<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
    xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:admin="http://webns.net/mvcb/"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
	<channel>
	  <title>Ask MetaFilter posts tagged with firewall</title>
      <link>http://ask.metafilter.com/tags/firewall</link>
      <description>tag posts with firewall</description>
	  	  <pubDate>Mon, 21 Jul 2008 09:06:12 -0800</pubDate>
      <lastBuildDate>Mon, 21 Jul 2008 09:06:12 -0800</lastBuildDate>

      <language>en-us</language>
	  <docs>http://blogs.law.harvard.edu/tech/rss</docs>
	  <ttl>60</ttl>	  
	<item>
	<title>XP Filter:  I set up a non admin account for safer computing -- Am I safe enough now?</title>
	<link>http://ask.metafilter.com/97107/XP-Filter-I-set-up-a-non-admin-account-for-safer-computing-Am-I-safe-enough-now</link>	
	<description>I&apos;ve read so much here lately &lt;a href=&quot;http://ask.metafilter.com/90788/Help-me-make-a-PC-safe&quot;&gt;1&lt;/a&gt; &lt;a href=&quot;http://ask.metafilter.com/96996/How-safe-is-Firefox-20&quot;&gt;2&lt;/a&gt; &lt;a href=&quot;http://ask.metafilter.com/59546/do-the-right-thing-AND-know-what-day-it-is&quot;&gt;3&lt;/a&gt; about not browsing as an admin, decided to &lt;a href=&quot;http://lifehacker.com/software/windows-tip/quickly-check-if-youre-logged-in-as-administrator-255758.php&quot;&gt;check it out&lt;/a&gt; and yepper, I surely was using an admin account.  I&apos;ve set up a non admin account, made a few other changes (described inside), hoping to find out from The Hive Mind if I am now safe enough to breathe easy(er). Ya&apos;ll put the fear of computer death into me, I finally decided to check and yeah, I was doing it &lt;em&gt;wrong wrong wrong&lt;/em&gt;.  So I set about trying to get my mind (and puter) right in the eyes of The Hive Mind.&lt;br&gt;
&lt;br&gt;
I set up an account without Admin rights, and will use this for most everything from now on.&lt;br&gt;
&lt;br&gt;
I left both accounts without passwords because of reading &lt;a href=&quot;http://nonadmin.editme.com/RunningAsNonAdmin&quot;&gt;this post&lt;/a&gt; -- is this a good plan, or is this guy off the wall?&lt;br&gt;
&lt;br&gt;
I am using a fairly fresh XP install (maybe two months) and I&apos;m pretty sure I&apos;m still clean -- I&apos;ve run Spybot and AdAware, updated as needed, maybe every couple weeks.&lt;br&gt;
&lt;br&gt;
I&apos;m using AVG Anti-Virus Free and update it as it says it&apos;s needed.  &lt;br&gt;
&lt;br&gt;
I&apos;m using the ZoneAlarm free firewall -- I LOVE that it allows me to determine when software decides to &apos;call home&apos; and I get to decide -- Apple is pretty determined with this, I&apos;ve found, and so is Open Office, a few others.&lt;br&gt;
&lt;br&gt;
I&apos;ve got Windows Auto Update turned on but not to auto download and install -- I want it to prompt me and let me decide if and when.  &lt;br&gt;
&lt;br&gt;
I&apos;m using MS Windows Defender and upgrading as it suggests.&lt;br&gt;
&lt;br&gt;
I&apos;m using Firefox 3 upgraded automatically any time they suggest, and running AdBlock Plus and NoScript, updated when suggested.&lt;br&gt;
&lt;br&gt;
If any site gives me problems in Firefox, I first try Opera (updated as needed) and then IE7, last resort.  I run IE Tab through Firefox rather than firing up IE7, and I only use it on sites that demand IE7 (NetFlix, Sprint, a couple of others) -- I&apos;m hoping this helps me but I don&apos;t actually know if it adds safety or not.  I update IE7 as Windows Update suggests, pretty sure I&apos;m always current.&lt;br&gt;
&lt;br&gt;
I&apos;m using Foxit PDF rather than Adope bloatware.&lt;br&gt;
&lt;br&gt;
&lt;a href=&quot;http://ask.metafilter.com/90788/Help-me-make-a-PC-safe&quot;&gt;&quot;Aye&quot; suggested Disabling all AutoRun and AutoPlay options with TweakUI&lt;/a&gt; (a Microsoft PowerToy) is this needed/wanted?&lt;br&gt;
&lt;br&gt;
What have I missed?  Where have I gone overboard?  I want safety but don&apos;t want to live locked down so hard I cannot move.&lt;br&gt;
&lt;br&gt;
Thanx in advance.&lt;br&gt;
&lt;br&gt;
Peace.&lt;br&gt;
&lt;br&gt;
dancestoblue</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.97107</guid>
	<pubDate>Mon, 21 Jul 2008 09:06:12 -0800</pubDate>

<category>XP</category>

<category>Windows</category>

<category>admin</category>

<category>useraccount</category>

<category>Firefox</category>

<category>IE7</category>

<category>browser</category>

<category>virus</category>

<category>malware</category>

<category>firewall</category>

	<dc:creator>dancestoblue</dc:creator>
	</item>
	<item>
	<title>Can I edit my Akismet plugin?</title>
	<link>http://ask.metafilter.com/96525/Can-I-edit-my-Akismet-plugin</link>	
	<description>Can I edit the Akismet plugin I use on my Wordpress blog? My host has a firewall which is preventing my Akismet plugin from working properly. They offered me a proxy address and number I can use instead, but I don&apos;t know how to get the plugin to use them. (Alternatively, can you recommend a good comment-spam catcher that won&apos;t run into firewall problems?) I&apos;ve asked the Akismet people for help with this, but they say they don&apos;t provide that level of service. &lt;br&gt;
&lt;br&gt;
I&apos;ve never modified a plug-in before, but would be happy to get my hands dirty if given clear instructions. &lt;br&gt;
&lt;br&gt;
My previous host had no problems with it (just terrible customer service).  I was really happy with how well Akismet worked, so I&apos;d prefer to keep it going if possible.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.96525</guid>
	<pubDate>Mon, 14 Jul 2008 04:08:22 -0800</pubDate>

<category>akismet</category>

<category>wordpress</category>

<category>firewall</category>

<category>php</category>

	<dc:creator>harriet vane</dc:creator>
	</item>
	<item>
	<title>Help me securely share folders across different networks</title>
	<link>http://ask.metafilter.com/95566/Help-me-securely-share-folders-across-different-networks</link>	
	<description>Help me share a folder across the internet without compromising my firewall I have a desktop at work with multiple hard drives and a large amount of data. Lately I have been working at several remote research sites and find the need to grab files from the desktop. So I shared some folders and restricted access to my username. The desktop has a static IP so the share works like so&lt;br&gt;
&lt;br&gt;
\\ip.add.re.ss\share_name&lt;br&gt;
&lt;br&gt;
so far so good. Zone alarm [on the desktop], however, denies access when I am on a different network. I&apos;ve talked to the IT admins at a few of my research sites and entered those IP ranges into my trusted zone but it would be impossible for me to cover every single site (and the occasional coffee shop in the middle of nowhere). What can I do to get around this?&lt;br&gt;
&lt;br&gt;
Sharing works perfectly when zone alarm is turned off. I could, for example, enter 1.1.1.1 to 255.255.255.255 as a trusted range but that would defeat the purpose of having the firewall. I&apos;m stumped.&lt;br&gt;
&lt;br&gt;
Both computers run XP</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.95566</guid>
	<pubDate>Wed, 02 Jul 2008 10:04:46 -0800</pubDate>

<category>firewall</category>

<category>sharing</category>

<category>folder</category>

<category>xp</category>

<category>resolved</category>

	<dc:creator>special-k</dc:creator>
	</item>
	<item>
	<title>My company&apos;s firewall is blocking my website.  Is there anything I can do on my end to fix this?</title>
	<link>http://ask.metafilter.com/91895/My-companys-firewall-is-blocking-my-website-Is-there-anything-I-can-do-on-my-end-to-fix-this</link>	
	<description>My company&apos;s firewall is blocking my website.  Is there anything I can do on my end to fix this? (Be kind, I am a website newb.)  Up until last week, I had no problems accessing my website or its cPanel admin from work.  Now I just get a timed out error even when I just try to load the page (or something of that effect--can&apos;t remember the exact wording.)&lt;br&gt;
&lt;br&gt;
My work is pretty laid back about web surfing during breaks/lunch, etc., and I have never had any problems accessing any other sites (flickr, myspace, youtube) so what could possibly be so bad about my site that they would block it?  It&apos;s just a simple online portfolio.&lt;br&gt;
&lt;br&gt;
My hosting company says that it is because the firewall is blocking the port the cPanel is on and apparently a lot of companies view it as an insecure port?  They said the only thing I could do is request that my company allow it.&lt;br&gt;
&lt;br&gt;
I don&apos;t really want to go that far just to access a personal website from work (I mean, I do have real work to be doing :) but I guess my bigger concern is that if our firewall is blocking it, how many others are as well?  I didn&apos;t even realize that the reason I couldn&apos;t access it was because of the firewall, I just thought the server was down or something.  If other people experience the same thing, might they just think I have an unreliable site?&lt;br&gt;
&lt;br&gt;
Are there any changes I should make to make it more firewall-friendly?  Sorry if these are totally dumb questions, but I am totally new at this website stuff.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.91895</guid>
	<pubDate>Tue, 20 May 2008 07:29:34 -0800</pubDate>

<category>firewall</category>

<category>website</category>

	<dc:creator>Anonymous</dc:creator>
	</item>
	<item>
	<title>Yoggie Pico</title>
	<link>http://ask.metafilter.com/90059/Yoggie-Pico</link>	
	<description>Will &lt;a href=&quot;http://www.linuxdevices.com/articles/AT8368967523.html&quot;&gt;this cute little firewall device&lt;/a&gt; work well with a small Server 2003 domain setup? Found via the always-fun Gadget Show.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.90059</guid>
	<pubDate>Tue, 29 Apr 2008 02:14:37 -0800</pubDate>

<category>yoggie</category>

<category>pico</category>

<category>linux</category>

<category>firewall</category>

	<dc:creator>chuckdarwin</dc:creator>
	</item>
	<item>
	<title>Trying to stream at work</title>
	<link>http://ask.metafilter.com/88736/Trying-to-stream-at-work</link>	
	<description>How can I listen to NPR on my office PC when audio/video streaming is not allowed? I cannot get streaming audio from npr.org.  Nor can I get video from the usual sources, cnn.com, etc.  Oddly, I can get streaming audio from &lt;a href=&quot;http://projectvibe.net/&quot;&gt;Project Vibe&lt;/a&gt; by setting the &quot;listen now&quot; properties to &quot;Hi Bandwith (FM quality)&quot; and &quot;Stand Alone Windows Media.&quot;&lt;br&gt;
&lt;br&gt;
How can I replicate this process so that I can listen to NPR?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.88736</guid>
	<pubDate>Mon, 14 Apr 2008 07:28:40 -0800</pubDate>

<category>stream</category>

<category>streaming</category>

<category>audio</category>

<category>projectvibe</category>

<category>npr</category>

<category>firewall</category>

	<dc:creator>Juicylicious</dc:creator>
	</item>
	<item>
	<title>&quot;Reverse&quot; firewall testing?</title>
	<link>http://ask.metafilter.com/88488/Reverse-firewall-testing</link>	
	<description>Simply put, I would like to determine which (outgoing) ports are open and which are closed on my company&apos;s network. They have a firewall blocking most ports...so far I can only get through port 80 and port 443.  I know for example, ports 23, 25, 110 and 6667 are blocked.

So I may be over-thinking this, but what I think I need to do is find a way to listen on all ports (or at least a select list) on an external computer, then scan that computer&apos;s IP from inside the network to see what connects...

The catch: I would like to open these ports for connections without having to install servers that actually use those ports. If we&apos;re talking a couple hundred ports, I don&apos;t want to install and configure a couple hundred server apps. (or all 65535?)

Does anyone know of an app that will open &apos;fake&apos; ports on a system and respond with some sort of generic server type?

I know I&apos;ve seen such an app before, but I just don&apos;t remember what it was called, and my google skillz are not coming through this time.

Side note: I originally thought what I was looking for was a &quot;leak tester&quot; ...but this isn&apos;t quite right, as it is testing incoming ports, not outgoing ports.

Thanks,</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.88488</guid>
	<pubDate>Thu, 10 Apr 2008 20:30:09 -0800</pubDate>

<category>firewall</category>

<category>security</category>

	<dc:creator>AltReality</dc:creator>
	</item>
	<item>
	<title>New software for a new computer?</title>
	<link>http://ask.metafilter.com/84392/New-software-for-a-new-computer</link>	
	<description>I&apos;m setting up my spankin&apos; new computer.  So far I&apos;ve downloaded AVG as my anti-virus solution, but I&apos;m not sure which way to go for anti-spyware.   Is Ad-Aware still any good?  Should I use ZoneAlarm (which doesn&apos;t play nice with Adaware), or is there something better?  And does anyone have experience with AVG&apos;s anti-spyware setup?  I realize that ZoneAlarm serves more of a &quot;firewall&quot; niche, so input / corrections are appreciated.  Anyone have experience with AVG&apos;s anti-spyware solution?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.84392</guid>
	<pubDate>Sat, 23 Feb 2008 08:39:31 -0800</pubDate>

<category>security</category>

<category>newcomputer</category>

<category>avg</category>

<category>zonealarm</category>

<category>avast!</category>

<category>adaware</category>

<category>lavasoft</category>

<category>firewall</category>

<category>spyware</category>

	<dc:creator>&#xae;@</dc:creator>
	</item>
	<item>
	<title>That&apos;s not art, that&apos;s my firewall!</title>
	<link>http://ask.metafilter.com/80056/Thats-not-art-thats-my-firewall</link>	
	<description>How do you draw a picture depicting firewall rules? Do you know of any examples? I&apos;m looking for a way to depict firewall rules as a picture or graph, sort of like a network diagram. Can you point me to examples or documentation on standard ways of depicting firewall rules graphically?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.80056</guid>
	<pubDate>Thu, 03 Jan 2008 10:05:41 -0800</pubDate>

<category>network</category>

<category>firewall</category>

<category>graphing</category>

	<dc:creator>grumpy</dc:creator>
	</item>
	<item>
	<title>Take me to Mac network security school.</title>
	<link>http://ask.metafilter.com/77940/Take-me-to-Mac-network-security-school</link>	
	<description>I noticed this morning in my system logs that I had some failed FTP and SSH login attempts from an IP in China.  I thought I was going to have to get all Cliff Stoll on this guy, but then looking back further I saw that this has been happening for months, from lots of different IP addresses. I&apos;m many things, but I have never claimed to be a network guy.  I know my way around the command line, for the most part, but after the basic network utilities, I&apos;m done.  Further, I&apos;ve been pretty lax with network security, generally having a &quot;wouldn&apos;t happen to me&quot; sort of attitude about hackers.  That being said, I admittedly have a very insecure setup between the outside world and my computer.  My router is set with DMZ to my computer, so I can get to it easily. I have web sharing, remote desktop, ssh, ftp, and afp enabled -- and use all of them regularly.  Up until about half an hour ago, I also had my software firewall disabled.&lt;br&gt;
&lt;br&gt;
On the other hand, fortunately, my passwords are strong, and the root account isn&apos;t enabled.&lt;br&gt;
&lt;br&gt;
After seeing the mountain of failed login attempts, I&apos;ve become a little more paranoid, and would like to be more cautious.  A few questions, though:&lt;br&gt;
&lt;br&gt;
1.  These people trying to break in, do they just do pings of a range of IP addresses until one responds, and then have a program that just tries a whole lot of logins/passwords at that IP?  I see lots of attempts for Administrator, root, and mysql, but there are also attempts for random ones like &apos;raphael&apos;.  What&apos;s the deal?&lt;br&gt;
&lt;br&gt;
2.  I have test users on my system for debug purposes, some of them with admin rights.  Is there any way to disallow these users to log in with ftp and ssh?  How paranoid should I be?   &lt;br&gt;
&lt;br&gt;
3.  I&apos;d still like to be able to access my computer from the outside world using the same services I have been before, but I&apos;m thinking I should start using my firewall properly, and take off DMZ and enable port forwarding instead, right?  Question is, how is this any better at preventing break in attempts?  If I can get in here from the outside, they could too, right?&lt;br&gt;
&lt;br&gt;
Any other tips, suggested readings, or words of wisdom?  School me.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.77940</guid>
	<pubDate>Wed, 05 Dec 2007 18:12:01 -0800</pubDate>

<category>security</category>

<category>macosx</category>

<category>mac</category>

<category>firewall</category>

<category>ftp</category>

<category>ssh</category>

	<dc:creator>jeffxl</dc:creator>
	</item>
	<item>
	<title>Anti-virus comparisons and Vista Firewall?</title>
	<link>http://ask.metafilter.com/75999/Antivirus-compartions-and-Vista-Firewall</link>	
	<description>Where can I find detailed information on anti-virus software comparisons? I&apos;ve heard of and seen some charts that display details such as catch rates and etc but have never known the exact source. Something like this perhaps: http://virus.untangle.com/ but a more broad spectrum, preferably one that includes AVG and Avast!

Also what is the best firewall for Windows Vista?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.75999</guid>
	<pubDate>Sun, 11 Nov 2007 14:44:28 -0800</pubDate>

<category>anti-virus</category>

<category>virus</category>

<category>security</category>

<category>firewall</category>

<category>networking</category>

<category>vista</category>

	<dc:creator>meta.mark</dc:creator>
	</item>
	<item>
	<title>IMAP proxying help needed</title>
	<link>http://ask.metafilter.com/75502/IMAP-proxying-help-needed</link>	
	<description>My work&apos;s firewall recently began blocking outbound traffic that isn&apos;t on ports 22, 80, and 443, and I&apos;d like to use my home router (running openwrt) to proxy my personal IMAP email so I can read it from work. I&apos;m pretty network and linux-savvy, but I haven&apos;t really tried this out before, so I thought I&apos;d solicit some advice.  What I figure is that I&apos;ll point to my home address via dyndns or the like and then, for requests originating from my work subnet, forward the requests on to my ISP&apos;s imap server.  Here&apos;s some k-R4d ascii art to illustrate what I&apos;m going for:&lt;br&gt;
&lt;pre&gt;[work PC] ----&amp;gt; [work firewall] ---&amp;gt; [home router] ---&amp;gt;      [isp]&lt;br&gt;
pc.work.com     fw.work.com          myrouter.dyndns.org     imap.isp.net&lt;br&gt;
&lt;/pre&gt;&lt;br&gt;
So on my router, I want to forward requests for router.dyndns.org:443 to imap.isp.net:143.&lt;br&gt;
&lt;br&gt;
I&apos;m running the latest version of Thunderbird as an email client.  At home I have OpenWRT running on a Linksys WRT54G (it&apos;s running the release before kamikaze, IIRC, but I can upgrade it easily enough if I need to).  I&apos;d like to run whatever software I need to on the router itself, so I don&apos;t need to keep a machine in my home network on all the time and poke a hole in my home firewall.&lt;br&gt;
&lt;br&gt;
Has anyone had experience with doing this?  In particular I&apos;m wondering if the IMAP protocol itself involves my client sending out its own IP address (pc.work.com) and then confusing the IMAP server at imap.isp.net, which should actually be talking to myrouter.dyndns.org.&lt;br&gt;
&lt;br&gt;
My iptables skills are a little rusty, so if anyone has specific examples of the commands to use, I&apos;d be grateful.&lt;br&gt;
&lt;br&gt;
Also, could someone tell me if there&apos;s a better solution than just forwarding the raw TCP traffic?  Is this something setting up a SOCKs server on myrouter.dnydns.org could solve?  I do have one other IMAP account I&apos;d like to access if I could, and I wouldn&apos;t mind getting around my workplace&apos;s HTTP content filters if I can do so easily.  Neither one of these concerns is a big deal, though - mostly I just want to be able to access my personal email account.  And now that I&apos;m thinking about it, I&apos;d like to be able to send SMTP mail from pc.work.com through my ISP if I can, too, without letting spammers use my router for nefarious purposes.&lt;br&gt;
&lt;br&gt;
I&apos;ve also seen some linux software out there specifically for proxying imap (called &quot;imapproxy&quot; or something?), but I didn&apos;t see a version compiled for openwrt specifically - I&apos;m not averse to setting up a wrt toolchain if I need to, but I&apos;d rather not spend time on that if there&apos;s an easier way.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.75502</guid>
	<pubDate>Mon, 05 Nov 2007 12:01:58 -0800</pubDate>

<category>proxy</category>

<category>imap</category>

<category>openwrt</category>

<category>routing</category>

<category>firewall</category>

<category>email</category>

<category>networking</category>

<category>tcp</category>

<category>tcpip</category>

	<dc:creator>whir</dc:creator>
	</item>
	<item>
	<title>Bizarre Linux Networking Problem</title>
	<link>http://ask.metafilter.com/72794/Bizarre-Linux-Networking-Problem</link>	
	<description>I have a server running Centos 5. It&apos;s currently refusing outside connections to any port except port 22. ip-tables and SELinux are both disabled. Whiskey Tango Foxtrot? By outside connections, I mean any connection that&apos;s not localhost. So, for example, I can telnet to localhost port 25, but from a machine on the same subnet (255.255.255.0) it refuses the connection. I&apos;ve also checked /etc/hosts.allow and /etc/hosts.deny, both are empty and in xinetd.conf no_access and only_from remain unset.&lt;br&gt;
&lt;br&gt;
Seriously guys, I&apos;m sure I&apos;m missing something really stupid, but I&apos;m baffled at the moment.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.72794</guid>
	<pubDate>Mon, 01 Oct 2007 16:13:23 -0800</pubDate>

<category>unix</category>

<category>centos</category>

<category>networking</category>

<category>firewall</category>

<category>linux</category>

<category>tcp-ip</category>

	<dc:creator>signalnine</dc:creator>
	</item>
	<item>
	<title>Help me bypass the great firewall of China?</title>
	<link>http://ask.metafilter.com/71568/Help-me-bypass-the-great-firewall-of-China</link>	
	<description>I&apos;m having trouble with people accessing my server from within China. Maybe you can help me bypass the great firewall? The full scoop:&lt;br&gt;
&lt;br&gt;
I run the web/email server for my wife&apos;s small family business. There are some employees here in the states, and some in China. The server itself is located in Texas. The folks here in the states never have any trouble accessing the server for email/web/etc, but the folks in China have intermittent access to the server in general. I&apos;m most concerned about the email access, for what it&apos;s worth. I run pop3 off ports 25 and 26, with SSL available. I have tried using both with SSL and without on the China clients with no difference in performance.&lt;br&gt;
&lt;br&gt;
During the times when it&apos;s down, I can&apos;t even ping the server from the computers in China. Doing a traceroute just shows stars (timeout) after the first hop or so. I&apos;m guessing we&apos;re running into the &quot;great firewall of China&quot;.&lt;br&gt;
&lt;br&gt;
The server has its own (4) dedicated IP&apos;s, so we&apos;re not sharing with any other website that may be controversial - although there may be some websites in our local subnet that are being blocked (I&apos;m not sure). &lt;br&gt;
&lt;br&gt;
The employees in China aren&apos;t very technically adept, so I can&apos;t have any solutions that require technical knowledge on a frequent basis - but I do have access to their computers remotely and can set up any kind of software/settings as needed. The computers over in China are running Windows XP.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.71568</guid>
	<pubDate>Fri, 14 Sep 2007 13:51:25 -0800</pubDate>

<category>firewall</category>

<category>china</category>

<category>server</category>

	<dc:creator>escher</dc:creator>
	</item>
	<item>
	<title>filter/firewall new workaround?</title>
	<link>http://ask.metafilter.com/70684/filterfirewall-new-workaround</link>	
	<description>Please help me see if this gets around filters/ firewalls at work school. If you are blocked from certain sites at work / school can you see if this works: Go here&lt;br&gt;
&lt;br&gt;
http://www.t-mobile.co.uk/services/mobile-tv-video-services/mobile-tv/webnwalk-demos/&lt;br&gt;
&lt;br&gt;
Click on a phone and then surf the web through a virtual demo phone.&lt;br&gt;
&lt;br&gt;
I would be especially keen to see if this gets past the &quot;Gt. Firewall&quot;. You know what that is if you suffer with it.&lt;br&gt;
&lt;br&gt;
BTW I am not on T-mobile and have no links to them I just want to see if it is a new workaround.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.70684</guid>
	<pubDate>Mon, 03 Sep 2007 11:23:51 -0800</pubDate>

<category>firewall</category>

	<dc:creator>priorpark17</dc:creator>
	</item>
	<item>
	<title>Bandwidth throttling / traffic shaping on Fedora Core 6</title>
	<link>http://ask.metafilter.com/69920/Bandwidth-throttling-traffic-shaping-on-Fedora-Core-6</link>	
	<description>How do you set up bandwidth throttling / traffic shaping on Fedora Core 6? We have a server here at the office running Fedora Core 6. The server is mainly used as a Web and file sharing server. (I.e.: It is not used as a network authentication server or as a DHCP server.)&lt;br&gt;
&lt;br&gt;
The servers, including that one, and all our workstations are all connected to a switch, then a small D-Link router, the DSL modem, and finally, of course, the Internet. We run test Web sites on our server which clients can access from the outside.&lt;br&gt;
&lt;br&gt;
We are trying to limit how much outgoing bandwidth the server can use when a client connects to our server. We only have one DSL line for now, and with 15 people on the network, things can get slow. When clients connect to our server, it doesn&apos;t help.&lt;br&gt;
&lt;br&gt;
I tried setting up bandwidth throttling / traffic shaping on the Fedora Core 6 server. First, how do you call it? &quot;Bandwidth throttling&quot; or &quot;traffic shaping&quot;?&lt;br&gt;
&lt;br&gt;
After I read a bit of documentation about iproute, shorewall, iptables, and trickle, frankly, I&apos;m more at a loss than before. Is it possible to just use iptables to set it up? We also have Webmin installed on it -- can I do it with that? Any recommendations?&lt;br&gt;
&lt;br&gt;
Any help would be appreciated. Thanks in advance!</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.69920</guid>
	<pubDate>Thu, 23 Aug 2007 05:42:49 -0800</pubDate>

<category>iptables</category>

<category>firewall</category>

<category>bandwidth</category>

<category>fedoracore6</category>

<category>linux</category>

	<dc:creator>remi</dc:creator>
	</item>
	<item>
	<title>Cisco PIX 501 Firewall</title>
	<link>http://ask.metafilter.com/69690/Cisco-PIX-501-Firewall</link>	
	<description>Can the Cisco PIX 501 be upgraded with any firmware so that it is IP Version 6 (IPv6) Compatible? We have a Cisco PIX 501 as seen in the link below...&lt;br&gt;
&lt;br&gt;
&lt;a&gt;http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html&lt;/a&gt;&lt;br&gt;
&lt;br&gt;
Is there any way for the firmware to be upgraded so that it is IP Version 6 (IPv6) Compatible?  If not, is there a comparable router that we can purchase that is?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.69690</guid>
	<pubDate>Mon, 20 Aug 2007 05:14:45 -0800</pubDate>

<category>Network</category>

<category>networking</category>

<category>internet</category>

<category>firmware</category>

<category>hardware</category>

<category>router</category>

<category>firewall</category>

	<dc:creator>kaozity</dc:creator>
	</item>
	<item>
	<title>How do I SFTP over an HTTP proxy with a mac?</title>
	<link>http://ask.metafilter.com/67685/How-do-I-SFTP-over-an-HTTP-proxy-with-a-mac</link>	
	<description>I have a Mac running OSX and use programs like Coda and Transmit to send out files. However, on certain networks, the only access I have to the net is via an http proxy (with no https, even!) . 

I understand there are ways to tunnel sftp over http but could not find an easy guide (or set of tools) to do so in a way where I can attach such tunneling to one profile (ie. CUSTOMER or WORK) and not have the proxying happen on another profile (ie. HOME) The challenge comes from the fact that the network is so clamped down that the http way is the only way (the good news is that it&apos;s on port 8090 and that windows applications seem to be able to proxy over 8090 without restrictions)&lt;br&gt;
&lt;br&gt;
What I&apos;m looking for is a WYSIWYG software package that would allow me to easily establish a link from my sftp client to tunnel over the http port back out to the Internet (and possibly also tunnel things like Skype over that http proxy)&lt;br&gt;
&lt;br&gt;
Any ideas?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.67685</guid>
	<pubDate>Tue, 24 Jul 2007 07:15:46 -0800</pubDate>

<category>mac</category>

<category>osx</category>

<category>proxy</category>

<category>tunnel</category>

<category>firewall</category>

	<dc:creator>TNLNYC</dc:creator>
	</item>
	<item>
	<title>How To Admin my Home Mac from Work Windows! Proxies and Firewalls Everywhere!</title>
	<link>http://ask.metafilter.com/66985/How-To-Admin-my-Home-Mac-from-Work-Windows-Proxies-and-Firewalls-Everywhere</link>	
	<description>I need a little help setting up remote admin (VNC) access for Mac OS X 10.4.10 from a Windows client at work. Firewalls on both ends, significant port restrictions at work, and FYI, I&apos;ve googled this into the ground. The closest I&apos;ve come to something useful is &lt;a href=&quot;http://www.macosxhints.com/article.php?story=20051102173302946&amp;query=remote%2Badmin%2Bwindows%2Bmac&quot;&gt;this post,&lt;/a&gt; &lt;a href=&quot;http://www.macosxhints.com/article.php?story=20070302234400232&amp;query=mac%2Bos%2Bport%2Bforwarding&quot;&gt;this post,&lt;/a&gt; and &lt;a href=&quot;http://www.macosxhints.com/article.php?story=20050429153115383&quot;&gt;this one&lt;/a&gt; on MacOSXHints.com, but a lot (read: most) of the crucial concepts are just not sinking in for some reason. Hope Me!&lt;br&gt;
&lt;br&gt;
Here&apos;s my setup:&lt;br&gt;
&lt;br&gt;
1 - Mac OS Tiger computer (acting as a file server) in my home router&apos;s DMZ with SSH and Remote Access turned on in the Preferences. Complicating note: I&apos;m presenting SSH over both port 22 and port 443 for the reason listed below. &lt;br&gt;
&lt;br&gt;
2 - Windows XP Pro desktop at work with local system admin privileges in place. I have both Putty and UltraVNC installed and running. Our proxy only allows outbound connections from ports 80 and 443, hence the complication at home.  No big deal, only took about 2 hours and much hair pulling to figure out.&lt;br&gt;
&lt;br&gt;
3 - Have successfully set up a DynDNS.org account pointing to my home IP, no problem.&lt;br&gt;
&lt;br&gt;
Right now, I can connect from work with a Putty session via myurl.blah.blah:443 (to get through my proxy) and it works fine. W00t! I&apos;m badly stuck at the next step, though; how do I then successfully connect with a VNC client from work to port 5900 on the home Macintosh?&lt;br&gt;
&lt;br&gt;
Other notes: I have remote access to my desktop at work via RDP using a Java implementation of a Citrix client, which works fine, so I can accomplish all of my config and testing from home. Which is pretty cool, if you ask me.&lt;br&gt;
&lt;br&gt;
Thanks in advance, all.&lt;br&gt;
&lt;br&gt;
(I know I &lt;a href=&quot;http://www.metafilter.com/activity/26386/posts/ask/&quot;&gt;ask a lot of questions,&lt;/a&gt; but my life is so much better thanks to ask.me.  Y&apos;all rock.)</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.66985</guid>
	<pubDate>Sat, 14 Jul 2007 11:14:26 -0800</pubDate>

<category>macosx</category>

<category>10.4.10</category>

<category>remote</category>

<category>admin</category>

<category>ssh</category>

<category>proxy</category>

<category>firewall</category>

<category>windows</category>

<category>client</category>

	<dc:creator>ZakDaddy</dc:creator>
	</item>
	<item>
	<title>Quis custodiet ipsos custodes?</title>
	<link>http://ask.metafilter.com/64169/Quis-custodiet-ipsos-custodes</link>	
	<description>IT is taking my work computer for an hour tomorrow for something called &quot;Domain Migration&quot;.  Is there a way to find out exactly what they&apos;re doing? &lt;old company 1&gt; and &lt;old company 2&gt; are being fully combined as &lt;new company&gt; - so it&apos;s entirely understandable that they want some more consistency with the networking stuff.  They say they need my computer &quot;in order to connect to the new domain from the network&quot;, and I believe them (mostly), but I&apos;m still a little paranoid that they&apos;re going to start looking over my shoulder.  &lt;br&gt;
&lt;br&gt;
Is there any way to tell, or anything I should do in anticipation?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.64169</guid>
	<pubDate>Tue, 05 Jun 2007 16:29:18 -0800</pubDate>

<category>domain</category>

<category>migration</category>

<category>firewall</category>

	<dc:creator>puddleglum</dc:creator>
	</item>
	<item>
	<title>Advanced Network Routing</title>
	<link>http://ask.metafilter.com/61411/Advanced-Network-Routing</link>	
	<description>Is it possible to configure a Mac OS X Server to route incoming and outgoing traffic via two different interfaces? Here&#8217;s the problem:  we have an Xserve providing various services to a small, company-wide network.  Among other services, it handles DNS, DHCP, and NAT, and acts as the gateway through an asymmetric DSL connection to the Internet.  We&#8217;ve recently begun noticing extremely high latency (over 1000ms,) with no appreciable degradation in download throughput (generally better than 3 Mib/s, as good as 6 Mib/s.)  We seem to have finally diagnosed the source of the latency:  our pitiful upstream is being saturated by larger uploads at just over 384 kib/s.&lt;br&gt;
&lt;br&gt;
Is it possible, using ipfw/dummynet or some other tools, to filter packets destined to travel out on this interface, and reroute them through a secondary interface dedicated to uploading?  Can return traffic still be delivered via the primary interface?&lt;br&gt;
&lt;br&gt;
Any other possible solutions are also welcome.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.61411</guid>
	<pubDate>Thu, 26 Apr 2007 12:37:26 -0800</pubDate>

<category>mac</category>

<category>server</category>

<category>ipfw</category>

<category>firewall</category>

<category>nat</category>

<category>internet</category>

<category>networking</category>

	<dc:creator>ijoshua</dc:creator>
	</item>
	<item>
	<title>Good, free firewalls.</title>
	<link>http://ask.metafilter.com/61368/Good-free-firewalls</link>	
	<description>What&apos;s a good, free firewall I can use on my home PC (running WindowsXP SP2) that &lt;i&gt;isn&apos;t&lt;/i&gt; Zone Alarm Pro, Sygate or Kerio? I currently use the last free version of the Sygate firewall. It&apos;s great and seems to protect my system from attacks well enough (as far as I can tell) but I&apos;m thinking that it&apos;s probably going to start becoming ridiculously obsolete soon (if it isn&apos;t hopelessly so already). So I need a new, preferably free firewall solution for my home computer which is linked via an Ethernet cable to one other home computer.&lt;br&gt;
&lt;br&gt;
I don&apos;t want to use Zone Alarm Pro, for the simple reason that it doesn&#8217;t get on with Nintendo&apos;s Wi-Fi service. So I suppose one other feature that I&apos;d like to see this new firewall use would be compatibility with that service.&lt;br&gt;
&lt;br&gt;
I&apos;ve tried Kerio, but I didn&apos;t like it. Maybe I didn&apos;t configure it correctly when I used it or something, but within a day or so of running it my system had collected more spyware than you could shake a stick at, something which simply hadn&apos;t happened under Sygate. It got so bad that I had to actually restore my Windows installation to a restore point from before Kerio was installed! So suffice it to say, it was a bad experience and I don&#8217;t intend to repeat the Kerio experiment again.&lt;br&gt;
&lt;br&gt;
If there aren&apos;t any free firewalls out there that are worth using, I&apos;d be happy to hear a few recommendations for low cost firewall solutions, but as I&apos;m sure many here would agree, free is pretty much always better.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.61368</guid>
	<pubDate>Wed, 25 Apr 2007 21:12:02 -0800</pubDate>

<category>firewall</category>

<category>security</category>

<category>internet</category>

<category>nintendo</category>

<category>wi-fi</category>

<category>wii</category>

<category>DS</category>

	<dc:creator>Effigy2000</dc:creator>
	</item>
	<item>
	<title>And why isn&apos;t it enabled by default, Steve?</title>
	<link>http://ask.metafilter.com/60416/And-why-isnt-it-enabled-by-default-Steve</link>	
	<description>This is so embarrassing. I&apos;d post it anonymously if I didn&apos;t think I&apos;d have to provide more info. Anyway...I set up my new iMac last night and didn&apos;t even &lt;i&gt;think&lt;/i&gt; about the firewall &apos;til this afternoon. So it was off for something like 12 hours of broadband, static-IP connectedness to the Net. How hosed am I, and is there anything I can do to put some or all of the horses back in the barn?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.60416</guid>
	<pubDate>Wed, 11 Apr 2007 13:34:03 -0800</pubDate>

<category>osx</category>

<category>firewall</category>

<category>damage_control</category>

	<dc:creator>bricoleur</dc:creator>
	</item>
	<item>
	<title>Need new internet security programs</title>
	<link>http://ask.metafilter.com/53366/Need-new-internet-security-programs</link>	
	<description>I need advice for buying a new internet security suite (or individual programs). For the past few years I&apos;ve been using McAfee Internet Security Suite, buying a new version each year to keep up to date, and getting 12 months of virus updates. However, I&apos;ve just read some troubling reviews of McAfee Internet Security Suite 2007 and am thinking I might want to go with something else. I&apos;ve had bad luck with Norton products in the past but will keep an open mind. I like the ease of a suite of products for anti-virus, firewall, anti-spam, etc. but I&apos;m willing to consider separate products. Ease of use wins out over price. Think of this question like, what would you recommend to your mother, and you can&apos;t be there to keep it running right all the time. My computer is Windows XP Media Center Edition. And how much trouble will I have uninstalling my current McAfee Security Suite 2006 if I switch to something else?</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.53366</guid>
	<pubDate>Sun, 17 Dec 2006 12:48:58 -0800</pubDate>

<category>internet</category>

<category>security</category>

<category>suite</category>

<category>McAfee</category>

<category>antivirus</category>

<category>firewall</category>

	<dc:creator>Joleta</dc:creator>
	</item>
	<item>
	<title>ssh tunnel - allow remote connections on remote side?</title>
	<link>http://ask.metafilter.com/52931/ssh-tunnel-allow-remote-connections-on-remote-side</link>	
	<description>How can I allow remote connections to the remote side of my ssh tunnel? -g doesn&apos;t work. Neither does GatewayPorts. The situation: INSIDE---FIREWALL---OUTSIDE.  The possible connection is ssh from INSIDE to OUTSIDE.  I want to run a service on port 8080 of INSIDE. I want everybody in the world to be able to access it by connecting to OUTSIDE:8080.&lt;br&gt;
&lt;br&gt;
ssh -R8080:localhost:8080 OUTSIDE &lt;b&gt;does not work&lt;/b&gt; - that binds the 127.0.0.1 interface of OUTSIDE, not its public interface ... that is, only OUTSIDE itself can connect to its own port 8080.&lt;br&gt;
&lt;br&gt;
Putting &apos;GatewayPorts yes&apos; in OUTSIDE&apos;s /etc/ssh_config doesn&apos;t help.&lt;br&gt;
&lt;br&gt;
I successfully solved the problem by embedding one tunnel in another - tunneling an ssh port from INSIDE to OUTSIDE, like this:&lt;br&gt;
INSIDE$ ssh -R12345:INSIDE:22 OUTSIDE&lt;br&gt;
OUTSIDE$ ssh -p 12345 -L8080:INSIDE:8080 localhost&lt;br&gt;
&lt;br&gt;
but that seems unnecessarily contrived, and is highly inefficient. &lt;br&gt;
&lt;br&gt;
Can anyone help?&lt;br&gt;
&lt;br&gt;
Extra possibly vital information: INSIDE is Mac OS X, OUTSIDE is Windows XP running an up-to-date Cygwin.</description>
	<guid isPermaLink="false">tag:ask.metafilter.com,2008:site.52931</guid>
	<pubDate>Mon, 11 Dec 2006 20:42:09 -0800</pubDate>

<category>ssh</category>

<category>firewall</category>

<category>tunnel</category>

<category>resolved</category>

	<dc:creator>dmd</dc:creator>
	</item>
	
	</channel>
</rss>

