Comments (22)
Maybe the best thing is to write a test with `curl -X GET http://<ipaddress>:5984`
to determine if the firewall is turned on:
- windows
- macosx
- linux
I also already wrote a script to turn off the firewall for windows for ports 5984 (and 6984 for https)
missing there is:
- script for windows to put firewall back in place
- script for macosx to turn firewall off
- script for macosx to put firewall back in place
from ole--vagrant-community.
I learned that there are two kinds of firewalls in mac. One is application-based and the other is package-based. Both of them are turned off by default. In other words, all the ports of a mac system are free to access under the same network by default.
I think this is correct since I am able to access the bell app on my mac with my cellphone without any extra modifications.
Let's consider the situation when these two kinds of firewalls are turned on purposely by whoever.
For the application-based firewall, since I believe that the bell app is not recognized as an "application" by the mac system yet, it will not be a concern for the bell app.
As for the package-based firewall, this is something a little bit more complicated and I need more time to know how it works. By the way, it is called "pf".
As for the third-party firewall, due to my limited knowledge of networking programming, I don't even know if I can revert the blocking from them.
So should I dive more into this issue for mac or should I move on to another issue? What do you think, @dogi ?
from ole--vagrant-community.
I think we should write a script to test if there is a firewall first ;)
script in meta language kinda:
```
detect all possible IPaddress(es)
if `curl -X GET http://127.0.0.1:5984` != `curl -X GET http://<your IPaddress(es)>:5984` then
  firewall
fi
```
@xinglunxu does this kinda make sense?
from ole--vagrant-community.
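The comparison sketched in the comment above, as an added example that is not part of the original thread: it probes the port through 127.0.0.1 and through each non-loopback IPv4 address, and separates "service not running" from "answers on loopback only". The function names and the three result labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: loopback-vs-LAN reachability check (CouchDB default port 5984).

# Extract non-loopback IPv4 addresses from ifconfig-style text on stdin.
# Handles "inet 192.168.1.5 ..." (macOS, newer Linux) and "inet addr:192.168.1.5".
parse_ipv4s() {
    awk '$1 == "inet" { sub(/^addr:/, "", $2); if ($2 !~ /^127\./) print $2 }'
}

# HTTP status code for a URL; curl reports 000 when no response arrives.
http_status() {
    curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1" || true
}

# Compare the loopback result with the result for one LAN address.
# $1 = status via 127.0.0.1, $2 = status via the LAN address
classify() {
    if [ "$1" != "200" ]; then
        echo "service-down"   # nothing answers locally: not a firewall question
    elif [ "$2" = "200" ]; then
        echo "open"
    else
        echo "blocked"        # firewall rule, or the service binds to loopback only
    fi
}

# Print one "<address> <result>" line per non-loopback IPv4 address.
check_port() {
    port=$1
    local_status=$(http_status "http://127.0.0.1:${port}/")
    ifconfig | parse_ipv4s | while read -r ip; do
        lan_status=$(http_status "http://${ip}:${port}/")
        echo "$ip $(classify "$local_status" "$lan_status")"
    done
}

# Runs only when a port is given, e.g. `sh check_couchdb_port.sh 5984`.
if [ $# -gt 0 ]; then check_port "$1"; fi
```

A probe sent from the same host to its own LAN address usually travels over the loopback interface, so an "open" result here does not prove that another machine can connect. Running the same `http_status` call from a second device on the network settles that.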
What should the script do if it detects the firewall is on? Should it notify the user that the firewall is on and ask him to turn it off?
thanks.
from ole--vagrant-community.
@xinglunxu yes - that would be a good start ;)
from ole--vagrant-community.
I just got a better understanding of the package filter service in mac.
So when we find out that the port is blocked, we can solve this problem in two ways.
- Disable the Firewall completely. And enable it again after we close the bell-app.
- Keep the firewall and make it stop blocking a specific port. And revert the change after closing the bell-app.
I think the first solution is so much better because:
- Easy.
- Turning off the firewall is not a big deal for mac system. It is off by default anyway.
- The second solution might not work. Some third-party firewall may modify it in the way that no later modification can revert it. Refer to the document here
Here is a quote:
> As indicated earlier, each packet is evaluated against the filter ruleset from top to bottom. By default, the packet is marked for passage, which can be changed by any rule, and could be changed back and forth several times before the end of the filter rules. The last matching rule "wins". There is an exception to this: The quick option on a filtering rule has the effect of canceling any further rule processing and causes the specified action to be taken.
from ole--vagrant-community.
think I was searching for this http://www.ibiblio.org/macsupport/ipfw/
anyhow think also the first step here is to write the script which checks if couchdb is accessible
from ole--vagrant-community.
Oh, so 6984 is the port number for the database of community-bell, and we need to make sure both ports, for server and database, are not blocked. Am I correct?
from ole--vagrant-community.
Just realized that the port for couchdb is not mapped to any host port so it is not accessible, according to Vagrantfile. So, what do you mean by checking if couchdb is accessible in the previous post? And what is port 6984 used for? Thanks!
from ole--vagrant-community.
we are not using port 6984 right now, but it is the default port of couchdb for https
from ole--vagrant-community.
@dogi For Windows, the problem I had was not only with firewall, but with enabling the VM in my computer. So, the test should also check somehow whether VM is enabled or not. I do not know if this check should come before or after we check for firewall.
from ole--vagrant-community.
@mhalqurashi Hi, just a suggestion, I think the script about the firewall should only concern about the firewall. In other words, it should be functional. I would assume that the caller of this firewall checking script would have already handled the VM machine enable issue before calling it.
from ole--vagrant-community.
@mhalqurashi think you mean #1
and yes we want also a script for that ;)
from ole--vagrant-community.
@dogi So I created this script file to detect if a specific port is accessible through the http protocol. It also takes the port number as a command line argument. If none is provided, then it uses port 5984. It outputs "on" if the port is inaccessible or "off" otherwise. No side effect.
Here is the script, not sure if this is what you wanted.
```bash
#!/bin/bash
# Print "on" if the port does not answer HTTP 200 on the LAN address, "off" otherwise.
# First non-loopback IPv4 address (awk copes with leading whitespace in ifconfig output)
INET_IP=$(ifconfig | awk '/inet / && $2 != "127.0.0.1" {print $2; exit}')
# Port to test; defaults to 5984
PORT=${1:-5984}
# Status code of the HTTP response; empty if the connection fails or times out
HTTP_RES_CODE=$(curl -Is --max-time 5 "http://${INET_IP}:${PORT}" | head -1 | cut -d' ' -f2)
if [ "$HTTP_RES_CODE" = "200" ] ; then
    echo "off"
else
    echo "on"
fi
```
Run like this:
`sh detectfirewall.sh`
or
`sh detectfirewall.sh 5984`
from ole--vagrant-community.
@dogi Hi, so after some time of searching and thinking, I am still very convinced that turning off the whole PF service is better than turning off individual ports. The reason is that I cannot find out a very good way of turning on/off individual ports.
First, please read my response here if you haven't. #5 (comment)
Since the mac firewall (PF) is a package filtering service, there is no interface to individually "turn on/off a port". If the mac user or other applications set up the rules to filter out the packets sent to 5984, I will have to find a way to attach a rule at the end of all current rules to explicitly allow packets going to 5984 to pass. This is something I have a problem doing.
In other words, I think the pf service is not designed for coordination between different users(applications and system administrator). If a firewall application is in charge of the pf service then it will be hard for bell app to make a small change to the pf service configuration and reverse it later. It will be better to turn off the PF service for running bell and turn it on again after closing bell.
from ole--vagrant-community.
@xinglunxu I know that this is the case ... since that is the low hanging fruit ;)
let's start there
from ole--vagrant-community.
So... Since turning on and off the pf can be achieved with command line, I think there is no need to write a script for that.
Use `sudo pfctl -e` to turn on pf and `sudo pfctl -d` to turn off pf
from ole--vagrant-community.
Never mind I think I should still write the script for it just for record.
from ole--vagrant-community.
> Never mind I think I should still write the script for it just for record.
+1
from ole--vagrant-community.
I will try to work on the windows version
from ole--vagrant-community.
Firewall_rules_reverse.bat
```bat
:: Delete the rules "CouchDB/HTTP"(dir = in && out) and "CouchDB/HTTPS" (dir = in && out)
netsh advfirewall firewall delete rule name="CouchDB/HTTP" protocol=tcp localport=5984
netsh advfirewall firewall delete rule name="CouchDB/HTTPS" protocol=tcp localport=6984
```
from ole--vagrant-community.
firewall_port_checking.bat
```bat
:: Change cmd language to english
chcp 437
:: Parse IPv4
ipconfig
for /f "tokens=1-2 delims=:" %%a in ('ipconfig^|find "IPv4"') do set ip=%%b
set ip=%ip:~1%
set ip_full_5984="%ip%:5984"
:: Check whether IPv4:5984 exists
netstat -aon|find %ip_full_5984%
if %errorlevel% == 0 (echo "Port 5984 FOUND")
```
from ole--vagrant-community.