Simple Firewall

Hi all,
I have very recently begun using java as a development package, and I love the network capability that it has. It makes it quite a bit easier to make a network application, and implement it.
Something I would like to try would be to make a fairly simple firewall. For instance, when a user inside the network wants to make a connection, it would forward it through to the outside world, and keep the thread open to allow communication back to the host. If the outside world tried getting in, it would reject the host unless it met specific requirements (right port, etc).
Three questions I have:
1. Is this possible? I mean, it seems possible, but would there be a problem with the data, even if I used very basic I/O streams and such? Or would there be problems because of the vast number of protocols and such?
2. How can I differentiate between 2 NICs? On my existing firewall, I'd have eth0 and eth1 for my internet and local net Ethernet cards. How would java know which is which? Creating a server socket is simple, but how do I tell it which interface to listen on?
3. Obviously a firewall would need to listen to all incoming and outgoing ports. Do I seriously need to make 65535 threads to have a server socket listen on every port? I would hope there is a more simple way, but I'm just not finding it anywhere.
Thank you all for your time.

Yes, it is possible with the java.net API.
There are a lot of examples.
I think you should go to the socket programming division
if you really want to do this.

Similar Messages

  • [SOLVED] creating simple firewall

    HI
    I am running mail and web on my server, I would like to put a simple firewall on that server to have some protection.
    Here is my start configuration of iptables
    cat /etc/iptables/iptables.rules
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp --dport 25 -j ACCEPT
    -A INPUT -p tcp --dport 587 -j ACCEPT
    -A INPUT -p tcp --dport 143 -j ACCEPT
    -A INPUT -p tcp --dport 993 -j ACCEPT
    -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    COMMIT
    As you can see I am opening imap, smtp, web and ssh ports.
    MY IDEA is to protect the server from strangers who are scanning ports, trying to open all possible web pages and logging in over some webapp.
    I would like to do something like this:
    DROP the connection if there are too many attempts to open, let's say if there are more than 5 per 1 second then DROP.
    Is it possible to do it in a simple way using iptables? And how?
    thank you very much.
    Last edited by jancici (2012-03-21 21:34:51)

    it happened just a few moments ago, I know it is not me :-)
    Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:13 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:14 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:15 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=175.145.230.49, lip=77.93.202.118
    Mar 21 15:17:16 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=175.145.230.49, lip=77.93.202.118
    so this is the situation, or the reason why I want to protect my server
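    As an added example that is not from this thread (no participant posted it), here is a Python detector over constructed dovecot imap-login lines in the format quoted above. It reports every source that exceeds the post's proposed limit of more than 5 attempts in 1 second, generalized to any window length (for instance the 60 seconds the Arch wiki's `-m recent` rules use), and renders a review-only iptables rule per hit. The threshold, the window, the sample addresses and the IMAP port list are assumptions.

```python
"""Flag IMAP login sources that exceed a per-window connection-attempt rate.

Added example for this thread, not code from the original post. Parses
dovecot imap-login lines like the ones quoted above and reports each remote
IP (rip=) whose attempts exceed a threshold inside any sliding window.
Assumption: all timestamps fall within the same month (syslog has no year).
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ dovecot: imap-login: "
    r"(?P<event>[^:]+): .*?\brip=(?P<rip>[^,\s]+)"
)

# Constructed sample in the same format as the post's log. The addresses are
# RFC 5737 documentation ranges, not the hosts from the thread.
SAMPLE_LOG = """\
Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:10 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:11 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (tried to use disabled plaintext auth): user=<>, rip=192.0.2.10, lip=198.51.100.5
Mar 21 15:17:12 localhost dovecot: imap-login: Disconnected (no auth attempts in 7 secs): user=<>, rip=203.0.113.7, lip=198.51.100.5
Mar 21 15:17:13 localhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.7, lip=198.51.100.5, TLS
"""


def parse_line(line):
    """Return (seconds_since_month_start, rip, event), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = (int(m["day"]) * 86400 + int(m["h"]) * 3600
          + int(m["m"]) * 60 + int(m["s"]))
    return ts, m["rip"], m["event"]


def attempts_by_source(log_text):
    """Group attempt timestamps by remote IP; lines that do not parse are skipped."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, rip, _event = parsed
            per_ip[rip].append(ts)
    return per_ip


def peak_rate(timestamps, window_seconds=1):
    """Largest number of events inside any window of window_seconds (two pointers)."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        # advance the window start past events older than the window ending at t
        while t - ts[start] >= window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_offenders(log_text, threshold=5, window_seconds=1):
    """Map rip -> peak rate for every source whose peak exceeds threshold.

    Defaults encode the post's rule of thumb: more than 5 attempts in 1 second.
    """
    offenders = {}
    for rip, stamps in attempts_by_source(log_text).items():
        peak = peak_rate(stamps, window_seconds)
        if peak > threshold:
            offenders[rip] = peak
    return offenders


def block_rules(offenders, ports=(143, 993)):
    """Render one INPUT rule per offending source for the given TCP ports.

    Text for review only; nothing is applied. Insert (-I) puts the rule ahead
    of the existing --dport ACCEPT rules so it is evaluated first.
    """
    dports = ",".join(str(p) for p in ports)
    return [
        f"iptables -I INPUT -s {rip} -p tcp -m multiport --dports {dports} -j DROP"
        for rip in sorted(offenders)
    ]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG)
    for rip, peak in hits.items():
        print(f"{rip}: peak {peak} attempts in 1 s")
    print("\n".join(block_rules(hits)))
```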

  • Simple firewall implementation

    Hello,
    I'm pretty new to the cisco product and want to setup a simple firewall.
    I found some examples but can't get it to work.
    For now we are using Cisco routers 88x and 89x series.
    When I activate the script, the remote connection to the router is lost, although I have put a permit rule for ssh.
    The script is the following:
    ip inspect name Firewall tcp
    ip inspect name Firewall udp
    ip inspect name Firewall rtsp
    ip inspect name Firewall h323
    ip inspect name Firewall netshow
    ip inspect name Firewall ftp
    ip inspect name Firewall ssh
    ip access-list extended Allow-IN
     permit eigrp any any
     permit icmp any 192.168.2.0 0.0.0.255 echo-reply
     permit icmp any 192.168.2.0 0.0.0.255 unreachable
     permit icmp any 192.168.2.0 0.0.0.255 administratively-prohibited
     permit icmp any 192.168.2.0 0.0.0.255 packet-too-big
     permit icmp any 192.168.2.0 0.0.0.255 echo
     permit icmp any 192.168.2.0 0.0.0.255 time-exceeded
     permit tcp any 192.168.2.0 0.0.0.255 eq 22
     deny ip any any
    interface Vlan1
     ip inspect Firewall in
    interface Dialer1
     ip access-group Allow-IN in
    Can anyone tell me what I'm doing wrong here?
    And a second question, can I use for the ip inspect also port numbers or must I always use a service name?
    Thank you,
    //Edwin

    Hello,
    I have tested this.
    I couldn't add the router-traffic to the ip inspect rule for ssh but could add it to the ip inspect rule with tcp.
    I tested this option but unfortunately the connection was closed again as soon as the rules were applied to the interfaces.
    Maybe I did it wrong or it doesn't work.
    //Edwin

  • Cisco PIX 501 Firewall Config

    Hi,
    I know this is an old firewall but it's just a simple firewall I need, my question is this.
    I am not getting any internet with my current config, see below:
    show conf
    : Saved
    : Written by enable_15 at 00:52:17.182 UTC Fri Jul 20 2012
    PIX Version 6.3(5)
    interface ethernet0 auto shutdown
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password PVSASRJovmamnVkD encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname bmi-501-fw-1
    domain-name buildmeit.internal
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list allow_ping permit icmp any any echo-reply
    access-list allow_ping permit icmp any any source-quench
    access-list allow_ping permit icmp any any unreachable
    access-list allow_ping permit icmp any any time-exceeded
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 78.XX.XXX.XXX 255.255.240.0
    ip address inside 10.52.100.123 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    nat (inside) 101 0.0.0.0 0.0.0.0 0 0
    access-group allow_ping in interface outside
    access-group allow_ping in interface inside
    route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 10.52.10.0 255.255.255.0 inside
    http 10.52.66.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    management-access inside
    console timeout 0
    terminal width 80
    Cryptochecksum:f8f18bf2b944dddfaf3d83e6c1e1c57c
    bmi-501-fw-1#
    What am I missing, if I try and ping 8.8.8.8 it times out, any suggestions?

    Hi, Thanks for the reply, I've managed to sort it now with the following config below:
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname bmi-501-fw-1
    domain-name buildmeit.internal
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    access-list PERMIT_IN deny tcp any any
    access-list PERMIT_IN deny ip any any
    access-list PERMIT_IN deny udp any any
    access-list PERMIT_OUT permit tcp any any
    access-list PERMIT_OUT permit ip any any
    access-list PERMIT_OUT permit udp any any
    access-list PERMIT_OUT permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside XXX.XX.XXX.XXX 255.255.240.0
    ip address inside 10.52.100.123 255.255.255.0
    global (outside) 1 interface
    outside interface address added to PAT pool
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    access-group PERMIT_IN in interface outside
    access-group PERMIT_OUT in interface inside
    route outside 0.0.0.0 0.0.0.0 XX.XX.XXX.1 1
    route inside 10.52.0.0 255.255.0.0 10.52.100.123 1
    wr mem
    Regarding point 5 where you say devices like this shouldn't be used, I know it's an unsupported device but what other reasons should I not be using it? It's a good, simple firewall - I'd rather use this than say... a horrible Netgear!

  • Firewall for 50 network.

    Firewall or UTM? The Fortigate is a UTM. It offers a lot more than a simple firewall, and most of those additional features demand a more-or-less constant stream of updates to remain effective. Hence, the subscription expense. 
    What kind of traffic do you need to support? At what rate?

    I like Untangle. If you have a box with two NICs in it you can use it and install it onto that machine. You can install more NICs to have more options available for you. I know it can take more than one ISP connection and either combine them or put them in a failover state. I like the web filtering on it as well.
    Edit:
    https://www.untangle.com/shop/WAN-Balancer
    https://www.untangle.com/shop/web-filter

  • Java Firewall


    > > It's possible to write a proxy. That said, this is not really a very good first java network assignment as java network access is quite high level, and this is a complex project.
    > As far as having the knowledge behind it, that is not a problem. This isn't really a school project per se. I am pursuing a degree as a networking specialist, so network addressing and protocols are not an issue. It is simply taking that understanding and putting it into (java) words.
    > In combination with that, I have a decent programming background, just not much in java. I hope to learn quickly, and this is more like a final goal. Java seems like the perfect language to complement an understanding of a network infrastructure.
    Your OP didn't specify a level of knowledge other than that you were new to java. I assumed you had quite a bit of network experience to even consider such a project.
    > > The 2 NICs have different IP addresses; when creating a ServerSocket you can specify the ip address as well as the port.
    > Makes sense, I guess, but I was more or less hoping to have it dynamic. If I ever want to change the address or move this to another system, I wouldn't want to have to recompile with the new address. This could easily be solved with a textbox to input the addresses though, so it's not a big deal.
    You could use a Runtime.exec() call to run a command such as ipconfig on windows or ifconfig -a on unix to get that info.
    > > I believe there is no way to do this, a port of 0 means to use an ephemeral port.
    > If this is not possible, then I would think a java firewall is not possible.
    Yes, when I said it requests an ephemeral port I meant that you can't do what you want.
    > Granted, maybe I am just not understanding the software end of it, but a packet sniffer, like Ethereal, is able to see all data passing through, and I doubt it has 65k threads per protocol to listen. Is there a way to have the program see all data hitting its NIC?
    Java definitely cannot listen to packets in promiscuous mode. There is a package called JPCap that provides packet capture using JNI.
    > I am not sure where an ephemeral port would solve this. Granted, it would help with the internals of the program, passing data from eth0 to eth1, but how would this solve the problem of knowing which port to receive data on eth0?
    > Thanks again!
    You're welcome, and good luck

  • [SOLVED] Firewall and VOIP

    Hi, I am running a simple firewall on my laptop configured using ufw.
    Now I was trying to set up my new SIP account in linphone. It works just fine except when I receive calls - I get no audio in. This is what I know so far:
    1. Not a NAT problem, works fine via my phone setup on the same LAN.
    2. No new entries in /var/log/iptables.log - I opened port 5060 for udp and 7078 for udp and tcp. (linphone wants rtp on 7078 I believe)
    3. It starts working fine, if I open all ports via "ufw default allow".
    How do I find which port it is that I need to open for this to work?
    Help is appreciated. Thanks.
    Last edited by lamdacore (2012-09-02 19:46:32)

    Add an explicit LOG rule at the start of INPUT to just log all incoming traffic, then examine those logs:
    iptables -I INPUT -m state --state NEW -j LOG --log-prefix='[NEW]'
    iptables -I INPUT -m state --state RELATED -j LOG --log-prefix='[RELATED]'
    While a call is in progress (with the firewall disabled), you could also examine the output of netstat:
    netstat -tunp | grep program
    Replace "program" above with whatever application you're using so you only see the connections that process has open.

  • [SOLVED] firewall from wiki, iptables: No chain/target/match by

    I am trying to build a simple firewall using Arch wiki page, https://wiki.archlinux.org/index.php/si … l_firewall
    I ended up with this:
    #!/bin/bash
    iptables -N TCP
    iptables -N UDP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
    iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
    iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach
    iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
    iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
    iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
    iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
    iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    When I run the script, it gives me this error:
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    The problem is caused by the last 4 lines. What do I do wrong?
    (I use current x64 Arch).
    Last edited by dopalek (2014-06-06 11:59:11)

    Gcool wrote: You're probably getting those warnings because you're trying to delete (iptables -D) rules that don't exist. While this is no big deal in itself (the rest of the rules will still be applied); you could consider simply omitting the 3 "iptables -D" rules from your config, which should get rid of the warnings.
    You are right, thank you, I didn't notice it before.
    Anyway, I guess the -D rules from the wiki are there in case somebody has their own rules applied before. It could be explained in the wiki to avoid confusion in the future.
    Last edited by dopalek (2014-06-06 12:02:30)

  • Connect to local SAP server from mac

    I have a Windows 2008 server with SAP server software installed. I connect to it using my Windows laptop through SAP Logon Pad. But now I am using a MacBook Pro OS X 10.8.2 and have no idea how to connect to my local SAP server. I installed a Java SAP client Logon Pad for Mac. This client Logon Pad has an "Add New connection" option but I have no idea how to configure it, any suggestions?

    The incoming connection will only be restricted to random ports > 1024 unless the server is configured otherwise, i.e. you can't manually pick the numbers.
    The OS X firewall (ipfw) can be configured to allow the incoming connection from a particular IP address - but I run Norton firewall so I don't know the specifics of configuring ipfw via the OS X interface.
    I do know that the shareware program Flying Buttress (previously known as BrickHouse) gives a GUI interface to the full flexibility of ipfw.
    I failed to mention previously that you might want to investigate whether the server supports SFTP (Secure FTP) which performs all the communication over port 22 allowing a simple firewall setting (at the server end) and also has the benefit of performing encryption on the data traffic.
    Graham

  • Skype 1.5 (beta) with video is easier to set up than iChat ? Please help

    Hi,
    I have a MacBook with Tiger and iChat v.3.1.5 and my wife has a PowerBook G4 with Panther and iChat 2.1.
    On the MacBook there is this video camera and it seems to be working properly. On the PowerBook there is a DV Sony camera attached via Firewire. Both cameras are working and we are able to see and hear each other with Skype 1.5 beta (downloaded on both computers) The image is at times a bit jerky but is usable ( I guess this is because of our internet speed, I think some 512 MB/s).
    I have been trying to get iChat to work but somehow I did not understand how to set it up. There is a wizard offering either a .Mac account or some AIM (what is this?). I do not want to use the .Mac account (my wife does not have one and mine is only a trial) and do not know what this AIM is. I tried to put my email data into it but it does not work. There is also this Bonjour protocol which the computer keeps asking if I would like to use?
    Right now I am at home and have access to both computers. Can you please explain how I can get iChat to work?
    PS. How do I put myself into my wife's buddy list and vice versa?
    Thank you so much.

    Hi Gregory!
    I got some help from Apple support and here I paste for you some details that might be helpful.
    Ports to open for Mac OS X firewall
    When using the built-in Mac OS X firewall, you only need to open these ports: 5060, 5190, 5297, 5298, 5678, 16384 through 16403
    Tip: If you don't want to bother, a simple workaround is to temporarily turn off the firewall on each computer.
    To chat with the Mac OS X Firewall active, follow these steps to add the necessary ports:
    1. From the Apple menu, choose System Preferences.
    2. From the View menu, choose Sharing.
    3. Click the Firewall tab.
    4. Click New.
    5. From the Port Name pop-up menu, choose Other.
    6. In the Port Number, Range or Series field, type in: 5060, 5190, 5297, 5298, 5678, 16384-16403
    7. In the Description field type in: iChat AV
    8. Click OK.
    Ports to open for third-party firewalls
    A "simple" firewall only allows you to open or close ports, without any additional criteria. If you have one of these, then you should open these ports:
    5060, 5190, 5220, 5222, 5298, 5353, 5678, and 16384 through 16403.
    If that does not work, try opening all ports from 1024 to 65535.
    Note:
    1. All iChat AV traffic is UDP except for ports 5190 and 5298, which need to be open for both TCP and UDP; and 5220 and 5222, which need to be open for TCP only.
    2. Ports 5297, 5298, and 5353 are used only for local traffic. Opening these ports may be necessary for firewall software that runs on a computer, rather than on a router. These ports do not need to be open at your uplink to the Internet.
    3. The Mac OS X firewall found in the Sharing preference pane filters only TCP packets. For this reason, most of the ports listed here do not need to be opened at the Mac OS X firewall.
    4. Some router-specific features or configurations may interfere with iChat AV. This includes port mapping on either end, SIP rewriting, SIP dropping, or dynamic opening of media ports.
    5. This document lists all ports used by iChat AV, not just those used by audiovisual content. A list of individual port functions can be found in technical document 106439, "'Well Known' TCP and UDP Ports Used By Apple Software Products".
    6. For firewall issues specific to file transfer, see technical document 107476, "iChat: Cannot Send or Receive a File When Firewall Is Active".
    All the best,
    D.M.

  • Binding more than one IP address to a server instance

    I know that it is possible to bind multiple IP addresses to multiple server instances. But is it possible to bind more than one IP address to just one server instance? If so, how can it be done?
    Thanks in advance,
    David Chen

    No...it won't work, I misunderstood your post. There is no way you can tell
              a WL instance to bind to multiple IPs...Sorry about that.
              .raja
              "Mike Reiche" <[email protected]> wrote in message
              news:[email protected]...
              >
              > no... I don't think it (not specifying a bindAddr to have WL bind on all
              NICs)
              > will work. You will have two WL instances trying to bind to the same
              IP/Port -
              > which is not allowed.
              >
              > Or did you mean something else.
              >
              > There is no way/syntax to ask WL to bind to two specific IP addresses.
              >
              > Mike
              >
              > "Raja Mukherjee" <[email protected]> wrote:
              > >Mike,
              > >
              > >It will work if both NIC1 and NIC2 are on the same nework. In David's
              > >case,
              > >the NICs are part of different subnet. WLS cluster is only supported
              > >on the
              > >same network.
              > >
              > >..raja
              > >
              > >"Mike Reiche" <[email protected]> wrote in message
              > >news:[email protected]...
              > >>
              > >> Are you running two instances on the same machine in the same cluster
              > >and
              > >you want
              > >> them all to listen on both NICs? That is the only thing I don't know
              > >how
              > >to do.
              > >>
              > >> You would need to four IP addresses -
              > >>
              > >> nic1 / instance1 - 208.8.7.1
              > >> nic2 / instance1 - 208.8.7.2
              > >>
              > >> nic1 / instance2 - 208.8.7.3
              > >> nic2 / instance2 - 208.8.7.4
              > >>
              > >> then somehow you would need to specify the following - HOWEVER, THERE
              > >IS
              > >NO DOCUMENTED
              > >> WAY TO DO THIS. Open a case with BEA support.
              > >>
              > >> on instance 1
              > >>
              > >> bindAddr=208.8.7.1,208.8.7.2 # don't know what the syntax is
              > >>
              > >> and on instance 2
              > >>
              > >> bindAddr=208.8.7.3,208.8.7.4 # don't know what the syntax is
              > >>
              > >> Mike
              > >>
              > >> "Raja Mukherjee" <[email protected]> wrote:
              > >> >David,
              > >> >
              > >> >From what I understood from your email, if you want to add an additional
              > >> >instance for the "internal" network and that solves your problem, you don't
              > >> >need additional licenses. Again, I am not an expert on licensing; last I
              > >> >knew, the WL licenses are not charged by instances but by CPUs. As long as
              > >> >you are not adding more CPUs you don't need an additional license for WL.
              > >> >Please check with your account rep to verify that.
              > >> >
              > >> >Are we talking about a requirement where the "same" application is to be
              > >> >accessed by both "internal" as well as "external" clients? If so, a
              > >> >simple firewall configuration allowing traffic from the "internal" network
              > >> >to the "external" network only to the WLS port would do the trick. Also make
              > >> >sure that the firewall only allows incoming traffic for the connections
              > >> >originating from the "internal" network. There are other possible options,
              > >> >but I need to know more about your configuration.
              > >> >
              > >> >Last but not least, if you had given the information to the group
              > >> >instead of sending personal email, you would have probably gotten a faster
              > >> >response. There are a lot of good and experienced folks in this newsgroup.
              > >> >
              > >> >I don't mind being your friend at all; a couple of Bud Lights would be a
              > >> >good start :)
              > >> >
              > >> >..raja
              > >> >
              > >> >"David Chen" <[email protected]> wrote in message
              > >> >news:[email protected]...
              > >> >> Good guess, Raja. We do have two NICs and two separate networks. I think
              > >> >> Mike's answer is correct according to the documentation. However, in our
              > >> >> case, since we are using a cluster, we have to specify "bindAddr" (is that
              > >> >> right?).
              > >> >>
              > >> >> Unfortunately, I am not the David Chen from Dallas. But I would not mind
              > >> >> being a friend of yours, Raja :)
              > >> >>
              > >> >> Thanks,
              > >> >>
              > >> >> David Chen
              > >> >>
              > >> >> "Raja Mukherjee" <[email protected]> wrote in message
              > >> >> news:[email protected]...
              > >> >> > If my guess is correct, they have two NICs and two separate
              > >> >> > networks... let's see what they are really trying to achieve. I may have
              > >> >> > emails in my mailbox (I know a David Chen from Dallas, is that you David??)
              > >> >> > which I cannot check right now...
              > >> >> >
              > >> >> > .raja
              > >> >> >
              > >> >> > "Mike Reiche" <[email protected]> wrote in message
              > >> >> > news:[email protected]...
              > >> >> > >
              > >> >> > > If you do not specify a bindAddr, it automatically binds to all IP
              > >> >> > > addresses on that machine.
              > >> >> > >
              > >> >> > > Mike
              > >> >> > >
              > >> >> > > "David Chen" <[email protected]> wrote:
              > >> >> > > >I know that it is possible to bind multiple IP addresses to multiple
              > >> >> > > >server instances. But is it possible to bind more than one IP address
              > >> >> > > >to just one server instance? If so, how can it be done?
              > >> >> > > >
              > >> >> > > >Thanks in advance,
              > >> >> > > >
              > >> >> > > >David Chen
              > >> >> > > >
              > >> >> > >
              > >> >> >
              > >> >>
              > >> >
              > >>
              > >
              >


  • EA3500 behind another router - how to make it work?

    I want to create a DMZ by having a less sophisticated router connected to the cable modem, which would host the webserver (which contains no sensitive information), and then the EA3500, to which my laptops and desktops containing sensitive information would connect. Can CCC work through that first router?

    So, to give more details...
    The first router, a D-Link DIR-615 running DD-WRT, gets its WAN address from the cable modem via DHCP. On the LAN side, DHCP is turned off and the DIR-615 is 192.168.1.1. The EA3500 WAN is connected to a DIR-615 LAN port with IP 192.168.1.2, and the EA3500 LAN side has DHCP turned on, assigning IP addresses to my laptops and desktops in the 192.168.2.100-149 range. The webserver is connected to a DIR-615 LAN port with IP 192.168.1.3. The DIR-615 forwards port 80 to 192.168.1.3:80. All other ports are blocked.
    My question is whether anyone knows if there are specific ports (and whether TCP or UDP) that need to be opened on the DIR-615 in order to allow Cisco Cloud Connect to work on the EA3500 even though it is behind what is essentially a simple firewall. Because as it is, it doesn't work.
    When I had 2 DIR-615s this worked fine, but I wanted to gain some of the cloud capabilities of the EA3500 plus the gigabit Ethernet and the USB port (which has proven utterly useless). I'm trying to figure out if I've wasted my money...

  • Iptables -p tcp/udp --dport no longer working

    I had a simple firewall setup on my Arch router box. I'm trying to block some additional ports, and it looks like maybe a recent update has borked the tcp/udp extensions modules?
    Running anything with `--dport` or `--destination-port` (or the source port variants) returns "No chain/target/match by that name."
    What is the module for the tcp/udp extensions? Is it one of these:
    krovisser /etc/iptables :( # lsmod | grep ip
    tulip 51905 0
    ipt_MASQUERADE 2154 5
    iptable_nat 3358 1
    nf_nat_ipv4 3568 1 iptable_nat
    nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
    ipt_REJECT 2313 1
    nf_conntrack_ipv4 9166 4
    nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
    nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
    iptable_filter 1488 1
    iptable_mangle 1584 0
    ip_tables 17218 3 iptable_filter,iptable_mangle,iptable_nat
    x_tables 17351 6 ip_tables,ipt_MASQUERADE,xt_conntrack,iptable_filter,ipt_REJECT,iptable_mangle
    krovisser /etc/iptables # lsmod | grep nf
    nf_nat_ipv4 3568 1 iptable_nat
    nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
    nf_conntrack_ipv4 9166 4
    nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
    nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
    Not sure what's going on, because using a bare `-p tcp` will work. So it should load the extension at that point.
    Last edited by krovisser (2013-05-07 23:29:19)

    In addition to what fukawi2 said, if you are running systemd and you make a change to your iptables you can do:
    iptables-save > /etc/iptables/iptables.rules
    systemctl restart iptables
    The updates will then take place without having to restart the server.
    Hope this helps.
    R.
    edit: this also assumes that the modules you need are loaded.
    Last edited by ralvez (2013-05-08 02:12:26)
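    As an added example (not from this thread), a POSIX sh lint that can be run over the saved rules file before the `systemctl restart iptables` step above: it checks the `*filter`/`COMMIT` framing, that INPUT defaults to DROP, and that every rule using `--dport`/`--sport` also carries `-p tcp` or `-p udp`, since those options belong to the tcp/udp match extension and a rule without the protocol is rejected at restore time. The two rule sets it writes to temp files are constructed for the demo.

```shell
# Added example, not from the thread: lint an iptables-save style rules file
# before restoring it. Sample rule sets below are constructed for this demo.

# check_rules FILE: print findings, return 0 if clean, 1 if anything is wrong.
check_rules() {
    file="$1"; rc=0
    # A saved filter table starts with *filter and is closed by COMMIT.
    grep -q '^\*filter' "$file" || { echo "missing *filter header"; rc=1; }
    grep -q '^COMMIT'   "$file" || { echo "missing COMMIT"; rc=1; }
    # A host firewall should default-deny inbound traffic.
    grep -q '^:INPUT DROP' "$file" || { echo "INPUT policy is not DROP"; rc=1; }
    # --dport/--sport belong to the tcp and udp match extensions (xt_tcpudp);
    # a rule using them without -p tcp or -p udp cannot load the match and is
    # rejected by iptables when the file is restored.
    while IFS= read -r line; do
        case "$line" in
            *--dport*|*--sport*|*--destination-port*|*--source-port*)
                case "$line" in
                    *"-p tcp"*|*"-p udp"*) ;;
                    *) echo "port match without -p tcp/udp: $line"; rc=1 ;;
                esac ;;
        esac
    done < "$file"
    return "$rc"
}

# write_samples: create a clean and a broken rule set (constructed), export paths.
write_samples() {
    GOOD_RULES=$(mktemp); BAD_RULES=$(mktemp)
    cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF
    cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT --dport 8080 -j ACCEPT
COMMIT
EOF
}

write_samples
check_rules "$GOOD_RULES" && echo "$GOOD_RULES: OK"
check_rules "$BAD_RULES"  || echo "$BAD_RULES: fix before restarting iptables"
```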

  • Download tool for 5800

    The official download tool within the PC suite will not connect. The PC setup is a simple firewalled home network.
    Is there a way to configure the settings in the PC suite to go around the firewall, or what ports does it use?
    Cheers
    DJ000

    http://dailymobile.se/forum/index.php have a look here for latest info on 5800
    If I have helped at all, a click on the white star below would be nice, thanks.
    Now using the Lumia 1520

  • Model of asa for response rate limit

    Hi, I'm new, just registered.
    I need to know what kind of Cisco ASA I should buy for my company; I need to use response rate limiting to limit DNS requests on my DNS server.
    If you can help me, I'll be very grateful.

    Recent versions of ISC BIND can rate-limit their responses themselves; Cisco ASA software can police packet flow rates but it's not their primary function.  If the only thing you want is rate-limiting, I wouldn't bother with the ASA.   If you need actual firewall, NAT, or IPS functionality, the ASA becomes useful.
    To size an ASA, you'd need to know what kind of traffic rates you need to support, and what kind of inspections you plan to do.  Cisco has some published packet and throughput data at e.g.  
       http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/qa_c67-700608.html
    In my own experience, simple firewall configurations and test traffic will at least meet and often exceed Cisco's guidance.
    Personally, I'm using ASA 5525-x devices to support ~350 users on gigabit fiber uplinks averaging about 6kps, mixed sizes with good results.  With the older 5520's I was dropping packets during peak traffic surges to full line rates.
    -- Jim Leinweber, WI State Lab of Hygiene
