Security for bridge connectivity

I need pointers on how to implement a proper secure bridge (point-to-multipoint or point-to-point). Can I use RADIUS/TACACS to authenticate non-root bridges using their MAC address?

I would suggest that you use any RADIUS server, like ACS, to secure your wireless bridged network. For information on how to configure the RADIUS server, read http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
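As an added example (not part of the original thread), here is what the MAC-address check looks like at the RADIUS level: an access point doing MAC authentication sends the bridge's MAC as both User-Name and User-Password (hidden with the RFC 2865 shared-secret scheme), and the server recovers it and matches it against an allow-list. The shared secret, MAC and NAS identifier below are constructed placeholders.

```python
"""RADIUS MAC-address authentication, both the request a bridge/AP sends and
the server-side decision.  Constructed example; secret and MAC are made up."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_IDENTIFIER = 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator instead of a previous block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding again."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    # Type (1 byte) + Length (1 byte, header included) + Value
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_mac_auth_request(mac: str, secret: bytes, nas_id: str,
                           ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Cisco IOS APs doing MAC authentication send the MAC (lower-case, no
    separators) as both User-Name and User-Password.  Calling-Station-Id is
    sent as given here; its exact format varies by vendor."""
    authenticator = authenticator or os.urandom(16)
    user = mac.lower().replace(":", "").replace("-", "").replace(".", "").encode()
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, hide_password(user, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode())
             + attribute(ATTR_CALLING_STATION_ID, mac.encode()))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-byte header; bad lengths raise."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def authorize_bridge(packet: bytes, secret: bytes, allowed_macs: set) -> bool:
    """Server side: recover the password, require it to equal the User-Name
    (the convention MAC auth relies on) and require the MAC to be allow-listed.
    A wrong shared secret yields garbage and therefore a reject."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_REQUEST or length != len(packet):
        return False
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    user = attrs.get(ATTR_USER_NAME, b"")
    pwd = unhide_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, authenticator)
    return pwd == user and user.decode(errors="replace") in allowed_macs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # placeholder, not a real secret
    pkt = build_mac_auth_request("00:1a:2b:3c:4d:5e", secret, "non-root")
    print(authorize_bridge(pkt, secret, {"001a2b3c4d5e"}))
```

Because the only credential here is the MAC itself, treat MAC authentication as a device filter layered on top of the WPA2/EAP link security rather than as the sole control on the bridge link.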

Similar Messages

  • Both radios useable for bridge connection

    Hi,
    I have two 1242 access points.
    One is the root bridge and the other the non-root bridge.
    My question is: can I use both radios for the link?
    At the moment it works only with one radio.
    It works with either the g or the a standard, but not with both together.
    If I turn on the second radio I have no connection.
    Best regards, Dieter

    Thanks for your answer.
    I hope you could help me with the configs.
    I think it is a problem with the bridge-groups, but I have no idea how to solve this.
    This is my root bridge config:
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname root
    !
    enable secret 5 $1$XYrB$xov2WG/kNnnH1ldFMJEHz.
    !
    no aaa new-model
    dot11 syslog
    !
    dot11 ssid test
       authentication open
       authentication key-management wpa version 2
       wpa-psk ascii 7 071B245F5A1D1C1603
    !
    power inline negotiation prestandard source
    !
    username Cisco password 7 062506324F41
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     channel 2412
     station-role root bridge
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     no dfs band block
     channel dfs
     station-role root bridge
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.0.1 255.255.255.0
     no ip route-cache
    !
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    !
    line con 0
    line vty 0 4
     login local
    !
    end
    And this is the non-root bridge:
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname non-root
    !
    enable secret 5 $1$LSB2$q0iBDYt3eciyALsil0yf50
    !
    no aaa new-model
    dot11 syslog
    !
    dot11 ssid test
       authentication open
       authentication key-management wpa version 2
       infrastructure-ssid optional
       wpa-psk ascii 7 131112011F1801393F
    !
    username Cisco password 7 062506324F41
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     shutdown
     encryption mode ciphers aes-ccm
     ssid test
     station-role non-root bridge
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     station-role non-root bridge
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 192.168.0.2 255.255.255.0
     no ip route-cache
    !
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    !
    line con 0
    line vty 0 4
     login local
    !
    end
    Best regards, Dieter

  • Security for WiFi connection

    How would I lock my Wifi connection to prevent other close outside computers from using it?

    https://customer.xfinity.com/help-and-support/internet/wireless-gateway-username-and-password/

  • Site to site vpn for multipoint bridged connection

    I have a point-to-multipoint wireless bridge connection that the customer wants to secure with an ASA 5505 at each location. Keep in mind that each remote is just an extension of the host network, all on the same IP range.
    I was thinking that I could just set up an IPsec tunnel to each location from the host. Every example I see uses a different IP range for each location.
    My question is, is that possible and how would I do that?

    No, the ASA can't bridge across IPsec VPN connections (I don't believe any IPsec implementation by any vendor directly supports bridging), so I don't think there's an easy solution. If you had IOS routers you could configure bridging across GRE tunnels, but even that's not supported by Cisco, so you'd still be pushing your luck a little bit. Probably the best solution would be to just bite the bullet, re-address the remote sites, and configure traditional site-to-site VPNs. You could try to get fancy and do NAT across the VPNs so that all the remote hosts would appear to be on the same subnet as the main site, but I think you'd just be asking for trouble doing that.

  • How do I enable the security for my wireless connection?

    How do I enable the security for my wireless connection?

    Enter the setup page (192.168.1.1), hit the Wireless tab, then the Security tab.

  • Security requirement for dialup connection

    Dear All,
    I have installed a Cisco 3745 router with an NM 8A/S module at the central location, which is connected to the PSTN network for dialup connectivity. Remote users are now connecting to the central location through a PSTN dialup connection.
    Is it possible to do some configuration at the central Cisco 3745 router so that a specific telephone number subscriber can only make a dialup connection to a specific NM 8A/S port, i.e. is it possible to restrict the dialup users based on their telephone number at the central router?
    Also, is it possible to create a GRE or IPsec tunnel over this dialup connection?
    With Regards
    Anand

    Check out the following link...
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800d984a.html

  • WRT54GS router to WET54G bridge question, bridge connect to a wired router?

    Hello Everyone,
    I have a Wireless-G LAN set up using a WRT54GS router. The existing wireless devices on the LAN are 2 PCs, a TiVo unit (using the TiVo wireless adapter), and 2 WET54G wireless bridges. One bridge connects by ethernet wire to a LAN printer. The other bridge connects by ethernet wire to a Sony BDP-S550 Blu-Ray player.
    The security is WPA2-AES. So far all of that works OK, believe it or not, though I grew a lot older making it happen.
    Now here's what I'd like to do: I'd like to add another wired LAN device where the second WET54G bridge connects to the Blu-Ray player. The bridge only has one ethernet wire connection, so I have to come up with some other way to get the two devices connected to the wireless LAN.
    I have two other Linksys devices kicking around here that I can use. One is a BEFSR41 wired router. The other is a WAP54G wireless access point. If I can use one or both of those somehow, I won't have to buy another device. That's the agenda so far.
    Right now it looks like this:
    WRT54GS router, wireless to WET54G bridge, wire to WAN input of BEFSR41 router, wires to the two LAN devices.
    I'm having trouble making this work, assuming it can even be done. Can I get this config to work, or do I have to add the access point where the bridge is now, or...?
    Thanks for your time,
    Big Al Mintaka

    You already have a network working with your existing devices. What you are trying to include in your network is possible and can be done. Instead of connecting the cable from the WET54G to the WAN port on the router, connect the cable to a LAN port on the router. Disable DHCP and change the LAN IP to one in the range of your existing network. It should work.

  • Bridge connection problem.

    I'm trying to create a bridge connection between my laptop and a USB-connected Android phone using this guide:
    http://blog.mycila.com/2010/06/reverse- … id-22.html
    My internet interface is wlan0, not eth0.
    However, I run into a problem:
    $ sudo ifconfig wlan0 0.0.0.0
    $ sudo ifconfig usb0 0.0.0.0
    $ sudo brctl addbr br0
    $ sudo brctl addif br0 wlan0
    can't add wlan0 to bridge br0: Operation not supported
    I also tried doing it this way:
    On PC:
    sudo ifconfig usb0 192.168.42.1
    # enable routing
    sysctl net.ipv4.ip_forward=1
    # enable nat
    iptables -t nat -I POSTROUTING -s 192.168.42.129 -j MASQUERADE -o wlan0
    And issue this command on the phone:
    route add -net default gw 192.168.42.1
    But I can't even ping localhost from the phone
    # ping 192.168.42.129
    PING 192.168.42.129 (192.168.42.129) 56(84) bytes of data.
    ^C
    --- 192.168.42.129 ping statistics ---
    161 packets transmitted, 0 received, 100% packet loss, time 160105ms
    # ping localhost
    PING localhost (127.0.0.1) 56(84) bytes of data.
    ^C
    --- localhost ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 2999ms
    # busybox ping localhost
    PING localhost (127.0.0.1): 56 data bytes
    Last edited by Lockheed (2013-01-28 11:37:21)

    Ok, so here's my conf:
    # You should put this config-file in /etc/arno-iptables-firewall/ #
    # --------------------------- Configuration file ------------------------------
    # -= Arno's iptables firewall =-
    # Single- & multi-homed firewall script with DSL/ADSL support
    # (C) Copyright 2001-2012 by Arno van Amersfoort
    # Co-authors : Lonnie Abelbeck & Philip Prindeville
    # Homepage : http://rocky.eld.leidenuniv.nl/
    # Freshmeat : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
    # Email : arnova AT rocky DOT eld DOT leidenuniv DOT nl
    # (note: you must remove all spaces and substitute the @ and the .
    # at the proper locations!)
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # version 2 as published by the Free Software Foundation.
    # This program is distributed in the hope that it will be useful, but WITHOUT
    # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
    # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
    # more details.
    # You should have received a copy of the GNU General Public License along with
    # this program; if not, write to the Free Software Foundation Inc., 59 Temple
    # Place - Suite 330, Boston, MA 02111-1307, USA.
    # External (internet) interface settings #
    # The external interface(s) that will be protected (and used as internet
    # connection). This is probably ppp+ or dsl+ for non-transparent(!) (A)DSL
    # modems otherwise it's probably "ethX" (eg. eth0). Multiple interfaces should
    # be space separated.
    EXT_IF="eth0 wlan0"
    # Enable if THIS machine (dynamically) obtains its IP through (IPv4) DHCP
    # and/or (IPv6) DHCPv6 (from your ISP)
    EXT_IF_DHCP_IP=1
    # (EXPERT SETTING!) Here you can specify your external(!) IPv4 subnet(s). You
    # should only use this if you for example have a corporate network and/or
    # running a DHCP server on your external(!) interface. Home users should
    # normally NOT touch this setting. Multiple subnets should be space separated.
    # Don't forget to specify a proper subnet mask (eg. /24, /16 or /8)!
    #EXTERNAL_NET=""
    # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
    # on your external subnet. You only need to set this option if you want to use
    # the BROADCAST_XXX_NOLOG variables AND you use a non-standard broadcast
    # address (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
    # this empty should work fine. Multiple addresses should be space separated.
    #EXT_NET_BCAST_ADDRESS=""
    # Enable this if THIS MACHINE is running an IPv4 DHCP(BOOTP) server for a subnet
    # on the external(!) interface. Note that you don't need this for internal
    # subnets, as for these nets everything is accepted by default. Don't forget to
    # configure the EXTERNAL_NET variable, to make this work. (IPv4 Only)
    EXTERNAL_DHCP_SERVER=0
    # Enable this if THIS MACHINE is running an IPv6 DHCPv6 server for a Link-Local
    # address on the external(!) interface. Note that you don't need this for internal
    # subnets, as for these nets everything is accepted by default. (IPv6 Only)
    EXTERNAL_DHCPV6_SERVER=0
    # Internal (LAN) interface settings #
    # Specify here your internal network (LAN) interface(s). Multiple(!) interfaces
    # should be space separated. Remark this if you don't have any internal network
    # interfaces. Note that by default ALL traffic is accepted from these
    # interfaces.
    INT_IF="usb0 usb1"
    # Specify here the internal IPv4 subnet(s) which is/are connected to the
    # internal interface(s). For multiple interfaces(!) you can either specify
    # multiple subnets here or specify one big subnet for all internal interfaces.
    # Note that this variable is mainly used for antispoofing.
    INTERNAL_NET="10.1.3.0/24"
    # Set this variable to 0 to disable antispoof checking for the internal nets
    # (EXPERT SETTING!)
    INTERNAL_NET_ANTISPOOF=1
    # (EXPERT SETTING!) Here you can specify the IPv4 address used for broadcasts
    # on your internal subnet. You only need to set this option if you want to use
    # the MAC filter AND you use a non-standard broadcast address
    # (not *.255.255.255, *.*.255.255 or *.*.*.255)! So normally leaving
    # this empty should work fine. Multiple addresses (if you have multiple
    # internal nets) should be space separated.
    #INT_NET_BCAST_ADDRESS=""
    # DMZ (aka DeMilitarized Zone) settings #
    # Put in the following variable the network interfaces that are DMZ-classified.
    # You can also use this interface if you want to shield your Wireless network
    # from your LAN.
    DMZ_IF=""
    # Specify here the subnet which is connected to the DMZ interface (DMZ_IF).
    # For multiple interfaces(!) you can either specify multiple subnets here or
    # specify one big subnet for all DMZ interfaces.
    DMZ_NET=""
    # Set this variable to 0 to disable antispoof checking for the dmz nets
    # (EXPERT SETTING!)
    DMZ_NET_ANTISPOOF=1
    # NAT (Masquerade, SNAT, DNAT) settings (IPv4 only!) #
    # Enable this if you want to perform NAT (masquerading) for your internal
    # network (LAN) (eg. share your internet connection with your internal
    # net(s) connected to eg. INT_IF)
    NAT=1
    # (EXPERT SETTING!) In case you would like to use SNAT instead of
    # MASQUERADING then uncomment and set the IP or IPs here of your static
    # external address(es). Note that when multiple IPs are specified, SNAT
    # multiroute is enabled (load balancing over multiple external (internet)
    # interfaces, check the README file for more info). Note that the order of IPs
    # should match the order of interfaces (they belong to) in $EXT_IF!
    #NAT_STATIC_IP="193.2.1.1"
    # (EXPERT SETTING!) Use this variable only if you want specific subnets or
    # hosts to be able to access the internet. When no value is specified, your
    # whole internal net will have access. In both cases it's obviously only
    # meaningful when NAT is enabled. Note that you can also use this variable if
    # you want to use NAT for your DMZ.
    NAT_INTERNAL_NET="$INTERNAL_NET"
    # (EXPERT SETTING!) Enable this if you want to be able to redirect local ports
    # or protocols on your gateway using NAT forwards.
    NAT_LOCAL_REDIRECT=0
    # NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to
    # an internal client through (D)NAT. Note that you can also use these
    # variables to forward ports to DMZ hosts.
    # TCP/UDP form:
    # "{SRCIP1,SRCIP2,...~}PORT1,PORT2-PORT3,...>DESTIP1{~port} \
    # {SRCIP3,...~}PORT3,...>DESTIP2{~port}"
    # IP form:
    # "{SRCIP1,SRCIP2,...~}PROTO1,PROTO2,...>DESTIP1 \
    # {SRCIP3~}PROTO3,PROTO4,...>DESTIP2"
    # TCP/UDP port forward examples:
    # Simple (forward port 80 to internal host 192.168.0.10):
    # NAT_FORWARD_xxx="80>192.168.0.10 20,21>192.168.0.10"
    # Advanced (forward port 20 & 21 to 192.168.0.10 and
    # forward from 1.2.3.4 port 81 to 192.168.0.11 port 80:
    # NAT_FORWARD_xxx="1.2.3.4~81>192.168.0.11~80"
    # IP protocol forward example:
    # (forward protocols 47 & 48 to 192.168.0.10)
    # NAT_FORWARD_IP="47,48>192.168.0.10"
    # NOTE 1: {~port} is optional. Use it to redirect a specific port to a
    # different port on the internal client.
    # NOTE 2: {SRCIPx} is optional. Use it to restrict access for specific source
    # (inet) IP addresses.
    # (IPv4 Only)
    NAT_FORWARD_TCP=""
    NAT_FORWARD_UDP=""
    NAT_FORWARD_IP=""
    # TCP/UDP/IP forwards. Forward IPv6 and non-NAT'ed IPv4 ports or protocols
    # from the gateway to an internal client. Note that you can also use these
    # variables to forward ports to DMZ hosts.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1{~port} \
    # SRCIP3,...>DESTIP2{~port}"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~PROTO \
    # SRCIP3,...>DESTIP2~PROTO"
    # TCP/UDP port forward examples:
    # Simple (IPv6 forward port 80 to internal host 2001:db8::2):
    # INET_FORWARD_TCP="::/0>2001:db8::2~80"
    # Simple (IPv4 non-NAT forward port 80 to internal host 192.168.0.10):
    # INET_FORWARD_TCP="0/0>192.168.0.10~80"
    # Advanced (forward all UDP ports for 2000::/3 net to 2001:db8::/32 net):
    # INET_FORWARD_UDP="2000::/3>2001:db8::/32"
    # IP protocol forward example:
    # (forward protocol 58 (ICMPv6) to 2001:db8::2)
    # INET_FORWARD_IP="::/0>2001:db8::2~58"
    # (IPv6 and non-NAT'ed IPv4 Only)
    INET_FORWARD_TCP=""
    INET_FORWARD_UDP=""
    INET_FORWARD_IP=""
    # General settings #
    # (EXPERT SETTING!) Location of the iptables-binary (use 'locate iptables' or
    # 'whereis iptables' to manually locate it), required for (default) IPv4 support
    IP4TABLES="/usr/sbin/iptables"
    # (EXPERT SETTING!) Location of the ip6tables-binary (use 'locate ip6tables' or
    # 'whereis ip6tables' to manually locate it), required for IPv6 support
    IP6TABLES="/usr/sbin/ip6tables"
    # (EXPERT SETTING!) Location of the environment file
    ENV_FILE="/usr/share/arno-iptables-firewall/environment"
    # (EXPERT SETTING!) Location of plugin binary & config files
    PLUGIN_BIN_PATH="/usr/share/arno-iptables-firewall/plugins"
    PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
    # Most people don't want to get any firewall logs being spit to the console.
    # This option makes the kernel ring buffer only log messages with level
    # "panic".
    DMESG_PANIC_ONLY=1
    # Enable this if you want TOS mangling (RFC)
    MANGLE_TOS=0
    # Enable this if you want to set the maximum packet size via the
    # Maximum Segment Size(through MSS field)
    SET_MSS=1
    # Enable this if you want to increase the TTL value by one in the prerouting
    # chain. This hides the firewall when performing eg. traceroutes to internal
    # hosts. (IPv4 only!)
    TTL_INC=0
    # (EXPERT SETTING!) Enable this if you want to set the TTL value for packets in
    # the OUTPUT & FORWARD chain. Note that this only works with newer 2.6 kernels
    # (2.6.14 or better) or patched 2.4 kernels, which have netfilter TTL target
    # support. Don't mess with this unless you really know what you are doing!
    # (IPv4 only!)
    #PACKET_TTL="64"
    # Enable this to support the IRC-protocol.
    USE_IRC=0
    # (EXPERT SETTING!) Loosen the forward chain for the external interface(s).
    # Enable it to allow the use of protocols like UPnP. Note that it *could* be
    # less secure.
    LOOSE_FORWARD=0
    # (EXPERT SETTING!) Enable (1) to allow IPv6 Link-Local addresses to be
    # forwarded between interfaces. (IPv6 Only)
    FORWARD_LINK_LOCAL=0
    # (EXPERT SETTING!) Disable (0) to not drop all IPv6 packets with
    # Routing Header Type 0. Enabled by default. (IPv6 Only)
    IPV6_DROP_RH_ZERO=1
    # (EXPERT SETTING!) Enable this if you want to drop packets originating from a
    # private address.
    # Note: To enable logging of dropped private addresses set RESERVED_NET_LOG=1
    RESERVED_NET_DROP=0
    # (EXPERT SETTING!) Protect this machine from being abused for a DRDOS-attack
    # ("Distributed Reflection Denial Of Service"-attack). (STILL EXPERIMENTAL!)
    DRDOS_PROTECT=0
    # Enable (1) if you want to enable mixed IPv4/IPv6 traffic support
    # Disable (0) if you want to enable only IPv4 traffic support
    IPV6_SUPPORT=0
    # This option fixes problems with SMB broadcasts when using nmblookup
    NMB_BROADCAST_FIX=0
    # Set this to 0 to suppress "assuming module is compiled in kernel" messages
    COMPILED_IN_KERNEL_MESSAGES=1
    # (EXPERT SETTING!) You can choose the default policy for the INPUT & FORWARD
    # chain here (1=DROP, 0=ACCEPT). The default policy is DROP. This means that
    # when there are no rule(s) available (yet), the packet will be DROPPED. In
    # practice this rule only does something while the firewall is starting. Once
    # it's started and all rules are in place, the default policy doesn't do
    # anything anymore. People that use eg. NFS and let their clients boot from NFS
    # (diskless client systems) probably want to disable this option to fix
    # "NFS server not responding" etc. errors on their clients.
    DEFAULT_POLICY_DROP=1
    # (EXPERT SETTING!) (Other) trusted network interfaces for which ALL IP
    # traffic should be ACCEPTED. (multiple(!) interfaces should be space
    # separated). Be warned that anything TO and FROM these interfaces is allowed
    # (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world
    # (internet)! And of course putting one of your external interfaces here would
    # be extremely stupid.
    TRUSTED_IF=""
    # (EXPERT SETTING!) Put here the interfaces that should trust
    # each other (accept forward traffic). You can use | (piping-sign) to create
    # separate interface groups. And (again) of course putting one of your external
    # interfaces here would be extremely stupid.
    IF_TRUSTS=""
    # Location of the custom iptables rules file (if any).
    CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
    # Location of the local (user/global) configuration file, if used
    LOCAL_CONFIG_FILE=""
    # (EXPERT SETTING!) Set this (to 1) to disable the use of iptables-save and
    # iptables-restore to add rules in batch rather than one-by-one. Much slower
    # when disabled. BLOCK_HOSTS and BLOCK_HOSTS_FILE utilizes this feature.
    DISABLE_IPTABLES_BATCH=0
    # (EXPERT SETTING!) Set this (to 1) to enable tracing
    TRACE=0
    # Logging options - All logging is rate limited to prevent log flooding #
    # Enable logging for explicitly blocked hosts.
    BLOCKED_HOST_LOG=1
    # Enable logging for various stealth scans (reliable).
    SCAN_LOG=1
    # Enable logging for possible stealth scans (less reliable).
    POSSIBLE_SCAN_LOG=1
    # Enable logging for TCP-packets with bad flags.
    BAD_FLAGS_LOG=1
    # Enable logging of invalid TCP packets. Keep disabled (0) by default to reduce
    # INVALID packets being logged because of lost (legitimate) connections. When
    # debugging any problems, you should enable it (temporarily)!
    INVALID_TCP_LOG=0
    # Enable logging of invalid UDP packets. Keep disabled (0) by default to reduce
    # INVALID packets being logged because of lost (legitimate) connections. When
    # debugging any problems, you should enable it (temporarily)!
    INVALID_UDP_LOG=0
    # Enable logging of invalid ICMP packets. Keep disabled (0) by default to reduce
    # INVALID packets being logged because of lost (legitimate) connections. When
    # debugging any problems, you should enable it (temporarily)!
    INVALID_ICMP_LOG=0
    # Enable (1) logging of source IPs with reserved or private addresses.
    RESERVED_NET_LOG=0
    # Enable logging of fragmented packets.
    FRAG_LOG=1
    # Enable logging of denied local (OUTPUT) connections.
    INET_OUTPUT_DENY_LOG=1
    # Enable logging of denied LAN output (FORWARD) connections.
    LAN_OUTPUT_DENY_LOG=1
    # Enable logging of denied LAN INPUT connections.
    LAN_INPUT_DENY_LOG=1
    # Enable logging of denied DMZ output (FORWARD) connections.
    DMZ_OUTPUT_DENY_LOG=1
    # Enable logging of denied DMZ input (FORWARD) connections.
    DMZ_INPUT_DENY_LOG=1
    # Enable logging of dropped FORWARD packets.
    FORWARD_DROP_LOG=1
    # Enable logging of dropped IPv6 Link-Local forwarded packets.
    # Note: requires FORWARD_LINK_LOCAL=0 (IPv6 Only)
    LINK_LOCAL_DROP_LOG=1
    # Enable logging of dropped ICMP-request packets (ping).
    ICMP_REQUEST_LOG=1
    # Enable logging of dropped "other" ICMP packets.
    ICMP_OTHER_LOG=1
    # Enable logging of normal connection attempts to privileged TCP ports.
    PRIV_TCP_LOG=1
    # Enable logging of normal connection attempts to privileged UDP ports.
    PRIV_UDP_LOG=1
    # Enable logging of normal connection attempts to unprivileged TCP ports.
    UNPRIV_TCP_LOG=1
    # Enable logging of normal connection attempts to unprivileged UDP ports.
    UNPRIV_UDP_LOG=1
    # Enable logging of IPv4 IGMP packets
    IGMP_LOG=1
    # Enable logging of normal connection attempts to "other-IP"-protocols (non
    # TCP/UDP/ICMP/IGMP).
    OTHER_IP_LOG=1
    # Enable logging for ICMP flooding.
    ICMP_FLOOD_LOG=1
    # (EXPERT SETTING!) The location of the dedicated firewall log file. When
    # enabled the firewall script will also log start/stop etc. info to this file
    # as well. Note that in order to make this work, you should also configure
    # syslogd to log firewall messages to this file (see LOGLEVEL below for further
    # info).
    #FIREWALL_LOG="/var/log/firewall.log"
    # (EXPERT SETTING!) Current log-level ("info": default kernel syslog level)
    # "debug": can be used to log to /var/log/firewall.log, but you have to configure
    # syslogd accordingly (see included syslogd.conf examples).
    LOGLEVEL="info"
    # Put in the following variables which hosts you want to log certain incoming
    # connection attempts for.
    # TCP/UDP port format (LOG_HOST_INPUT_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LOG_HOST_INPUT_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    LOG_HOST_INPUT_TCP=""
    LOG_HOST_INPUT_UDP=""
    LOG_HOST_INPUT_IP=""
    # Put in the following variables which hosts you want to log certain outgoing
    # connection attempts for.
    # TCP/UDP port format (LOG_HOST_OUTPUT_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LOG_HOST_OUTPUT_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto4,proto4 ..."
    LOG_HOST_OUTPUT_TCP=""
    LOG_HOST_OUTPUT_UDP=""
    LOG_HOST_OUTPUT_IP=""
    # Put in the following variables which services you want to log incoming
    # connection attempts for.
    LOG_INPUT_TCP=""
    LOG_INPUT_UDP=""
    LOG_INPUT_IP=""
    # Put in the following variables which services you want to log outgoing
    # connection attempts for.
    LOG_OUTPUT_TCP=""
    LOG_OUTPUT_UDP=""
    LOG_OUTPUT_IP=""
    # Put in the following variable which hosts you want to log incoming connection
    # (attempts) for.
    LOG_HOST_INPUT=""
    # Put in the following variable which hosts you want to log outgoing connection
    # (attempts) to.
    LOG_HOST_OUTPUT=""
    # sysctl based settings (EXPERT SETTINGS!) #
    # Enable for synflood protection (through /proc/.../tcp_syncookies).
    SYN_PROT=1
    # Enable this to reduce the ability of others DOS'ing your machine.
    REDUCE_DOS_ABILITY=1
    # Enable to ignore all ICMP echo-requests (IPv4) on ALL interfaces.
    ECHO_IGNORE=0
    # Enable to log packets with impossible addresses to the kernel log.
    LOG_MARTIANS=0
    # Only disable this if you're NOT using forwarding (required for NAT etc.) for
    # increased security.
    # Note: If enabled and IPV6 enabled, local IPv6 autoconf will be disabled.
    IP_FORWARDING=1
    # (EXPERT SETTING!) Only disable this if IP_FORWARDING is disabled and
    # you do not use autoconf to obtain your IPv6 address.
    # Note: This is ignored if IP_FORWARDING is enabled. (IPv6 Only)
    IPV6_AUTO_CONFIGURATION=1
    # Enable if you want to accept ICMP redirect messages. Should be set to "0" in
    # case of a router.
    ICMP_REDIRECT=0
    # Enable/modify this if you want to be able to handle a larger (or smaller)
    # number of simultaneous connections. For high traffic machines I recommend to
    # use a value of at least 16384 (note that a higher value (obviously) also uses
    # more memory).
    CONNTRACK=16384
    # Enable ECN (Explicit Congestion Notification) TCP flag. Disabled by default,
    # as some routers are still not compatible with this.
    ECN=0
    # Enable to drop connections from non-routable IPs, eg. prevent source
    # routing. By default the firewall itself also provides rules against source
    # routing. Note that when you use eg. VPN (Freeswan), you should probably
    # disable this setting.
    RP_FILTER=1
    # Protect against source routed packets. Attackers can use source routing to
    # generate traffic pretending to be from inside your network, but which is
    # routed back along the path from which it came, namely outside, so attackers
    # can compromise your network. Source routing is rarely used for legitimate
    # purposes, so normally you should always leave this enabled(1)!
    SOURCE_ROUTE_PROTECTION=1
    # Here we set the local port range (ports from which connections are
    # initiated from our site). Don't mess with this unless you really know what
    # you are doing!
    LOCAL_PORT_RANGE="32768 61000"
    # Here you can change the default TTL used for sending packets. The value
    # should be between 10 and 255. Don't mess with this unless you really know
    # what you are doing!
    DEFAULT_TTL=64
    # In most cases pmtu discovery is ok, but in some rare cases (when having
    # problems) you might want to disable it.
    NO_PMTU_DISCOVERY=0
    # Firewall policies for the LAN (EXPERT SETTINGS!) #
    # LAN_xxx = LAN->localhost(this machine) input access rules #
    # Note that when both LAN_OPEN_xxx & LAN_HOST_OPEN_xxx are NOT used, the #
    # default policy for this chain is accept (unless denied through #
    # LAN_DENY_xxx and/or LAN_HOST_DENY_xxx)! #
    # Enable this to allow for ICMP-requests(ping) from your LAN
    LAN_OPEN_ICMP=1
    # Put in the following variables the TCP/UDP ports or IP protocols TO
    # (remote end-point) which the LAN hosts are permitted to connect to.
    LAN_OPEN_TCP=""
    LAN_OPEN_UDP=""
    LAN_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which LAN hosts are NOT permitted to connect to.
    LAN_DENY_TCP=""
    LAN_DENY_UDP=""
    LAN_DENY_IP=""
    # Put in the following variables the TCP/UDP ports or IP
    # protocols TO (remote end-point) which certain LAN hosts are
    # permitted to connect to.
    # TCP/UDP port format (LAN_INPUT_HOST_OPEN_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LAN_INPUT_HOST_OPEN_xxx):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    LAN_HOST_OPEN_TCP=""
    LAN_HOST_OPEN_UDP=""
    LAN_HOST_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which certain LAN hosts are NOT permitted to connect to.
    # TCP/UDP port format (LAN_HOST_DENY_TCP & LAN_HOST_DENY_UDP):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (LAN_HOST_DENY_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    LAN_HOST_DENY_TCP=""
    LAN_HOST_DENY_UDP=""
    LAN_HOST_DENY_IP=""
    # LAN_INET_xxx = LAN->internet access rules (forward) #
    # Note that when both LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx are NOT #
    # used, the default policy for this chain is accept (unless denied #
    # through LAN_INET_DENY_xxx and/or LAN_INET_HOST_DENY_xxx)! #
    # Enable this to allow for ICMP-requests(ping) for LAN->INET
    LAN_INET_OPEN_ICMP=1
    # Put in the following variables the TCP/UDP ports or IP
    # protocols TO (remote end-point) which the LAN hosts are
    # permitted to connect to via the external (internet) interface.
    LAN_INET_OPEN_TCP=""
    LAN_INET_OPEN_UDP=""
    LAN_INET_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which the LAN hosts are NOT permitted to connect to
    # via the external (internet) interface. Examples of usage are for blocking
    # IRC (TCP 6666:6669) for the internal network.
    LAN_INET_DENY_TCP=""
    LAN_INET_DENY_UDP=""
    LAN_INET_DENY_IP=""
    # Put in the following variables which LAN hosts you want to allow to certain
    # hosts/services on the internet. By default all services are allowed.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple:
    # (Allow port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
    # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced:
    # (Allow port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
    # allow port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
    # LAN_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0))
    # LAN_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    LAN_INET_HOST_OPEN_TCP=""
    LAN_INET_HOST_OPEN_UDP=""
    LAN_INET_HOST_OPEN_IP=""
    # Put in the following variables which LAN hosts you want to deny to certain
    # hosts/services on the internet.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Deny port 80 on INET host 1.2.3.4 for all LAN hosts(0/0)):
    # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
    # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all LAN hosts(0/0) and
    # deny port 80 on INET host 1.2.3.4 for LAN host 192.168.0.10 (only)):
    # LAN_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80"
    # IP protocol example:
    # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all LAN hosts(0/0)):
    # LAN_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    LAN_INET_HOST_DENY_TCP=""
    LAN_INET_HOST_DENY_UDP=""
    LAN_INET_HOST_DENY_IP=""
    # Firewall policies for the DMZ (EXPERT SETTINGS!) #
    # DMZ_xxx = DMZ->localhost(this machine) input access rules #
    # Enable this to allow ICMP-requests(ping) from the DMZ
    DMZ_OPEN_ICMP=1
    # Put in the following variables the TCP/UDP ports or IP protocols on this
    # machine which DMZ hosts are permitted to connect to (ICMP is controlled by
    # DMZ_OPEN_ICMP above). By default all (local) services are blocked for DMZ hosts.
    DMZ_OPEN_TCP=""
    DMZ_OPEN_UDP=""
    DMZ_OPEN_IP=""
    # Put in the following variables which DMZ hosts you want to allow for certain
    # services. By default all (local) services are blocked for DMZ hosts.
    # TCP/UDP port format (DMZ_HOST_OPEN_TCP & DMZ_HOST_OPEN_UDP):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (DMZ_HOST_OPEN_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    DMZ_HOST_OPEN_TCP=""
    DMZ_HOST_OPEN_UDP=""
    DMZ_HOST_OPEN_IP=""
    # INET_DMZ_xxx = Internet->DMZ access rules (forward) #
    # Note: As of Version 2.0.0 the default policy has changed to DROP #
    # Previous to Version 2.0.0 the default policy was ACCEPT #
    # Enable this to make the default policy allow for ICMP(ping) for INET->DMZ
    INET_DMZ_OPEN_ICMP=0
    # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
    # which INET hosts are permitted to connect to.
    INET_DMZ_OPEN_TCP=""
    INET_DMZ_OPEN_UDP=""
    INET_DMZ_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols in the DMZ
    # which INET hosts are NOT permitted to connect to.
    INET_DMZ_DENY_TCP=""
    INET_DMZ_DENY_UDP=""
    INET_DMZ_DENY_IP=""
    # Put in the following variables which INET hosts you want to allow to certain
    # hosts/services on the DMZ net. By default all services are dropped.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Allow port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
    # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced (Allow port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
    # allow port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
    # INET_DMZ_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
    # INET_DMZ_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    INET_DMZ_HOST_OPEN_TCP=""
    INET_DMZ_HOST_OPEN_UDP=""
    INET_DMZ_HOST_OPEN_IP=""
    # Put in the following variables which INET hosts you want to deny to certain
    # hosts/services on the DMZ net.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Deny port 80 on DMZ host 1.2.3.4 for all INET hosts(0/0)):
    # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~80"
    # Advanced (Deny port 20 & 21 on DMZ host 1.2.3.4 for all INET hosts(0/0) and
    # deny port 80 on DMZ host 1.2.3.4 for INET host 5.6.7.8 (only)):
    # INET_DMZ_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Deny protocols 47 & 48 on DMZ host 1.2.3.4 for all INET hosts):
    # INET_DMZ_HOST_DENY_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    INET_DMZ_HOST_DENY_TCP=""
    INET_DMZ_HOST_DENY_UDP=""
    INET_DMZ_HOST_DENY_IP=""
    # DMZ_INET_xxx = DMZ->internet access rules (forward) #
    # Note that when both DMZ_INET_OPEN_xxx & DMZ_INET_HOST_OPEN_xxx are NOT #
    # used, the default policy for this chain is accept (unless denied #
    # through DMZ_INET_DENY_xxx and/or DMZ_INET_HOST_DENY_xxx)! #
    # Enable this to make the default policy allow for ICMP(ping) for DMZ->INET
    DMZ_INET_OPEN_ICMP=1
    # Put in the following variables the TCP/UDP ports or IP
    # protocols TO (remote end-point) which the DMZ hosts are
    # permitted to connect to via the external (internet) interface.
    DMZ_INET_OPEN_TCP=""
    DMZ_INET_OPEN_UDP=""
    DMZ_INET_OPEN_IP=""
    # Put in the following variables the TCP/UDP ports or IP protocols TO (remote
    # end-point) which the DMZ hosts are NOT permitted to connect to
    # via the external (internet) interface. Examples of usage are for blocking
    # IRC (TCP 6666:6669) for the internal network.
    DMZ_INET_DENY_TCP=""
    DMZ_INET_DENY_UDP=""
    DMZ_INET_DENY_IP=""
    # Put in the following variables which DMZ hosts you want to allow to certain
    # hosts/services on the internet. By default all services are allowed.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Allow port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced (Allow port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
    # allow port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
    # DMZ_INET_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts):
    # DMZ_INET_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    DMZ_INET_HOST_OPEN_TCP=""
    DMZ_INET_HOST_OPEN_UDP=""
    DMZ_INET_HOST_OPEN_IP=""
    # Put in the following variables which DMZ hosts you want to deny to certain
    # hosts/services on the internet.
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Deny port 80 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~80"
    # Advanced (Deny port 20 & 21 on INET host 1.2.3.4 for all DMZ hosts(0/0) and
    # deny port 80 on INET host 1.2.3.4 for DMZ host 5.6.7.8 (only)):
    # DMZ_INET_HOST_DENY_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Deny protocols 47 & 48 on INET host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_INET_HOST_DENY_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    DMZ_INET_HOST_DENY_TCP=""
    DMZ_INET_HOST_DENY_UDP=""
    DMZ_INET_HOST_DENY_IP=""
    # DMZ_LAN_xxx = DMZ->LAN access rules (forward) #
    # Enable this to make the default policy allow for ICMP(ping) for DMZ->LAN
    DMZ_LAN_OPEN_ICMP=0
    # Put in the following variables which DMZ hosts you want to allow to certain
    # hosts/services on the LAN (net).
    # TCP/UDP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~port \
    # SRCIP3,...>DESTIP2~port"
    # IP form:
    # "SRCIP1,SRCIP2,...>DESTIP1~protocol \
    # SRCIP3,...>DESTIP2~protocol"
    # TCP/UDP examples:
    # Simple (Allow port 80 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~80"
    # Advanced (Allow port 20 & 21 on LAN host 1.2.3.4 for all DMZ hosts (0/0) and
    # allow port 80 for DMZ host 5.6.7.8 (only) on LAN host
    # 1.2.3.4):
    # DMZ_LAN_HOST_OPEN_xxx="0/0>1.2.3.4~20,21 5.6.7.8>1.2.3.4~80"
    # IP protocol example:
    # (Allow protocols 47 & 48 on LAN host 1.2.3.4 for all DMZ hosts(0/0)):
    # DMZ_LAN_HOST_OPEN_IP="0/0>1.2.3.4~47,48"
    # NOTE 1: If no SRCIPx is specified, any source host is used
    # NOTE 2: If no port is specified, any port is used
    DMZ_LAN_HOST_OPEN_TCP=""
    DMZ_LAN_HOST_OPEN_UDP=""
    DMZ_LAN_HOST_OPEN_IP=""
    # Firewall policies for the external (inet) interface (default policy = drop) #
    # Put in the following variable which hosts (subnets) you want have full access
    # via your internet (EXT_IF) connection(!). This is especially meant for
    # networks/servers which use NIS/NFS, as these protocols require all ports
    # to be open.
    # NOTE: Don't mistake this variable with the one used for internal nets.
    FULL_ACCESS_HOSTS=""
    # Put in the following variable which TCP/UDP ports you don't want to
    # see broadcasts from (eg. DHCP (67/68)) on your EXTERNAL interface. Note that
    # to make this properly work you also need to set "EXTERNAL_NET"!
    BROADCAST_TCP_NOLOG=""
    #BROADCAST_UDP_NOLOG="67 68"
    # Put in the following variables which hosts you want to allow for certain
    # services.
    # TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_OPEN_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    # ICMP protocol format (HOST_OPEN_ICMP):
    # "host1 host2 ...."
    HOST_OPEN_TCP=""
    HOST_OPEN_UDP=""
    HOST_OPEN_IP=""
    HOST_OPEN_ICMP=""
    # Put in the following variables which hosts you want to DENY(DROP) for certain
    # services (and logged).
    # TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_DENY_IP):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    # ICMP protocol format (HOST_DENY_ICMP):
    # "host1 host2 ...."
    HOST_DENY_TCP=""
    HOST_DENY_UDP=""
    HOST_DENY_IP=""
    HOST_DENY_ICMP=""
    # Put in the following variables which hosts you want to DENY(DROP) for certain
    # services but NOT logged.
    # TCP/UDP port format (HOST_DENY_xxx_NOLOG):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_DENY_IP_NOLOG):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    # ICMP protocol format (HOST_DENY_ICMP_NOLOG):
    # "host1 host2 ...."
    HOST_DENY_TCP_NOLOG=""
    HOST_DENY_UDP_NOLOG=""
    HOST_DENY_IP_NOLOG=""
    HOST_DENY_ICMP_NOLOG=""
    # Put in the following variables which hosts you want to REJECT (instead of
    # DROP) for certain TCP/UDP ports.
    # TCP/UDP port format (HOST_REJECT_xxx):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    HOST_REJECT_TCP=""
    HOST_REJECT_UDP=""
    # Put in the following variables which hosts you want to REJECT (instead of
    # DROP) for certain services but NOT logged.
    # TCP/UDP port format (HOST_REJECT_xxx_NOLOG):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    HOST_REJECT_TCP_NOLOG=""
    HOST_REJECT_UDP_NOLOG=""
    # Put in the following variables which services THIS machine is NOT
    # permitted to connect TO (remote end-point) via the external (internet)
    # interface. For example for blocking IRC (tcp 6666:6669).
    DENY_TCP_OUTPUT=""
    DENY_UDP_OUTPUT=""
    DENY_IP_OUTPUT=""
    # Put in the following variables to which hosts THIS machine is NOT
    # permitted to connect TO for certain services (remote end-point)
    # via the external (internet) interface. In principle you can also
    # use this to put your machine in a "virtual-DMZ" by blocking all traffic
    # to your local subnet.
    # TCP/UDP port format (HOST_DENY_TCP_OUTPUT & HOST_DENY_UDP_OUTPUT):
    # "host1,host2~port1,port2 host3,host4~port3,port4 ..."
    # IP protocol format (HOST_DENY_IP_OUTPUT):
    # "host1,host2~proto1,proto2 host3,host4~proto3,proto4 ..."
    HOST_DENY_TCP_OUTPUT=""
    HOST_DENY_UDP_OUTPUT=""
    HOST_DENY_IP_OUTPUT=""
    # Enable (1) to make the default policy allow for IPv4 ICMP (ping) for INET access
    # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
    OPEN_ICMP=0
    # Disable (0) to make the default policy drop IPv6 ICMPv6 for INET access
    # Note: Other ICMP variables apply to both IPv4 and IPv6 unless otherwise noted.
    OPEN_ICMPV6=1
    # Put in the following variables which ports or IP protocols you want to leave
    # open to the whole world.
    OPEN_TCP=""
    OPEN_UDP=""
    OPEN_IP=""
    # Put in the following variables the TCP/UDP ports you want to DENY(DROP) for
    # everyone (and logged). Also use these variables if you want to log connection
    # attempts to these ports from everyone (also trusted/full access hosts).
    # In principle you don't need these variables, as everything is already blocked
    # (denied) by default, but just exists for consistency.
    DENY_TCP=""
    DENY_UDP=""
    # Put in the following variables which ports you want to DENY(DROP) for
    # everyone but NOT logged. This is very useful if you have constant probes on
    # the same port(s) over and over again (code red worm) and don't want your logs
    # flooded with it.
    DENY_TCP_NOLOG=""
    DENY_UDP_NOLOG=""
    # Put in the following variables the TCP/UDP ports you want to REJECT (instead
    # of DROP) for everyone (and logged).
    REJECT_TCP=""
    REJECT_UDP=""
    # Put in the following variables the TCP/UDP ports you want to REJECT (instead
    # of DROP) for everyone but NOT logged.
    REJECT_TCP_NOLOG=""
    REJECT_UDP_NOLOG=""
    # Put in the following variable which hosts you want to block (blackhole,
    # dropping every packet from the host).
    BLOCK_HOSTS=""
    # Blocked Hosts are by default blocked in both Inbound and Outbound directions.
    # If only Inbound blocking is desired, set to 0 to disable bidirectional blocking.
    BLOCK_HOSTS_BIDIRECTIONAL=1
    # Uncomment & specify here the location of the file that contains a list of
    # hosts(IPs) that should be BLOCKED. IP ranges can (only) be specified as
    # w.x.y.z1-z2 (eg. 192.168.1.10-15). Note that the last line of this file
    # should always contain a carriage-return (enter)!
    #BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
    Service status:
    $ 0.status arno-iptables-firewall.service
    arno-iptables-firewall.service - A secure stateful firewall for both single and multi-homed machine
    Loaded: loaded (/usr/lib/systemd/system/arno-iptables-firewall.service; enabled)
    Active: active (exited) since Tue 2013-02-19 12:45:30 CET; 38s ago
    Main PID: 7781 (code=exited, status=0/SUCCESS)
    CGroup: name=systemd:/system/arno-iptables-firewall.service
    which is a bit confusing as it says 'active' and 'exited' at the same time...
    and then I get into my phone through adb shell, and I run:
    root@android:/ # su
    root@android:/ # netcfg usb0 dhcp
    action 'dhcp' failed (Timer expired)
    So apparently something is wrong,
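The `*_HOST_OPEN_*` and `*_HOST_DENY_*` variables in the config above all share one small grammar ("SRCIP1,SRCIP2>DESTIP~port1,port2 ..." for forward rules, "host1,host2~port1,port2 ..." for input rules, with the two NOTEs about a missing source meaning any source and a missing port meaning any port). It is easy to get a string wrong and silently open more than intended, so the following added example expands such a string into one iptables line per (source, destination, port) combination and prints them instead of applying them. This is illustration code written for this page, not arno-iptables-firewall's own parser: the chain names, targets and the `expand_rules`/`split_csv` names are assumptions, and the real script builds its own chain layout. The sample strings are the ones from the config's own comment examples.

```shell
#!/bin/sh
# Added example (not arno-iptables-firewall code): dry-run expansion of the
# "SRC1,SRC2>DST~port1,port2 SRC3>DST2~port3" rule strings used by the
# *_HOST_OPEN_* / *_HOST_DENY_* variables.  Nothing is executed; the iptables
# commands are printed so a string can be reviewed before it goes live.
#
#   NOTE 1 from the config: missing SRC  -> any source (0/0)
#   NOTE 2 from the config: missing port -> any port   (no --dport)
# The input-side form "HOST1,HOST2~port1,port2" (HOST_OPEN_xxx) is the same
# grammar without the ">DST" part and is handled by the same code.

split_csv() {            # "a,b,c" -> "a b c"
    printf '%s' "$1" | tr ',' ' '
}

# expand_rules SPEC CHAIN KIND TARGET     KIND = tcp | udp | ip
# For KIND=ip the list after "~" holds IP protocol numbers (47, 48, ...).
expand_rules() {
    spec=$1 chain=$2 kind=$3 target=$4
    set -f                                   # no globbing of "*"-like entries
    for entry in $spec; do                   # entries are space separated
        ports=
        case $entry in *~*) ports=${entry#*~} ;; esac
        hostpart=${entry%%~*}
        dsts=
        case $hostpart in
            *\>*) srcs=${hostpart%%">"*}; dsts=${hostpart#*">"} ;;
            *)    srcs=$hostpart ;;
        esac
        for src in $(split_csv "${srcs:-0/0}"); do            # NOTE 1
            for dst in $(split_csv "${dsts:-any}"); do
                for item in $(split_csv "${ports:-any}"); do  # NOTE 2
                    rule="iptables -A $chain"
                    if [ "$kind" = ip ]; then
                        if [ "$item" != any ]; then rule="$rule -p $item"; fi
                    else
                        rule="$rule -p $kind"
                    fi
                    rule="$rule -s $src"
                    if [ "$dst" != any ]; then rule="$rule -d $dst"; fi
                    if [ "$kind" != ip ] && [ "$item" != any ]; then
                        rule="$rule --dport $item"   # ranges like 6666:6669 pass through
                    fi
                    echo "$rule -j $target"
                done
            done
        done
    done
    set +f
}

# Constructed sample strings, copied from the comment examples in the config.
echo "# LAN_INET_HOST_OPEN_TCP example"
expand_rules "0/0>1.2.3.4~20,21 192.168.0.10>1.2.3.4~80" FORWARD tcp ACCEPT
echo "# LAN_INET_HOST_OPEN_IP example"
expand_rules "0/0>1.2.3.4~47,48" FORWARD ip ACCEPT
echo "# a deny entry with no host part: IRC range for every LAN host"
expand_rules "~6666:6669" FORWARD tcp DROP
echo "# input-side form (HOST_OPEN_TCP)"
expand_rules "1.2.3.4~22" INPUT tcp ACCEPT
```

Reading the expanded lines side by side with the string makes the two NOTEs concrete: the "~6666:6669" entry with no host part becomes a rule for 0/0, and an entry with no "~" part becomes a rule without --dport, i.e. every port on that host.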

  • Scan for and connect to networks from an openbox pipe menu (netcfg)

    So the other day when i was using wifi-select (awesome tool) to connect to a friend's hot-spot, i realized "hey! this would be great as an openbox pipe menu."  i'm fairly decent in bash and i knew both netcfg and wifi-select were in bash so why not rewrite it that way?
    Wifi-Pipe
    A simplified version of wifi-select which will scan for networks and populate an openbox right-click menu item with available networks.  displays security type and signal strength.  click on a network to connect via netcfg the same way wifi-select does it.
    zenity is used to ask for a password and notify of a bad connection.  one can optionally remove the netcfg profile if the connection fails.
    What's needed
    -- you have to be using netcfg to manage your wireless
    -- you have to install zenity
    -- you have to save the script as ~/.config/openbox/wifi-pipe and make it executable:
    chmod +x ~/.config/openbox/wifi-pipe
    -- you have to add a sudoers entry to allow passwordless sudo on this script and netcfg (!)
    USERNAME ALL=(ALL) NOPASSWD: /usr/bin/netcfg
    USERNAME ALL=(ALL) NOPASSWD: /home/USERNAME/.config/openbox/wifi-pipe
    -- you have to adjust  ~/.config/openbox/menu.xml like so:
    <menu id="root-menu" label="Openbox 3">
    <menu id="pipe-wifi" label="Wifi" execute="sudo /home/USERNAME/.config/openbox/wifi-pipe INTERFACE" />
    <menu id="term-menu"/>
    <item label="Run...">
    <action name="Execute">
    <command>gmrun</command>
    </action>
    </item>
    where USERNAME is you and INTERFACE is probably wlan0 or similar
    openbox --reconfigure and you should be good to go.
    The script
    #!/bin/bash
    # pbrisbin 2009
    # simplified version of wifi-select designed to output as an openbox pipe menu
    # required:
    # netcfg
    # zenity
    # NOPASSWD entries for this and netcfg through visudo
    # the following in menu.xml:
    # <menu id="pipe-wifi" label="Wifi" execute="sudo /path/to/wifi.pipe interface"/>
    # the idea is to run this script once to scan/print, then again immediately to connect.
    # therefore, if you scan but don't connect, a temp file is left in /tmp. the next scan
    # will overwrite it, and the next connect will remove it.
    # source this just to get PROFILE_DIR
    . /usr/lib/network/network
    [ -z "$PROFILE_DIR" ] && PROFILE_DIR='/etc/network.d/'
    # awk code for parsing iwlist output
    # putting it here removes the wifi-select dependency
    # and allows for my own tweaking
    # prints a list "essid=security=quality_as_percentage"
    PARSER='
    BEGIN { FS=":"; OFS="="; }
    /\<Cell/ { if (essid) print essid, security, quality[2]/quality[3]*100; security="none" }
    /\<ESSID:/ { essid=substr($2, 2, length($2) - 2) } # discard quotes
    /\<Quality=/ { split($1, quality, "[=/]") }
    /\<Encryption key:on/ { security="wep" }
    /\<IE:.*WPA.*/ { security="wpa" }
    END { if (essid) print essid, security, quality[2]/quality[3]*100 }
    '
    errorout() {
    echo "<openbox_pipe_menu>"
    echo "<item label=\"$1\" />"
    echo "</openbox_pipe_menu>"
    exit 1
    }
    create_profile() {
    ESSID="$1"; INTERFACE="$2"; SECURITY="$3"; KEY="$4"
    PROFILE_FILE="$PROFILE_DIR$ESSID"
    cat > "$PROFILE_FILE" << END_OF_PROFILE
    CONNECTION="wireless"
    ESSID="$ESSID"
    INTERFACE="$INTERFACE"
    DESCRIPTION="Automatically generated profile"
    SCAN="yes"
    IP="dhcp"
    TIMEOUT="10"
    SECURITY="$SECURITY"
    END_OF_PROFILE
    # i think wifi-select should adopt these perms too...
    if [ -n "$KEY" ]; then
    echo "KEY=\"$KEY\"" >> "$PROFILE_FILE"
    chmod 600 "$PROFILE_FILE"
    else
    chmod 644 "$PROFILE_FILE"
    fi
    }
    print_menu() {
    # scan for networks
    iwlist $INTERFACE scan 2>/dev/null | awk "$PARSER" | sort -t= -nrk3 > /tmp/networks.tmp
    # exit if none found
    if [ ! -s /tmp/networks.tmp ]; then
    rm /tmp/networks.tmp
    errorout "no networks found."
    fi
    # otherwise print the menu
    local IFS='='
    echo "<openbox_pipe_menu>"
    while read ESSID SECURITY QUALITY; do
    # ESSIDs are read from the air and end up both in the XML below and in a
    # shell command that openbox runs via sudo as root, so only names made of
    # letters, digits, spaces, '.', '_' and '-' are offered in the menu
    case $ESSID in *[![:alnum:][:space:]._-]*) continue ;; esac
    echo "<item label=\"$ESSID ($SECURITY) ${QUALITY/.*/}%\">" # trim decimals
    echo " <action name=\"Execute\">"
    echo " <command>sudo $0 $INTERFACE connect \"$ESSID\"</command>"
    echo " </action>"
    echo "</item>"
    done < /tmp/networks.tmp
    echo "</openbox_pipe_menu>"
    }
    connect() {
    # check for an existing profile
    PROFILE_FILE="$(grep -REl "ESSID=[\"']?$ESSID[\"']?" "$PROFILE_DIR" | grep -v '~$' | head -n1)"
    # if found use it, else create a new profile
    if [ -n "$PROFILE_FILE" ]; then
    PROFILE=$(basename "$PROFILE_FILE")
    else
    PROFILE="$ESSID"
    # exact match on the essid field: a "/$ESSID/" regex also matched substrings
    # and broke on names containing '/' or regex metacharacters
    SECURITY="$(awk -F= -v essid="$ESSID" '$1 == essid {print $2}' /tmp/networks.tmp | head -n1)"
    # ask for the security key if needed
    if [ "$SECURITY" != "none" ]; then
    KEY="$(zenity --entry --title="Authentication" --text="Please enter $SECURITY key for $ESSID" --hide-text)"
    fi
    # create the new profile
    create_profile "$ESSID" "$INTERFACE" "$SECURITY" "$KEY"
    fi
    # connect
    netcfg2 "$PROFILE" >/tmp/output.tmp
    # if failed, ask about removal of created profile
    if [ $? -ne 0 ]; then
    zenity --question \
    --title="Connection failed" \
    --text="$(grep -Eo "[\-\>]\ .*$" /tmp/output.tmp) \n Remove $PROFILE_FILE?" \
    --ok-label="Remove profile"
    [ $? -eq 0 ] && rm "$PROFILE_FILE"
    fi
    rm /tmp/output.tmp
    rm /tmp/networks.tmp
    }
    [ $(id -u) -ne 0 ] && errorout "root access required."
    [ -z "$1" ] && errorout "usage: $0 [interface]"
    INTERFACE="$1"; shift
    # i added a sleep if we need to explicitly bring it up
    # b/c youll get "no networks found" when you scan right away
    # this only happens if we aren't up already
    if ! ifconfig | grep -q "$INTERFACE"; then
    ifconfig "$INTERFACE" up &>/dev/null || errorout "$INTERFACE not up"
    while ! ifconfig | grep -q "$INTERFACE"; do sleep 1; done
    fi
    if [ "$1" = "connect" ]; then
    ESSID="$2"
    connect
    else
    print_menu
    fi
    Screenshots
    removed -- Hi-res shots available on my site
    NOTE - i have not tested this extensively but it was working for me in most cases.  any updates/fixes will be edited right into this original post.  enjoy!
    UPDATE - 10/24/2009: i moved the awk statement from wifi-select directly into the script.  this did two things: wifi-select is no longer needed on the system, and i could tweak the awk statement to be more accurate.  it now prints a true percentage.  iwlist prints something like Quality=17/70 and the original awk statement would just output 17 as the quality.  i changed to print (17/70)*100 then bash trims the decimals so you get a true percentage.
    Last edited by brisbin33 (2010-05-09 01:28:20)
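The sudoers lines in the post grant passwordless root to /usr/bin/netcfg and to a script that lives under the user's own home directory. That second entry means whoever can write ~/.config/openbox/wifi-pipe (the user, or anything that runs as the user) can run arbitrary commands as root without a password, and the same applies to any directory above it that a non-root account can rename or replace. The following check is an added example and not part of the original post: `component_ok` and `check_sudo_target` are names chosen here, the policy (every path component root-owned and neither group- nor world-writable) is the usual one for anything sudo runs as root, and `$HOME` stands in for /home/USERNAME from the post.

```shell
#!/bin/sh
# Added example (not part of the original post): audit the target of a
# sudoers NOPASSWD entry.  Rule of thumb: every component of the path must be
# owned by root and must not be group- or world-writable, otherwise a
# non-root account can swap the file and get root.

# component_ok OWNER MODE -> 0 if a path component is acceptable.
# MODE is the 10-character field printed by "ls -l" (e.g. drwxr-xr-x):
# position 6 is the group write bit, position 9 the world write bit.
component_ok() {
    [ "$1" = root ] || return 1
    case $2 in
        ?????w*|????????w*) return 1 ;;     # group- or world-writable
    esac
    return 0
}

# check_sudo_target /abs/path -> prints OK / UNSAFE / MISSING, returns 0/1/2.
# Walks from the target up to "/", dereferencing symlinks with ls -L.  A
# user-owned symlink somewhere in the chain is itself a finding; this
# simplified walk does not flag it, so also look with a plain "ls -l".
check_sudo_target() {
    target=$1
    case $target in /*) ;; *) echo "need an absolute path: $target"; return 2 ;; esac
    p=$target
    while :; do
        if [ ! -e "$p" ]; then echo "MISSING: $p"; return 2; fi
        set -- $(ls -ldL "$p")              # $1 = mode, $3 = owner
        if ! component_ok "$3" "$1"; then
            echo "UNSAFE: $p is $1 owned by $3 (sudo target $target)"
            return 1
        fi
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    echo "OK: $target"
    return 0
}

# The two targets from the sudoers lines in the post ($HOME = /home/USERNAME).
for t in /usr/bin/netcfg "$HOME/.config/openbox/wifi-pipe"; do
    check_sudo_target "$t" || :
done
```

On a normal install the first target passes and the second is reported UNSAFE at the home directory (owned by the user, not root). The fix is to keep the script somewhere root-owned such as /usr/local/bin, owned by root and mode 755, and point the sudoers entry there; the check also flags /tmp-style world-writable directories, which is deliberate, since a sudo target under such a directory is never acceptable.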

    froli wrote:
    I think the script's not working ... When I type
    sh wifi-pipe
    in a term it returns nothing
    well, just to be sure you're doing it right...
    The above is only an adjustment to the OB script's print_menu() function, it's not an entire script by itself.  so, if the original OB script shows output for you with
    sh ./wifi-pipe
    then using the above print_menu() function (with all the other supporting code) should also show output (it really only changes the echos so they print the info in the pekwm format).
    oh, and if neither version shows output when you run it in a term, then you've got other issues... ;P
    here's an entire [untested] pekwm script:
    #!/bin/bash
    # pbrisbin 2009
    # simplified version of wifi-select designed to output as an pekwm pipe menu
    # required:
    # netcfg
    # zenity
    # NOPASSWD entries for this and netcfg through visudo
    # the following in pekwm config file:
    # SubMenu = "WiFi" {
    # Entry = { Actions = "Dynamic /path/to/wifi-pipe" }
    # the idea is to run this script once to scan/print, then again immediately to connect.
    # therefore, if you scan but don't connect, a temp file is left in /tmp. the next scan
    # will overwrite it, and the next connect will remove it.
    # source this to get PROFILE_DIR and SUBR_DIR
    . /usr/lib/network/network
    errorout() {
    echo "Dynamic {"
    echo " Entry = \"$1\""
    echo "}"
    exit 1
    }
    create_profile() {
    ESSID="$1"; INTERFACE="$2"; SECURITY="$3"; KEY="$4"
    PROFILE_FILE="$PROFILE_DIR$ESSID"
    cat > "$PROFILE_FILE" << END_OF_PROFILE
    CONNECTION="wireless"
    ESSID="$ESSID"
    INTERFACE="$INTERFACE"
    DESCRIPTION="Automatically generated profile"
    SCAN="yes"
    IP="dhcp"
    TIMEOUT="10"
    SECURITY="$SECURITY"
    END_OF_PROFILE
    # i think wifi-select should adopt these perms too...
    if [ -n "$KEY" ]; then
    echo "KEY=\"$KEY\"" >> "$PROFILE_FILE"
    chmod 600 "$PROFILE_FILE"
    else
    chmod 644 "$PROFILE_FILE"
    fi
    }
    print_menu() {
    # scan for networks
    iwlist $INTERFACE scan 2>/dev/null | awk -f $SUBR_DIR/parse-iwlist.awk | sort -t= -nrk3 > /tmp/networks.tmp
    # exit if none found
    if [ ! -s /tmp/networks.tmp ]; then
    rm /tmp/networks.tmp
    errorout "no networks found."
    fi
    # otherwise print the menu
    echo "Dynamic {"
    IFS='='
    cat /tmp/networks.tmp | while read ESSID SECURITY QUALITY; do
    # ESSIDs are read from the air and end up in a command pekwm runs via sudo
    # as root, so only names made of letters, digits, spaces, '.', '_' and '-'
    # are offered in the menu
    case $ESSID in *[![:alnum:][:space:]._-]*) continue ;; esac
    echo "Entry = \"$ESSID ($SECURITY) $QUALITY%\" {"
    echo " Actions = \"Exec sudo $0 $INTERFACE connect \\\"$ESSID\\\"\""
    echo "}"
    done
    unset IFS
    echo "}"
    }
    connect() {
    # check for an existing profile
    PROFILE_FILE="$(grep -REl "ESSID=[\"']?$ESSID[\"']?" "$PROFILE_DIR" | grep -v '~$' | head -n1)"
    # if found use it, else create a new profile
    if [ -n "$PROFILE_FILE" ]; then
    PROFILE=$(basename "$PROFILE_FILE")
    else
    PROFILE="$ESSID"
    # exact match on the essid field: a "/$ESSID/" regex also matched substrings
    # and broke on names containing '/' or regex metacharacters
    SECURITY="$(awk -F= -v essid="$ESSID" '$1 == essid {print $2}' /tmp/networks.tmp | head -n1)"
    # ask for the security key if needed
    if [ "$SECURITY" != "none" ]; then
    KEY="$(zenity --entry --title="Authentication" --text="Please enter $SECURITY key for $ESSID" --hide-text)"
    fi
    # create the new profile
    create_profile "$ESSID" "$INTERFACE" "$SECURITY" "$KEY"
    fi
    # connect
    netcfg2 "$PROFILE" >/tmp/output.tmp
    # if failed, ask about removal of created profile
    if [ $? -ne 0 ]; then
    zenity --question \
    --title="Connection failed" \
    --text="$(grep -Eo "[\-\>]\ .*$" /tmp/output.tmp) \n Remove $PROFILE_FILE?" \
    --ok-label="Remove profile"
    [ $? -eq 0 ] && rm "$PROFILE_FILE"
    fi
    rm /tmp/output.tmp
    rm /tmp/networks.tmp
    }
    [ $(id -u) -ne 0 ] && errorout "root access required."
    [ -z "$1" ] && errorout "usage: $0 [interface]"
    INTERFACE="$1"; shift
    # i added a sleep if we need to explicitly bring it up
    # b/c youll get "no networks found" when you scan right away
    # this only happens if we aren't up already
    if ! ifconfig | grep -q "$INTERFACE"; then
    ifconfig "$INTERFACE" up &>/dev/null || errorout "$INTERFACE not up"
    sleep 3
    fi
    if [ "$1" = "connect" ]; then
    ESSID="$2"
    connect
    else
    print_menu
    fi
    exit 0

  • ASA 5505 configured for WebVPN connecting to Citrix Web Interface

    ASA 5505 configured for WebVPN connecting to Citrix Web Interface.
    I have an ASA 5505 that I am attempting to configure for WebVPN with passthrough into Web Interface. The user authenticates into WebVPN OK and gets the option to click on the Citrix link (which I add as a bookmark to the Citrix server http://172.30.40.5). I enter Citrix and then, for example, I want to open Outlook and it cannot open (when I want to open some application, no application opens). There is no alarm at the ASA. How do I solve this issue?
    thanks.

    Teymur,
    Can you confirm that after disabling the ssl/tls on the Citrix server (secure connectivity) you are getting exactly the same error.  It is possible that it is generating a different error.
    The bug where we have see the existing error was CSCtf06303 but that has been fixed in 8.4.1.  Can you confirm the exact version of code you are running on the ASA.
    If you have confirmed the above two notes it may be advantageous to open a TAC case as we may need to do some live additional troubleshooting.
    Thanks
    -Jay

  • How to change the NAT type to Open on a Imac using bridged connections

    Hey everyone, I have a problem. I play Xbox Live with my friends and I just moved and don't have a wireless adapter anymore, so I have bridged connections with my iMac and Xbox via Ethernet. It works perfectly, but the only problem is that when I connect it says that my NAT type is strict. To play with all my friends I need an open NAT type. Does anyone know how to make the NAT type on the iMac open? And I do have a D-Link router, model DIR-625. When I called D-Link they said to port forward; I did and it still didn't work. They said it must be the firewall on the Mac, and Microsoft said the same thing, that it might be the firewall. I checked the firewall and it said "All incoming connections are allowed".
    I would really much appreciate it if someone helped me. Thank you!

    Yes, most likely. Microsoft has provided a list of XBox LIVE!-compatible routers. Since the OS X Internet Sharing feature is limited, there is no way to configure port mapping or placing the XBox in a DMZ with it. Typically, you either use a compatible router or configure port mapping/DMZ for non-compatible routers.

  • Need opinions/links/etc... regarding Oracle security for a custom app

    Okay, it's an open-ended question, but I need some help figuring out what we should be doing.
    We have an old legacy Sybase system written in PowerBuilder which they want to move to a web app. Great! That means we get new toys. Problem: it's a standalone system now being merged into a web system. We're looking at Oracle 10.2 and App Server to run everything. We're not sure about reporting yet.
    Here's my question. What is everyone using for user account security, and how? I'll have, say, 5000 users at different locations in the world. Let's say you have sites A, B and C. I'll ultimately need to be able to allow Mr. Smith at site A to create info which nobody at site B or C is allowed to see. But then Mr. Smith's manager should be allowed to see all the work done by his people, so he technically has visibility to everything at site A regardless of whether he created it or not. The company VPs and presidents need to see everything from sites A, B and C. (Also possibly allow someone to 'grant' access to another person's info, i.e. someone at site A allowing someone at site B to view their info by some interface setting.)
    Now there's a second level of sensitivity. Say unclassified, classified and top secret. Each employee, regardless of where they sit in the hierarchy tree above, can only see documents up to their sensitivity level. So someone with classified access can see unclassified and classified items, but not top secret.
    Now I've looked at Oracle row-level security and it looks like exactly what I'll need, but that means that every user needs to be a database user? I've never worked with something like that. The only other way I'm aware of doing this would be to have the application developers code all the checks into the system based on user info. That leaves lots of maintenance headaches, and we will need a reporting tool, so then we have to recreate all that info on the report side as well. (Which is actually the way the current standalone system works: one main user to do the connections, then we have a "user table" to check rights, password and so forth.)
    Is it unheard of to create a custom app (that's the key, there is no COTS for this), then have all the user accounts be stored as actual Oracle users? For a web app, I'm used to a single user being the "pass-through" for any connections to the database, which then passes the data back to the user. Are there any considerations or tricks to integrate Oracle user creation into the system, or is it as simple as having the app run the correct SQL from an account with the correct permissions?
    How else can this be done, or how else is everyone doing it? Any links to info would be great and most appreciated. Stories and "how you did it" type info is also really good!
    Thanks.

    Pierre,
    That helped a lot. I ended up ordering one of Tom's recommended books on security. I also was able to find a few examples (once I figured what I needed to be looking for) that got me up and running with a test instance to play with.
    Thank you very much!
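    The row-level model the question describes (site ownership, a manager and executive override, explicit cross-site grants, and a clearance ceiling that applies to everyone) can be enforced inside Oracle with Virtual Private Database (DBMS_RLS) while the web tier keeps its single pass-through account: the application identifies the end user through a trusted application context rather than by creating a database user per person, and the same predicate is applied to a reporting tool that connects through the same account. The following is an added example, not Pierre's answer (which is not on this page) nor code from the original thread; the schema, table and column names, role names and the numeric clearance labels are assumptions made for illustration.

```sql
-- Added example (not from the original thread). Oracle VPD enforcing site
-- ownership, manager/executive override, explicit grants and a clearance
-- ceiling, with the web tier connecting as ONE pass-through account and
-- identifying the end user through an application context.
-- All object names, roles and clearance values below are assumptions.

-- 1. Per-user attributes the app already maintains (its "user table").
CREATE TABLE app_users (
  username  VARCHAR2(30) PRIMARY KEY,
  site      VARCHAR2(10) NOT NULL,   -- 'A', 'B', 'C'
  app_role  VARCHAR2(10) NOT NULL,   -- 'USER', 'MANAGER', 'EXEC'
  clearance NUMBER(1)    NOT NULL    -- 0=unclassified 1=classified 2=top secret
);

-- 2. Protected data: every row carries its owner, site and sensitivity.
CREATE TABLE documents (
  doc_id      NUMBER       PRIMARY KEY,
  owner       VARCHAR2(30) NOT NULL REFERENCES app_users,
  site        VARCHAR2(10) NOT NULL,
  sensitivity NUMBER(1)    NOT NULL,
  body        CLOB
);

-- Explicit cross-site grants ("someone at site A allowing someone at site B").
CREATE TABLE doc_grants (
  doc_id  NUMBER       NOT NULL REFERENCES documents,
  grantee VARCHAR2(30) NOT NULL REFERENCES app_users,
  PRIMARY KEY (doc_id, grantee)
);

-- 3. Trusted package that is the ONLY code allowed to set the context
--    (that is what "USING sec_ctx_pkg" enforces), so a stray or injected
--    DBMS_SESSION.SET_CONTEXT call from elsewhere is rejected by Oracle.
CREATE OR REPLACE PACKAGE sec_ctx_pkg AS
  PROCEDURE set_user(p_username IN VARCHAR2);
  PROCEDURE clear_user;
END sec_ctx_pkg;
/
CREATE OR REPLACE CONTEXT doc_ctx USING sec_ctx_pkg;

CREATE OR REPLACE PACKAGE BODY sec_ctx_pkg AS
  PROCEDURE clear_user IS
  BEGIN
    DBMS_SESSION.CLEAR_CONTEXT('DOC_CTX');
  END clear_user;

  PROCEDURE set_user(p_username IN VARCHAR2) IS
    r app_users%ROWTYPE;
  BEGIN
    -- Unknown user => context stays empty => policy below returns no rows.
    SELECT * INTO r FROM app_users WHERE username = p_username;
    DBMS_SESSION.SET_CONTEXT('DOC_CTX', 'USERNAME',  r.username);
    DBMS_SESSION.SET_CONTEXT('DOC_CTX', 'SITE',      r.site);
    DBMS_SESSION.SET_CONTEXT('DOC_CTX', 'ROLE',      r.app_role);
    DBMS_SESSION.SET_CONTEXT('DOC_CTX', 'CLEARANCE', TO_CHAR(r.clearance));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN clear_user;
  END set_user;
END sec_ctx_pkg;
/

-- 4. Policy function: returns the WHERE predicate Oracle appends to every
--    statement against DOCUMENTS, whatever client issued it.
CREATE OR REPLACE FUNCTION doc_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  -- Fail closed: no context (app forgot set_user, or a pooled session was
  -- handed over uncleared) means no rows at all.
  IF SYS_CONTEXT('DOC_CTX', 'USERNAME') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  -- Clearance ceiling is ANDed with the ownership/hierarchy rule, so an
  -- executive still cannot read top secret rows without the clearance.
  RETURN 'sensitivity <= TO_NUMBER(SYS_CONTEXT(''DOC_CTX'',''CLEARANCE'')) AND ('
      || ' owner = SYS_CONTEXT(''DOC_CTX'',''USERNAME'')'
      || ' OR (SYS_CONTEXT(''DOC_CTX'',''ROLE'') = ''MANAGER'''
      || '     AND site = SYS_CONTEXT(''DOC_CTX'',''SITE''))'
      || ' OR SYS_CONTEXT(''DOC_CTX'',''ROLE'') = ''EXEC'''
      || ' OR doc_id IN (SELECT g.doc_id FROM doc_grants g'
      || '               WHERE g.grantee = SYS_CONTEXT(''DOC_CTX'',''USERNAME''))'
      || ')';
END doc_policy;
/

-- 5. Attach the policy to reads AND writes; update_check => TRUE also stops a
--    user from inserting or updating a row they would not be allowed to read.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'DOCUMENTS',
    policy_name     => 'DOC_ACCESS',
    function_schema => USER,
    policy_function => 'DOC_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 6. Per request, the web tier (single pass-through account) does:
--    EXEC sec_ctx_pkg.set_user('smith');
--    SELECT doc_id FROM documents;   -- only rows the predicate allows
--    EXEC sec_ctx_pkg.clear_user;    -- before the pooled connection is reused
```

    Two caveats a practitioner would check before relying on this: the schema that owns the policy needs EXECUTE on DBMS_RLS (granted by a DBA, not by default), and accounts holding the EXEMPT ACCESS POLICY privilege (typically DBAs) bypass every VPD policy, so they must not be the account the application or the reporting tool connects with. Also, because clear_user runs before a pooled connection is returned, a bug in the pool cannot leak one user's context into the next user's request; the fail-closed branch in doc_policy covers the case where set_user was never called.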

  • AnyConnect: No Address Available for SVC Connection on Cisco ASA 5505

    I get this error:
    The secure gateway has rejected the connection attempt.   A new connection attempt to the same or another secure gateway is needed, which requires re-authentication.   The following message was received from the secure gateway:    No address available for SVC connection.
    ip local pool VPN 192.168.250.50-192.168.250.60 mask 255.255.255.0
    tunnel-group SSL type remote-access
    tunnel-group SSL general-attributes
    address-pool VPN
    tunnel-group Any-Connect type remote-access
    tunnel-group Any-Connect general-attributes
    address-pool VPN
    I have a VPN pool
    I can make a clientless SSL connection

    Hi,
    Maybe you are not falling into that tunnel-group SSL? By default, you will fall into the DefaultWebvpnGroup unless you choose the TG via a dropdown or directly access the group via a groupurl.
    Example: When no 'tunnel-group-list' or 'group-url' is configured:
    Accessing https:// will take you to DefaultWebvpnGroup.
    When 'tunnel-group-list enable' is configured under webvpn, you will get a dropdown of tunnel-groups to choose from [provided you have an alias defined for the group]
    When group-url is configured for a particular TG, say https:///test , on accessing that URL, you are taken to that group directly.
    So basically, you would need to check which group you are hitting. Running 'debug webvpn 255' should also show you this.
    Thanks
    Rahul

  • BW authorizations for universe connections

    Hello experts,
    Is it possible to use a universe without giving the user 0BI_ALL authorization? We want the same user to connect via BICS and universe, and if we use 0BI_ALL for universe connections, the analysis authorizations for BICS don't work.
    Any idea on how to have row security levels on both connections at same time?
    We are using BW 7.0 and BO 4.0 SP5.
    Many thanks in advance.

    Hello David,
    Using BI authorizations in BW and then adding data-level security in the universe on top of that will only lead to situations like the one you have now.
    Data-level security goes into BW alone or into the universe alone; mixing both will lead to issues, and remember that the universe has far less capability in this area.
    0BI_ALL is only related to data-level security, so the fact that you see the request for 0BI_ALL in the trace clearly shows that your defined data-level security entries contradict each other somehow, and that BW then requires 0BI_ALL for the user to return the data that was requested.
    Like I said above, it is not a good idea to mix those data-level security concepts. All data-level security should already be in BW.
    Also, why even use the universe in between?
    regards
    Ingo Hilgefort, SAP

  • "Photoshop" Waiting for Bridge CS6... on a MAC BOOK PRO help

    I have a MacBook Pro with Retina display running OS X version 10.9.4, and I cannot get Mini Bridge to run.  Adobe first told me the problem was with Apple; I contacted Apple and the problem was not with them.  Adobe told me the problem was with my service provider and the passwords and firewalls on my internet connection; I checked with Rogers and there were no problems.  Now I am told by Adobe that this problem is with Switchboard (Adobe owns this).
    I have tried everything on the FAQ page to fix the problem and I have also spent days on the phone with Adobe.  They have had me uninstall and reinstall all of my Adobe programs numerous times, and I have spent hours at a time on the phone trying all kinds of "fixes".  Adobe has told me on three separate occasions that they have escalated this problem to the highest level of technical support, and I still have no resolution. We (Adobe and I) have been at this for well over a month now, and it's gotten to the point where Adobe doesn't even call me back anymore.
    The reason I so need this fixed is, as I explained to Adobe, I am in night school (now) for Photoshop and I require Mini Bridge in class.  I am hoping that someone else out there has had this problem and knows what the fix is, because I have no options open to me this time.  When Photoshop is launched and I click on Mini Bridge, all I see is "Waiting for Bridge CS6..."; nothing more happens. Photoshop is version 13.0.6 x64.  I have stayed home the past few times Adobe has said they would call and nobody has called; it's getting costly at work.
    If anyone can help, it would be greatly appreciated and thank you.
    Help :-(

    Hello Gener7,
    I did try everything on the FAQ page (all steps); I also did them a few more times with "Adobe help" walking me through 2 more times.  I just don't get it. I have been on with Adobe on some days for up to 5 hours at a time for over a month now.  I think it must be something with the installation disc, but they say no, no, Switchboard is just not working on my OS X 10.9.4.  I even took the computer into the Apple store here and had them look it over and reinstall everything, and they say it's the Adobe software.
    Thank you very much for your help; it's nice to know someone is reading this :-)  I do work around this by saving the files and reopening them in the next program I need, but everyone in class is always waiting on me (it sucks) and I just think it should work.  Hope you have a good day, and I will put an update on here if this is ever figured out.
    Thanks one more time :-)
