Cannot add target group to NLB - amazon-ec2

I created an AWS NLB and I created a new Target Group during NLB setup for TLS / Port 443.
Now I want to add another Target Group for TCP Port 80 and I created a new Target Group.
When trying to register the Target Group under "Listeners" the Target Group for TCP Port 80 is greyed out:
What am I missing?

I had this, and the load balancer UI did not make it easy to edit existing target groups, so the easiest fix was to delete the old target group and start over, looking closely at the protocol. The Add Target Group page has a protocol selector that defaults to HTTP & port 80, and it is intuitive to leave it that way, but you need TCP or whichever protocol the balancer is going to forward.
This is because the Network Load Balancer operates at a lower, more flexible level (layer 4 + TLS termination) and only supports TCP / UDP / TLS. On the Add Listener page, you will have the same Protocol and Port fields, and the new target group will be allowed as long as the Protocol matches. If you select a target group there and then change to a different protocol, the page will show an error like "TCP_UDP listeners cannot forward traffic to TCP target groups. You must select a compatible target group or change the listener protocol."

ALB/NLB by design allow a target group to be used by a single ALB/NLB only. You would have already used the *nlb-route-http target group in a different NLB. Can you post the status of the targets under *nlb-route-http? If there are healthy/unhealthy instances then it's already being used and you won't be able to re-attach it.
Either remove it from the existing NLB or create a new target group.

I was having this problem even when I chose TCP as the Target Group protocol.
That is, I created a target group first, then separately created an application load balancer and the target group didn't appear in the "Select a target group" drop down menu.
The only way I got it to work was to create a target group of type "IP addresses", then select it in the target group list and choose "Associate with New Load Balancer" from the Actions menu.
Only then did the Target Group appear in the "Select a target group" dropdown menu.

How to Disable access to localhost (internal network and internet)

I want to block a program from accessing the local server ("localhost") on Windows temporarily so I can test random disconnection cases ... I tried adding a rule to the firewall disabling both inbound and outbound in all network types, but the program just got blocked from accessing the internet, not the local network.
Moving on to an answer instead of a comment - nevertheless, more information on your use-case is greatly appreciated;
I think it is impossible to block access to localhost but allow internet access. Two reasons:
Networking works on different layers ("OSI layers") and localhost communication is looped back before the firewall might filter it (see ). Not so sure on this though.
localhost communication might be "basic" in a way that it is necessary for applications when they want to communicate via network.
UPDATE after OP's comment
I assume you are on Windows 10, and you know the path to the executable of the program you want to block.
Open "Windows Defender Firewall with Advanced Security".
On the left side, go to "Outbound Rules".
Then, on the right side click on "New Rule...".
A new window will open; Leave "Program" selected and click "Next".
Next to "This program path:" is a button "Browse..." - select your program here. Click "Next...".
Select "Block the connection", then "Next...".
Select all three; Domain, Private and Public.
After clicking "Next..." choose an appropriate name, then click "Finish".
From now on, you can disable/enable this rule as you see fit.
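The same outbound block rule, created from an elevated PowerShell prompt instead of the nine GUI clicks, as an added example that is not part of the original answer. The rule name and the path C:\Apps\MyProgram\app.exe are placeholders; the NetSecurity cmdlets used (New-NetFirewallRule, Enable-/Disable-NetFirewallRule, Get-NetFirewallApplicationFilter) ship with Windows 8/Server 2012 and later.

```powershell
# Added example, not from the original answer. Run elevated.
$ruleName    = "Block app (test disconnects)"   # placeholder rule name
$programPath = "C:\Apps\MyProgram\app.exe"      # placeholder: program to block

# Steps 1-9 of the answer: outbound, program-based, Block, all three profiles.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $params = @{
        DisplayName = $ruleName
        Direction   = 'Outbound'                    # "Outbound Rules"
        Program     = $programPath                  # "This program path:"
        Action      = 'Block'                       # "Block the connection"
        Profile     = 'Domain','Private','Public'   # "Select all three"
        Enabled     = 'True'
    }
    $rule = New-NetFirewallRule @params
}

# Check what the rule really matches before relying on it: the bound program path.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program

# "From now on, you can disable/enable this rule as you see fit":
function Set-DisconnectTest {
    param([Parameter(Mandatory)][bool]$Blocked)
    if ($Blocked) { Enable-NetFirewallRule  -DisplayName $ruleName }
    else          { Disable-NetFirewallRule -DisplayName $ruleName }
}

Set-DisconnectTest -Blocked $true    # simulate the outage
Set-DisconnectTest -Blocked $false   # restore normal operation
```

As the question itself reported, a rule like this stops the program reaching the network but not a server on the same host, so it is a tool for "internet down" tests rather than "localhost down" tests.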
Kinda hard to provide a detailed answer having only the information you've provided, but I think this scenario can be easily tested with a simple container configuration: having both the program under test and the "localhost" service running in containers, you can randomly update the containers' network configuration to simulate connectivity issues.
You can use a reverse proxy like Fiddler and block all requests coming from this application to localhost.
If I understood what you mean then this will do:
To create a rule, select the Inbound Rules or Outbound Rules category at the left side of the window and click the Create Rule link on the right side. The Windows firewall offers four types of rules: Program – Block or allow a program. Port – Block or allow a port, port range, or protocol.
If you are using a third-party anti-virus solution with a built-in firewall, go to the firewall option and blacklist/disable/prevent internet access for your app.
Otherwise, disabling your firewall will not stop any access, as it will allow inbound and outbound traffic. You can prevent specific ports, but disabling the firewall will not only do what was mentioned before but will also leave your device vulnerable to online threats.
Try these 3 simple steps.
Run your program.
Open cmd (please check whether you need admin access for this; if yes then run as admin).
Run the following command to see at which port the localhost is listening:
netstat -ano | findstr :<port>
e.g. if your localhost is listening at port 3900 the command will be as follows:
netstat -ano | findstr :3900
The result will be shown on the cmd console; the last column is the PID (process id).
We will just kill that process, which will eventually stop the localhost server from listening for any request from any source.
taskkill /PID <PID> /F
<PID> is the process id that you will get from the above command.
In this case, only the localhost server will stop its service, but your application will keep communicating with the outer network, the internet.
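The same three steps as PowerShell functions, added here as an example that is not part of the original answer. It looks up the owning process of a listening TCP port (what netstat -ano | findstr does) and shows the process name before stopping it, so you can confirm it is the local server you expect and not something else that happens to own the port. Port 3900 is the example port from the answer; stopping processes you do not own needs an elevated prompt.

```powershell
# Added example, not from the original answer.
function Get-LocalListener {
    param([Parameter(Mandatory)][int]$Port)
    # Equivalent of: netstat -ano | findstr :<port>   (TCP listeners only)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess      # the last column of netstat -ano
                ProcessName  = $proc.ProcessName
            }
        }
}

function Stop-LocalListener {
    param([Parameter(Mandatory)][int]$Port)
    $listeners = @(Get-LocalListener -Port $Port)
    if ($listeners.Count -eq 0) {
        Write-Warning "Nothing is listening on TCP port $Port"
        return
    }
    foreach ($l in $listeners) {
        # Equivalent of: taskkill /PID <PID> /F
        Write-Host "Stopping $($l.ProcessName) (PID $($l.ProcessId)) on $($l.LocalAddress):$($l.LocalPort)"
        Stop-Process -Id $l.ProcessId -Force
    }
}

Get-LocalListener -Port 3900     # inspect first: is this really the local server?
Stop-LocalListener -Port 3900    # then stop it; the client keeps its internet access
```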

Port Routing / Proxy for PC for incoming traffic?

I have a domain, let's call it testserver.com, that points to my PC's IP (192.XXX.X.X). I need to set up a rule/proxy/something that will make all connections from testserver.com go to 192.XXX.X.X:8080. Sorry if this is a stupid or impossible question.
First, #Daniel might have a good suggestion there, it would ofc be easier to work with names.
So, I have just gone to the Windows Firewall with Advanced Security; here are the steps I think you need to do for incoming traffic.
First: Add an inbound connection rule.
(screenshot: inbound connection rule)
Second: Choose the option "Port".
(screenshot: rule that controls a connection for a TCP or UDP port)
Third: Choose your protocol type, TCP or UDP, and select the second option below; write 8080.
(screenshot: define protocol and port)
Fourth: Now choose if only secured connection(s) should be allowed or also non-secured.
(screenshot: choose option for network security)
Fifth: Now select if domain, public connection or private connection.
(screenshot: network type)
Sixth: Now add the name and description of the rule.
(screenshot: name and description)
Seventh: Go to the properties of your (new) rule.
Eighth: Now you can check the different tabs and also change the protocol from UDP or TCP to any other. The tab "Scope" will let you define IP address(es) for this connection that are either public or private. In case you're interested, you can also define authorized computers for this connection, but the connection must be secured then.
(screenshot: the IP scope section)
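The eight steps above collapsed into one New-NetFirewallRule call, including the "Scope" restriction from step 8, as an added example that is not part of the original answer. 8080/TCP is the port from the question; 203.0.113.0/24 is a placeholder for the remote range you actually want to admit, and the rule name is made up. Keeping the scope narrow matters: without it the rule admits port 8080 from any address on the chosen profile.

```powershell
# Added example, not from the original answer. Run elevated.
$ruleName = "Allow inbound 8080 from known clients"   # placeholder name (step 6)

$params = @{
    DisplayName   = $ruleName
    Direction     = 'Inbound'                          # step 1: inbound rule
    Protocol      = 'TCP'                              # step 3: protocol type
    LocalPort     = 8080                               # step 3: "specific local ports"
    Action        = 'Allow'                            # step 4: allow (not "only if secure")
    Profile       = 'Private'                          # step 5: network type
    Description   = 'testserver.com -> this PC, port 8080'   # step 6
    RemoteAddress = '203.0.113.0/24'                   # step 8 "Scope": placeholder range
}

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule @params | Out-Null
}

# Verify what was actually applied: the port filter and the remote-address scope.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Note that this only opens the firewall for inbound 8080; it does not redirect connections arriving on another port to 8080, which is a separate piece of configuration.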
You can set rules for incoming or outgoing traffic in the Windows Firewall. I cannot tell you the exact steps currently, as I am not home. Though I found this post helpful:
https://serverfault.com/questions/496335/open-windows-firewall-to-all-connections-from-specific-ip-address
If you still need help, I would watch later. But actually the Windows Firewall should be quite easy to manage.

Do I need an Inbound NACL to allow VPC Endpoint DynamoDB Access?

I have a Lambda in my VPC that needs to access DynamoDB. I have a VPC Endpoint setup for this, finally got it to work, but am questioning the setup.
Lambda is running in my private subnet.
The subnet has a route table:
Destination: 10.153.32.0/21 Target: local
Destination: pl-02cd2c6b (com.amazonaws.us-east-1.dynamodb, 52.94.0.0/22, 52.119.224.0/20) Target: (my VPC Endpoint)
Destination: 0.0.0.0/0 Target: (my NAT Gateway)
My VPC Endpoint is associated with the above route table (and a few others), hence the #2 route.
And I added the following Network ACL Inbound Rule
Port range 1024 - 65535
CIDR blocks 52.94.0.0/22 and 52.119.224.0/20
ALLOW
What concerns me is that Network ACL rule. I added it after reading this comment.
I'm wondering if I need that rule, or if maybe something else is wrong? I was surprised I had to add it because that SO comment was the only place that mentioned it.
It feels fairly safe to add since those CIDRs should be safe to allow since they are specifically for DynamoDB. But I'm assuming I'll have to keep an eye out for changes to those ranges.
EDIT: I also tried updating my lambda's security group outbound rules, to allow all ports with a destination of pl-02cd2c6b, but that didn't work.
You would only need that rule if you decided to use a customized Network ACL. By default, NACLs allow all, leaving network access control in the hands of security group settings... so if you don't use the default rules, you have to manually allow everything in both directions since, unlike security groups, NACLs don't track IP flow states.
What you are doing looks correct (assuming you need a custom NACL).
The IP addresses from the prefix list are necessary for allowing reply traffic in the inbound direction, and the unusually-broad ephemeral port range comes from the VPC documentation:
AWS Lambda functions use ports 1024-65535.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
There is a documented caveat about treating the prefix list as static:
The range of public IP addresses for a service may change from time to time. Consider the implications before you make routing or other decisions based on the current IP address range for a service.
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html#vpc-endpoints-routing
Using the default "allow all" NACL is probably a better alternative. If you really feel the need to lock down your Lambda function's access, you should be able to create an outbound security group rule referencing the pl-xxxx directly. This will work once your NACL is set back to allow all.
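Both settings the answer discusses, scripted with the AWS CLI from PowerShell, as an added example that is not part of the original answer. pl-02cd2c6b is the DynamoDB prefix list from the question (us-east-1); acl-PLACEHOLDER and sg-PLACEHOLDER stand in for your NACL and Lambda security group IDs. Rather than hard-coding 52.94.0.0/22 and 52.119.224.0/20, it reads the current CIDRs from the prefix list, which is the practical answer to the "keep an eye out for changes" worry.

```powershell
# Added example, not from the original answer. Requires the AWS CLI and credentials
# that may modify the VPC.
$region     = 'us-east-1'
$prefixList = 'pl-02cd2c6b'         # DynamoDB gateway endpoint prefix list (from the question)
$naclId     = 'acl-PLACEHOLDER'     # placeholder: the custom NACL on the Lambda subnet
$sgId       = 'sg-PLACEHOLDER'      # placeholder: the Lambda function's security group

# 1. Resolve the prefix list to its current CIDRs instead of copying them by hand.
$cidrs = (aws ec2 describe-prefix-lists --region $region `
            --prefix-list-ids $prefixList `
            --query 'PrefixLists[0].Cidrs' --output text) -split '\s+' |
         Where-Object { $_ }

# 2. Custom (stateless) NACL only: admit DynamoDB's replies on the Lambda
#    ephemeral range 1024-65535, one inbound rule per CIDR (rules 100, 110, ...).
$ruleNumber = 100
foreach ($cidr in $cidrs) {
    aws ec2 create-network-acl-entry --region $region `
        --network-acl-id $naclId `
        --ingress `
        --rule-number $ruleNumber `
        --protocol tcp `
        --port-range From=1024,To=65535 `
        --cidr-block $cidr `
        --rule-action allow
    $ruleNumber += 10
}

# 3. The answer's preferred alternative (default allow-all NACL): limit the Lambda's
#    egress with a security group rule that references the prefix list itself, so
#    AWS follows range changes for you. DynamoDB is reached over HTTPS, hence 443.
aws ec2 authorize-security-group-egress --region $region `
    --group-id $sgId `
    --ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,PrefixListIds=[{PrefixListId=$prefixList}]"
```

Step 2 and step 3 are alternatives, not a pair: if you keep the custom NACL you need step 2 and the security group rule alone is not enough (which is what the question's EDIT observed); if you go back to the default NACL, step 3 on its own is the tighter and lower-maintenance option.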

Block Website Using Layer 7 Protocol Isn't Working

I've tried many tutorials on how to block a website using the layer 7 protocol. I need to block all social media websites during office hours. But for the very first time, I've already done it but I can still access the website, for example facebook.com.
This is my screenshot:
Filter number 15 is what I'm trying to do but it didn't work.
This is my layer 7 regexp:
This is the number 15 filter rule's detail:
Could you help me?
You need to first disable fast path under /ip settings.
/ip settings set allow-fast-path=no
Then, move your rule up, above fasttrack rule.
I'm not sure you can do it this way, because layer7 filter looks INTO the packets, not the destination URL; as Facebook/Youtube traffic is encrypted, layer7 filter sees nothing but encrypted stuff.
So you can't block traffic dynamically but you can block IPs this way:
Create a script which resolves www.facebook.com to an IP, and put this IP into an address list.
Schedule this script every minute or so.
Add a firewall rule to drop forwarded traffic to this address list.
You can also use the Mikrotik built-in DNS server, set your hosts to use it, and statically set www.facebook.com to 127.0.0.1. Your clients will be unable to connect to the real facebook (IF they are using your DNS).

How can I force outgoing ip for specific applications? ForceBindIp doesn't seem to work

I have a dedicated windows 2012 server with 12 dedicated IPs.
I want to be able to make connections simultaneously from two different ips that I choose.
This will be used for two different browser applications.
I have tried the following:
ForceBindIP %IP_ADDRESS% %APP_EXE%
But the IP doesn't change, the browser always displays the lowest IP from my added range.
I have also experimented with a script that removes all the ips, and then just adds one.
netsh interface ipv4 delete address "Ethernet" 104.251.111.110
netsh interface ipv4 delete address "Ethernet" 104.251.111.111
netsh interface ipv4 delete address "Ethernet" 104.251.111.112
netsh interface ipv4 delete address "Ethernet" 104.251.111.114
....
netsh interface ipv4 add address "Ethernet" 104.251.111.115 255.255.255.0
This changes the address BUT I end up having only one IP for both applications.
If the applications you intend to use don't support binding to interfaces/IPs (true, it's uncommon), you can use SOCKS or proxy software (which is a lot more common, especially for browsers).
For instance you could install WinGate or Squid http://www.squid-cache.org (which is the one I know best).
Squid-Cache has the ability to bind to different outgoing addresses based on rules (http://www.squid-cache.org/Doc/config/tcp_outgoing_address/).
Basically what you need to do is:
install Squid
add ACLs for loopback IP mapping, such as:
acl IP110 src 127.0.0.1/32
acl IP111 src 127.0.0.2/32
[...]
tcp_outgoing_address 104.251.111.110 IP110
tcp_outgoing_address 104.251.111.111 IP111
[...]
And the default, which is just formally needed:
tcp_outgoing_address 104.251.111.110
Each application will then need to be configured with a Proxy (or SOCKS, if you go that way), which is a configuration option most commonly available. On the proxy configuration set the corresponding local IP:
for outgoing connection using IP .111, use proxy on 127.0.0.2
for outgoing connection using IP .110, use proxy on 127.0.0.1
.. and so on.
Make sure Squid (or WinGate) binds to localhost 127.0.0.1/24, so you shouldn't have big security concerns, but if this is exposed on the internet you may want to proceed to a security assessment anyway.
This way, if you decide to offload some application remotely to another server, you can still manage to use the same outgoing IP(s); you just need to change the squid configuration to allow external connections, which could be a big plus for scaling.
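A minimal squid.conf that makes the scheme above concrete, added here as an example that is not part of the original answer. The 104.251.111.x addresses come from the question; each loopback listener 127.0.0.N is mapped to one outgoing address; port 3128 is a placeholder. Instead of the src ACLs in the answer, the example classifies clients with the localip ACL type, which matches the proxy-side address the client connected to (the loopback address the browser was pointed at), since the source address of a loopback connection is not necessarily the address that was dialled.

```squid
# Added example, not from the original answer.

# One listener per outgoing address, bound to loopback only (never 0.0.0.0),
# so the proxy is unreachable from the network.
http_port 127.0.0.1:3128
http_port 127.0.0.2:3128
http_port 127.0.0.3:3128

# Classify clients by the loopback address they connected TO.
acl IP110 localip 127.0.0.1
acl IP111 localip 127.0.0.2
acl IP112 localip 127.0.0.3

# Only those loopback listeners may be used; everything else is denied.
http_access allow IP110
http_access allow IP111
http_access allow IP112
http_access deny all

# Public source address per client ACL (first match wins).
tcp_outgoing_address 104.251.111.110 IP110
tcp_outgoing_address 104.251.111.111 IP111
tcp_outgoing_address 104.251.111.112 IP112
# Formal default, as the answer notes.
tcp_outgoing_address 104.251.111.110

# Pure forward proxy for this use; no caching.
cache deny all
```

With this, a browser whose proxy is set to 127.0.0.2:3128 leaves the server as 104.251.111.111, and one set to 127.0.0.1:3128 leaves as 104.251.111.110; checking each instance against a "what is my IP" page after the change confirms the mapping.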
It looks like you're searching for a fix involving little rework of the browser applications. Assuming that you're using IIS to serve the applications, you should:
Using File Explorer or command line, soft-link the application configuration in another root folder for each instance of the browser application.
Using IIS, recreate the application as a site for each of the above browser application folders.
Using IIS, bind each instance of the browser application to the IP address you wish to serve it with.
Caveat: It's tempting to use the same app pool for all instances, but evaluate your hardware before! Remember that (depending on the application requirements) you create a single point of failure when using a single app pool. Create separate app pools with identical parameters to reduce this risk.
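The three steps and the app-pool caveat scripted with the WebAdministration module, as an added example that is not part of the original answer. C:\inetpub\browserapp is a placeholder for the existing application folder, the site names are made up, and the 104.251.111.x addresses come from the question. Run it elevated on the IIS host.

```powershell
# Added example, not from the original answer.
Import-Module WebAdministration

$sourceRoot = 'C:\inetpub\browserapp'       # placeholder: the real application folder
$instances  = @(
    @{ Name = 'browserapp-110'; IP = '104.251.111.110' }
    @{ Name = 'browserapp-111'; IP = '104.251.111.111' }
)

foreach ($i in $instances) {
    $root = "C:\inetpub\$($i.Name)"

    # Step 1: one root folder per instance, linked back to the shared application files.
    if (-not (Test-Path $root)) {
        New-Item -ItemType SymbolicLink -Path $root -Target $sourceRoot | Out-Null
    }

    # Caveat from the answer: a dedicated app pool per instance, so one instance
    # failing or recycling does not take the others down with it.
    if (-not (Test-Path "IIS:\AppPools\$($i.Name)")) {
        New-WebAppPool -Name $i.Name | Out-Null
    }

    # Steps 2-3: a separate site per folder, bound to exactly one of the server's IPs.
    if (-not (Test-Path "IIS:\Sites\$($i.Name)")) {
        New-Website -Name $i.Name `
                    -PhysicalPath $root `
                    -ApplicationPool $i.Name `
                    -IPAddress $i.IP `
                    -Port 80 | Out-Null
    }
}

# Confirm each site listens only on its own address and runs in its own pool.
Get-Website | Where-Object Name -like 'browserapp-*' |
    Select-Object Name, applicationPool,
        @{ n = 'Bindings'; e = { $_.bindings.Collection.bindingInformation } }
```

Binding by IP rather than host header is what makes the outgoing address differ per instance here: each site answers only on its own address, so replies leave from that address.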
