2002-11-09 19:06:34 +01:00
|
|
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<html>
|
|
|
|
|
<head>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<meta http-equiv="Content-Type"
|
|
|
|
|
content="text/html; charset=windows-1252">
|
|
|
|
|
<title>Shorewall Port Information</title>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<meta name="ProgId" content="FrontPage.Editor.Document">
|
2002-08-13 22:45:21 +02:00
|
|
|
|
</head>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<body>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
|
|
|
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
|
|
|
|
id="AutoNumber1" bgcolor="#400169" height="90">
|
2003-05-15 21:39:23 +02:00
|
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td width="100%">
|
|
|
|
|
<h1 align="center"><font color="#ffffff">Ports required for Various
|
|
|
|
|
Services/Applications</font></h1>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
|
|
|
|
|
</tbody>
|
2002-08-22 23:21:41 +02:00
|
|
|
|
</table>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>In addition to those applications described in <a
|
2003-05-15 21:39:23 +02:00
|
|
|
|
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
|
|
|
|
|
are some other services/applications that you may need to configure your
|
|
|
|
|
firewall to accommodate.</p>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>NTP (Network Time Protocol)</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2003-02-28 03:12:52 +01:00
|
|
|
|
<p>UDP Port 123</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>rdate</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2003-02-28 03:12:52 +01:00
|
|
|
|
<p>TCP Port 37</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>UseNet (NNTP)</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>TCP Port 119</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>DNS</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
|
|
|
|
|
to open TCP Port 53 as well.<br>
|
|
|
|
|
If you are configuring a server, only open TCP Port 53 if you will
|
|
|
|
|
return long replies to queries or if you need to enable ZONE transfers.<2E>In
|
|
|
|
|
the latter case, be sure that your server is properly configured.</p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>ICQ<EFBFBD><EFBFBD><EFBFBD></p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<p>UDP Port 4000. You will also need to open a range of TCP ports which
|
|
|
|
|
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>PPTP</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
|
|
|
|
|
href="PPTP.htm">Lots more information here</a>).</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>IPSEC</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
|
|
|
|
|
500. These should be opened in both directions (Lots more information
|
|
|
|
|
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>SMTP</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p><EFBFBD>TCP Port 25.</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<p>RealPlayer<br>
|
|
|
|
|
</p>
|
|
|
|
|
<blockquote>
|
|
|
|
|
<p>UDP Port 6790 inbound<br>
|
|
|
|
|
</p>
|
|
|
|
|
</blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>POP3</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>TCP Port 110.</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>TELNET</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>TCP Port 23.</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>SSH</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>TCP Port 22.</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>Auth (identd)</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>TCP Port 113</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>Web Access</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2003-02-28 03:12:52 +01:00
|
|
|
|
<p>TCP Ports 80 and 443.</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>FTP</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>Server configuration is covered on in <a
|
|
|
|
|
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<p>For a client, you must open outbound TCP port 21 and be sure that your
|
|
|
|
|
kernel is compiled to support FTP connection tracking. If you build this
|
|
|
|
|
support as a module, Shorewall will automatically load the module from
|
|
|
|
|
/var/lib/<<i>kernel version</i>>/kernel/net/ipv4/netfilter.<2E><br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<p>If you run an FTP server on a nonstandard port or you need to access
|
|
|
|
|
such a server, then you must specify that port in /etc/shorewall/modules.
|
|
|
|
|
For example, if you run an FTP server that listens on port 49 then you would
|
|
|
|
|
have:<br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
loadmodule ip_nat_ftp ports=21,49<br>
|
|
|
|
|
</p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
|
|
|
|
|
have problems accessing regular FTP servers.</p>
|
|
|
|
|
|
|
|
|
|
<p>If there is a possibility that these modules might be loaded before Shorewall
|
|
|
|
|
starts, then you should include the port list in /etc/modules.conf:<br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>options ip_conntrack_ftp ports=21,49<br>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
options ip_nat_ftp ports=21,49<br>
|
|
|
|
|
</p>
|
2003-02-28 03:12:52 +01:00
|
|
|
|
</blockquote>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<p><b>IMPORTANT: </b>Once you have made these changes to /etc/shorewall/modules
|
|
|
|
|
and/or /etc/modules.conf, you must either:<br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<ol>
|
|
|
|
|
<li>Unload the modules and restart shorewall: (<b><font
|
|
|
|
|
color="#009900">rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart</font></b>);
|
|
|
|
|
or</li>
|
|
|
|
|
<li>Reboot<br>
|
|
|
|
|
</li>
|
|
|
|
|
|
|
|
|
|
</ol>
|
|
|
|
|
|
|
|
|
|
<p> </p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<blockquote> </blockquote>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<blockquote> </blockquote>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2002-08-13 22:45:21 +02:00
|
|
|
|
<p>TCP Ports 137, 139 and 445.<br>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
UDP Ports 137-139.<br>
|
|
|
|
|
<br>
|
|
|
|
|
Also, <a href="samba.htm">see this page</a>.</p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>Traceroute</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<blockquote>
|
2003-02-28 03:12:52 +01:00
|
|
|
|
<p>UDP ports 33434 through 33434+<i><max number of hops></i>-1</p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
2003-02-08 21:46:02 +01:00
|
|
|
|
<p>NFS<br>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<p>I personally use the following rules for opening access from zone z1
|
|
|
|
|
to a server with IP address a.b.c.d in zone z2:<br>
|
|
|
|
|
</p>
|
|
|
|
|
|
2003-02-28 03:12:52 +01:00
|
|
|
|
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<p>Note that my rules only cover NFS using UDP (the normal case). There
|
|
|
|
|
is lots of additional information at<61> <a
|
2002-11-09 19:06:34 +01:00
|
|
|
|
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<p>VNC<br>
|
|
|
|
|
</p>
|
|
|
|
|
|
|
|
|
|
<blockquote>
|
|
|
|
|
<p>TCP port 5900 + <display number></p>
|
|
|
|
|
</blockquote>
|
|
|
|
|
|
|
|
|
|
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
|
|
|
|
|
file? </p>
|
|
|
|
|
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<p>Still looking? Try <a
|
|
|
|
|
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
|
|
|
|
|
<p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a
|
2002-11-09 19:06:34 +01:00
|
|
|
|
href="support.htm">Tom Eastep</a></font> </p>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
<a href="copyright.htm"><font size="2">Copyright</font> <20> <font
|
2003-02-08 21:46:02 +01:00
|
|
|
|
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
2003-05-15 21:39:23 +02:00
|
|
|
|
<br>
|
|
|
|
|
<br>
|
|
|
|
|
<br>
|
2003-02-28 03:12:52 +01:00
|
|
|
|
<br>
|
2003-02-08 21:46:02 +01:00
|
|
|
|
<br>
|
2002-11-24 21:08:19 +01:00
|
|
|
|
<br>
|
2002-11-09 19:06:34 +01:00
|
|
|
|
<br>
|
|
|
|
|
</body>
|
|
|
|
|
</html>
|