Redian News
Why can't some services on the Tomato DMZ server be reached from the Internet?
# EmergingNetworking - Hot Networking Topics
k*1
1
School of Information Systems, Singapore Management University
Project on software security: three research engineers and one postdoc
The research engineers and postdoc will join a research project on software
security. They will assist in designing, developing and evaluating research
prototypes. Candidates should have a strong programming background in C/C++ or
OCaml. Those who have experience in security research and operating
systems programming are preferred. A research engineer needs to have
y*i
2
Granted, it's legal while the application is pending, but if something goes wrong, wouldn't one have to leave immediately?
P*e
3
You can't buy copper sulfate at HD; they don't even have lime.
d*e
4
Damn, he really couldn't get over it.
t*m
5
There is a server on the Tomato LAN in DMZ mode. SSL (443), SMTP (25), SIP/Asterisk (5060) and so on can be reached from the Internet normally. But some other services that use irregular ports can't be reached from outside. A port scan shows that the ports those services listen on do receive the requests from outside, but the random-port (RTP?) requests that follow get no response.
Since it is already in DMZ mode, I don't know whether the firmware's firewall or the iptables settings are the problem. I'm basically using the default settings. Also, flashing the same router (ASUS RT-N12) with DD-WRT gives the same problem.
With the AT&T U-verse modem-plus-router there is no such problem; every service is reachable from outside normally. So it's not a matter of the ISP blocking ports.
Could it be the router?
k*1
6
Hiring is still in progress, bump.
f*n
7
Just change back to H4 and come back; wouldn't that do it?
s*g
8
He was in the midst of an argument with his wife about how to take care of their recently-born preemie twins when he jumped from his 16th floor balcony in Washington Square Village, where many NYU professors live.

【Quoting d******e's post】
: Damn, he really couldn't get over it.
s*g
9
Can your firewall appliance recognize (meaning stateful inspection) your application so that it can dynamically open up the RTP/UDP ports negotiated in the control channel? By default most distributions have iptables allowing everything. A simple tcpdump on the server will almost immediately tell you where the problem is; a simple flow debug on the firewall will do the job also.

【Quoting t*m's post】
: There is a server on the Tomato LAN in DMZ mode. SSL (443), SMTP (25), SIP/Asterisk (5060) and so on can be reached from the Internet normally. But some other services that use irregular ports can't be reached from outside. A port scan shows that the ports those services listen on do receive the requests from outside, but the random-port (RTP?) requests that follow get no response.
: Since it is already in DMZ mode, I don't know whether the firmware's firewall or the iptables settings are the problem. I'm basically using the default settings. Also, flashing the same router (ASUS RT-N12) with DD-WRT gives the same problem.
: With the AT&T U-verse modem-plus-router there is no such problem; every service is reachable from outside normally. So it's not a matter of the ISP blocking ports.
: Could it be the router?

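The mechanism s*g is pointing at above, as an added example (editor-written Python, not code from the thread, from Tomato or from Asterisk): a SIP ALG or the Linux nf_conntrack_sip helper reads the SDP carried inside the signalling and admits the UDP media ports it announces, which is why a control port can answer while the media ports that follow stay dark when no helper is present. The two messages are constructed: 203.0.113.10 is a made-up external caller, 192.168.1.167 is the DMZ host named later in the thread, the chain name wanin is taken from the posted ruleset, and the 10000-20000 range in the fallback rule is an assumption to be checked against the PBX's rtp.conf.

```python
# Added example, not from the thread: what a SIP helper learns from the control
# channel, expressed as the firewall rules it would effectively install per call.

# Constructed messages. 203.0.113.10 is a made-up external caller; 192.168.1.167 is
# the DMZ host from the thread. Only the headers this parser needs are included.
SAMPLE_INVITE = (
    "INVITE sip:100@198.51.100.4 SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=caller 1 1 IN IP4 203.0.113.10\r\n"
    "s=-\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SAMPLE_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=pbx 2 2 IN IP4 192.168.1.167\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.167\r\n"
    "t=0 0\r\n"
    "m=audio 10002 RTP/AVP 0\r\n"
    "m=video 0 RTP/AVP 34\r\n"
)


def _split(message):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_endpoints(message):
    """(address, port) of each RTP stream announced in the SDP body.

    This is the information a SIP ALG or nf_conntrack_sip extracts from the
    signalling so it can admit the media that follows on otherwise closed UDP
    ports. Only the session-level c= line is handled; a per-media c= line placed
    after its m= line would not be picked up by this simplified parser."""
    _, headers, body = _split(message)
    if headers.get("content-type", "").lower() != "application/sdp":
        return []
    conn, endpoints = None, []
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m="):
            fields = line[2:].split()
            port, proto = int(fields[1]), fields[2]
            # port 0 means the stream was rejected; non-RTP media carries no RTP
            if port == 0 or not proto.startswith("RTP/") or conn is None:
                continue
            endpoints.append((conn, port))
    return endpoints


def inbound_flows(answer):
    """UDP flows the border firewall must forward to the internal server once it
    has answered: RTP on the announced port, RTCP on port + 1 (RFC 3550)."""
    flows = []
    for addr, port in media_endpoints(answer):
        flows.append(("udp", addr, port))
        flows.append(("udp", addr, port + 1))
    return flows


def rules_for(flows, chain="wanin"):
    """Static equivalents of the per-call conntrack expectations a helper would
    create. The chain name follows the posted Tomato ruleset."""
    return [f"iptables -A {chain} -p {proto} -d {addr} --dport {port} -j ACCEPT"
            for proto, addr, port in flows]


def static_range_rule(addr, low, high, chain="wanin"):
    """Fallback when no helper is available: open the server's whole configured
    RTP range. low/high must match the PBX's rtp.conf; 10000-20000 below is a
    common choice and an assumption, not a value from the thread."""
    return f"iptables -A {chain} -p udp -d {addr} --dport {low}:{high} -j ACCEPT"


if __name__ == "__main__":
    print("caller media:", media_endpoints(SAMPLE_INVITE))
    for rule in rules_for(inbound_flows(SAMPLE_200_OK)):
        print(rule)
    print(static_range_rule("192.168.1.167", 10000, 20000))
```

Without the helper loaded on the router (the module name depends on the kernel version, so check `lsmod` on the device rather than assuming), the media packets match neither ESTABLISHED nor RELATED when they arrive and fall through to whatever static rules exist; opening the PBX's whole RTP range is the usual workaround, and tcpdump on the server with a filter such as `udp and not port 5060` shows directly whether those packets ever arrive.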
b*e
10
This mainly depends on the principal applicant's situation. If the principal applicant has no criminal record at all, then of course there is no difference between switching to H4 and not switching.

【Quoting y****i's post】
: Granted, it's legal while the application is pending, but if something goes wrong, wouldn't one have to leave immediately?
h*r
11
Yes, couldn't get over it, couldn't get over it.
I met Sam at Google Research; a very smart guy, and he looked extremely young. The first time I saw him I thought he was a PhD student, but it turned out he was already a full professor.
I don't know when he went to NYU.

【Quoting d******e's post】
: Damn, he really couldn't get over it.
t*m
12
The server has no firewall enabled. Tomato's firewall can't be turned off in the UI. With a different router (the one that comes with U-verse) there is no problem. So the problem should be in the router hardware or the Tomato firmware. Tomato's log is a complete fog to me; I can't even see the service I'm looking for.

【Quoting s*****g's post】
: Can your firewall appliance recognize (meaning stateful inspection) your application so that it can dynamically open up the RTP/UDP ports negotiated in the control channel? By default most distributions have iptables allowing everything. A simple tcpdump on the server will almost immediately tell you where the problem is; a simple flow debug on the firewall will do the job also.

y*i
13
The principal applicant is a model law-abiding citizen.
k*0
14
Could it have been caused by something being wrong with the kids?

【Quoting d******e's post】
: Damn, he really couldn't get over it.
t*m
15
Below is my iptables. The services on ports 6500 and 8443 can't be reached from the Internet. Could some expert take a look?
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
shlimit    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             limit: avg 1/sec burst 5
ACCEPT     udp  --  anywhere             anywhere             udp dpts:33434:33534 limit: avg 5/sec burst 5
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:webcache
Chain FORWARD (policy DROP)
target     prot opt source               destination
           all  --  anywhere             anywhere             account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
           all  --  anywhere             anywhere             account: network/netmask: 192.168.10.0/255.255.255.0 name: lan1
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
TCPMSS     tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
L7in       all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
wanin      all  --  anywhere             anywhere
wanout     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             192.168.1.167
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain L7in (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto skypetoskype
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto youtube-2012
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto flash
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto httpvideo
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto rtp
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto rtmp
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto rtmpt
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto shoutcast
RETURN     all  --  anywhere             anywhere             LAYER7 l7proto irc
Chain shlimit (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: shlimit side: source
DROP       all  --  anywhere             anywhere             recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
Chain wanin (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.99         tcp dpt:6588
ACCEPT     udp  --  anywhere             192.168.1.86         udp dpt:5063
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:8443
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:ftp
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:https
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp multiport dports pop3,pop3s
ACCEPT     tcp  --  anywhere             192.168.1.99         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:6500
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:smtp
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:7777
ACCEPT     tcp  --  anywhere             192.168.1.99         tcp dpt:8312
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:5143
ACCEPT     udp  --  anywhere             192.168.1.167        udp dpt:5153
ACCEPT     tcp  --  anywhere             192.168.1.170        tcp dpt:6143
ACCEPT     udp  --  anywhere             192.168.1.170        udp dpt:6153
ACCEPT     tcp  --  anywhere             192.168.1.170        tcp dpt:57753
Chain wanout (1 references)
target     prot opt source               destination
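An added check on the listing above (editor-written Python, not anything from the thread or from Tomato): parse the wanin chain as posted and ask it which inbound flows it accepts, with the same first-match semantics the kernel applies. It shows that TCP 6500 and 8443 to 192.168.1.167 are explicitly accepted, while the only UDP port that host has open is 5153, so any media port the server negotiates at call time can get through only as RELATED traffic (which needs a conntrack helper) or not at all. The WANIN text is the posted chain with its wrapped lines rejoined; service names are resolved with a small fixed table instead of /etc/services so the example runs anywhere.

```python
# Added example, not from the thread: audit the posted wanin chain for one inbound
# flow, with the same first-match semantics the kernel uses.
import re

# The wanin chain exactly as posted (long lines rejoined). Input for the example
# only; nothing here was captured from the router by the editor.
WANIN = """\
Chain wanin (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             192.168.1.99         tcp dpt:6588
ACCEPT     udp  --  anywhere             192.168.1.86         udp dpt:5063
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:8443
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:ftp
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:https
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp multiport dports pop3,pop3s
ACCEPT     tcp  --  anywhere             192.168.1.99         tcp dpt:webcache
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:6500
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:smtp
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:7777
ACCEPT     tcp  --  anywhere             192.168.1.99         tcp dpt:8312
ACCEPT     tcp  --  anywhere             192.168.1.167        tcp dpt:5143
ACCEPT     udp  --  anywhere             192.168.1.167        udp dpt:5153
ACCEPT     tcp  --  anywhere             192.168.1.170        tcp dpt:6143
ACCEPT     udp  --  anywhere             192.168.1.170        udp dpt:6153
ACCEPT     tcp  --  anywhere             192.168.1.170        tcp dpt:57753
"""

# iptables -L without -n prints service names from /etc/services; resolve the ones
# that appear with a fixed table so the example does not depend on the host.
SERVICES = {"ftp": 21, "smtp": 25, "pop3": 110, "https": 443, "pop3s": 995,
            "webcache": 8080}

RULE_RE = re.compile(
    r"^(?P<target>\S*)\s+(?P<proto>\S+)\s+--\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<match>.*)$")


def _port(token):
    return int(SERVICES.get(token, token))  # ValueError on an unknown service name


def _dports(match):
    """Destination port ranges a rule's match text covers; None = any port."""
    m = re.search(r"\bdpts?:(\S+)", match) or re.search(r"\bdports (\S+)", match)
    if not m:
        return None
    ranges = []
    for item in m.group(1).split(","):
        low, _, high = item.partition(":")        # dpts:33434:33534 style ranges
        ranges.append((_port(low), _port(high) if high else _port(low)))
    return ranges


def parse_chain(text):
    """Rules from `iptables -L` output for one chain; header lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"target": m["target"], "proto": m["proto"], "src": m["src"],
                          "dst": m["dst"], "ports": _dports(m["match"])})
    return rules


def _matches(rule, proto, dst, port):
    if rule["proto"] not in ("all", proto) or rule["dst"] not in ("anywhere", dst):
        return False
    return rule["ports"] is None or any(lo <= port <= hi for lo, hi in rule["ports"])


def is_accepted(rules, proto, dst, port):
    """First matching rule decides, as in the kernel. A flow that matches nothing
    returns to the caller (FORWARD, whose policy in the posted ruleset is DROP)."""
    for rule in rules:
        if _matches(rule, proto, dst, port):
            return rule["target"] == "ACCEPT"
    return False


def open_ports(rules, proto, dst):
    """Every destination port range the chain explicitly accepts for one host."""
    out = []
    for rule in rules:
        if (rule["target"] == "ACCEPT" and rule["ports"]
                and rule["proto"] in ("all", proto) and rule["dst"] in ("anywhere", dst)):
            out.extend(rule["ports"])
    return sorted(out)


if __name__ == "__main__":
    rules = parse_chain(WANIN)
    for proto, port in (("tcp", 6500), ("tcp", 8443), ("udp", 10002)):
        verdict = "ACCEPT" if is_accepted(rules, proto, "192.168.1.167", port) else "no rule"
        print(proto, port, "->", verdict)
    print("udp ports open to .167:", open_ports(rules, "udp", "192.168.1.167"))
```

Because the listing was taken without -v, interface matches and packet counters are invisible: the two DROP rules in FORWARD that sit ahead of the wanin jump must be interface-qualified or nothing would ever reach wanin, but the listing cannot show that. Rerun it as `iptables -L -v -n`, and `iptables -t nat -L -v -n` for the DNAT rules the DMZ setting creates, before drawing conclusions from hit counts.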
b*e
16
A model citizen shouldn't waste the money. If the company is paying, then go ahead and switch.

【Quoting y****i's post】
: The principal applicant is a model law-abiding citizen.
e*g
17
Did he become an Associate Prof after moving to NYU?

【Quoting h***r's post】
: Yes, couldn't get over it, couldn't get over it.
: I met Sam at Google Research; a very smart guy, and he looked extremely young. The first time I saw him I thought he was a PhD student, but it turned out he was already a full professor.
: I don't know when he went to NYU.

t*m
18
The server software doesn't have that kind of log. Could it be that services like 443, 25 and 5060 don't open a separate RTP/UDP port, so they work, while services that need to open an extra port get stuck?

【Quoting s*****g's post】
: Can your firewall appliance recognize (meaning stateful inspection) your application so that it can dynamically open up the RTP/UDP ports negotiated in the control channel? By default most distributions have iptables allowing everything. A simple tcpdump on the server will almost immediately tell you where the problem is; a simple flow debug on the firewall will do the job also.

k*0
19
No idea. The U of T site also lists him as Assoc.

【Quoting e***g's post】
: Did he become an Associate Prof after moving to NYU?
b*p
20
My boss personally sent us an email asking us to remember him.
Condolences.
Contact us | Privacy policy | ©2024 redian.news