Xserves blocking all ports upon reboot [Firewall issue]

Almost every time I need to shut down/restart my new Intel Xserves, they block all their ports upon reboot and I can't access my SAN or VNC into the servers (every network port/fiber port gets blocked). I found that the fix for this is to run:
    sudo serveradmin stop ipfilter
and then reboot; after that everything is fine again, strangely.
However, if I keep the firewall disabled (as a temporary fix) my client machines cannot access the internet or LDAP.
I was just wondering if anyone else has ever encountered this odd glitch and how to stop it from happening. It's not too big a deal at the moment since I'm on campus, but in the future I will not be and I'd have to travel up here to fix it.
Is this a problem with OSX Server?
Message was edited by: evets90

If this is two systems and involves a disk wipe and install hasn't cured it, then this is usually not the servers, but something else on the network that's common. Though I don't have a way to explain all of what you're describing, and particularly the effects on the "fiber ports". This affects the fibre channel (optical) SAN ports? That's definitely odd. What happens? Or do you have fiber-optic network connections?
How are you testing for blocked ports here?  Using dig and ping and related tools, or using a higher-level application?
I have seen cases where some firewall process goes nuts and clogs up a server.  But that's not usually both servers.
Check the server logs for any related details, and see if there are any rogue CPU-bound processes.
And check the local area network for problems with DNS services, with errors with IP routing, with errors around subnet routing configuration (use unique IP addresses in distinct subnets for both controllers, unless you're using link aggregation), etc.

Similar Messages

  • Xserve blocks all ports after reboot - Firewall related

    So I have two Xserves that love to just decide that upon rebooting, they will block their external ethernet port as well as their fiber ports after rebooting.
    I can confirm this is a firewall bug because the problem is fixed when I do a "sudo serveradmin stop ipfilter" and reboot, and keeping the firewall off prevents the issue entirely.
    Now of course this isn't safe and I want the firewall on all the time.
    How do I fix this? I have noticed this bug persists even after a total clean reinstall of OSX Server.


  • Block All Ports for a Host

    We are using BM 3.9 (no SP1 yet).
    I'm trying to block a Windows Media Player stream. If I put the URL that WMP uses into a deny rule, the BM log shows the html page is forbidden, yet the media still comes through.
    So I tried blocking all ports on the host. I put in a Deny rule that blocks All TCP&UDP on both the IP address and the host name. Yet, when I type the URL into WMP, I still get the stream. How do I block this with BM?
    Incidentally, after All ports didn't work, I tried specifying ports 0-65535. But I got an error that that was an invalid range. It did let me use 1-65535, though.

    David,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://support.novell.com/forums/faq_general.html
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • I did a fresh restore, reset all settings and rebooted; the issue is still there. I hope Apple doesn't forget about us and solves this issue soon

    I did a fresh restore, reset all settings and rebooted; the issue is still there. I hope Apple doesn't forget about us and solves this issue soon.

    Oh, I've found it meanwhile! There is a 2nd post! So never mind this one! I think lawyerhusain understood he has to let Apple know if he wants them to know, and the technical discussion will continue in the 2nd post!

  • IE HTTP close (reset) - port reuse causing firewall issues

    Having an issue with some systems reusing the same TCP port number between sessions, causing the firewall to drop the connection.
    Internet Explorer is creating the HTTP socket connection to port 80. An ephemeral port (assigned by Windows) is bound to the local side of the connection. The first connection goes through just fine. The socket is closed/reset. However, the very next connection (hundreds of milliseconds later) is using the same ephemeral port, causing the firewall to discard the connection.
    I have tried setting TcpTimedWaitDelay in the registry but that did not help. Since the socket is being reset, it never goes into the TIME_WAIT state.
    Any suggestions? This does not happen consistently - on the order of 10s of times per day.
    Thanks!

    Problem is still occurring. Customer has built a new client system with MS-only software (no virus protection, etc.). Upgraded this system to IE9.  Problem is still occurring. Tried disabling NativeXMLHTTP option but no difference.
    Here is the ASP VBScript code that causes the error to appear:
    function SubmitPost(data, ErrHow) {
        var d = new Date();
        // UID=<timestamp> makes each POST URL unique
        return SendData('POST', 'TDMaster.asp?InstID=' + document.getElementById("tdInstance").value + '&UID=' + d.getTime(), data, ErrHow, 0);
    }

    // Returns a valid MSXML XMLHTTP object, or null if none is available
    function GetMSXML() {
        var progIDs = ['Msxml2.XMLHTTP.6.0', 'Microsoft.XMLHTTP'];
        for (var i = 0; i < progIDs.length; i++) {
            try {
                var http = new ActiveXObject(progIDs[i]);
                return http;
            } catch (ex) {
                // this ProgID is not registered; try the next one
            }
        }
        return null;
    }

    // Function that actually sends the data and returns the response
    // Format 0 = XML
    // Format 1 = Binary
    var http;
    var timedOut;
    function SendData(method, url, data, ErrHow, Format) {
        http = GetMSXML();
        var ResultXML;
        var e;
        http.open(method, url, false);   // synchronous request; a new TCP connection per call
        http.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        http.setRequestHeader("Content-Length", data.length);
        try {
            http.send(data);
            if (Format == 0) {
                return http.responseText;
            } else {
                return http.responseBody;
            }
        } catch (e) {
            // CreateError is defined elsewhere in the poster's page (not shown)
            return CreateError(e.number, e, ErrHow);
        }
    }

  • RMI firewall issue - opening port 1099 is not enough

    Hello,
    We have a distributed java desktop app that uses RMI with callbacks to communicate amongst the clients. It all works really well at our dev site and at 2 trial sites.
    We are about to deploy out to more customer sites - so I have been doing more testing with firewalls etc and discovered some issues. Our customers are small businesses and typically have between 1 and 10 desktop clients that connect to the server via RMI. These customers are "very NOT technical", so we need to give them set-and-forget firewalls etc.
    This is all on a LAN, with RMI using port 1099. On the firewalls (of the various PCs) we open ports 1099 (RMI) and 5432 (for the Postgres DB).
    Also, I was using "CurrPorts" and "SmartSniff" to monitor the traffic at each PC - so I had a reasonable view of proceedings.
    Basically, opening port 1099 on the server is necessary, but it is NOT ENOUGH. The RMI moves off to ports other than 1099, and the server firewall does not allow the connection.
    Procedure ...
    (1) start the "server" app - which starts the RMI registry - the "localhost" desktop app also starts and it works well to both the database and the RMI.
    (2) start another client - it connects to the DB Server, but NOT the RMI server.
    (3) open the server firewall to all traffic for a few seconds - then the client connects successfully.
    From CurrPort logging I could watch the RMI comms progress over those first few minutes ...
    Initially the comms do include port 1099 on the initial call to the server, but thereafter there are always 2 or 3 "channels" open, but not to 1099.
    I notice that the Postgres DB keeps using port 5432 for all of its active channels - so it does not have the same firewall issue.
    After we have opened the firewall for a few seconds - to enable the link - then we can turn the client on and off and the client re-connects without issue - so it would seem to be only an issue with the initial connection.
    I am sure that this is all completely standard and correct RMI behavior.
    QUESTIONS:
    1. Can RMI be "forced" to always use port 1099 for connections, and not move to other ports? (like the database uses 5432)
    2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
    Other comments ...
    The firewall lets me open individual ports (say 1099) - BUT I can not justify opening ALL ports.
    The firewall lets me open all ports to an application, say "C:\Program Files\Java\jre6\bin\java.exe", but that app will occasionally change at a customer's site as they will update their java version and suddenly our app will stop working.
    Any guidance is appreciated.
    Many Thanks,
    -Damian

    1. Can RMI be "forced" to always use port 1099 for connections?
    Yes. Export all your servers on the same port. See UnicastRemoteObject constructor that takes an int, or UnicastRemoteObject.exportObject(int). If the RMI Registry is a separate process you can't re-use 1099 for this purpose, but see below.
    2. Are there any suggestions for getting around this seemingly standard RMI behaviour?
    Yes. Start the RMI Registry in the same JVM as the code, then you only need to use 1099 for everything.
    If you are using server socket factories, make sure they have an equals() method, or use the same instance for all remote objects.
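    An added example, not Damian's code or the replier's: a minimal server that follows the answer above, creating the registry in-process and exporting its remote object on the same port 1099 so the server firewall only needs that one TCP port open. The Greeter interface, the hostname and the callback port 1100 are constructed for the example.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

public class FixedPortRmiServer {
    // The single TCP port the server firewall needs to allow (the thread's 1099).
    static final int RMI_PORT = 1099;

    // Hypothetical remote interface, constructed for this example.
    public interface Greeter extends Remote {
        String greet(String name) throws RemoteException;
    }

    // Exported explicitly below instead of extending UnicastRemoteObject,
    // because the no-arg UnicastRemoteObject constructor exports on port 0
    // (an anonymous ephemeral port), which is exactly the traffic the firewall drops.
    static class GreeterImpl implements Greeter {
        public String greet(String name) {
            return "hello " + name;
        }
    }

    public static void main(String[] args) throws Exception {
        // Pin the address written into exported stubs so clients are not handed a
        // loopback or wrong-interface address. The hostname is a placeholder.
        System.setProperty("java.rmi.server.hostname", "rmi-server.lan.example");

        // 1. Start the registry inside this JVM (the answer's suggestion) rather than
        //    running a separate rmiregistry process; it listens on RMI_PORT.
        Registry registry = LocateRegistry.createRegistry(RMI_PORT);

        // 2. Export every remote object on that same port. With the default server
        //    socket factory, RMI reuses the listener the registry already opened on
        //    RMI_PORT, so no additional port is ever opened for this object.
        Greeter greeter = new GreeterImpl();
        Greeter stub = (Greeter) UnicastRemoteObject.exportObject(greeter, RMI_PORT);
        registry.rebind("Greeter", stub);

        // If you pass a custom RMIServerSocketFactory, reuse one instance or give it
        // equals()/hashCode(); otherwise each export gets its own listener and you
        // are back to multiple ports.

        System.out.println("Greeter exported on TCP/" + RMI_PORT
                + "; only this port needs to be open on the server firewall.");

        // Client side (separate process), for reference:
        //   Registry r = LocateRegistry.getRegistry("rmi-server.lan.example", 1099);
        //   Greeter g = (Greeter) r.lookup("Greeter");
        //   g.greet("damian");
        // A client that registers a callback object must likewise export it on a
        // fixed port (e.g. exportObject(callback, 1100)) and allow that port inbound
        // on its own firewall, because the server opens a connection back to it.
    }
}
```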

  • WRV200 Access Restriction on all ports for a time period?

    I have a system that needs to be restricted to only having internet access for a small window each day. I have been looking at the Access Restriction tools for this, but it looks like I would need to block each possible port with its own policy. This seems very inefficient and complex. Is there a way to make a rule that blocks ALL ports for a time period?
    Thanks!

    Under Firewall>Access Restriction when you are creating an Access Policy under Blocked Services you can select TCP, UDP, or IP. If you select IP it will block everything instead of a specific port. You will have to create a rule for each IP on your network that you do not wish to have access outside of your selected window.

  • Block TCP ports?

    I have a customer that has an Airport setup for their clients (it is a restaurant) and they have been hit with some DMCA notices, as someone is downloading torrents while on their network.
    How do I block all ports but 80 on the Airport?

    Look for a firewall.  I am sure there are some.  Not sure of the requirements though. 
    It looks like whispermonitor may be a good option.

  • Windows Firewall issue, Inbound rule opened all, still not the same as turning off

    This is Windows Firewall issue on Windows 8.1 Pro. 
    Backup Exec server cannot expand a computer node in selection list. I drill down to Microsoft Windows Network/Domain/Computers, then when I tried to expand a Windows 8.1 Pro computer node, it hangs out. 
    I narrowed this problem to Windows firewall related issue on Windows 8.1 Pro computer. 
    When I turn off Windows Firewall on the Domain profile, Backup Exec Selection expands the computer node of the Windows 8.1 Pro computer. So I created an inbound rule opening everything to the Backup Exec server as follows, but it's still not the same as turning off Windows Firewall specifically on the Windows 8.1 Pro computer:
    Any Local IP address, Any Remote IP address, Any port, Any protocol, All Interfaces, All Programs and Services, All profiles (Domain, Private, Public)
    And there are no rules blocking anything which might override the above rule.
    Ethernet on the Windows 8.1 Pro computer shows the profile is linked with Domain, but just to make it work, I selected all profiles.
    Even though I opened everything available in the inbound rule, it's still not the same as turning off Windows Firewall. What am I missing?

    It looks like something related to RPC (UDP 135), but when the inbound rule is all open, why does it matter? RPC seems to work fine only when the firewall is turned off on the Domain profile.
    Protocol 17 is UDP
    Port: 135
    ===============================
    Event ID 5152
    The Windows Filtering Platform has blocked a packet.
    Application Information:
      Process ID: 0
      Application Name:
    Network Information:
      Direction: Outbound
      Source Address: 192.168.1.120
      Source Port: 0
      Destination Address: 192.168.1.11
      Destination Port: 0
      Protocol: 1
    Filter Information:
      Filter Run-Time ID: 245836
      Layer Name: ICMP Error
      Layer Run-Time ID: 32
    The Windows Filtering Platform has blocked a packet.
    Application Information:
      Process ID: 0
      Application Name:
    Network Information:
      Direction: Inbound
      Source Address: 192.168.1.11
      Source Port: 35341
      Destination Address: 192.168.1.120
      Destination Port: 135
      Protocol: 17
    Filter Information:
      Filter Run-Time ID: 245834
      Layer Name: Transport
      Layer Run-Time ID: 13

  • RDS and Gateway issues: Cannot get remoteapps to run without opening port 3389 on firewall

    I am testing the setup of a small RDweb server to host QuickBooks for some remote sales users (4 users). For the most part, I have everything installed on one virtual server (using 2012r2 "Quick Start" session host deployment with the additional Licensing and Gateway server roles added to the same server).
    Everything works excellently with one exception. External clients cannot launch published apps without having port 3389 open on the firewall, even with the gateway role installed and the 'Deployment Properties' set to use the gateway. They can properly connect to the RDweb site and view the published apps. The only way it works is to open the firewall port (at which time I can disable the gateway or leave it configured and it works either way). Internally, everything works accordingly. I have followed the steps outlined on many sites and have combed through the forum here to no avail.
    Error received (summarized but is a well documented error):
    remote desktop can't connect to the remote computer: 1- Your user account is not listed (it actually is) or 2- You might have specified the remote computer in NetBios format . . etc.
    This is an existing SBS 2011 environment with additional virtual servers setup to host QuickBooks as outlined below:
    Current setup:
    Used Quick Start to install Remote Desktop Services in hosted sessions mode
    Installed the additional roles for Licensing and Gateway server on same server
    Configured wild card public certificates on all four services (Connection Broker(2), Web Access and Gateway)
    Configured internal DNS to properly look up our external FQDN of this server (ex. quickbooks.contoso.com points to quickbooks.contoso.local)
    One thing I noticed (just now): when I launch a published app and the firewall has port 3389 closed, a dialog box pops up directly after launching the app that warns about running a RemoteApp program and lists the Remote Computer and the Gateway Server as both the same (which they are); however, I would have assumed one would have listed the internal server's name while, instead, both are listed as the external FQDN. Either way, internal DNS should still allow it to properly route . . no? I don't know . . I'm sure I am just missing something in a routing configuration somewhere. The gateway service is not properly looking up the RDweb service and then seemingly not routing the encapsulated RDP session through HTTPS . . . is my guess . .
    I was reading about the "set published name" cmdlet; however, I am not experiencing a certificate name mismatch, although the certificate name does show up as *.contoso.com versus the actual name. I may just be grasping at straws now . . :)

    OK, while I was in the server and looking over the BPA scans: "The Remote Desktop Gateway (RD Gateway) server Secure Sockets Layer (SSL) certificate may not have a valid certificate subject name." This may be due to it showing up as *.companyname.com versus quickbooks.companyname.com. Anyhow . . . on to the list of actions above:
    Changed RD RAP from "Select Active Directory" group to "Allow any network resource" and tested with port 3389 closed on the firewall:
    Worked. Initially it did not, as I had used a custom shortcut created earlier; however, after logging into the RDweb site again, the application loaded fine (after the RD RAP change).
    No error message appeared; however, I did notice that for a split second the word Error did appear in the browser's tab title, but only very briefly. The app launch does take a bit longer now too (about 10-15 seconds, up from about 4 seconds with the port open). This I could care less about so long as we are properly forwarding the traffic through the gateway.
    As for log entries, I had spent quite a bit of time in there and only had minor issues with loading user profile settings taking too long and policy settings preventing the redirection of USB devices. Looking again, still no issues. Just a bunch of informational entries from where I would connect (and disconnect) before, but only with the port on the firewall open; otherwise, there was no entry correlating to when I would receive an error before. Now though, I am connecting after the RD RAP change and the logs are showing connections even with the port closed. These are in "Operational"; the "Admin" log only shows the update to the RD RAP configuration.
    Yes, the LAN's DNS server does relay the lookup information for my public FQDN as the local LAN address. No need for a local host record.
    I have now added a new rule in our firewall to allow and forward UDP port 3391 traffic to the internal server hosting remote services.
    Thank you very much for your assistance on this matter. The RD RAP rule was built by default during the creation of these services. Why is the resource not cross-referencing AD security groups? I could have sworn I created a group for that . . .

  • All ports blocked

    Hi
    A new NetWare 6.5.8 server with BM 3.9, with all the necessary filter exceptions.
    If the filters are up, all ports stay blocked no matter what filter exceptions I have.
    To test it, I made a few more filters with port 80 open and 1677 for GW, for all interfaces and for all addresses, and it is not possible to access Internet pages or GW from the Internet.
    Thanks for any help.
    Regards
    Viegas

    On 11/16/2009 10:55 PM, Viegas wrote:
    > Hi
    >
    > A new NetWare 6.5.8 server with BM 3.9, with all necessary filter
    > exceptions.
    > If the filters are up all ports stay blocked no matter all the filter
    > exceptions I have.
    > To test it, I make a few more filters with port 80 open and 1677 for GW
    > for all interfaces and for all address and is not possible to access to
    > Internet pages or GW from Internet.
    >
    > Thanks for any help.
    >
    > Regards
    > Viegas
    1. Check in filtcfg that your interfaces are correctly marked as public and private.
    2. Check that DS is healthy and filtsrv can read the filters from eDir. If filtsrv cannot read them, it will block everything by default.
    3. If you're having DS issues, move the filters out of eDir and use filters.cfg. You can do that using the /nonds switch. But then iManager will no longer work for setting filters and you'll have to use filtcfg:
    1. On the system console, set the following parameter:
    set FILTSRV nonds=ON
    2. Run the following command to unload filtsrv.nlm:
    unload filtsrv.nlm
    3. Run the following command to load filtsrv.nlm:
    load filtsrv.nlm

  • I am having trouble viewing iStore. It appears as if its a Flash issue, as several minutes after logging in to iStore I get a non-flash page of iStore in my iTunes window. I have re-installed everything and tried opening all ports in router....any ideas?

    I am having trouble viewing iStore. It appears as if it's a Flash issue, as several minutes after logging in to iStore I get a non-Flash page of iStore in my iTunes window. I have re-installed everything and tried opening all ports in the router, and used msconfig to bring up each service individually to see if there is an effect. Flash and iTunes have been re-installed ... any ideas?

    I agree. I don't rely on iCloud as a backup, that is what I have my portable hard drive for. Its 500 GB so I can hold my entire iTunes library several times over on it. I have all my movies on my hard drive, but somehow "The Mist" got deleted off of my hard drive, so I figured "Well, the option to redownload an already purchased movie is available through iCloud, I'll just do that!"
    And permissions and download availability have nothing to do with it, the movie's still there, it still allows me to redownload it. The only problem is when I click download, I get that message.
    And nobody else uses my computer, but I do have multiple accounts authorized on it. Even still though, I am attempting to download it through the account I purchased it under. :/

  • How to create a new rule in Windows Firewall to permit some specific IPs and block all other computers

    Hello,
    I have a Win7 PC. I want to block all incoming connections except 3 or 4 IPs. How can I do this?
    I created a new rule to block all connections using these steps:
    Inbound rules > New Rule > Custom > All Programs > All Protocols / Ports > All Local/Remote IPs > Block the connection > All profiles > Then I gave it a name
    This rule works fine and blocks all incoming connections.
    Then I wanted to create a new rule to allow specific IPs using these steps:
    Inbound rules > New Rule > Custom > All Programs > All Protocols / Ports > Remote IPs: 192.168.10.5, 192.168.10.10 > Allow the connection > All profiles > Then I gave it a name
    But 192.168.10.5 and 192.168.10.10 couldn't reach the W7 machine.
    (If the rules are disabled or the FW is off, both IPs can reach the W7 machine)
    Thanks

    Hi,
    How did you check these two IP addresses? Through remote access? According to your description, it should only allow the remote IPs to access this computer. Please also allow the local IP for testing.
    Roger Lu
    TechNet Community Support

  • [Solved] SSH not working (ISP blocks my port 22)

    OK, full story:
    I want to be able to connect to my home Arch Linux box from school. The setup there is WinXP machines with PuTTY on my USB stick or on the PC itself. I know that my school is not blocking any ports as my friend can connect to his Linux box at home (also SSH).
    These are the things I did and can think of that I need to do to get SSH working:
    Before everything else I started to configure my Linksys router.
    My ISP gives me a dynamic IP so I need to use the dyndns.org service. I made an account and configured my Linksys router's DDNS tab to work with the account. I went into the port forward tab and put in SSH port forwarding (on port 22 TCP for my IP 192.168.1.102 => did ifconfig to be sure). Port forwarding for port 9091 is also on for my Transmission web GUI; I'm saying this here because this works when I'm at school.
    1. Installed openssh
    # pacman -S openssh
    All installed fine.
    2. I've put the sshd into the daemon part of my rc.conf file.
    DAEMONS=(syslog-ng network netfs crond @alsa @g15daemon @samba @sshd dbus hal)
    3. Hosts.allow file =
    # /etc/hosts.allow
    SSHD: ALL
    # End of file
    4. Hosts.deny =
    # /etc/hosts.deny
    ALL: ALL: DENY
    # End of file
    5. sshd_config file =
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.
    #Port 22
    #AddressFamily any
    ListenAddress 0.0.0.0
    #ListenAddress ::
    # Disable legacy (protocol version 1) support in the server for new
    # installations. In future the default will change to require explicit
    # activation of protocol 1
    Protocol 2
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # To disable tunneled clear text passwords, change to no here!
    #PasswordAuthentication yes
    #PermitEmptyPasswords no
    # Change to no to disable s/key passwords
    ChallengeResponseAuthentication no
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no
    #ChrootDirectory none
    # no default banner path
    Banner /etc/issue
    # override default of no subsystems
    Subsystem sftp /usr/lib/ssh/sftp-server
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # ForceCommand cvs server
    6. ssh_config file=
    # $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
    # This is the ssh client system-wide configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # users, and the values can be changed in per-user configuration files
    # or on the command line.
    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.
    # Site-wide defaults for some commonly used options. For a comprehensive
    # list of available options, their meanings and defaults, please see the
    # ssh_config(5) man page.
    Host *
    # ForwardAgent no
    # ForwardX11 no
    # RhostsRSAAuthentication no
    # RSAAuthentication yes
    # PasswordAuthentication yes
    # HostbasedAuthentication no
    # GSSAPIAuthentication no
    # GSSAPIDelegateCredentials no
    # BatchMode no
    # CheckHostIP yes
    # AddressFamily any
    # ConnectTimeout 0
    # StrictHostKeyChecking ask
    # IdentityFile ~/.ssh/identity
    # IdentityFile ~/.ssh/id_rsa
    # IdentityFile ~/.ssh/id_dsa
    # Port 22
    # Protocol 2
    # Cipher 3des
    # Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    # MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
    # EscapeChar ~
    # Tunnel no
    # TunnelDevice any:any
    # PermitLocalCommand no
    # VisualHostKey no
    HashKnownHosts yes
    StrictHostKeyChecking ask
    7. I'm sure SSH is running; I even did => /etc/rc.d/sshd restart
    8. I have never installed any firewall on my Arch box (that I know of). I can connect to it using my other Linux laptop:
    ssh -p 22 192.168.1.102 => works
    ssh -p 22 xxxxxx.dyndns.org => works (xxx replaced by my dyndns.org domain)
    ssh -p 22 9x.xxx.xxx.xx5 => works (xxx is my normal WAN IP of course)
    Keep in mind that Transmission port forwarding is working fine. I can connect from everywhere to my web GUI which is on port 9091. Can anyone help me figure out what's wrong?
    Last edited by Redostrike (2010-02-25 17:06:14)

    Wild guess but:
    # /etc/hosts.allow
    SSHD: ALL
    # End of file
    I don't know if this is case-sensitive, but if it is, it should be "sshd".
    If it doesn't work, it doesn't hurt to try.

  • Adding NetGear Prosafe 8-port Gigabit VPN Firewall to existing TimeCapsule Network

    I need some help and direction with this one...
    What I currently have setup and what I am doing on a day to day is as follows;
    Cox Cable Broadband > ISP Cable Modem > Time Capsule > Airport Express v1 + Airport Express v2 (both extending wireless). I have a Dell/Windows Server set up as a Media Server and also have it set up to accept VPN connections as well. I remote into my network quite a bit as well as VPN into it quite a bit, I RDP into the Dell Server as well as an iMAC and MacBook Pro from time to time. I have PS3, Xbox360, Apple TV 1stG and 2ndG, 2011iMac, 2011MacBookPro, iPAD3 and various other wireless clients. I would really like to add as much security as I possibly can and thought adding a hardware firewall would be a good step.
    So I purchased a NetGear ProSafe 8-port Gigabit VPN Firewall that I would install on my network and have everything behind that. The problem is I have no idea how to set it up for the best protection and performance. The only thing I found online is putting it behind my TC, which would then leave my wireless clients outside the firewall? I'm usually pretty good with this stuff, but this time I'm just completely confused and not even sure if I need this or if it's completely useless. I do like the TimeCapsule also running 2 Airport Express (v1 & v2) to extend my wireless network, but I'm not sure if it's as secure as it could be.
    If this was a good step buying a hardware firewall, and from what I've read the model I bought (FVS318G) is pretty good, it's also solving a problem I have had with my network, which is needing Ethernet access. Time Capsule only has 3 ports so I figured this would also solve the lack of Ethernet ports as well.
    I'm thinking I would go from Modem > NetGear (DHCP enabled) > Time Capsule (somehow turn DHCP/Router off) > all my network clients.
    Can anyone offer advice?? How should I configure this? Is it pointless? Return the Netgear Firewall? Buy a different hardware firewall???
    *BTW* I have software security covered, just want to add hardware as well.
    Any help/suggestions would be extremely helpful!
    Thank you!

    I am not sure who made the suggestion for the VPN router to be behind the TC.. they do that sometimes for connection to a VPN for downloading TV shows etc.. but your proposed network layout is correct.
    I'm thinking I would go from Modem > NetGear (DHCP enabled) > Time Capsule (somehow turn DHCP/Router off) > all my network clients.
    All correct.. The Netgear has to be the one and only router.. otherwise the VPN will not give you access to the rest of the network behind the NAT.
    So easy peasy.. bridge the TC.. use the 5.6 utility if on Lion.. you will need to download and install it..
    http://support.apple.com/kb/DL1482
    Lion v6 is a toy..
    Go to manual setup, internet tab. Connection sharing.. off, bridge mode. Update the TC.. voila, you are done.
    You should probably reboot the whole network, as the Expresses will now need to get an IP from the Netgear, not the TC. Tell us if you run into trouble, but everything should work, although it may require a reset and redo of the setup of the TC and Express to get everything smooth again.
    Next issue.. hardware and software firewalls.. sometimes produce the Great Wall of China.. very secure... oh so secure nothing gets in.. or out. I do not know the Netgear.. but I would start with whatever the lowest preset is for the firewall, and see if you have issues.
    And of course then do the VPN setup.. which is a lot of fun.. (read strong sarcasm). But once you establish the tunnel it should then give you access to the whole network.. you will not need to use RDP unless you need to actually take over a computer.
    VPN firewall is the RIGHT WAY.. albeit it can be painful in the initial stages.
