WRVS4400N Firewall rule problem

Similar Messages

• SA520 Firewall Rule cannot block HTTP

  Hi All,
  We are currently encountering a firewall rule problem. The following are the steps we
  have done so far:
  Default Outbound Policy: Allow Always
  IPV4 Rules - Delete all firewall rules we have created and made a single firewall rule to block
                              outbound HTTP for a single IP Address
                   - Delete all firewall rules we have created and made a single firewall rule to block
                              outbound HTTP for a range of IP Address
                   - Tried making "Block by schedule" Action on port HTTP on a single and a
                               range of IP Addresses
                   - We have tried blocking HTTPS / POP3 / SMTP / IMAP and was successfully
                               blocked but not on HTTP
  Services - Created a Custom Service blocking Port 1-65535 but still workstation can still access the internet.
  MAC Filtering - Checked MAC address filtering and Policy for MAC Addresses listed below is set to
                                Block and Permit the Rest and added the MAC address of  the workstation we want to block
                                still the workstation can access the internet.
  IP/MAC Binding - We have also binded the MAC Address and IP Address
  Content Filtering - Only content filtering works - blocked URL
  We have also tried doing all the IPV4 Rules with the Default Outbound Policy: Block Always and all
  the firewall rules action set to allow only those services that needs to be permitted.
  Still blocked workstations can still access the internet.
  Firmware Version: 1.1.42
  Thanks
  Karl

  Hi Karl,
  This looks like a bug in build 1.1.42. Please upgrade your
  image to the latest build 2.1.18 which fixes the problem.
  Let me know if the upgrade helps.
  Regards,
  Wei

• 0x8007000e (E_OUTOFMEMORY) while adding a firewall rule using the windows firewall COM API

  Hello,
  Configuration: Windows Embedded 8 64-bit.
  I'm using the Windows Firewall with Advanced Security COM API. The program uses the INetFwRules interface. Basically, I'm using the following code (Form the code sample available here : http://msdn.microsoft.com/en-us/library/windows/desktop/dd339604%28v=vs.85%29.aspx.)
   I get the error when performing "hr = pFwRules->Add(pFwRule);".
  We can also encounter the problem when removing a rule (using pFwRules->Remove(ruleName);)
  HRESULT hrComInit = S_OK;
  HRESULT hr = S_OK;
  INetFwPolicy2 *pNetFwPolicy2 = NULL;
  INetFwRules *pFwRules = NULL;
  INetFwRule *pFwRule = NULL;
  long CurrentProfilesBitMask = 0;
  BSTR bstrRuleName = SysAllocString(L"SERVICE_RULE");
  BSTR bstrRuleDescription = SysAllocString(L"Allow incoming network traffic to myservice");
  BSTR bstrRuleGroup = SysAllocString(L"Sample Rule Group");
  BSTR bstrRuleApplication = SysAllocString(L"%systemroot%\\system32\\myservice.exe");
  BSTR bstrRuleService = SysAllocString(L"myservicename");
  BSTR bstrRuleLPorts = SysAllocString(L"135");
  // Initialize COM.
  hrComInit = CoInitializeEx(
  0,
  COINIT_APARTMENTTHREADED
  // Ignore RPC_E_CHANGED_MODE; this just means that COM has already been
  // initialized with a different mode. Since we don't care what the mode is,
  // we'll just use the existing mode.
  if (hrComInit != RPC_E_CHANGED_MODE)
  if (FAILED(hrComInit))
  printf("CoInitializeEx failed: 0x%08lx\n", hrComInit);
  goto Cleanup;
  // Retrieve INetFwPolicy2
  hr = WFCOMInitialize(&pNetFwPolicy2);
  if (FAILED(hr))
  goto Cleanup;
  // Retrieve INetFwRules
  hr = pNetFwPolicy2->get_Rules(&pFwRules);
  if (FAILED(hr))
  printf("get_Rules failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Create a new Firewall Rule object.
  hr = CoCreateInstance(
  __uuidof(NetFwRule),
  NULL,
  CLSCTX_INPROC_SERVER,
  __uuidof(INetFwRule),
  (void**)&pFwRule);
  if (FAILED(hr))
  printf("CoCreateInstance for Firewall Rule failed: 0x%08lx\n", hr);
  goto Cleanup;
  // Populate the Firewall Rule object
  pFwRule->put_Name(bstrRuleName);
  pFwRule->put_Description(bstrRuleDescription);
  pFwRule->put_ApplicationName(bstrRuleApplication);
  pFwRule->put_ServiceName(bstrRuleService);
  pFwRule->put_Protocol(NET_FW_IP_PROTOCOL_TCP);
  pFwRule->put_LocalPorts(bstrRuleLPorts);
  pFwRule->put_Grouping(bstrRuleGroup);
  pFwRule->put_Profiles(CurrentProfilesBitMask);
  pFwRule->put_Action(NET_FW_ACTION_ALLOW);
  pFwRule->put_Enabled(VARIANT_TRUE);
  // Add the Firewall Rule
  hr = pFwRules->Add(pFwRule);
  if (FAILED(hr))
  printf("Firewall Rule Add failed: 0x%08lx\n", hr);
  goto Cleanup;
  This works pretty well but, sometimes, at system startup, adding a rule ends up with the error 0x8007000e (E_OUTOFMEMORY) ! At startup, the system is always loaded cause several applications starts at the same time. But nothing abnormal. This is quite a random
  issue.
  According MSDN documentation, this error indicates that the system "failed to allocate the necessary memory".
  I'm not convinced that we ran out of memory.
  Has someone experienced such an issue? How to avoid this?
  Thank you in advance.
  Regards, -Ruben-

  Does Windows 8 desktop have the same issue? Are you building a custom WE8S image, or are you using a full WE8S image? The reason I ask is to make sure you have the modules in the image to support the operation.
  Is Windows Embedded 8.1 industry an option?
  www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

• Can't add a new Firewall Rule

  I have a very curious issue: I cannot add any new firewall rules at all! Clicking on the New Button does nothing and on the console I get
  System Preferences[487] * -[NSCFString objectForKey:]: selector not recognized [self = 0x3f11b0]
  I have flushed the firewall with ipfw, deleted the plist file, repaired permissions but the problem ist still there. Any suggestions? (apart from reinstallation)
  Adding Firewall Rules through ipfw works...

  Whenever I use ipfw I lose the ability to use System Preferences. At first I thought that it compared kernel memory with the plist file and if it found a difference, assumed another firewall was running and disabled itself. But I also deleted the plist file (assuming it would build one from kmem) but that didn't work. Right now I assume there's another file somewhere. It wouldn't make any sense to keep another table in kmem. The weird part is that rules can be the same, but different sequence numbers will cause this problem. There weren't sequence numbers in the plist file, so there's probably another file somewhere.
  I think your error is from the missing plist file. A reboot should clear it up.

• SA 540 INBOUND FIREWALL RULES NOT WORKING

  Hi all,
  I am having trouble configuring the firewall for the SA 540.
  client 1 (160.222.46.154) ----- switch ------ sa 540 ------ cisco 887 W ------ client 2 (50.0.0.10).
  client 1 can ping client 2, however client 2 cannot ping client 1. The default outbound policy (allow all) is set on the sa 540, and I have tried configuring a blanket ipv4 rule on the sa 540 to allow 'all' to 'any' (for all services) related to traffic from the WAN to LAN, and visa versa. The output from the logs are as follows:
  Fri Jan 7 13:43:04 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
  Component: KERNEL
  Fri Jan 7 13:43:09 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=ICMP TYPE=8 CODE=0
  Component: KERNEL
  Fri Jan 7 13:43:14 2000(GMT +1000) WARN FIREWALL 50.0.0.10 160.222.46.154 [firewall] LOG_PACKET[DROP] IN=WAN OUT=WAN SRC=50.0.0.10 DST=160.222.46.154 PROTO=UDP SPT=60737 DPT=53
  Component: KERNEL
  Basically any connection identified as coming in from the WAN (i.e. IN=WAN) is dropped. I set up a new vlan on the cisco 887 W, in the 160.222.46.x address space, and connected a spare port directly to the sa 540 and had no problem testing connectivity to any device via ping. Obviously the zone communication is LAN to LAN and firewall treats the traffice differently.
  I assumed that creating an all encompassing rule to allow all trafiic, for all services, between the LAN and WAN (in both directions) would be equivalent to placing the appliance in PASS THROUGH mode? There is no securtiy set on the 887 W or the switch.
  Also is anybody could explain what 'SELF' means in the conttext IN=SELF or OUT=SELF it would be much appreciated. Firmware is latest.
  Thank you.
  Regards
  Marc

  On closer analysis and with some help from Experts Exchange it did seem non sensical to have both the IN and OUT as the WAN interface, but I had literally exhausted every avenue possible bar 1- changing the routing mode to CLASSIC and configuring a static route (which was at a higher administrative level than my RIP advertised routes) and took preferece when forwarding the packets.
  Now the SA540 firewall rules work as I would expect and I can route between all zones. To summise it appears as if the Double NAT from the router (887W) and then the SA540 was the issue, and the innability to configure any workaround in the interface of the SA54O firewall rules.
  It really makes you appreciate the power of the command line and the full scope of CIsco's command line options. Does anybody know if (and how) it would be possible to configure Double NAT on the SA540?
  Regards
  Marc

• SA540 Firewall Rules Fail when Optional Port Configured to Failover

  Today, I configured a client's SA540 for failover.  The primary WAN port is FIOS with a static IP address.  The optional port is Road Runner cable with a static IP address.  The failover tested successfully.  However, now the SA540 cannot be accessed on its internal IP address (https://192.168.1.1) and none of the firewall rules work any longer.  There are several rules but to name two; remote desktop port forwarding to an internal server, and HTTPS to another internal server.  Both rules use IP addresses different than the SA540's WAN IP address.  Additional external IP addresses were configured previously and assigned and they worked up to the point were the failover was configured.
  Now here is the strange part.  If the optional port cable is removed from the port, everything returns to normal, but plug it back in and problems.  I even tried disabling failover in the SA540's configuration and it made no difference unless the cable was unplugged.
  As you might imagine the client is upset about this.  Anyone have any ideas? 
  The firmware is 2.1.18.
  Tony
  PS.  About an hour after I posted this, I tried moving the remote desktop external connection from one of the additional IP addresses configured in the SA540 to the dedicated WAN address and remote desktop sessions were then forwarded into the correct server.  Apparently, the additional IP addresses are not working with the two ISP failover configured, or at least it doesn't work in my configuration.  Any help on this would be much appreciated.  The additional IP addresses are configured in the same subnet as the dedicated (primary) WAN port.   Again, this worked until failover with another ISP was configured.

  This issue has been resolved. After much testing and discussions with the great guys at Cisco TAC, we determined that Verizon FIOS is doing something on their routers to defeat use of IP aliasing. If you have FIOS and you must have more than one IP address and expect to create an IP alias to direct traffic in a 1 to 1 NAT to a node on your network, FIOS doesn’t work. Contact with Verizon technical support is no help. They are oblivious to the problem and don’t want to be bothered.
  Tony Lombardi

• Deleting a firewall rule.

  A firewall rule is causing some problems for me, rule 12190, how do I delete this rule from the firewall?
  It looks like I have to use ipfw from the command line but I am not sure of the syntax.
  Thanks for your help.

  Post to the Unix forum under OS X Technologies.

• [Solved] Windows Firewall rule that will allow Windows Update

  The problem has been solved here:
  https://social.technet.microsoft.com/Forums/en-US/62b9fd5c-10b2-4266-bc15-fcf3e79d20d4/solved-windows-firewall-rule-that-allows-windows-update?forum=w7itpronetworking
  Everything from here down is obsolete.

  Go to Control Panel >Firewall>Advanced Settings. Then click
  Action>Export policy to make a copy of your current policy in case you want to restore it. Then click
  Action>Restore Default Policy.
  This should allow you to use Windows Update.
  See also:
  https://technet.microsoft.com/en-in/library/bb693717.aspx
  https://support.microsoft.com/kb/836941
  S.Sengupta, Windows Entertainment and Connected Home MVP

• RV120W Firewall Rules

  Hi,
  I have several problems with RV120W Wireless-N VPN Firewall :
  1 - I can't delete firewall rules from web interface, when I try, a error "Selected firewall rule(s) deletion has failed" (cf attache file)
  2 - I want to be able to send ping (or others) to a wifi connected device from WAN, i have a rule to allow all traffic from wan to lan in any protocol. When i try to send ping lan interface, there is impossible.
  Thanks,
  Benoit MENARD

  Dale,
  what address are you using to access the internal company websites (IP address or domain name). More than likely, port forwarding rules need to be configured for port 80 to go to internal address of the web server.In order to configure rules for services not available in the list, you wll need to create a custom service. After the service is created it will appear at the bottom of the services list. If you need further assistance you may have to call 1.866.606.1866 and open a support ticket.
  Blake Wright
  Cisco SBSC Network Engineer

• Firewall Printing Problem

  I have a Brother MFC-7820N Network Printer. It uses LPR TCP Port 515 and I have that port open in my firewall. Well, without the firewall it prints fine. So I turn the firewall on, I'm let's say I'm in Word, ok it prints documents fine. Then I quit and restart word, and then press print. In the print queue it just says "data sent to printer" and it doesn't print. Recycling the firewall does not solve the issue either. However, if I turn off the firewall, I can print then, and then after I turn it back on I can print once more until I restart the application I'm printing from. Anybody know what is happening?

  Hi
  Its not quite clear but you may be confusing this forum with this one:
  http://discussions.apple.com/forum.jspa?forumID=756
  This forum is for OSX Server’s Print Service. Having said that I have to ask if it works without the firewall but does not with, then why turn it on? If the printer is on your local network who are you protecting it from - yourself?
  Of course its more than possible that it is a network printer you wish to control client access to by having your Server’s Print Service provide the printer as a spool queue. If the Server can print to the printer without any problems you can simply create am appletalk queue for it and add the printer as an appletalk one on your clients. In either case I’m still struggling to see why you would want to apply a firewall rule?
  Hope this helps, Tony

• Add firewall rule with custom environment variable in program path

  Hi,
  We want to create a firewall rule for a program which is placed in folder which changes sometimes. I know you can add a firewall with the ProgramFiles environment variable like this:
  netsh advfirewall firewall add rule name="Test Firewall rule" dir=in program="%%ProgramFiles%%\Test\Test.exe" action=allow security=notrequired
  The environment variable ProgramFiles isn't expanded and if the Program Files folder is different on a system the rule still works.
  We try to use this with a custom environment variable which we set a system environment variable with this command:
  SETX SomeFolder "D:\Some Folder\Apr 2015" /M
  If we use the command below to add the firewall rule in a batch file the environment variable SomeFolder is expanded correctly and the program path is added as a static path.
  netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%SomeFolder%\AFile.exe" action=allow security=notrequired
  Because the folder changes sometimes we want to change the environment variable SomeFolder and not remove the old firewall rule and create a new one. We want to add the environment variable SomeFolder to the program path as a (dynamic) environment variable
  and not as the expanded path at the moment when the rule is added. If we use this command:
  netsh advfirewall firewall add rule name="Some Firewall Rule" dir=in program="%%SomeFolder%%\AFile.exe" action=allow security=notrequired
  We get the error:
            Windows Firewall with Advanced Security
            An error occurred while adding the rule.
            Error: The parameter is incorrect
            Status: The application name could not be resolved
            OK   
  Why can't we use %%SOMEFOLDER%% like we can use %%PROGRAMFILES%%? The same error is shown when we try to add the firewall rule through the management console 'Windows Firewall with Advanced Security'
  W. Spu

  Hi,
  Based on my plenty of test with this problem, it seems like there is no better method to achieve your requirement. To add new policy to firewall, it would be better using general cmdlet. The path parameter like %%SomeFolder%% do have problem in add firewall
  policy cmdlet. 
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• RV220W Firewall Rules reordering

  How do I reorder firewall rules? I have used the reorder button and then ordered the rules. I then SAVE and the report is Operation Succeeded. The screen stays on the Reorder screen.
  If I go into some other screen and come back to Access Rules I find that the rule order is unchanged. So I select Reorder and the reorder screen comes back showing the new rules order. I now have 2 screens I can go to. The main "Access Rules" and the reorder "Access Rules". These 2 panels show the rules in different order.
  If I reboot the router the reordered rules are lost.
  There appears to be no way to reorder the rules.
  Firmware version is 1.0.4.17
  Any ideas?
  David

  After experimenting a bit further it seems as though there are 2 relevant firewall rule tables. The first one is the one that you see in Access Rules. It seems to show the all the rules in the order that you enter them. When you select "Reorder" you get another table with a list of priorities. This is the table that shows the rules in the order that they will be executed. This order is NOT the same as the first table and the first table order WILL NOT CHANGE as the rules are reordered.
  Now that I know this, it is OK - the doc could have been a bit clearer as this is not consistent with other small routers (at least in my experience!). I also found that when I had been altering a few rules I needed to reboot the router before the rules would work properly.
  Other than that - no problems so far (cross fingers!)
  David

• Rv220w- content filtering ignoring firewall rules

  Hello,
  I face a strange bahavior with my rv220w router : I set up access rules to deny all outbound trafic for a particular IP range. It seems to work fine .... but when I enable content filtering, HTTP  access on port 80 works again (and other ports are denied). It seems that activating content filtering makes the router ignore firewall rule. Bug ? Or did I miss someting ?
  Thanks in advance for your help.

  Hello,
  I've opened case # 621056469. The support engineer told me that he'll try to reproduce the problem on his side, and contact me back for remote testing on my own router. If the issue is already known, does it have some kind of ref number so that I can inform him ? Is a fix already planned for  a future firmware release ?
  Thanks for your help.

• Vlan and firewall rules

  If I have 3 different vlans, are there any problems having different firewall rules between each vlan and the WAN link? I saw an earlier post about some issues with filtering between vlan's but this should'n be the same.
  /Andy

  Yes, this sounds different than the earlier post.
  Firewall rules can be applied for WAN to LAN or vice versa flows.
  As vlans are logically associated with LAN, firewall rules should be applicable for WAN to vlan traffic.
  Using source or destination IP address in the firewall rules should let one to control which rules to be applied for which vlan traffic.
  Regards,
  Richard

• Failed to update server firewall rules

  Hi 
  I have a problem with the SQL firewall. Unfortunately, I can not add IP address. It always comes this error when saving: Failed to update server firewall rules 
  How can I change this? I need to change this setting so that I can work again. Unfortunately, I do not want to help the Support of Microsoft !!

  Hi,
  To configure your firewall, you create firewall rules that specify ranges of acceptable IP addresses. You can create firewall rules at the
  server and database levels.
  Server-level firewall rules: These rules enable clients to access your entire Azure SQL Database server, that is, all the databases within the same logical server. These rules are stored in the
  master database.
  Database-level firewall rules: These rules enable clients to access individual databases within your Azure SQL Database server. These rules are created per database and are stored in the individual databases (including
  master). These rules can be helpful in restricting access to certain (secure) databases within the same logical server.
  For additional information check this below link
  http://msdn.microsoft.com/en-us/library/azure/ee621782.aspx
  http://social.technet.microsoft.com/wiki/contents/articles/2677.windows-azure-sql-database-firewall-en-us.aspx
  http://social.msdn.microsoft.com/Forums/azure/en-US/ea128f00-8a94-4ace-88ff-d7095ff60c1a/cannot-change-firewall-setting-for-sql-azure-after-ip-change?forum=ssdsgetstarted
  Girish Prajwal