Programmatically Configure Firewall

Similar Messages

• How to configure firewall access for ASA 5510

  Hi,
  This is my first time to use the Cisco ASA 5500 family. I have a request from a user to create an access rule, to allow all LAN traffic to Destination IP address 165.241.29.17, 165.241.31.254 with Destination TCP port 5060,5061,5070 and UDP port 50000-52399.
  I want to do this using ASDM, How do I accomplish this?
  Thanks,
  Jojo

  Hey Jojo I use the ASDM to manage my ASA... so below should get you a general access rule to allow what you need.
  •1.      Log into your ASA using ASDM.. on the top tabs look for "Configuration"
  •2.      Once you click "Configuration", on the left side panel down at the bottom you should see "Firewall".  Make sure you’re in the "Firewall" menu and at the top you should be viewing "Access Rules".  You should see a list of access rules applied to your ASA.
  •3.      At the top you should see a green "+Add" to add a new access rule to your ASA.  Once clicked you should identify…
       •a.      Interface -  INSIDE or OUTSIDE
       •b.      Action - PERMIT or DENY
       •c.      Source - Subnet that needs to talk to destination address
       •d.      Destination - use the [...] box to create a Network Object for 165.241.29.17 and 165.241.31.254 use /32 mask for specific ip address and not a range
       •e.      Service - Again use the [...] box to create TCP and UDP Service Groups for the specific ports
  •4.     You can then enter a description of the specific access rule and enable logging.
  This should be it... let me know how this works out for you!! 

• Trying to configure firewall rule but acl-drop is denied...what is my issue?

  I am trying to allow ip 162.213.47.1/24 and Ranges below.
  Firewall must allow access to our MarcomCentral® Servers
   CIDR Format: 162.213.47.0/24
   Netrange Format (Range of IP addresses): 162.213.47.1-254
   If desired ports can be restricted to 80 and 443 (required for traffic on internet)
  I am trying to get this company PTI that has the 162.213.47.0/24 address's to be able to access our outside network and pass data through.
  After setting up the rules I can that I am getting hits so data is moving. However when running a packet trace the acl-drop is denied by the #13  configured rule. I dont understand why my rule isn't working. It should allow those IP's to pass data to our side.

  could you try to issue a different packet tracer as follows:
  packet-tracer input outside tcp 162.213.47.129 1234 <your public IP> 80 detail
  If you are trying to allow web access via 80 and 443 to your internal servers, then you need to also make sure that they have static NAT and that the ASA has a route to their subnet if it is not directly connected to the ASA.
  Please remember to select a correct answer and rate helpful posts

• Configuring firewall on macbook for website

  I'm using OS 6.8 with a MacBook. Hostgator says my firewall needs to allow Port 2078 (SSL) and Port 2077 (Clear Text/Not Encrypted) I  so the Web Disc will work. I find firewall settings at System Preferences>Security>Advanced and see that by clicking + I can to allow ports by adding them. Elsewhere I had read to go to System Preferences>Sharing and click on Advanced tab. However, on my Mac, Advanced tab only happens on SP>Security not Sharing. Do just follow Hostgator instructions and click on WebDisc icon to put it on my desktop and by default the 2078 and 2077 ports will be allowed or do I have to be pepared to configure the firewall manually and how do I do that?

  http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v413/configuration/guide/cnfg/traffic.html

• Programmatically configure email instance settings

  I am looking to configure the Email Instance Settings of our Production apex environment and am hoping this can be done programmatically to reduce the complexity of the pending release.
  Is there an API, Procedure or Package I can call that will set the required values (Servername and Port) without having to unlock the builder, log into the INTERAL workspace and make the changes via the GUI?
  Thanks for any help.
  Duncs

  Hi Duncs,
  you may have a look into the APEX Administration Guide concerning managing runtime environments, especially section "Configuring Email in a Runtime Environment".
  http://download.oracle.com/docs/cd/E17556_01/doc/admin.40/e15521/adm_mg_service_set.htm#BEJBCEEH
  The above link is for APEX 4.0. If you use an older version of APEX, use the corresponding document.
  -Udo
  P.S.: I just found a little doc-bug. The documentation refers to
  BEGIN
     APEX_INSTANCE_ADMIN.GET_PARAMETER(PARAMETER_NAME, PARAMETER_VALUE);
  END;where of the call should be
  BEGIN
     APEX_INSTANCE_ADMIN.SET_PARAMETER(PARAMETER_NAME, PARAMETER_VALUE);
  END;Parameters SMTP_FROM, SMTP_HOST_ADDRESS and SMTP_HOST_PORT appear to be correct.
  Edited by: Udo on 13.10.2010 13:27

• Is there a way to programmatically configure Firefox to use Adobe Reader within the Firefox Browser?

  We have customers who are having difficulty saving their PDF files upon opening them from our web page because most of the time, they have "Use Adobe Reader (default)" set under Tools->Options->Applications. This causes the PDF file to be loaded into a standalone version of Adobe Reader where the Save icon is disabled.
  We can suggest to our users that they change this to "Use Adobe Acrobat (in Firefox)", which will give them the desired behavior of loading the PDF in a Firefox window with the Acrobat plug-in's Save icon enabled.
  However, we'd like to pro-actively change this configuration for our users via javascript if at all possible, so they don't have to go through the trouble of contacting us with the issue.
  Is this possible?

  I think that the built-in PDF Viewer only gets triggered with a specific MIME type (application/pdf) send by the server.
  *http://mxr.mozilla.org/mozilla-release/source/browser/components/preferences/in-content/applications.js
  Bug 845740 - The web site should be able to suggest that Firefox not to use the built-in PDF viewer

• SDM Error when Configuring Firewall on 851

  SDM V2.3.2 gives me an error when generating the Firewall for an 851. How do I get past this error?

  Hi Mike,
  It seems hat this pppoe error is not critical. According to the following Software Defect Report, some images do not give the user access to that command:
  CSCsq83872 - Memory Leak seen while unconfiguring pppoe
  (BTW, your IOS image has the fix for the above problem)
  Also, you are saying that your Internet is up, so the PPPoE piece seems to be fine.
  At this point, I would recommened that you open a TAC case so we can look at this issue in more detail:
  http://www.cisco.com/tac/caseopen
  Once you have the case number, please send it to me so I can track it. After the engineer provides you with the solution, I will post on the forum.
  Thanks,
  Marcos

• Firewall Configuration for Leopoard 10.5.2

  Hi Members,
  I would like to know how to configure firewall on my macbook?
  Any suggestion!
  Regards
  Vikram

  macworld article -Understanding and using Leopard Firewall
  But be aware that the gui in leopard configures an application firewall.
  If you want to configure IPFW the unix firewall that is also built into leopard take a look at water roof

• How to Invoke Oracle Configurator via URL Outside the APPS Firewall

  Hi Gurus,
  We would like to invoke Oracle Configurator via URL same as Oracle iStore. Please let me know the process/steps to meet the requirement.
  Thanks in Advance,
  Venky.

  There is no restriction that Oracle Configurator may only be executed from within an Oracle hosting application. Configurator may be invoked from any application that has the ability to call Configurator's UI servlet. As an example, Astec (now part of Emerson Network Power) has had a Configurator application they call their "Power Wizard" on their public website for nearly eight years (http://www.powerconversion.com/powerwizard/).
  Venky, I would recommend you search My Oracle Support for articles containing 'configurator firewall' or 'configurator ssl', and then filter the results to just EBS articles. If what you find there is not helpful, opening a Support Request to get information more tailored to your particular scenario may be advisable.
  Eogan

• Configuring Mac OS X Firewall for iChat

  I understand that one must configure the firewall in Mac OS X Tiger before using iChat. It is a mystery to me that Apple does not provide a pre-configured Firewall rule for iChat AV that the user can easily just turn on or off. (Apple does have a pre-configured rule for iChat Bonjour).
  There is a How-To article on Apple's web site (see http://docs.info.apple.com/article.html?artnum=93208 ) but this article appears to be out of date. The article tells you to open up certain ports but it does not tell you whether the ports are TCP or UDP.
  From what I am been able to figure out, one needs to open up the following ports in the Mac OS X Firewall for iChat to work:
  TCP Ports -- 5190, 5297, 5298
  UDP Ports -- 5060, 5190, 5676, 16384-16403
  Is this correct? Do I need to open up these ports in the Mac OS X Tiger Firewall before I can get iChat AV to work?
  (I prefer not to open uo any unnecessary ports).
  RobK

  By default the Mac OS X firewall doesn't block UDP traffic. So unless you have clicked on the "Advanced" button in your firewall settings and told the firewall to block UDP you don't need to bother with the UDP ports (and indeed, including them in your firewall rule they wont even be used).
  There is absolutely no need whatsoever to open up TCP ports 5222 or 5223.
  While ports 5222 and 5223 are used by XMPP/Jabber SERVERS iChat doesn't receive inbound connections on those ports. iChat will make an outbound connection on a random high port (mine's currently using port 54804 to connect to Google Talk on port 5223) and there's no need for a firewall rule for these (and it's impossible to predict what port iChat will use anyway).
  Port 5190 (TCP) is used for AIM server connection. Just like above iChat will use a random high port to connect to the AIM server on this port so this does not need to be opened.
  Port 5190 (UDP) is used for AIM file transfers i believe. It may be that iChat also uses it for XMPP/Jabber and Bonjour file transfers too (though i suspect not since the Bonjour firewall rule doesn't open up this port). If you haven't blocked UDP traffic you wont need to open this port.
  Port 5220. As far as i know this port has nothing to do with XMPP/Jabber. The only thing i can think of is that perhaps iChat uses it as a custom file transfer port (though since Bonjour is just serverless XMPP/Jabber and this port isn't opened the Bonjour rule i suspect not). There is probably no need to open this port.
  Port 5298. I believe this is used for message exchange via Bonjour. If you're not planning on using Bonjour you shouldn't need to open it.
  Anyway, after this long rambling post the conclusion is:
  So long as you haven't blocked UDP traffic in the Advanced section of your Mac OS X firewall you shouldn't need to open up any ports for iChat to work (on your Mac anyway. Gateway/router is another story).
  If you have blocked UDP you will need to open the following:
  UDP: 5060, 5190, 5297, 5298, 5353, 5678, 16384-16403
  No TCP ports should need to be opened.
  Forwarding the above UDP ports to your machine on your gateway or router should enable things to work perfectly.

• Configuring the cache programmatically

  I'm trying to find out if there is a way to configure the cache programmatically. I know that we can configure it via command line parameters (main problem is that this can only be used at VM startup, but we may want to shutdown the cache and start it up again with a different configuration, without restarting the web app or the VM), or via tangosol-coherence-override.xml (main problem is that this is problematic to change in a deployed war/jar, partly because the it would be destroyed/overwritten with a new release of our software). The ideal facility would allow our application to supply Coherence with the XML configuration data, programmatically, at runtime; that is, we would build the XML data ourself (e.g., from our own database that includes configuration data) and pass that to Coherence as a startup parameter. Is there any way to accomplish this kind of programmatic configuration at startup?
  Thanks!
  Trygve Isaacson
  Message was edited by: trygve

  Hi Trygve,
  You can use {system-property-name default-value} xml-override syntax, for example, you can create tangosol-coherence-override.xml which looks like this:
  <code>
  <coherence xml-override="{my.override}">
  </coherence>
  </code>
  and then specify an actual file name in your code:
  <code>
  System.setProperty("my.override", file_name);
  </code>
  Regards,
  Dimitri

• Programmat​ically configure Modbus server.

  Is it possible to programmatically configure an I/O server (e.g. Modbus Ethernet) in any way other than the Express VI provided with the DSC module? Many of the attributes are "hidden" in the dialog boxes, instead of being easily readable on the block diagram. Additionally, if I want to create a class encapsulating Modbus clients, there seems little ability to write accessors for attributes such as "maximum data points per command" or "first word low in 32-bit data types."
  Any help/thoughts are appreciated. If the functionality doesn't exist, then I hereby submit a feature request.

  I'm learning how to use the Actor Framework to build an application for controlling, monitoring and aquiring data from a large research facility. One thought for creating a hardware abstraction layer is to have a generic "Modbus client" class. Modbus clients all share general characteristics, such as the attribute settings currently rolled up in the Express VI for creating and configuring I/O servers. Certainly, one can imagine setting up each client "by hand," but then you're not saving yourself any work. If you could handle full setup programmatically, then when a new Modbus client object is instantiated, the work load should be lessened. There's also the issue of transparency to someone creating a new object. Since you can't write accessor methods for advanced attributes, the only way to interact with those attributes is via the dialog box, which obscures how the client is configured and subsequently behaves.
  Since I'm relatively new to the OOP stuff, it's possible that I'm overthinking the whole issue and making it harder than it needs to be. It still would be nice to be able to write a method to set the advanced attributes, instead of having to hunt through dialog boxes to find the options. I'm not generally a fan of Express VIs, because I'm often engaged in tasks that are beyond the functionality they provide and they obscure reading of code by failing to provide full disclosure about inputs and outputs.

• ASA 5510 FireWall Problem

  Hi All
  After some advise and direction
  Our ASA firewall using ASA version 8.4 has recently started presenting us with a problem to one external website
  called http://partners.highnet.com/login/  ip address 62.233.82.181.
  Our firewall is letting everything on our inside Trusted site 192.168.254.0/24 out through our outside interface on x.x.x.x
  to any website and brings back the details
  However when we try to reach http://partners.highnet.com/login/ we recently started receiving (Internet Explorer cannot display the webpage)
  on checking the ASA under Home TAB       -       Firewall Dashboard    -    and then under     -      Top 10 protected Servers under SYN attack we are receiving the below error.
  Rank        Server IP-Port           Interface     Average          Current                    Total                           Source IP (Last Attack Time)
  5
             62.233.82.181:80
        INSIDE
              0
                   0
                          8
                            192.168.254.130 (1 mins ago)
  I have tried rebooting the ASA firewall (Still did not resolve).
  I have also  disabled basic threat detection and threat detection statistics and then re-enabled after a period of time under > configuration > Firewall > threat detection  (Still did not resolve).
  Have created a number of access list both from the inside to outside and outside to inside allowing TCP just to the specific IP address 62.233.82.181 (Still did not resolve).
  Tried editing Global Policy for Http configuration > connection settings TCP and UDP connections and also Embryonic connections (Still did not resolve).
  Also tried using the shun command on the ASA to clear connection and statistics and (Still did not resolve).
  So you see there is nothing else I can think of doing, so that is why I have asked you for some pointers maybe someone has come across this sort of issue before.
  If you can help or advise it is much appreciated.

  Hi,
  Are you sending logs from your ASA to any Syslog server from which you could pull all the connection logs for that destination IP address?
  On the ASA you can naturally use "packet-tracer" also to simulate one such packet coming from your LAN towards this WAN IP address (of the server) and confirm that all rules are correct.
  packet-tracer input INSIDE tcp 192.168.254.130 12345 62.233.82.181 80
  You could maybe also try to generate TCP SYNs directly from the ASA
  ping tcp 62.233.82.181 80
  And see if the server replies
  - Jouni

• Oracle12c SQL*NET blocked by Windows 2008 firewall - what is the correct solution?

  Hello,
  I have a question with regards to the SQL*NET traffic being blocked by the Windows 2008 firewall. This document shows that disabling the firewall can resolve the problem:
  https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=166773506396122&id=1472931.1&displayIndex=13&_afrWindowMode=0&_adf.ctrl-state=o4dq0hlih_112
  Is this really the solution?
  From what I understand from other documents is that just enabling port 1521 will not resolve any issues, as SQL*NET can use redirection to other random ports. That is probably the reason why the Oracle installation does not alter any firewall settings.
  What other methods do people use to connect a client to a DB server?
  This document shows what other methods to use, but who uses them?
  https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=166043735580557&id=68652.1&_afrWindowMode=0&_adf.ctrl-state=o4dq0hlih_78
  Does anyone use the Oracle Connection Manager for example?
  Thanks
  Richard

  I configure firewall to allow DB Server to start new network connections

• Configure RVS4000 Behind 2700-Gateway Qwest DSL Router VPN

  I have my QWEST DSL Router 2700-Gateway using a static public IP address
  This is setup to be the DHCP and assigned 192.168.0.2-50
  I need some help how to connect my RVS4000 and utilize VPN so I can connect to my work network from home. The 2700-Gateway has some features like Transparent Bridging, etc, but not sure how to me this work. Can anyone point me to article even if it's configuring with another DSL Router.
  Here is how I tried with my medium knowledge of networking...
  I have configured the RVS4000 as:
  LAN Static IP
  192.168.0.115
  Configured as DHCP Relay
  the 2700-Gateway router saw the device so:
  Configured firewall on 2700-Gateway for PORT FORWARDING:
  TCP port 1723 for PPTP tunnel maintenance traffic
  UDP port 47 Generic Routing Encapsulation (GRE)
  UDP port 500 for Internet Key Exchange (IKE) traffic
  UDP port 1701 for L2TP traffic
  --> 192.168.0.115
  This did not work.

  gv,
  Thanks for your help. I discovered the EasyVPN works quite differently then I expected a IPSec to work. Thanks for the suggestions. I documented my finding and procedure below.
  The answer was to use the transparent bridging setting on my DSL modem model 2Wire GATEWAYHG-2700 and and turn off Search PCV,  then setup the PPPoE on the RVS4000 VPN router to accept and authenticate my public IP address.
  Once I had the modem and router configured, I then had my RVS4000 VPN router ready to test VPN client. The documentation is vague. But after doing some research on here and having some difficulty:
  My Finding:
  I already had latest Firmware 1.109 from purchase
  On the client, I discovered from reading that the EasyVPN uses 443. Well I have this forwarding to a exchange server to utilize RPC/HTTPS with outlook. This turns out that it was fixed with the lastest firmware
  The new firmware allows this, as they fixed the vpn listening port override to port 60443..
  I port forwarded this to my router gateway 192.168.1.1
  In order to use this port, you must have the lastest client from the downloads at RVS4000 version. 1.10 which adds a drop box Auto/443/60433. I found auto and 60443 to work with my configuration.
  This configuration let me connect successfully.
  If you read the readme that's included with the EasyVPN client download, you have to export the client cert under VPN, and copy the file *.pem to the root folder of the vpn client.exe stated in readme to get rid of the security popup. This worked for me.
  So everything seems to be connecting.. But know get "The remote gateway is not responding" popup.  I tried the suggested MTU setting with no luck.
  After establishing a network share under map drive, this seems to have stop responding as well once this popup occurs.
  Things like this should just not be so hard..
  So I found this post in regards to my problem and hoping to here if anyone else has found a solution or work around here. Good night, some things are just not worth staying up late for,
  http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=13651#M13651
  Message Edited by MOTOGEEK on 12-10-2007 11:01 PM
  Message Edited by MOTOGEEK on 12-10-2007 11:04 PM
  Message Edited by MOTOGEEK on 12-10-2007 11:05 PM