Add rules to ports.xml

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1052 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-03 23:03:36 +00:00
parent ea95a311c8
commit 21694406bf


@ -2,8 +2,6 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article> <article>
<!--$Id$-->
<articleinfo> <articleinfo>
<title>Ports Required for Various Services/Applications</title> <title>Ports Required for Various Services/Applications</title>
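Review bot: the `<!--$Id$-->` keyword comment is removed on the left side of this hunk with nothing taking its place in the header; since this file lives in Subversion (see the git-svn-id trailer), that line was the only place the repository stamped the revision automatically. If the intent is to track revisions by hand in the new Revision History appendix, the commit message should say so; otherwise keep the `$Id$` comment.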
@ -15,11 +13,13 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2002-07-30</pubdate> <pubdate>2004-01-03</pubdate>
<copyright> <copyright>
<year>2001-2002</year> <year>2001-2002</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -40,37 +40,50 @@
</abstract> </abstract>
</articleinfo> </articleinfo>
<note>
<para>In the rules that are shown in this document, the ACTION is shown as
ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
or you may want DROP or REJECT if you are trying to block the application.</para>
</note>
<section> <section>
<title>NTP (Network Time Protocol)</title> <title>NTP (Network Time Protocol)</title>
<para>UDP Port 123</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 123</programlisting>
</section> </section>
<section> <section>
<title>rdate</title> <title>rdate</title>
<para>TCP Port 37</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 37</programlisting>
</section> </section>
<section> <section>
<title>Usenet (NNTP)</title> <title>Usenet (NNTP)</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 119</programlisting>
<para>TCP Port 119</para> <para>TCP Port 119</para>
</section> </section>
<section> <section>
<title>DNS</title> <title>DNS</title>
<para>UDP Port 53. If you are configuring a DNS client, you will probably <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
want to open TCP Port 53 as well. If you are configuring a server, only ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 53
open TCP Port 53 if you will return long replies to queries or if you need ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 53</programlisting>
to enable ZONE transfers. In the latter case, be sure that your server is
properly configured.</para>
</section> </section>
<section> <section>
<title>ICQ</title> <title>ICQ</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 4000
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 53</programlisting>
<para>UDP Port 4000. You will also need to open a range of TCP ports which <para>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</para> you can specify to your ICQ client. By default, clients use 4000-4100.</para>
</section> </section>
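Review bot: the ICQ listing has a wrong rule: its second line is `ACCEPT <source> <destination> tcp 53`, but the paragraph directly under it says ICQ clients use a TCP port range that defaults to 4000-4100, so the line looks pasted from the DNS section above. It should be `tcp 4000:4100` (Shorewall's range syntax, as used for `udp 137:139` later in this file) with a comment that the range is client-configurable. Smaller point in the same hunk: the DNS section drops the paragraph explaining that a client needs TCP 53 while a server should open it only for long replies or zone transfers, so the new listing opens `tcp 53` unconditionally with no guidance; keep at least a one-line comment on that rule.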
@ -78,73 +91,100 @@
<section> <section>
<title>PPTP</title> <title>PPTP</title>
<para>Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more information <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<ulink url="PPTP.htm">here</ulink> and <ulink url="VPN.htm">here</ulink>).</para> ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> 47
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 1723</programlisting>
<para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para>
</section> </section>
<section> <section>
<title>IPSEC</title> <title>IPSEC</title>
<para>Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. These <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
should be opened in both directions (Lots more information <ulink ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> 50
url="IPSEC.htm">here</ulink> and <ulink url="VPN.htm">here</ulink>)</para> ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> 51
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> udp 500
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> 50
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> 51
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> udp 500</programlisting>
<para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para>
</section> </section>
<section> <section>
<title>SMTP (email)</title> <title>SMTP</title>
<para>TCP Port 25.</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 25</programlisting>
</section> </section>
<section> <section>
<title>Pop3</title> <title>Pop3</title>
<para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para> <para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 110 #Unsecure Pop3
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 995 #Secure Pop3</programlisting>
</section> </section>
<section> <section>
<title>IMAP</title> <title>IMAP</title>
<para>TCP Port 143 (Secure IMAP is TCP Port 993)</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 143 #Unsecure IMAP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 993 #Secure IMAP</programlisting>
</section> </section>
<section> <section>
<title>Telnet</title> <title>Telnet</title>
<para>TCP Port 23.</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 23</programlisting>
</section> </section>
<section> <section>
<title>SSH</title> <title>SSH</title>
<para>TCP Port 22.</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 22</programlisting>
</section> </section>
<section> <section>
<title>Auth (identd)</title> <title>Auth (identd)</title>
<para>TCP Port 113</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 113</programlisting>
</section> </section>
<section> <section>
<title>Web Access</title> <title>Web Access</title>
<para>TCP Ports 80 and 443.</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 80 #Insecure HTTP
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 443 #Secure HTTP</programlisting>
</section> </section>
<section> <section>
<title>FTP</title> <title>FTP</title>
<para>TCP port 21 plus look <ulink url="FTP.html">here</ulink> for much <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
more information.</para> ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 21</programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more information.</para>
</section> </section>
<section> <section>
<title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title> <title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title>
<para>TCP Ports 137, 139 and 445.</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> tcp 137,139,445
<para>UDP Ports 137-139.</para> ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis> &#60;destination&#62;</emphasis> udp 137:139
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> tcp 137,139,445
ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> udp 137:139</programlisting>
<para>Also, see <ulink url="samba.htm">this page</ulink>.</para> <para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
</section> </section>
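Review bot: the IPSEC and SMB listings carry a stray space inside the emphasis element (`<emphasis> &#60;destination&#62;</emphasis>`), which renders as a leading space in the placeholder and throws off the column alignment; the PPTP, SMTP and other sections in this hunk use `<emphasis>&#60;destination&#62;</emphasis>` without it. Also, `#Unsecure Pop3` and `#Unsecure IMAP` should read `#Insecure`, matching `#Insecure HTTP` in the Web Access section of this hunk.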
@ -152,9 +192,12 @@
<section> <section>
<title>Traceroute</title> <title>Traceroute</title>
<para>UDP ports 33434 through 33434+&#60;max number of hops&#62;-1</para> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 33434:33443 #Good for 10 hops
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> icmp 8</programlisting>
<para>ICMP type 8 (<quote>ping</quote>)</para> <para>UDP traceroute uses ports 33434 through 33434+&#60;max number of
hops&#62;-1</para>
</section> </section>
<section> <section>
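Review bot: the removed paragraph `ICMP type 8 ("ping")` is not carried into the new listing, so the line `ACCEPT <source> <destination> icmp 8` gives no hint that 8 is an ICMP type (echo request) rather than a port; add a trailing comment such as `#ping`, in the style of the `#Good for 10 hops` comment on the UDP line. The range `33434:33443` does agree with the formula 33434 through 33434+hops-1 for 10 hops.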
@ -163,99 +206,22 @@
<para>I personally use the following rules for opening access from zone z1 <para>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:</para> to a server with IP address a.b.c.d in zone z2:</para>
<informaltable> <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
<tgroup cols="7"> ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111
<thead> ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp 111
<row> ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp 2049
<entry align="center">ACTION</entry> ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp 32700:</programlisting>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2:a.b.c.d</entry>
<entry>udp</entry>
<entry>111</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2:a.b.c.d</entry>
<entry>tcp</entry>
<entry>111</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2:a.b.c.d</entry>
<entry>udp</entry>
<entry>2049</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2:a.b.c.d</entry>
<entry>udp</entry>
<entry>32700:</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</section> </section>
<section> <section>
<title>VNC</title> <title>VNC</title>
<para>TCP port 5900 + &#60;display number&#62;.</para> <para>TCP port 5900 + &#60;display number&#62;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5901 #Display Number 1
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5902 #Display Number 2
...</programlisting>
</section> </section>
<section> <section>
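Review bot: the NFS listing reproduces the four table rows (tcp and udp 111, udp 2049, udp 32700:), but `<emphasis> &#60;z2&#62;</emphasis>` again has a stray leading space that will render as `< z2>:a.b.c.d`; remove it. The `udp 32700:` entry is an open-ended range (32700 and every higher UDP port), exactly as in the table it replaces, so a comment saying which service needs it would help a reader judge whether to keep such a wide rule. In the VNC listing, the bare `...` inside `<programlisting>` reads as a rule line; mark it as a comment (`#...`) so a copy of the block does not yield an invalid rule.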
@ -267,4 +233,12 @@
<para>Still looking? Try <ulink <para>Still looking? Try <ulink
url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para> url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
</section> </section>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
version converted to Docbook XML</revremark></revision></revhistory></para>
</appendix>
</article> </article>