I'm trying to open the port 29765 port on a VM instance in Google Compute Engine.I created a firewall rule as per below instructions and restarted the VM after creation. But it doesn't work. Can someone help me by providing some advice and if I'm supposed to do anything else ?
It's a Windows platform.
https://cloud.google.com/vpc/docs/using-firewalls
Go to cloud.google.com
Go to my Console
Choose your Project
Choose Networking > VPC network
Choose "Firewalls rules"
Choose "Create Firewall Rule"
Target: All instances of network Source : 0.0.0.0/0
To allow incoming TCP connections to port 29765, in "Protocols and Ports" entered tcp:29765
Click Create
Related
I'm trying to use UPnP to open a port, so I'm experimenting with miniupnpc. I've observed a handful of people use and suggest upnpc -a <internal ip> <internal port> <external port> <protocol> to open the specified external port and point it to the application running on the specified internal port.
Before I continue, I will note that UPnP is on in my router's settings, and that it lists a few connections, though when I check them with a port checker I find that none of them are actually working? Or at least none of them seem to be open.
When I try to map the internal port 5000 to the external port 7777 with the following command:
upnpc -a 192.168.1.10 5000 7777 tcp
What I find is that it "works" without any explicit errors, but
the external ip it maps to isn't really an external ip at all. Here's the output following the command given above:
upnpc : miniupnpc library test client, version 2.1.
(c) 2005-2019 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.1.1:5000/Public_UPNP_gatedesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found a (not connected?) IGD : http://192.168.1.1:5000/Public_UPNP_C3
Trying to continue anyway
Local LAN ip address : 192.168.1.10
ExternalIPAddress = 192.168.0.153
InternalIP:Port = 192.168.1.10:5000
external 192.168.0.153:7777 TCP is redirected to internal 192.168.1.10:5000 (duration=0)
Obviously, 192.168.0.153 is not an external IP Address, and yet it seems to be treating it as though it is. Why might this be?
EDIT: Upon further inspection, it seems like since I have a multi-router set up, the "external ip" here is actually the internal ip of the secondary router. I wonder why this is, though, and whether it can be circumvented.
I've installed neo4j enterprise from Google cloud market place and it is accessible from within the Kubernetes network but I want to access it from my external application which is not on the same network.
Following this guide from Neo4j I'm able to connect the browser using port forwarding;
MY_CLUSTER_LEADER_POD=mygraph-neo4j-core-0
kubectl port-forward $MY_CLUSTER_LEADER_POD 7687:7687 7474:7474
In the user guide, they suggest that I should not use a load balancer on the server side. I should expose each pod in the cluster separately and use bolt+routing from my application to handle request routing. This is described in Limitations section of the guide.
It should be exposed using Nodeports but I am unable to do it properly. I've tried doing it like this;
kubectl expose pod neo-cluster-neo4j-core-0 --port=7687 --name=neo-leader-pod
But I'm unable to connect using this exposed IP. I'm not good with cloud technologies so I can't figure out what I'm doing wrong.
I went through this article Neo4j Considerations in Orchestration Environments, tells what I should do but not how to do. It assumes prior knowledge of gcloud/kubernaties.
Anyone could guide me in the right direction? Thanks
If I’m not wrong, you create a GKE cluster for neo4j enterprise.
And it works perfectly inside of the cluster network, but not from outside.
Check if you have opened the firewall for these ports.
To create rules or see the existing rules:
Go to cloud.google.com
Go to my Console
Choose your Project
Choose Networking > VPC network
Choose "Firewalls rules"
Choose "Create Firewall Rule" to create the rule if doesn't exist.
To apply the rule to select VM instances, select Targets > "Specified target tags", and enter into "Target tags" the name of the tag. This tag will be used to apply the new firewall rule onto whichever instance you'd like. Then, make sure the instances have the network tag applied.
To allow incoming TCP connections to port 7687 for example, in "Protocols and Ports" enter tcp:7687
Click Create
Check the GKE documentation for a better clue:
https://cloud.google.com/solutions/prep-kubernetes-engine-for-prod
https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy
https://cloud.google.com/kubernetes-engine/docs/how-to/exposing-apps
:)
I'm new user of openWRT I using a internet wifi in Ubuntu 16.04, I installed openWRT in VirtualBox, I tried to connect to internet but I failed, when I try to ping google.com I get this message **bad address google.com **
Just went through the same issue this morning. You have a good documentation in OpenWrt wiki for configuring your OpenWrt network when running over VirtualBox. The information below is all taken from the wiki, but I can assure that is working for a Barrier Breaker running on top of Ubuntu 16.04. The process is as follows:
With your VM off, open the VirtualBox Network tab and make the following configurations:
Configure Adapter 1 to use NAT
Configure Adapter 2 to use Bridge Adapter + Select your host machine's interface from the menu (the one that appears by using
commands as iwconfig or ifconfig). + disable promiscuous
mode
These configurations refer to the following screens (my wireless interface has the name wlx0022.., yours may be different):
Power on your VM and edit /etc/config/network. Change the two interfaces that the wiki mentions (wan and lan) and put them as it is shown below. Your interfaces may have different names before the change (in my case, the wan interface was wan6).
Your /etc/config/network file should look like this:
config 'interface' 'wan'
option 'proto' 'dhcp'
option 'ifname' 'eth0'
config 'interface' 'lan'
#option type 'bridge'
option ifname 'eth1'
#option ip6assign '60'
Just do the changes you need to in order to have your /etc/config/network file as it is shown above, but leaving the other interfaces in the file unchanged (as they are).
Then reboot OpenWrt. After that I was able to connect and ping to any site.
First,change your network connection in VirtualBox to Bridge Mode
Settings --> Network --> Adapter 1 --> Attached to --> Bridged Adapter
Second,modify /etc/config/network in OpenWRT
config interface lan
option ifname eth0
option type bridge
option proto dhcp
Restart your network by this command :
/etc/init.d/network restart
Note: make sure your host (Ubuntu 16.04) is connected to DHCP server.Then your OpenWRT-VirtualBox should get the IP address from it.
If you want to connect WiFi manually by editing file,
you need to edit mainly 3 files.
/etc/config/network
/etc/config/wireless
/etc/config/firewall
--> I would suggest adding the following portion in your network config file(/etc/config/network).
(make sure you do not have any assigned section for the wifi in the network config file)
config interface 'wifi'
option proto 'dhcp'
--> Also, you need to update the file (/etc/config/wireless)
config wifi-iface 'station1'
option device 'radio0'
option ifname 'wlan0'
option mode 'sta'
option network 'wifi'
option disabled '0'
option ssid 'name_of_the_wifi'
option key 'password_of_the_wifi'
option encryption 'encryption_of_wifi_generally_psk2'
in above setup option network 'wifi' "wifi" will be the name of the interface you defines in the /etc/config/network.[make sure if you have above section you edit the existing one. Do not add new section if you do not know what you are doing]
Here, replace "wlan0" with your wireless interface.
If you already have above section in wireless file,
you can also use uci commands as following,
uci set wireless.station1.ssid=name_of_wifi
uci set wireless.station1.key=password
uci set wireless.station1.encryption=psk2
uci commit wireless
wifi down; wifi
here, "station1" would be the name of the section.
--> In the /etc/config/firewall, find the option zone section where all the interface is defined, which looks like following
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 0
option mtu_fix 1
option conntrack 1
and add
list network 'wwan'
Command to check Wifi Connectivity: iwconfig
Refer the following link:
https://wiki.openwrt.org/doc/uci/wireless
NOTE: PLEASE READ FROM OPENWRT FORUM OR GOOGLE BEFORE DOING ANYTHING
The Wrong configuration may break the OpenWRT connection
I'm using a dedicated server on aruba with ZyWall firewall. I have two ports listening in the server, using telnet from inside I can connect to both the ports. If I try to telnet from outside I can access only to one of them.
I have not internal firewall, and I don't understand how I can see if the ZyWall is blocking the port access or it is forwarding all connections to that port to another ip.
Have you any suggestion?
I found the solution. I accessed the firewall web interface from a firefox installed in the dedicated server behind the firewall (the web interface is not accessible from outside), then I made two steps:
I added a rule on which I permit the access to the target port. I made this using the "Service" tab in the Security->Firewall menù.
In the matrix between LAN, WAN, DMZ etc.. I modified the rule "from WAN to LAN" and I added the rule made in the previous step.
Now it works!
We use Jenkins 1.504 on Windows.
We need to have Master and Slave in different sub-networks with firewall in between.
We can't have ANY to ANY port firewall rules, we must specify exact port numbers.
I know the port Master is listening on.
I also see that Slave opens connection to the Master from the arbitrary port dynamically assigned every run, and port on the Master side is also arbitrary.
I can fix Master's port by specifying it in Manage Jenkins > Configure Global Security > TCP port for JNLP slave agents).
How to fix Slave port?
UPDATE: Found Connection Mechanism described here: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+CLI#JenkinsCLI-Connectionmechanism
I think it might work for us, but still would be better to have fixed-2-fixed ports connection.
We had a similar situation, but in our case Infosec agreed to allow any to 1, so we didnt had to fix the slave port, rather fixing the master to high level JNLP port 49187 worked ("Configure Global Security" -> "TCP port for JNLP slave agents").
TCP
49187 - Fixed jnlp port
8080 - jenkins http port
Other ports needed to launch slave as a windows service
TCP
135
139
445
UDP
137
138
A slave isn't a server, it's a client type application. Network clients (almost) never use a specific port. Instead, they ask the OS for a random free port. This works much better since you usually run clients on many machines where the current configuration isn't known in advance. This prevents thousands of "client wouldn't start because port is already in use" bug reports every day.
You need to tell the security department that the slave isn't a server but a client which connects to the server and you absolutely need to have a rule which says client:ANY -> server:FIXED. The client port number should be >= 1024 (ports 1 to 1023 need special permissions) but I'm not sure if you actually gain anything by adding a rule for this - if an attacker can open privileged ports, they basically already own the machine.
If they argue, then ask them why they don't require the same rule for all the web browsers which people use in your company.
I have a similar scenario, and had no problem connecting after setting the JNLP port as you describe, and adding a single firewall rule allowing a connection on the server using that port. Granted it is a randomly selected client port going to a known server port (a host:ANY -> server:1 rule is needed).
From my reading of the source code, I don't see a way to set the local port to use when making the request from the slave. It's unfortunate, it would be a nice feature to have.
Alternatives:
Use a simple proxy on your client that listens on port N and then does forward all data to the actual Jenkins server on the remote host using a constant local port. Connect your slave to this local proxy instead of the real Jenkins server.
Create a custom Jenkins slave build that allows an option to specify the local port to use.
Remember also if you are using HTTPS via a self-signed certificate, you must alter the configuration jenkins-slave.xml file on the slave to specify the -noCertificateCheck option on the command line.