Server firewall can't close AFP port 548

Running 10.4.9 (not Intel). On my external IP address I have shut down everything in the firewall except pop3 and http toward this server (call it x.x.10.200), and yet when I do a port scan, AFP and Ping still show up as vulnerable. I am running stealth on TCP and UDP and have all ICMP boxes unchecked.
Anyone with some experience with this would be appreciated.
Also my bad: somehow hitting a control-return key combination while in Advanced Settings clears and kills all those settings. Could I get a screen print or list of what was in there?
btw, I have put port 548 in the deny always under the advanced settings also, and it still shows open to a port scan.
Thanks
PeteSanDiego

I figured out that I had the outside IP address in the wrong side of the advanced settings, so I was able to close AFP. However, try as I might, I cannot stop the response to ICMP ping. Any help would be appreciated.

Similar Messages

  • Changing the AFP Port? or another solution?

    I have an AirPort Extreme Base Station with a hard drive attached with AFP sharing so I can access the drive over the Internet, but I want to also be able to access my OS X Server (10.5) which is behind this router. Is there any way I can change the AFP port number or somehow be able to access both remotely?
    Thanks,
    John

    Yes,
    What you should do is twofold:
    1. make items readonly in your form when a record is "not new" (ie the primary key is set)
    2. prevent the page from executing an update (you never know who/what is spoofing your pages)
    the second can be done by creating a process "ON UPDATE" that triggers an error.
    Regards,
    Richard
    blog: http://blog.warp11.nl
    twitter: @rhjmartens
    If this question is answered, please mark the thread as closed and assign points where earned..

  • How can I close this application?

    I entered a script that autoclicks every 0.1 seconds and I didn't turn off the mouse thing so it just keeps entering 5s. I can't do anything except move my cursor(can't click or type). How can I close this application?

    > I have an interface (main vi) wich call another interface (pop
    > up).this interface call another interface. How can I do in order to
    > close the interface which is calling without stopping my application
    >
    There is a mechanism built into subVIs and subVI calls to open when
    called and close when finished. This still works fine for many tasks
    and is quick and easy. To use this, you can use the File>>VI Properties
    on your subVI, go to Window Appearance, Customize, and it is in the left
    column near the bottom.
    You can also set this on a subVI call by right clicking, choosing SubVI
    node setup and set the same Open when called and Close on exit settings.
    The difference between them is that the first will affect every usage of
    the VI, whereas the second can be set to pop open sometimes and other
    times not.
    Of course there is another way, introduced when the VI server was added.
    There is a VI property for the VI class, Front Panel Window Open.
    Setting it to True and FALSE will open and close. There is also now a
    method for opening and closing with a few additional options.
    The VI Server allows for more control and flexibility, but the first two
    options are still perfectly valid for simple things. If using them,
    closing your subVI is as simple as exiting your outer loop of your
    subVI. This returns and closes the window all at once giving control
    and data parameters back to the caller. If using the VI Server, you
    can either close the window just before returning or leave it to the
    caller. Just be sure they are in agreement.
    Greg McKaskle

  • Cannot close Serial port socket on Server 2008, Can on XP

    As per the subject - running the same code using the same hardware, but different OS (Server 2008 Std. NOT XP Pro) will not work!
    It's all very odd... The port opens fine but will not close using SerialPort.close(), thereby causing problems the next time the port is opened (PortInUseException).
    Has anyone here experienced this before? Any suggestions as to where the problem may lie?
    Edited by: wizzkidd on Jan 19, 2010 7:46 AM - More descriptive title

    I have a serial port monitor open on both machines; it shows that the connection is still open (on Server 2008), even after the following is run:
         // serialPort, commPort and Console are defined elsewhere in the poster's class
         public void closePort() {
              if (serialPort != null) {
                   serialPort.close();
                   Console.print("Closed port: " + "(" + commPort + ")");
              } else {
                   Console.print("Port is still open: " + "(" + commPort + ")");
              }
         }
    However, on XP, the connection is closed properly.
    Upon failure to close the port, the code has already been run, however, no exception is thrown.
    Edited by: wizzkidd on Jan 19, 2010 7:56 AM

  • Can connect via VPN, but can't access AFP server on same Xserve

    Hi:
    I've set up our XServe with MacOS X Server 10.5.2 to do AFP and VPN (L2TP only; PPTP is disabled). The XServe is a standalone server, not connected to any other directory server.
    I can connect to the XServe's AFP server from my Mac over our wired and wireless network. The AFP server shows up in the sidebar of Finder windows. So far, so good.
    I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret.
    But I cannot connect to the XServe itself to use Server Admin or AFP (using afp://server.company.com or afp://xxx.xxx.xxx.xxx via the Go > Connect to Server command).
    The error I get while connecting to the 10.5.2 AFP server is Some data in apf://server.mycompany.com could not be read or written (Error Code -36 ). I saw this error associated with a SMB problem in 10.4.x, but SMB is not running.
    Other iChat users in my office also do not automatically show up in the Bonjour list when I connect to the network. Other computers on our network do not appear in the sidebar of a Finder window. (I'm told these are to be expected, as Bonjour isn't supported (in the "local area Bonjour" over a WAN link - it's purely a multicast feature on the network in the office, and won't be routed across the VPN link. True?)
    Now, here's the odd part. There is a second server (v10.4.11) on our network running AFP. I can connect to it (using afp://server.company.com via the Go > Connect to Server command) and mount its various sharepoints via the VPN.
    The only thing I see in the VPN log that seems amiss is this (but I have no idea what it means):
    Tue Mar 11 23:09:27 2008 : Unsupported protocol 0x8057 received
    --Both the 10.5.2 and the 10.4.11 servers have DNS properly configured (though our ISP; we're not running our own DNS).
    --Both servers and the client have public IP addresses and have the same subnet mask. Network Utility confirms this while connected to the VPN.
    --NAT is not running. The ISP is responding with public IPs for the servers.
    --The firewall for the 10.5.2 server is not running (but will be once I get this all working).
    --The IP address range for the VPN server doesn't overlap our DHCP pool (which also currently uses public IP addresses).
    --Any user can access any service.
    --No network routing definitions have been set up.
    --In essence, I've followed the steps on Pages 141-142 of the Network Services Admin Guide.
    One other note: After I connect, the Network Preferences > VPN > Advanced > TCP/IP window shows the IP address for the client just fine (assigned from the VPN pool), but lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?
    I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server.... And I'm not sure why I would have to if I can already successfully connect to the 10.4.11 AFP server .
    What simple step am I missing?
    TIA,
    mm

    "I am able to successfully connect to our network via the VPN with Mac OS X 10.5.2 client (on two different machines) using L2TP through our network's firewall (on a Netopia T1 router; UDF ports 500 and 4500 and IP Protocol 50 and 51 are open) using a shared secret."
    I suspect you mean UDP ports and you might need UDP port 1701 open too.
    You only need IP protocol 50 (ESP), protocol 51 (AH) isn't used. And ESP is only used when client and server aren't behind NAT (when NAT is used only the UDP ports are used).
    "Unsupported protocol 0x8057 received"
    This is usually seen when you can't get GRE through but since you don't use PPTP I can't be sure why this is registered in the logs. Sometimes when connecting using PPTP you have to disconnect and then reconnect for everything to work - you might try this for L2TP too.
    But if you already can reach services on any LAN nodes through the VPN I wouldn't bother with it.
    As you have a firewall in front of the server you need a second alias IP on the server that you can use to get at the services running on the server through the VPN. The firewall blocks all ports/protocols not opened - that's why you can't use the server main IP even if the VPN is up.
    The netmask is used by all nodes to determine how big your subnet is: what part of the IP number is the network number and what range the node number is in => really: should traffic be directed to a node on the same LAN or sent directly to the gw/router for forwarding.
    What you can't do is connect from a NATed network to another NATed network that both are using the same network number. (That's why people should stay away from using the "default" 192.168.0.0/24 and 192.168.1.0/24 networks for VPN server LANs).
    Try your settings at http://www.jodies.de/ipcalc to see what I mean.
    "...lists the router as having the IP address of the XServe (rather than the router on the network). Is that normal?"
    Yes. The VPN server is the VPN gw/router.
    "The firewall for the 10.5.2 server is not running (but will be once I get this all working)."
    If you already have a firewall in front of your servers that is a bit redundant.
    "--No network routing definitions have been set up."
    "I'm hoping I don't need to have the XServe run DNS as an internal LAN DNS server"
    You need routing definitions if you want to setup a split tunnel VPN or all traffic is routed through the VPN when connected. The VPN becomes the default gw.
    Without ipforwarding ON in the server you can only reach nodes on the server LAN - not Internet.
    DNS is needed for your servers forward and reverse names/IPs for advanced services but doesn't need to run in any of your own servers.
    If you decide to do a split tunnel VPN config (adding public and private routing definitions) a reachable DNS IP for VPN clients (in VPN config on server) is needed for VPN clients or they can't use names to find anything. To reach this DNS IP if public/not on your server LAN, you need your server to forward IP DNS lookups and have a routing definition for it.
    A split tunnel VPN only sends traffic for your server LAN through the VPN and all other traffic directly to the local gw/router (Internet).
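
The netmask and overlapping-network points in the reply above, worked through as an added example (not part of the original thread). The addresses and the helper names `lans_conflict`, `next_hop` and `unreachable_over_vpn` are constructed for illustration, and the model only covers on-link, VPN and default-gateway routes.

```python
import ipaddress


def lans_conflict(client_lan, server_lan):
    """True when the client's local network and the VPN server's LAN overlap."""
    return ipaddress.ip_network(client_lan).overlaps(ipaddress.ip_network(server_lan))


def next_hop(dest, client_iface, vpn_routes, split_tunnel):
    """Decide where a connected VPN client sends a packet for `dest`.

    client_iface : client's own address with prefix or netmask,
                   e.g. "192.168.1.50/255.255.255.0"
    vpn_routes   : private routing definitions pushed by the VPN server
    split_tunnel : False means the VPN is the default gateway (full tunnel)
    """
    addr = ipaddress.ip_address(dest)
    # The netmask decides what counts as "same LAN". An on-link route is more
    # specific than any default route, so it wins even while the VPN is up.
    if addr in ipaddress.ip_interface(client_iface).network:
        return "local-lan"
    if not split_tunnel:
        return "vpn"
    if any(addr in ipaddress.ip_network(route) for route in vpn_routes):
        return "vpn"
    return "local-gateway"


def unreachable_over_vpn(targets, client_iface, vpn_routes, split_tunnel):
    """Server-LAN hosts the client would look for on its own LAN instead."""
    return [t for t in targets
            if next_hop(t, client_iface, vpn_routes, split_tunnel) == "local-lan"]


if __name__ == "__main__":
    # Constructed sample: a client at home on the common 192.168.1.0/24 network.
    client = "192.168.1.50/255.255.255.0"
    public_host = "203.0.113.5"  # documentation address standing in for an Internet host

    # Case 1: the office LAN uses the same network number as the home LAN.
    print("conflict:", lans_conflict("192.168.1.0/24", "192.168.1.0/24"))
    print("blocked :", unreachable_over_vpn(["192.168.1.10"], client,
                                            ["192.168.1.0/24"], split_tunnel=False))

    # Case 2: the office LAN is renumbered to a less common private range.
    routes = ["10.20.30.0/24"]
    for dest in ("10.20.30.10", public_host):
        for split in (True, False):
            mode = "split" if split else "full "
            print(mode, dest, "->", next_hop(dest, client, routes, split))
```

In the first case the office server is never sent through the tunnel in either mode, which is why the reply advises against the default 192.168.0.0/24 and 192.168.1.0/24 networks on the VPN server side.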

  • Os X Server 10.4.9+4 eth ports+firewall active: 1 port is totally locked

    Ciao to all.
    I need a strong help!
    I have an XServe where I run few application: AFP, Web, 4Dimension, PureFTP and few other services.
    I decided to use 2 of the 4 ethernet ports for a direct connection with 2 G5 used for graphics jobs (192.168.3.1 and 192.168.4.1).
    The other 2 eth ports are used:
    1) for the web services (the principal in list on "Network" panel) (192.168.0.25)
    2) for internal use (AFP , Print etc etc) for the iBooks of the sales department (192.168.0.2)
    As described above, the two G5 are directly connected to the card and the other 2 eth ports, on a switch with the rest of the LAN.
    I used the Gateway Setup Assistant in order to prepare the routing of the 2 ports directly connected.
    I choose the first port (192.168.0.25) as main port for internet routing and I choose the 2 G5's port (192.168.3.1 and 192.168.4.1) as lan that needs to be routed.
    I did NOT choose the eth port I use for internally purposes (192.168.0.2)......
    Generally, the Assistant made a good job; I mean from the 2 G5 I can see ALL the services published on the server AND they are correctly routed on Internet.
    The problem is on the port internally dedicated.
    When the firewall starts, all the ports of the 192.168.0.2 are filtered!
    No way to see one open port.........
    I don't have lot of knowledge about firewalling; someone can suggest me a way to make this eth port "free" again?
    GRAZIE
    Rob (Italy)

    I don't understand your settings. Either your ISP is misleading you, or they are doing something very unusual.
    >The other eth port was used for internal connection but I had to use the same subnet because , always for ISP settings, to surf on internet, I'm allowed to use ONLY a specific range 192.168.0.2to192.168.0.25.
    There is no valid network that run from 192.168.0.2 through 192.168.0.25. The closest you can get is a /27 network which uses the subnet mask 255.255.255.224, but that gives you the IP address range 192.168.0.1 through 192.168.1.32.
    It's possible that's what you've got, but I've never seen an ISP hand out a /27 in the 192.168.0 network. Usually they hand out a small number of real-world IP addresses and you use a router to share that address amongst clients on your own private network, but then you wouldn't be limited to such a small subnet.
    Can you report all the numbers in the Network Preferences, including subnet mask and router address.
    If all your client systems are in the same 192.168.0.x network there's no need to use a second NIC in the server - they can all talk to the server on the 192.168.0.25 address.

  • Can I open a port range in the firewall for one host?

    Can I open a port range in the firewall for one host?  In other words, I want to be able to open ports 54001 to 54050 to allow one remote host in my LAN to access that port range in my Mac Server.  Is this possible?  Currently, the only option I see is to open individual ports for all external hosts (eg http or https)
    Thanks in advance!

    Which version of OS X Server are you using?
    Server 2.2 and earlier includes an interface to a software firewall that can be configured to open specific ports very easily. Descriptions of how to configure the firewall can be found in the documentation for these versions.
    Server 3.x no longer has an interface to the software firewall - it is still there, but you need to use other methods to configure it.  A popular example of such a method is the icefloor utility.
    Apple suggest that for Server 3 you delegate firewall duties to an external router.  Server 3 includes the ability to configure the firewall component of Apple Airport routers 'automatically'
    if you connect a machine running Server 3 directly to an Airport Router the router appears in the LH pane in the Server.app window (usually second line, below the entry for the server itself), and you can control what services are 'enabled' through the firewall there.
    A more common solution perhaps is to use a non-Apple router, and configure the firewall (and so open specific ports) through whatever control interface is provided for that router.  There are many many kinds of hardware router you could use, and the control interfaces used vary widely - so you will have to consult the documentation for your own router to work out how to do this.
    If you post information about your software versions, and hardware configuration, it is possible that you can get more specific help with the tasks involved in opening the ports.
    Hope this helps.

  • Can't change printer port on Windows 8.1 and Server 2012 R2

    1. Install "Lexmark X646e Class Driver" using an in-box print driver (i.e. one that comes with the Windows installation base).
    2. Go to "Printer properties" -> "Port"
    3. Select a custom monitor port, and the following error occurs in Event Viewer.
    An error occurred while configuring print queue 'Lexmark X646e Class Driver'. Printer driver 'Lexmark X646e Class Driver' may not be used in conjunction with a non-inbox port monitor.
    Same steps applied on Windows 8 and Server 2012, and no issues found. The restriction/limitation is newly added in Windows 8.1 and Server 2012 R2.
    Changing to a custom monitor port after printer driver installation is very important for us.
    How can we solve or workaround the above issue, so it can behave like Windows 8 and Server 2012? 

    What Port Monitor just so I can bubble this information to some others?
    Alan Morris Windows Printing Team

    Hi Alan:
    We developed a custom printing system, which involved the following configurations:
    1. Create a custom port monitor on server 2012 r2.
    2. Change an existing print queue to use this custom port monitor, and share this print queue.
    3. All workstations will print to this shared print queue on the server.
    The goal is to manage/monitor the print information in StartDocPort for all printing for instance.  This is what we've been doing for a long time.
    Now we upgraded our system from server 2012 to server 2012 R2, but we can't change the port monitor to our ones anymore.
    I've tried the Type3 printer driver, such as Brother Color Type3 Class Driver, unfortunately it didn't work if the installation is using "Add a printer", and select the driver from the list.   
    The only way to make it work is to install the printer driver using the one downloaded from the vendor's website, this will bypass Windows "Add a printer". 
    Is there any chance we can make this to behave like server 2012 or earlier? Modify registry keys?
    Cheers
    Steven

  • How can I open all ports on a Window 2003 Server

    How can I open all ports on my windows 2003 server for a specific range of IP addresses?

    Hi,
    Just want to confirm the current situations.
    Please feel free to let us know if you need further assistance.
    Regards.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Can a server process be assigned fixed (Logos) port?

    Hi, This question relates to protecting logos traffic between a web client and a server process. We have a number of internet users accessing their own server processes on a single server machine. We would like to set up multiple VPNs for each server process so that users cannot interact with others' server processes. However, because each server process is dynamically assigned a port by Logos at startup we cannot do this. Does anyone know if it is possible to set a predetermined port for each process via logos or are there any other alternatives to secure the traffic? Thanks

    TRL,
    OK...I missed that part .
    Lookout does implement a "network security layer" that provides access privileges to each process, object and subfolders. Its drawback is the "lookout.sec" file, you have to copy it manually (or get it copied) to each client computer.
    Also, there are some default settings you should change in order to get it working.
    First: create a good lookout.sec file.
    Give the Administrator account a password(by default it doesn't have one) and be sure it is not the default login user.
    Create as many users (or groups of users) as you need (maybe one per process) using the User Manager. After doing that you can distribute "lookout.sec".
    Second: Set network security properties to each process.
    Open the "Network Security Properties" window by right clicking (in the object explorer) over the process you want to restrict access and left-click "Configure Network Security". Push "Permission..." button and select the user want to allow or restrict access.
    Refer to chapter 10 Security to get more information about the available options.
    Hope it works for you
    JSS

  • I keep getting Alarm popups saying that it cannot send msg using the server null. I think I have disabled email (I use Gmail) and the calendar however I still get these popups and I can't close them?

    I keep getting Alarm popups saying that it cannot send msg using the server null.
    I think I have disabled email (I use Gmail) and the calendar however I still get these popups and I can't close them?
    How can I disable the Alarm popups?
    Thanks
    Brian

    OS X Mail: Troubleshooting sending and receiving email messages - Apple Support
    Google Mail recently implemented additional security measures "for your protection" of course. The manifestation of that may be the requirement to create a unique, "application-specific" password for each one of the various Google services you may use. That requirement probably includes Google Mail. So if the above Apple Support document doesn't resolve the problem, research Google's application-specific password requirements, and how to configure Mail to use it.
    I asked the Hosts to edit or obscure the email address in your post.

  • Firewall that can filter by source port?

    Hi,
    I have looked everywhere but can't find a firewall for OSX that will allow me to filter incoming or outgoing connections by source port. Just about every one I find can filter by destination port.
    Can anyone help me on this?
    Thank you in advance

    Whoop!
    Thanks for that. That really helped. I don't suppose
    you could point me in the direction of a tutorial
    that will allow me to do what I need?
    Hmmm.
    No tutorials that I can personally recommend. (I actually use iptables on linux for my firewall needs)
    http://www.novajo.ca/firewall.html looks ok.
    There is a lot of good info on macosxhints, as well, especially on creating the startup script you will need to create.
    Hopefully someone else has a good link to a tutorial.
    Also, brickhouse may do what you need, but it didn't look as if it was quite as configurable as you wanted....

  • How can i find SDM port , Message server port, Message server name?

    Hi All,
       I am trying to deploy a ear file from NWDS.
    I am trying to configure through
      Windows>Preferences>SAP J2EE engine -- Remote.
    I have these questions.
    1. How can i find Message server Host?
    2. How can i find Message server Port?
    3. How can i find SDM port?
    4. What is the difference between the Message server port and SDM port? Both are same or can be different?
    5. What are the ways to deploy a ear file on remote J2EE engine ?
    6. Can I run SDM from a remote machine and connect to the server?
    7. When i am trying to deploy a ear file i am getting
      "Cannot determine sdm host (is empty)" what is the possible reason.
    (Here i used information from /usr/sap/GXI/DVEBMGS00/j2ee/cluster/instance.properties for server host and port number)
    Thank you
    Ganges Leaves

    Hi Ganges~
    Please check this link~
    Deployment Problem
    Could not start SDM Server
    SDM setting the target system for j2ee engine
    "No route to host" - SDM
    SDM Error
    Can not deploy. sdm host is empty
    Hope this helps,
    regards,
    moorthy

  • Port 548 network problem

    I am trying to connect to two macs behind the same firewall. I am having port conflict issues on 548, since they both use this port for AFP.
    I have the forward setup but I can only connect to one or the other. I have read a bunch of info on this but no real solutions other than buying a new firewall that can do port mapping or hacking the network config to change the port one of the machines uses (although this sounds like it is not supported or recommended by Apple).
    Many people have to be running into this same issue. I am surprised I haven't found any solutions. Any help would be appreciated.

    There are several possible solutions depending largely on your router's port forwarding capability.
    Some routers can only forward to the same private port number as the public (e.g. port 548 on the public interface maps to port 548 on some internal machine). Others, though, can map to different port numbers. If you have the latter you should be able to map some unused port number on the outside world to your second server, e.g.:
    Public port #548 -> machine1:548
    Public port #2548 -> machine2:548
    In this way AFP continues to listen on port 548 on each machine, and you just tell the remote client to connect to port 2548 (or whatever other number you choose) if you want to connect to the second machine.
    If that doesn't work for you since your router can't swap port numbers then the next level is to use SSH Tunneling. You setup a port forward for port 22 only, and use SSH tunneling to forward to port 548 on either machine.
    There's another advantage to this approach, too, which is that your AFP session gets encrypted, adding an additional level of security.
    To take this approach, setup port forwarding on port 22 to either machine, then from the remote client initiate a SSH session to that machine while using the -L switch.
    If the two remote machines have the IP addresses 192.168.1.2 and 192.168.1.3 and your public IP address is 123.45.67.89 then you'd do something like:
    ssh -L 5480:192.168.1.2:548 user@123.45.67.89
    This tells SSH to connect to 123.45.67.89 and setup a tunnel between the local port 5480 (on your machine) which forwards to port 548 on the machine 192.168.1.2
    Substituting the IP address of the other machine establishes a connection to that machine.
    Once the SSH tunnel is up you tell your machine to connect to localhost:5480 - this is picked up by SSH, sent over the tunnel and forwarded to the destination machine.
    The next step above that is to use a VPN. This gives your machine direct access to the entire remote network and you can access any service on any machine over the secure VPN connection. This will take a little more setup, but is easier in the long run if you have either lots of internal machines or do this often.

  • Port 548 Problem

    OK, nobody laugh, but I am trying to transfer some old work files from an ancient PowerBook 3400 (including many on Zip disks) running OS 8.1 to one of our newer machines so we can look through them at our leisure later and save those of interest.
    On the PowerBook, I have successfully connected over our LAN to both of the new machines (see below) via Chooser and started to copy files to those machines. In the middle of the copy, after a few minutes, I get the following message: 192.168.1.xx:548 "The file server connection has closed down". 192.168.1.xx is the LAN IP address of the receiving machine. Personal File Sharing is allowed on the receiving machine, and file permissions have been given to Others in the receiving folder. Do I need to do authorize something on Port 548 to allow the transfer?
    Thanks in advance for any suggestions.
    Bob
    (cross-posted on OS 9 board as well)

    Try "Reading them"... the other way, if the newer ones can connect to the PB.
    It was Tiger/10.4 that broke File Transfer via Appletalk, 10.3.x is not a problem...
    OSX.4.x lost the file transfer ability of Appletalk... 10.1.5 thru 10.3.9 had it!
    http://docs.info.apple.com/article.html?artnum=301183
    Another solution is OpenDoor's $39 Shareway IP, (some OS7, 8, 9 releases had a limited version included)...
    http://www.opendoor.com/shareway/
    Which makes OS9 Tiger compatible, but how far I do not know.
    With the limited version I am able to copy files "from" the other one, but copying "to" the other one will break either way, getting your exact error and crashing the earlier OS machine while spinning the Beachball on the Tiger machine.
    "Mac OS X 10.4 and later don't support Personal File Sharing (or other AFP) over Appletalk, though by initiating the connection from the opposite direction you could still achieve an IP connection from a Mac OS 8 computer to a sharing Mac OS X computer. The Network preference pane in Mac OS X 10.4 and later still offers the AppleTalk checkbox, but it is for browsing AppleTalk-advertised resources and zones. The subsequent connection must be over TCP/IP."
    http://docs.info.apple.com/article.html?artnum=106461
