Opening ports in Firewall

In Tiger this is easy to do: just create a new connection in the Firewall tab and enter the TCP and UDP ports you want to use. However, I can't find out how to do this in Leopard. The Firewall tab allows you to create new connections, but then restricts you to either allowing or disallowing connections for specific applications. Where can I SPECIFY which ports to use?

For example, for the new Home Sharing feature of iTunes 9, I need TCP ports 3689 & 49152 open, and UDP port 5353 open. How can I confirm that they are open?

What if I add software that requires specific ports open; how will Leopard know which ones?


Active: iMac (G5, G4), Powerbook G4, iPhone, iPod, MP2100 Retired: iMac G3, A2c, Mac OS X (10.4.11), Mac OS 10.5.8, Mac OS 9.2.2, iPhone OS 3.0, Newton OS 2.1

Posted on Oct 30, 2009 9:11 AM

18 replies

Nov 1, 2009 8:06 AM in response to romad

However you start Home Sharing, do that, then run netstat -anp tcp or (which is part of Network Utility)
sudo /Applications/Utilities/Network\ Utility.app/Contents/Resources/stroke 192.blah.blah.blah 1 1000 (1-1000 are port numbers to check and change to your search). And in answer to "how does Leopard know which ones?", here is a quote: "One nice feature to be included in Leopard's (OSX 10.5) firewall is the addition of an Adaptive Firewall. This allows you the ability to setup firewall rules based on an application rather than a particular port. What this really means for an administrator is, now you don't have to hunt down which ports to open for say iChat. In the past you had to know UDP ports 5060, 5190, 5297, 5298, 5678, 16384 through 16403 had to be open to allow full functionality; miss one of them and you may spend a day trying to figure out why the video chat doesn't work. Now all you have to do is specify that you want to allow iChat and the firewall knows which ports to open for you." Interesting answer that iChat (et al) "just know". This entire App FW makes some sense to me but the CL IPFW rules, to me, do not show as opened after being set and running data thru a new ruled port, by any open port tracing command I use. Tiger was, for sure, easier. If that grammar makes sense.

Nov 1, 2009 12:21 PM in response to doug pennington

Just trying to figure out HOW the AF knows which ports to open; I thought that when there is new software port requirements, how is the AF updated, and was wondering if it might be via the Security Updates.

I look on "adaptive firewall" like "adaptive cruise control"; nice idea with great future possibilities, but right now a work-in-progress.

Nov 1, 2009 12:49 PM in response to Austin Kinsella1

I understand that and have done so. The problem, as stated, does not show the ports being opened (OP orig question) by various commands. Even when a transaction is happening on an open port.
doug-penningtons-power-mac-g4:~ dougp$ tftp tftp.server.test.net
tftp> get C0A8010A.SUN4C
Example: (paste above should be below, after tftp was started)
sudo services start tftp (which is port 69) coupled with: sudo ipfw add allow tcp from any to any 69
and doug-penningtons-power-mac-g4:~ dougp$ sudo ipfw list
00100 allow tcp from any to any dst-port 69
65535 allow ip from any to any
then: doug-penningtons-power-mac-g4:~ dougp$ netstat -anp tcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.0.5.52395 204.2.148.105.80 ESTABLISHED
tcp4 0 0 *.88 . LISTEN
tcp6 0 0 *.88 . LISTEN
tcp4 0 0 127.0.0.1.25 . LISTEN
tcp4 0 0 127.0.0.1.631 . LISTEN
tcp6 0 0 ::1.631 . LISTEN
and: doug-penningtons-power-mac-g4:~ dougp$ sudo /Applications/Utilities/Network\ Utility.app/Contents/Resources/stroke 192.168.0.5 1 1000
Password:
Port Scanning host: 192.168.0.5

Open TCP Port: 88 kerberos

Nov 1, 2009 3:52 PM in response to doug pennington

Doug

The rule 100 that you add to ipfw does not actually change anything, as the default final rule 65535 allows everything anyway.

The port scan (using stroke) on my machine shows listening ports - if for example I enable web and printer sharing, it lists those several ports. I tried to start a tftp service, using launchctl, but it just logs a bug and doesn't start, so naturally it doesn't show in stroke. Are you sure that yours did actually start? (Use Activity Monitor, or ps in Terminal).

When I try to connect to your example (tftp.server.test.net) the attempt times out - but while trying it shows in netstat.

AK

Nov 1, 2009 4:54 PM in response to Austin Kinsella1

Austin, due to whatever, I gave you the wrong command. Should be as follows:
sudo service tftp start
It does show a time out (always has), but check your Home directory (or whatever dir you go from) for SUN4C. Should be there via my new correct command. Top shows PID and command for tftp.
I can't seem to show that tftp is even listening when running?
doug-penningtons-power-mac-g4:~ dougp$ netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.kerberos . LISTEN
tcp6 0 0 *.kerberos . LISTEN
tcp4 0 0 compose.smtp . LISTEN
tcp4 0 0 compose.ipp . LISTEN
tcp6 0 0 localhost.ipp . LISTEN
udp4 0 0 *.tftp .
udp6 0 0 *.tftp .
udp4 0 0 192.168.0.5.kerberos .
And finally, then to do a custom ipfw rule(s), the default rule always stays (as seen on all other rule sets I've seen), so what am I missing? Or is my syntax wrong? Thanks. Doug
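The OP asked how to confirm that the Home Sharing ports are open, and the netstat listings above are the raw material for that check. The following is an added example, not code from any participant in this thread: it parses `netstat -an` output in the Leopard format pasted above and reports whether a socket is bound on each wanted port. The sample listing is constructed (modelled on the format of the posts, in numeric form), and the port list is the one the OP stated for iTunes 9 Home Sharing. A socket bound only to 127.0.0.1 or ::1 is reported as not reachable, because it can never be hit from the LAN whatever the firewall says.

```python
# Added example: parse `netstat -an` output and report which of the wanted
# ports have a socket that will accept traffic. Not from the thread's authors.
HOME_SHARING_PORTS = [("tcp", 3689), ("tcp", 49152), ("udp", 5353)]  # as stated by the OP

# Constructed sample modelled on the Leopard `netstat -an` format in the thread
# (numeric form, so ports are numbers rather than service names).
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.0.5.52395      204.2.148.105.80       ESTABLISHED
tcp4       0      0  *.88                   *.*                    LISTEN
tcp6       0      0  *.88                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.3689                 *.*                    LISTEN
tcp4       0      0  *.49152                *.*                    LISTEN
udp4       0      0  *.5353                 *.*
udp4       0      0  192.168.0.5.88         *.*
"""

LOOPBACK = ("127.", "::1")


def split_addr(addr):
    """macOS netstat joins host and port with a dot: '*.88', '::1.631'."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def bound_sockets(text):
    """Yield (proto, host, port) for TCP sockets in LISTEN and for every
    bound UDP socket (UDP lines carry no state column, as in the thread)."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # header lines
        proto = f[0][:3]
        state = f[5] if len(f) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue  # established/closing connections are not servers
        host, port = split_addr(f[3])
        yield proto, host, port


def check_ports(text, wanted=HOME_SHARING_PORTS):
    """Map each (proto, port) to True only if a socket is bound on a
    non-loopback address; a 127.0.0.1-only listener is invisible to the LAN."""
    reachable = {(p, port) for p, host, port in bound_sockets(text)
                 if not host.startswith(LOOPBACK)}
    return {w: w in reachable for w in wanted}


if __name__ == "__main__":
    for (proto, port), ok in check_ports(SAMPLE_NETSTAT).items():
        print("%s/%d: %s" % (proto, port, "listening" if ok else "NOT listening"))
```

To run it against a live machine, feed it the output of `netstat -an` instead of the sample. Note what this does and does not prove: a listening socket shows that the application is ready, but whether packets actually reach it still depends on the application firewall or ipfw rules in front of it; the stroke scan from another host, as used earlier in the thread, is the complementary check from the outside.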

Nov 2, 2009 2:45 AM in response to doug pennington

Good morning Doug.

Your latest netstat is showing tftp - the tftp protocol uses UDP, not TCP. There is thus never an active connection.

You don't need to start a tftp server (sudo service tftp start) in order to use tftp to retrieve files from another server, you just use the tftp command to start a client.

In IPFW the final rule always allows everything else (the opposite of what you would get on a router packet filter) so I have a rule 65534 deny log ip from any to any. I have a series of rules to allow specific services to set up new TCP connections, and a general rule to allow TCP established. If you like I will email you my ipfw set-up file - it is reasonably commented, as I used it in teaching.

AK
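Austin's two points, that rule 100 changes nothing while the final rule 65535 allows everything, and that a 65534 deny rule plus explicit allows turns the list into a real policy, come down to ipfw's first-match evaluation. The following is an added example, not code from anyone in this thread: a small first-match evaluator over the rule syntax that appears in the posts (`allow`/`deny`, optional `log`, `ip`/`tcp`/`udp`, `from any to any`, an optional `dst-port N` and the `established` keyword). The packets are constructed, and the helper appends the macOS default `65535 allow ip from any to any` automatically so the two rulesets discussed above can be compared.

```python
import re
from collections import namedtuple

# Added example, not from the thread's authors: a simulator of ipfw's
# first-match rule evaluation for the rule subset quoted in the posts.
Packet = namedtuple("Packet", "proto src dst dport established")

# NNNNN allow|deny [log] ip|tcp|udp from SRC to DST [[dst-port] PORT] [established]
RULE_RE = re.compile(
    r"^(?P<num>\d+)\s+(?P<action>allow|deny)\s+(?:log\s+)?(?P<proto>ip|tcp|udp)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?:dst-port\s+)?(?P<dport>\d+))?(?:\s+(?P<est>established))?\s*$"
)


def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    d = m.groupdict()
    return {
        "num": int(d["num"]), "action": d["action"], "proto": d["proto"],
        "src": d["src"], "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "established": d["est"] is not None,
    }


def ruleset(*rule_texts):
    """Parse rules and append the default final rule that macOS ipfw always
    carries (65535 allow), then order by rule number as ipfw does."""
    rules = [parse_rule(t) for t in rule_texts]
    rules.append(parse_rule("65535 allow ip from any to any"))
    return sorted(rules, key=lambda r: r["num"])


def _matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["src"] != "any" and rule["src"] != pkt.src:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt.dst:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule["established"] and not pkt.established:
        return False
    return True


def evaluate(rules, pkt):
    """First match wins: return (rule number, action) of the deciding rule."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["num"], rule["action"]
    raise AssertionError("unreachable: rule 65535 matches everything")


# Doug's list as pasted in the thread: rule 100 plus the default.
DOUG = ruleset("00100 allow tcp from any to any dst-port 69")

# Austin's shape: explicit allows, TCP established, then deny-log before the default.
AUSTIN = ruleset(
    "00100 allow tcp from any to any dst-port 69",
    "00200 allow tcp from any to any established",
    "65534 deny log ip from any to any",
)

if __name__ == "__main__":
    new_http = Packet("tcp", "10.0.0.9", "192.168.0.5", 80, False)   # constructed
    new_tftp = Packet("tcp", "10.0.0.9", "192.168.0.5", 69, False)   # constructed
    for name, rules in (("Doug", DOUG), ("Austin", AUSTIN)):
        print(name, "port 80 ->", evaluate(rules, new_http),
              "| port 69 ->", evaluate(rules, new_tftp))
```

With Doug's list, a new connection to port 80 and one to port 69 are both allowed, the first by 65535 and the second by 100, which is why adding rule 100 is not observable from outside. With the 65534 deny in place, only what an earlier rule explicitly allows gets through, and the `established` rule is what lets replies to the machine's own outbound connections (such as the ESTABLISHED web connection in the netstat listing) continue to flow.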
