Networking – open NAT type on maximum security of the firewall

For my Xbox to work properly, I need to have open NAT. I can do this by setting my router's firewall settings to minimum (letting all incoming and outgoing traffic pass). However, this option is not very secure and I would like the firewall on my router to be secure to the maximum. The description of this option is

Maximum security:
Incoming strategy: reject. The remote administration settings will replace
the incoming security policy. Outbound Strategy: reject. Outgoing access
is authorized to the following services: DHCP, DNS, IMAP, SMTP, POP3,
HTTPS, HTTP, FTP, Telnet.

I've read online that I should configure a port forwarding for the Xbox to connect properly to Xbox-Live servers. But, no matter the fact that I have correctly configured the ports, I still can not get an open NAT. So I wonder

  1. Is it possible to get an open NAT when your firewall is configured for maximum security?
  2. Is port forwarding say nothing when your firewall is configured for maximum security? I've talked to my ISP (Verizon) and the technician said that port forwarding means nothing if you set the firewall on maximum security, but I think it's wrong , because that would not it impede the transfer of port?

Side note:

The minimum security for the firewall reads "Inbound Policy: Accept." Outbound Policy: Accept. Am I right to worry about this level of security or should I just set firewall security to a minimum?

Firewall – Cisco ASA5506: NAT Problem (Blocked Pack Even While Authorization Rule Exists)

We have a problem with our ASA5506.

The public interface "outsideSub" has an internet connection via PPPoE.
Pinging a public DNS server from outsideSub iface was successful.

However, the packet trace shows that TCP packets are blocked with the help of an access control list.
In addition, the hosts on the internal subnet do not have an Internet connection.

Here is the current configuration:

: Checked in
:
: Serial number: JAD211802J4
: Hardware: ASA5506, 4096 MB RAM, Atom C2000 1250 MHz Serial CPU, 1 CPU (4 cores)
: Written by admin at 12:07 PM: 48.259 EDT Thu 4 Jul 2019
!
ASA version 9.6 (1)
!
Firewall of the host name
enable encrypted password WHzrdccdxogzFJXY
names

!
Gigabit Ethernet interface 1/1
external name
security level 0
no ip address
!
Gigabit Ethernet interface 1 / 1.100
only
vlan 7
nameif outsideSub
security level 0
pppoe customer group vpdn telekom
IP address pppoe
!
Gigabit Ethernet interface 1/2
name inside
security level 100
ip address dhcp
!
GigabitEthernet interface1 / 3
nameif DMZ
security level 50
ip address 192.168.3.1 255.255.255.0
!
GigabitEthernet interface1 / 4
guest name
security level 1
ip address 192.168.5.1 255.255.255.0
!
GigabitEthernet interface1 / 5
to close
no name
no security level
no ip address
!
Gigabit Ethernet interface 1/6
to close
no name
no security level
no ip address
!
Gigabit Ethernet interface 1/7
to close
no name
no security level
no ip address
!
Gigabit Ethernet interface 1/8
to close
no name
no security level
no ip address
!
management interface1 / 1
management only
no name
no security level
ip address dhcp
!
passive ftp mode
CEST time zone 1
summer time clock CEDT recurrent last sun march 2:00 last dim oct 3:00
DNS domain-lookup outsideSub
default DNS DNS server group
name server 217.69.169.25 outsideSub
Inter-interface for traffic authorization with identical security
intra-interface authorization of the same security traffic
network object obj_any
subnet 0.0.0.0 0.0.0.0
objects network insideSub
WWW-EXT object network
host 87.140.26.169
WWW-INT object network
192.168.3.2 host
https object service
service tcp source range 0 1024 eq destination https
internal web server of object network
192.168.3.2 host
dect network gateway of objects
host 192.168.178.15
http service object
source tcp service eq www destination eq www
description http
DM_INLINE_SERVICE_1 object group service
service object tcp-udp destination eq sip
service object tcp destination eq www
service object tcp destination eq https
DM_INLINE_SERVICE_2 object group service
udp service object
service object tcp destination eq sip
service object udp destination eq sip
service object tcp destination eq 5090
service object tcp destination eq https
service object tcp destination eq www
udp destination range of service object 30000 31000
service object udp destination eq 3478
service object udp destination eq 3479
destination range udp service object 40000 41000
DM_INLINE_SERVICE_3 object group service
udp service object
service object tcp destination eq sip
service object udp destination eq sip
service object tcp destination eq https
service object tcp destination eq 5090
udp destination range of service object 30000 30900
object destination udp destination range 40000 40900
service object udp destination eq 5070
service object udp destination eq 5080
DM_INLINE_SERVICE_6 object group service
service object tcp destination eq https
domain eq destination service-object tcp-udp
service object tcp destination eq www
DM_INLINE_TCP_1 tcp object group service
port-object eq www
eq https object-port
object group service DM_INLINE_TCP_2 tcp
port-object eq www
eq https object-port
access-list inside_access_in extended permission ip any any
tcp access list entry extended permission internal-webserver object group-object DM_INLINE_TCP_2 log debugging
access group to the extended permit entering the access list DM_INLINE_SERVICE_2 any debug object from the log of the gateway d-inactive
access-list DMZ_access_in permission extension tcp any object server-group internal-webserver DM_INLINE_TCP_1
access list DMZ_access_in extended authorization object group DM_INLINE_SERVICE_6 internal web server object all
access list DMZ_access_in ip license extension all inactive
access list inside_access_in_1 extended license ip any any
access-list inside_access_in_1 extended object group DM_INLINE_SERVICE_3 any debug object in inactive idle gateway log
access-list guest_access_in extended ip authorization any outsideSub interface
access list telefon_access_in extended permit object group DM_INLINE_SERVICE_1 any any
pager lines 24
enable logging
informative asdm registration
MTU out 1492
MTU outsideSub 1492
MTU inside 1500
MTU 1500
MTU guest 1500
unreachable rate limit by icmp 1 burst size 1
no history asdm enabled
arp timeout 14400
no arp license not connected
!
network object obj_any
dynamic interface nat (any, outsideSub)
internal web server of object network
nat (DMZ, outsideSub) static interface service TCP https https
!
nat (inside, outsideSub) post-auto dynamic source no matter what interface
nat (DMZ, outsideSub) after dynamic auto source no matter what interface
nat (guest, outsideSub) post-auto dynamic source no matter what interface
incoming access group in the outsideSub interface
access-group inside_access_in_1 in the internal interface
DMZ_access_in access group in the DMZ interface
offsub route 0.0.0.0 0.0.0.0 87.140.26.169 1
xlate waiting time 3:00:00
wait time pat-xlate 0:00:30
timeout conn 1:00:00 mid-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
waiting time sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
sip-temporary-media wait time 0:02:00 hours 0:05:00 absolute
wait time tcp-proxy-reassembly 0:01:00
floating waiting time 0:00:00
LOCAL of the default domain of the user's identity
aaa authentication ssh console LOCAL
http server activation
http 192.168.178.0 255.255.255.0 inside
no snmp server location
no snmp server contact
Sw-reset-button service
crypto ipsec security-association pmtu-infinite aging
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
Self-Registration
fqdn none
subject name CN = 192.168.178.1, CN = firewall
key pair ASDM_LAUNCHER
crl configure
trustpool crypto ca
ca crypto certificate chain ASDM_Launcher_Access_TrustPoint_0
213f335c certificate
308202d2 308201ba a0030201 02020421 3f335c30 0d06092a 864886f7 0d010105
0500302b 3111300f 06035504 03130866 69726577 616c6c31 16301406 03550403
130d3139 322e3136 382e3137 382e3130 1e170d31 39303231 31303831 3332345a
170d3239 30323038 30383133 32345a30 2b311130 0f060355 04031308 66697265
77616c6c 31163014 06035504 03130d31 39322e31 36382e31 37382e31 30820122
300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00b8ce18
cf8bf6f6 dd3ee4fb a4dfe76c 4fe03a80 f81cd905 e46d54f9 f012b3ef a7b1b18e
986a25c1 72e2958e 358069bc 19cb4f82 6c64ae3e 093c5728 d459f866 6f96236a
510542c1 31fa49da 3abda6f9 9fd94928 f50cd6e4 0efd84e7 347f347b 599cffe4
ffc329ab 20e73469 4eea0f70 eccbbfe9 8b836d74 308d2726 141b774e bfc67f7b
01fd29f3 95270e96 1f772697 f860eb11 7e0686a7 d3a67ddf 1bc9d1f1 dfd8e56b
0dd0383b 77450eae d40e73b1 42eaa054 bdf1df88 bce74fa3 786577f4 761e2bb5
a7a64f7f bd438ccd a17fb35c 2259eb15 6e7fae71 41f7a8f2 1bcf7de0 1d681b31
67c3accc 8f335083 c1c785aa 287efa1b 001f9364 9ca24063 1df21744 0d020301
0001300d 06092a86 4886f70d 01010505 00038201 010005c6 2bb39f28 b70fc7f0
a36607a8 2548e727 f15ac207 fb9158dc 2d40b205 01bbdfca a400a80d f7ceddf9
9e970bb2 1ea6f27c 5abf5213 36c6e0bb da17f51f 11b57d6a 1a23d549 1da464b0
4eb0b2a9 8930c91d c4cab838 0467fe35 222fe4b1 8b1341a6 ea83f447 f415300e
c1d4307e 3ae79b83 99800943 6a1dfd1c 22f3313b cc16ad04 852268b0 d028aa16
b50ce50a bc6b7060 db1e01c4 c76395b4 cdfee801 a1d3a9f4 74398b92 cba196cf
8fca0659 305b10f7 fee4e90a 00ec7220 6401044c c20cd391 74cd12db acc1427f
d6d5f324 f5b15a43 b97eb21e 07fac702 81aed9a9 1828acae 91702b57 994e3618
3c2e2e50 55bb0fc3 18da4c73 399d0c17 830a9389b679
to leave
telnet wait time 5
ssh strictthostkeycheck
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key exchange group dh-group14-sha1
wait time of the console 0
vpdn group telekom request dialout pppoe
vpdn group telekom ppp authentication pap

dhcpd dns 217.69.169.25
dhcpd auto_config on the inside
dhcpd option 3 ip 192.168.5.1
!
dhcpd address 192.168.5.2-192.168.5.254 guest
dhcpd dns 217.69.169.25 interface guest
dhcpd activates the guest
!
ntp server 188.68.54.53 source outsideSub
Trust Point ssl ASDM_Launcher_Access_TrustPoint_0
access-policy-registration-dynamic DfltAccessPolicy
username password administrator WRN6n6ecK1px5qbL privilege encrypted 15
!
class-map inspection_default
correspond to the default inspection traffic
!
!
policy-map type inspect dns preset_dns_map
settings
maximum length of auto auto message
maximum length of message 512
policy-map global_policy
inspection_default class
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
lean inspect
inspect sunrpc
inspect xdmcp
inspect a sip
inspect netbios
inspect the TFTP
inspect ip options
inspect icmp
!
overall global_policy service policy
prompt context
no report of anonymous call at home
Cryptochecksum: 2e518b4508919eb399ce4cb4eae31eca
: end

Here are two screenshots to solve the problem / configuration:

packet trace showing that the packet is stuck

the permit rule exists however (181k hits)

NAT rules or routes have not been changed explicitly!
The only change was to change the internalSub PPPoE parameter to "use a static IP address".

We had no Internet connection with static IP, so we restored the iface parameter on PPPoE. Since then, the problem of NAT / routing exists.

Unfortunately, there is no backup configuration and the configuration was written in flash …

The firewall only allows port 443.53 and tor port, all other UDP, TCP blocked

I had trouble configuring the router to not lock me. I want to exclude 80 so I do not visit an unencrypted website. I need a suggestion.

windows 10 – ESP32 can not work around the firewall

I'm using ESP32 (an Arduino-based microcontroller to connect to a Unity game that I'm building on my PC.) I use the PC as a wireless access point and ESP32. connects to this point of access with the help of a hard-coded password. is connected, the card packets are blocked by my firewall (Windows Defender firewall from Windows 10 by default.) It works properly once I turn it off How can I make sure that UDP packets from esp32 can bypass the firewall without me having to completely turn it off?

google cloud platform – How to prevent GCE force to remove firewall rules?

I've had instances on GCE hosting multiple websites for years. Suddenly, without notice or notice, my instances became inaccessible on 6/19.

After losing several hours trying to solve this problem, I found that a gceenforcer@system.gserviceaccount.com service account removed the firewall rules from my account! Even if I click on "Enable HTTP / HTTPS traffic" when configuring the instance, a few minutes later, the GCE application manager removes the rules again.

So many questions (and so frustrating!). What is the application of the GCE? Why is it deleting my firewall rules without permission or notification? How can I disable it?

Firewall log issues: pinhole access, router ping, and connection attempts

First of all, I would like to say that I am a computer scientist and I live in the United States, but I have minimal experience of cybersecurity and I have two questions about the incidents that I am having. I discovered today:

I noticed that my router was configured by a user to allow FTP traffic on port 21. I also found a single entry in the firewall log, which indicated Access to Pinhole.

IN = br1 MAC = SRC = DST = LEN = 40 TTL = 241 PROTO = TCP DPT = 21 Access
Pin hole

  1. The destination is the public IPv4 address of my router. I have seen the entry "Accessing Pinhole" from a single IP address and there is only one other entry (from the same IP address src) that says "Delete an unknown incoming packet" just below; I've used whatmyipaddress to look for the IP address of the CBC. This address indicates that it comes from Asia, Hong Kong. Does "Access to Pinhole" mean that the person has managed to connect to my router and can it also indicate that it has been compromised (even though I have not seen any malware or viruses on it? computers in my home network)?

  2. In addition, the information contained in my McAfee firewall on my laptop also make me think that it is compromised. It says that my router has several times

    • tried to ping my laptop
    • tried to scan my laptop by sending a large amount of UDP packets
    • attempting to connect to various TCP or UDP ports (typically 1900 or something> = 49000)

However, Mcafee Firewall also seems to block legitimate services and boasts of blocking thousands of connections every week or even every day.

Thank you for any help.

[WTS]Dedicated high speed servers DataPacket.net + Free server management!

Since 2001, the best accommodation at the best price!

DataPacket.netThe mission of is simple, we provide the best accommodation at the best price. Price, service and support are at the forefront, our customers come first and you will see it in every service we provide. We are an experienced and professional technology partner you can rely on.

Specially designed Intel Core servers, designed by DataPacket to fit a wide range of applications while offering you a dedicated server at an unbeatable price. Powerful components with reduced profile and low power consumption allow DataPacket to offer youDedicated servers cheap:

DServer (4 GB) $ 29.95 / month
Free server management
Installation within 24 hours
Intel Core (2C / 4T) 2.9 GHz
500 GB hard drive
4 GB of RAM
1000 Mbps private network
100 Mbps public network
Unmeasured bandwidth
== >> Buy now!

DServer (8GB) $ 39.95 / month
Free server management
Installation within 24 hours
Intel Core (2C / 4T) 2.9 GHz
500 GB hard drive
8 GB of RAM
1000 Mbps private network
100 Mbps public network
Unmeasured bandwidth
== >> Buy now!

DServer (SSD) $ 49.95 / month
Free server management
Installation within 24 hours
Intel Core (2C / 4T) 2.9 GHz
320GB Hard Drive – 240GB SSD
8 – 16 GB of RAM
1000 Mbps private network
100 Mbps public network
Unmeasured bandwidth
== >> Buy now!

Why choose us?

Bare-Metal Cloud Server– A naked bare metal server is a dedicated server with a cloud management layer. Some of the RAM and disk are reserved for cloud management tools, provisioning models, and the operating system.
Dedicated Servers Cheap– Choosing DataPacket means that you will get the best accommodation at the best price! We offer cheap dedicated hosting solutions for all budgets, fast and reliable, with the best features.
Cloud Management Tools– Manage your infrastructure by adding or removing servers on demand, reload the operating system, configure firewall rules, restart servers, or monitor your usage. DataPacket cloud management tools put you in control!
Dedicated Instant Servers– One of the advantages of a "bare-metal" server (aside from the advantageous price) is the provisioning process. The configuration will start instantly once payment is received. Your server will be ready within minutes of payment.

Do you offer a free trial?
We provide a 30 day money back guarantee in case you are not satisfied with our service.

If you have any questions, do not hesitate to contact us:
Phone:+1 (407) 995-6628
Mail:service @ datapacket.net
Address:401 E 1st Street # 1868 – 0080
Sanford, FL 32772
United States
OrSEND THE TICKET!

.

firewall – Interception of network traffic with a hub

In theory, yes. I did it for over a year some time ago. Prepare for the possibility that this affects your overall throughput, especially if you have a lot of traffic and approach the maximum of your firewall's interface.

Another caveat: at a conference where a team was going to demonstrate this with the help of a Linksys hub, they discovered that Linksys customized some of their switches as hubs. It was more than 5 years ago, but I wanted to warn you to avoid any potential frustration.

Firewall – Web Site Access – Whitelist Porting

I am able to access a certain website https://buzzlightyear.acme.com:68080 from a corporate network (the default https port 443 was allowed in the Windows firewall of the machine buzzlightyear.acme.com).

The same company provided a personal PC, and I would like VPN (connect via home WIFI) and can access the same server via RDP.

However, I can not access the website above. Can confirm that I have disabled the proxy settings.

When I informed the security network team of this company, they announced the opening of port 68080 and I can now access this URL.

  1. Where would this second whitelist be done (in general), and why is the whitelist of 443 not enough?

  2. When I access the page via IE, it works well. But receive a warning when I access it via Firefox or Chrome. It warns that the connection is not private. By examining the http certificate, it is indicated that the certificate is correct. However, the signature hash algorithm is SHA-1. When I asked if it was not possible to generate a SHA-256 certificate, they replied that it would involve a lot of work. Is it true? Please also report an article with a clear explanation (high level) of the required changes.

Thanking in advance,
To fart

Firewall window. Can not get a specific program on a local network

I'm trying desperately to make sure that the Windows Firewall allows the UDP connection of a client / server software between two computers connected locally (using a router).

When I try with the server-side and client-side Windows firewall, everything works fine, which indicates that the Windows firewall is the culprit.

I want the server / client to be able to communicate with the client-side and server-side firewall, but everything I've tried has not worked.

What I have tried so far:

-added the executable in "Allow a program or feature via Windows Firewall" on the server side and client side

-i tried to create an incoming rule allowing connections from
all UDP ports using a server-side / client-side specific executable

– tried to disable the Web Agent from Avast Antivirus (server side), the client side should have no 2nd party blocking the connection as it is a new installation.

– tried to allow all incoming connections on the private profile in the "Windows Firewall Properties with Advanced Security on the Local Computer" window, again on the client and on the server (at this point , I tested almost everything)

does anyone have any ideas that could solve the problem?