Need to create a restricted network with UDP ports blocked in mac - macos

I build video conferencing solutions using WebRTC. Some of the clients come from a restricted network with UDP ports blocked and the conferencing does not work well as the media server relies on UDP port 10000. I need to simulate the same network conditions in my mac so that without troubling the clients I can test out the video conference.
So how to block UDP connections to my Mac? Any help would be highly appreciated.
Regards,
Yasith

You can use pfctl in OSX.
sudo nano /etc/pf.conf
At the end of the file add the following to block UDP on port 10000
block out proto udp from any to any port 10000
Then enable the firewall with
sudo pfctl -f /etc/pf.conf && sudo pfctl -E
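To confirm that the simulated block really drops UDP the way a restricted client experiences it, here is an added Python probe (not part of the answer above): it sends one datagram to the media server port and treats a timeout, an ICMP unreachable or a rejected send as "blocked". The echo responder is a stand-in for the real media server so the script can be exercised locally; the default target of port 10000 is the one from the question.

```python
import socket
import threading

def udp_echo_server(bind_addr="127.0.0.1", port=0):
    """Tiny UDP echo responder standing in for the media server; port 0 picks a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.2)            # wake up periodically so the thread can stop
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(2048)
            except socket.timeout:
                continue
            sock.sendto(data, peer)  # echo the datagram back to the sender
        sock.close()

    threading.Thread(target=loop, daemon=True).start()
    return sock.getsockname()[1], stop

def udp_reachable(host, port, timeout=1.0, payload=b"webrtc-probe"):
    """True if a datagram to host:port is echoed back.

    False on timeout (pf silently dropping the packet), on ICMP port unreachable,
    or when the kernel rejects the send; each of these looks like a blocked
    client to a WebRTC media server that only speaks UDP.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # connected UDP so ICMP errors surface as exceptions
            s.send(payload)
            return s.recv(2048) == payload
        except (socket.timeout, OSError):
            return False

if __name__ == "__main__":
    # Against a real media server: python3 probe.py <host> [port]  (assumed file name)
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 10000
    print(f"UDP {host}:{port} reachable: {udp_reachable(host, port)}")
```

Run it once before loading the pf rule (expect True against a server that answers) and once after (expect False); a media server that does not echo arbitrary datagrams will need the probe pointed at a responder like this one.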

Related

I cannot open certain ports via firewall rules in Google Cloud Platform

les
I created the instance from boot image.
but I always cannot open port 7000 via firewall rules... and egress is (allow all). Does anybody know where the problem is?
System: Debian 10
ssh in terminal and
sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 458/sshd
tcp6 0 0 :::22 :::* LISTEN 458/sshd
Is there any way to turn the port 7000 on ?
Encountered the same issue when trying to open other ports like 5678... etc.
First of all you need to set the GCP firewall rule as "ingress".
Ingress is needed to allow incoming connections to the instance.
Regarding the ports, a port does not open or activate by itself or automatically; you need to have a service listening on that port.
However, there are some tools which allow you to activate the port for some time for testing purposes.
You can use tools like iperf3 to activate the port.
Install iperf3 for your vm with the command below.
sudo apt-get install iperf3
Once you have installed iperf3 you need to run the command below. ("-s" indicates your instance is in "server" mode, the "-p" is to set the port you prefer)
iperf3 -s -p 7000
On your remote machine (client) you also need to install iperf3; if it is also a Linux machine you can try the same command I mentioned earlier.
Once you have installed iperf3 use the below command to reach the VM pointing at port 7000. ("-c" indicates client mode, the "-p" is to set the port the server is listening on).
iperf3 -c [server ip address] -p 7000
Please refer to iperf
Another useful tool is netcat

Cannot connect to VLC RTSP server

I am using an AWS EC2 CentOS based system. I also have a website running on it at the domain mydomain.com
I have installed VLC successfully for my server. I can do SSH and remote to my server (I can use GUI application with gnome)
I start the vlc server with the below command:
vlc --ttl 34 -vvv --color -I telnet --telnet-password vlc --rtsp-host 0.0.0.0 --rtsp-port=554
and setup the stream on it by:
root@whm [~]# telnet localhost 4212
Trying ::1...
Connected to localhost.
Escape character is '^]'.
VLC media player 2.0.8 Twoflower
Password:
Welcome, Master
> new sample01 vod enabled
new
> setup sample01 input file:///home/myuser/public_html/mywebsite/folder/video.mp4
setup
The output of the log is good.
[0x7f24a002c5b8] stream_out_rtp vod server debug: RTSP stream at /sample01
[0x7f24a002c5b8] main vod server debug: net: listening to 0.0.0.0 port 554
[0x7f24a002c5b8] stream_out_rtp vod server debug: RTSP: adding /sample01/trackID=0
[0x7f24a002c5b8] stream_out_rtp vod server debug: RTSP: adding /sample01/trackID=1
[0x7fce4802d8c8] [Media: vod] main input debug: `file:///home/myuser/public_html/video.mp4' successfully opened
If I stay on the server itself, using the GUI, I can use the VLC player to open the network stream URL:
rtsp://localhost:554/sample01 (it works)
If I use vlc player from another network to connect to the stream by the below URL
rtsp://mydomain.com:554/sample01 (this is the domain that is working for my website)
rtsp://my-server-public-ip.com:554/sample01 (does not work either)
I guess there is something wrong with the port, so I went to the AWS console and added ports 554 and 4212 to the Inbound list in the Security Group of my instance (like what I'd done for other ports), but it does not help.
The error of the vlc client is:
[000000010050e4c8] core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
[000000010022a7e8] [http] lua interface: Lua HTTP interface
[0000000104a00978] live555 demux error: Failed to connect with rtsp://mydomain.com:554/sample01
[00000001002b2dc8] core access error: connection failed: Connection refused
[00000001002b2dc8] access_realrtsp access error: cannot connect to mydomain.com:554
[0000000100618e58] core input error: open of `rtsp://mydomain.com:554/sample01' failed
CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
Please help me on this to troubleshoot this problem.
My problem is solved. I have done the following things to resolve it, but I am not sure which one is correct. If anyone gets the same issue, you could try one of these:
I enabled the Elastic Load Balancing service of Amazon and added port forwarding for port 554 (RTSP default port)
The streaming server was running well on localhost on server itself but it is inaccessible from outside, I guess it is something about firewall and port.
I scanned mydomain.com to see whether the port is open or not
nmap -v -Pn -sT mydomain.com
Temporarily disable firewall on AWS EC2 instance OR add a line into iptables to open port 554.
Open and edit file by
vi /etc/sysconfig/iptables
Add below line into it
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 554 -j ACCEPT
or shut down the firewall absolutely
sudo service iptables save
sudo service iptables stop
sudo chkconfig iptables off
Optionally, if you are using the firewall of cPanel, you have to check the same with the allowed ports of that firewall.

Open tcp port 5432 for postgresql mac

I want to open a TCP port (5432) on a Mac server to use SQL remotely.
I installed psql9.4 using brew.
Initially I tried:
Open /etc/pf.conf in a text editor.
Add a line like this:
pass in proto tcp from any to any port 5432
Save the file.
Load the changes (and test them) with:
sudo pfctl -vnf /etc/pf.conf
Reboot.
I used network utility to check if the port was opened. But no luck.
Then I downloaded IceFloor.
I added custom Rules:
pass on en0 inet proto tcp from any to any port = 5432 flags S/SA keep state
Also added a new custom service to PFLists Service Database:
service name: PSQL
ports 5432
Still no luck...
Any suggestions?
Thank you

How to open incoming port 50070 in firewall (google compute engine)

I have my single-node Hadoop installed on a Google Compute Engine instance and I want to open port 50070 on that machine to access the Hadoop dashboard. I configured the firewall rule as tcp:50070 in Compute Engine networks, but I am still unable to access my port from outside the network (i.e. via the internet). I tried nmap on the public IP of my GCE instance and got a result in which only the SSH port is open; all other ports are filtered.
Note: I am using the Debian 7.5 image
Make sure your daemon is listening on port 50070. If you have more than one network in your project, make sure the port is opened on the right network. You can run the following commands to check the information about your instance and network.
lsof -i
gcutil --project= getinstance
gcutil --project= listnetworks
gcutil --project= listfirewalls
gcutil --project= getfirewall
Check if IP/Port is allowed in iptables or not.
iptables -L
would show you all the records.
To allow port in iptables you can do the following:
sudo iptables -A INPUT -p tcp -m tcp --dport 50070 -j ACCEPT
sudo iptables-save -c
Short answer
In addition to configuring the firewall rule at the GCE web console, make sure that your server is listening at 0.0.0.0 instead of 127.0.0.1
Long answer
In the context of servers, 0.0.0.0 means all IPv4 addresses on the local machine. If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host listens on 0.0.0.0, it will be reachable at both of those IPs - Source
In contrast, 127.0.0.1 is the IP address used to establish a connection to the same machine used by the user; this address is usually referred to as localhost.
It's often used when you want a network-capable application to only serve clients on the same host. A process that is listening on 127.0.0.1 for connections will only receive local connections on that socket. - Source
Hence, if you try to establish a connection to your server from the internet and your server is listening at 127.0.0.1 on your GCE machine, then, from the server's point of view, a request has never been received, and as a consequence the Google Cloud firewall will refuse the connection because there is no server listening at the opened port (in your case 50070).
I hope this answer helps to solve your problem. Best regards.
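As an added example that ties the netstat output in the GCP port 7000 question to the 0.0.0.0 versus 127.0.0.1 point made in the answer above (not code from either poster): a small parser for `netstat -plnt` style output plus a classifier that says whether a port is not served at all, served only on loopback, or served on all interfaces, which is the host-side check to do before blaming the cloud firewall rule. The sample output is constructed; the 127.0.0.1:50070 line is a hypothetical Hadoop listener.

```python
from dataclasses import dataclass

# Constructed sample in the format printed by `netstat -plnt` on Debian (not from the post).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      458/sshd
tcp        0      0 127.0.0.1:50070         0.0.0.0:*               LISTEN      912/java
tcp6       0      0 :::22                   :::*                    LISTEN      458/sshd
"""

LOOPBACK = ("127.0.0.1", "::1")
WILDCARD = ("0.0.0.0", "::", "*")

@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    program: str

def parse_netstat(text):
    """Extract listening sockets from `netstat -plnt` (or -plnu) output."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue                                # header / banner lines
        addr, port = fields[3].rsplit(":", 1)       # ':::22' -> ('::', '22')
        listeners.append(Listener(fields[0], addr, int(port), fields[-1]))
    return listeners

def diagnose(port, listeners):
    """Why a cloud firewall rule for `port` can still leave it 'filtered' from outside."""
    matching = [l for l in listeners if l.port == port]
    if not matching:
        return "not-listening"     # nothing accepts the connection: start the service
    if all(l.addr in LOOPBACK or l.addr.startswith("127.") for l in matching):
        return "loopback-only"     # bind to 0.0.0.0 (or the VM's address) instead
    if any(l.addr in WILDCARD for l in matching):
        return "all-interfaces"    # host side is fine; check the ingress rule / iptables
    return "specific-address"      # listening, but only on one interface address

if __name__ == "__main__":
    import subprocess, sys
    text = subprocess.run(["netstat", "-plnt"], capture_output=True, text=True).stdout
    for p in [int(a) for a in sys.argv[1:]] or [50070]:
        print(p, diagnose(p, parse_netstat(text)))
```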

Trouble setting up port forwarding for transparent proxy on Mac OS X

I'm trying to set up a transparent proxy on my Mac OS X Lion (10.7.5), so I can use mitmproxy (to intercept SSL traffic from android applications). I followed the steps in the mitmproxy docs for setting up port forwarding with pf on Mac OS X, and they all went without any errors:
$ sudo sysctl -w net.inet.ip.forwarding=1
Password:
net.inet.ip.forwarding: 0 -> 1
$ sudo pfctl -f pf.conf
No ALTQ support in kernel
ALTQ related functions disabled
$ sudo pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
But it doesn't seem to have had any effect. When I go to websites in my browser, it makes a direct request, and doesn't go through the port I specified. Here is the pf.conf file (en1 is my wifi):
rdr on en1 inet proto tcp to any port 80 -> 127.0.0.1 port 4500
rdr on en1 inet proto tcp to any port 443 -> 127.0.0.1 port 4500
Thanks for stopping by the IRC channel today. I've tracked this down, and the basic issue is that the rdr rules apply to inbound traffic. This means that they will NOT redirect traffic coming from the box itself. If you think about it, this is inevitable: we can't distinguish between an outbound connection from a non-mitmproxy app, and an outbound connection from mitmproxy itself. We can use route-to to send the traffic to lo0 and then redirect it, but that causes an infinite loop where mitmproxy's own outbound connections are also redirected back to mitmproxy.
Because I know a bit about your use case, I would suggest exploring ways to do this with VirtualBox. A plan of attack would be to set the VirtualBox network up in bridge mode, and then use a pf rule with a match on the source address to redirect traffic to mitmproxy. That should do what you want, and not cause singularities in time and space due to infinite redirection.
Please drop by the IRC channel again if you need a further hand with this.
Did you try net.inet.ip.scopedroute=0? From http://lucumr.pocoo.org/2013/1/6/osx-wifi-proxy/:
Now currently if you finish that above setup you will notice that
nothing actually works. The cause for this is a Bug in the OS X kernel
that requires flipping the net.inet.ip.scopedroute flag to 0. I am not
entirely sure what it does, but the internet reports that it breaks
network sharing through the user preferences. In any case it fixes
ipfw based forwarding so you can flip it with sysctl:
$ sudo sysctl -w net.inet.ip.scopedroute=0
Unfortunately in OS X Lion this flag can actually not be flipped from
userspace so you need to set it as boot parameter and then restart
your computer. You can do this by editing the
/Library/Preferences/SystemConfiguration/com.apple.Boot.plist file
(continued...)
You are using port 4500 instead of the default port 8080.
Do you start mitmproxy with the port specification?: mitmproxy -T --host -p 4500
Did you follow the steps to set the certificate in the Android device? http://mitmproxy.org/doc/certinstall/android.html
Another problem could be the gateway on your android phone: Preferences - Wifi - Hold on the network you are using - Edit network - Advanced options - Set as gateway the ip of your machine with mitmproxy.
By the way, I have the same warning about No ALTQ but it works.
