default
  disabled  disabled       svc:/network/finger:default
  disabled  disabled       svc:/network/login:eklogin
  disabled  disabled       svc:/network/login:klogin
  enabled   online         svc:/network/login:rlogin
  enabled   online         svc:/network/rexec:default
  enabled   online         svc:/network/shell:default
  disabled  disabled       svc:/network/shell:kshell
  disabled  disabled       svc:/network/talk:default
  disabled  disabled       svc:/network/stdiscover:default
  disabled  disabled       svc:/network/stlisten:default
  enabled   online         svc:/network/rpc-100083_1/rpc_tcp:default
  enabled   online         svc:/network/rpc-100235_1/rpc_ticotsord:default
  disabled  disabled       svc:/network/dtspc/tcp:default
  enabled   online         svc:/network/rpc-100068_2-5/rpc_udp:default
  disabled  disabled       svc:/network/bpcd/tcp:default
  disabled  disabled       svc:/network/vnetd/tcp:default
  disabled  disabled       svc:/network/vopied/tcp:default
  disabled  disabled       svc:/network/bpjava-msvc/tcp:default
  disabled  disabled       svc:/network/swat/tcp:defaultThanks a lot,
  Alexander

  Darren_Dunham,
  Even if something's binding to port 6112 in a ngz, why should that matter to the global zone? After all, those are different IPs, and binding means, that something binds to an IP+Port combination (or NIC+Port).So they are. But Zones have a different concept of "ADDR_ANY" than the global zone does, and this difference is not readily apparent in 'pfiles' output.
  So a ngz can run an application that binds to ADDR_ANY (0.0.0.0), but it's really bound only to the IP addresses visible inside the zone.
  The thing is that from the global zone, 'ps' will see all the processes (including those in ngzs), and 'pfiles' will show that both processes are bound to the same port (and not via a specific IP address).
  This document below is really focusing more on exclusive IP zones, but if you look at page 7 and page 8, it shows two normal processes joining a standard TCP stack and two processes in separate shared-IP zones using their own TCP stacks (with the crucial difference that the app can bind to 0.0.0.0 and get different IPs)
  http://blogs.sun.com/aland/resource/ipinstances-svosug.pdf
  Darren