Ports Required for Various Services/Applications
Tom Eastep
2004-01-26
Copyright 2001-2002, 2004 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation License.
In addition to those applications described in the
/etc/shorewall/rules documentation, here are some other
services/applications that you may need to configure your firewall to
accommodate.
In the rules that are shown in this document, the ACTION is shown as
ACCEPT. You may need to use DNAT (see FAQ 30)
or you may want DROP or REJECT if you are trying to block the application.
Example: You want to port forward FTP from the net to your server at
192.168.1.4 in your DMZ. The FTP section below gives you:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 21
You would code your rule as follows:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNAT net dmz:192.168.1.4 tcp 21
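As an added example (not part of this document or of Shorewall), here is a small Python parser for the five-column rules layout used on this page. It expands the port lists and ranges that appear below ("137,139,445", "137:139", the open-ended "32700:"), rewrites an ACCEPT template into a DNAT rule the way the FTP example above does by hand, and flags cleartext services (FTP, Telnet, POP3, IMAP, HTTP) that ACCEPT or DNAT rules admit from the net zone. The helper names and the sample rules file are assumptions made for this example.

```python
"""Parser and audit for the 5-column rules layout used on this page.

Added example, not Shorewall code: the helper names (parse_rule, expand_ports,
to_dnat, cleartext_exposure) are hypothetical and SAMPLE_RULES is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cleartext services for which this page lists an encrypted alternative.
CLEARTEXT_PORTS = {
    ("tcp", 21): "FTP",
    ("tcp", 23): "Telnet",
    ("tcp", 80): "HTTP (prefer 443)",
    ("tcp", 110): "POP3 (prefer 995)",
    ("tcp", 143): "IMAP (prefer 993)",
}


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str            # "tcp", "udp", "icmp" or a protocol number such as "50"
    ports: Optional[str]  # raw DEST PORT(S) column; None for port-less protocols
    comment: str = ""


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rules line. Returns None for blank lines and full-line comments."""
    code, _, comment = line.partition("#")
    fields = code.split()
    if not fields:
        return None
    if len(fields) < 4:
        raise ValueError(f"too few columns: {line!r}")
    action, source, dest, proto = fields[:4]
    ports = fields[4] if len(fields) > 4 else None
    if proto.lower() in ("tcp", "udp") and ports is None:
        # A tcp/udp rule with no port column would open every port: refuse it.
        raise ValueError(f"{proto} rule without DEST PORT(S): {line!r}")
    return Rule(action.upper(), source, dest, proto.lower(), ports, comment.strip())


def load_rules(text: str) -> List[Rule]:
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r is not None]


def expand_ports(spec: Optional[str], max_port: int = 65535) -> List[int]:
    """Expand a DEST PORT(S) column such as '137,139,445', '137:139' or the
    open-ended '32700:' into a sorted list of individual ports."""
    if spec is None:
        return []
    ports = set()
    for item in spec.split(","):
        if ":" in item:
            lo, _, hi = item.partition(":")
            lo_n = int(lo) if lo else 1
            hi_n = int(hi) if hi else max_port
            if not 1 <= lo_n <= hi_n <= max_port:
                raise ValueError(f"bad port range {item!r}")
            ports.update(range(lo_n, hi_n + 1))
        else:
            n = int(item)
            if not 1 <= n <= max_port:
                raise ValueError(f"bad port {item!r}")
            ports.add(n)
    return sorted(ports)


def to_dnat(template: Rule, source_zone: str, dest_zone: str, server_ip: str) -> str:
    """Turn an ACCEPT template from this page into a port-forwarding DNAT rule,
    as the FTP example in the introduction does by hand."""
    cols = ["DNAT", source_zone, f"{dest_zone}:{server_ip}", template.proto]
    if template.ports is not None:
        cols.append(template.ports)
    return " ".join(cols)


def cleartext_exposure(rules: List[Rule], from_zone: str = "net") -> List[Tuple[str, str, int, str]]:
    """List (destination, proto, port, service) for cleartext services that
    ACCEPT or DNAT rules admit from the given zone (by default, the Internet)."""
    hits = []
    for r in rules:
        zone = r.source.partition(":")[0]
        if r.action not in ("ACCEPT", "DNAT") or zone != from_zone:
            continue
        for port in expand_ports(r.ports):
            service = CLEARTEXT_PORTS.get((r.proto, port))
            if service:
                hits.append((r.dest, r.proto, port, service))
    return hits


# Constructed sample rules file for the demonstration.
SAMPLE_RULES = """\
#ACTION SOURCE DESTINATION     PROTO DEST PORT(S)
ACCEPT  net    fw              tcp   22
DNAT    net    dmz:192.168.1.4 tcp   21
ACCEPT  loc    net             tcp   137,139,445
ACCEPT  loc    net             udp   137:139
ACCEPT  net    dmz             tcp   80,443           #Web
ACCEPT  loc    dmz:a.b.c.d     udp   32700:           #NFS
ACCEPT  net    fw              50                     #ESP
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print(to_dnat(parse_rule("ACCEPT <source> <destination> tcp 21"), "net", "dmz", "192.168.1.4"))
    for dest, proto, port, service in cleartext_exposure(rules):
        print(f"cleartext {service} ({proto}/{port}) reachable from net at {dest}")
```

The port expansion is what makes the audit honest: a rule such as "udp 32700:" quietly opens every port from 32700 upward, and a comma list hides individual services, so the check works on the expanded set rather than on the raw column text.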
Auth (identd)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 113
DNS
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 53
ACCEPT <source> <destination> tcp 53
FTP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 21
Port 21 is only the control connection. FTP data transfers use a second
connection whose port is negotiated inside the control session, so the
firewall's FTP connection tracking helper must be loaded for transfers to
work. See the Shorewall FTP documentation for much more information.
ICQ
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 4000
ACCEPT <source> <destination> tcp 4000:4100
UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.
IMAP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 143 #Insecure (cleartext) IMAP
ACCEPT <source> <destination> tcp 993 #Secure IMAP (IMAP over SSL/TLS)
IPSEC
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> 50 #ESP
ACCEPT <source> <destination> 51 #AH
ACCEPT <source> <destination> udp 500 #IKE
ACCEPT <destination> <source> 50 #ESP
ACCEPT <destination> <source> 51 #AH
ACCEPT <destination> <source> udp 500 #IKE
Protocols 50 (ESP) and 51 (AH) carry no port numbers, so the DEST PORT(S)
column is left empty for them. If either endpoint sits behind NAT, IKE and
ESP are encapsulated in UDP port 4500 (NAT Traversal), and that port must
be opened in both directions as well. See the Shorewall IPSEC documentation
for much more information.
NFS
I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2. I have found though that
different distributions behave differently so your mileage may vary.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <z1> <z2>:a.b.c.d tcp 111 #portmapper
ACCEPT <z1> <z2>:a.b.c.d udp 111 #portmapper
ACCEPT <z1> <z2>:a.b.c.d udp 2049 #nfsd
ACCEPT <z1> <z2>:a.b.c.d udp 32700: #dynamically assigned mountd/lockd/statd ports
Port 111 is the portmapper and UDP 2049 is nfsd; mountd, lockd and statd
are given ports dynamically through the portmapper, which is what the
open-ended 32700: range is there to cover. Run rpcinfo -p a.b.c.d on the
server to see which ports they were actually assigned, and narrow the
range accordingly.
NTP (Network Time Protocol)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 123
Pop3
TCP Port 110 (Secure Pop3 is TCP Port 995)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 110 #Insecure (cleartext) Pop3
ACCEPT <source> <destination> tcp 995 #Secure Pop3 (POP3 over SSL/TLS)
PPTP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> 47 #GRE
ACCEPT <source> <destination> tcp 1723
Protocol 47 is GRE, which carries the tunnelled data; TCP port 1723 carries
the PPTP control connection. Both are needed. See the Shorewall PPTP
documentation for much more information.
rdate
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 37
SSH
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 22
SMB/NMB (Samba/Windows Browsing/File Sharing)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 137,139,445
ACCEPT <source> <destination> udp 137:139
ACCEPT <destination> <source> tcp 137,139,445
ACCEPT <destination> <source> udp 137:139
Ports 137-139 carry NetBIOS name service, datagram service and session
service; TCP 445 is SMB directly over TCP. Browsing needs the rules in both
directions. See also the Shorewall documentation on Samba.
SMTP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 25
Telnet
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 23
Traceroute
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 33434:33463 #30 ports: 10 hops at 3 probes per hop
ACCEPT <source> <destination> icmp 8 #ICMP echo traceroute (e.g. Windows tracert)
UDP traceroute sends its probes to destination ports starting at 33434.
The traditional implementation increments the port for every probe it
sends, not for every hop, so with the default of three probes per hop
<max number of hops> hops use ports 33434 through
33434+3*<max number of hops>-1. A 10-port range such as 33434:33443 is
enough for 10 hops only when the client sends one probe per hop (for
example traceroute -q 1).
Usenet (NNTP)
TCP Port 119
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 119
VNC
TCP port 5900 + <display number>.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 5901 #Display Number 1
ACCEPT <source> <destination> tcp 5902 #Display Number 2
...
Web Access
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 80 #Insecure HTTP
ACCEPT <source> <destination> tcp 443 #Secure HTTP
Other Sources of Port Information
Didn't find what you are looking for -- have you looked in your
own /etc/services file?
Still looking? Try http://www.networkice.com/advice/Exploits/Ports
Revision History
1.4 2004-01-26 TE Correct ICQ.
1.3 2004-01-04 TE Alphabetize.
1.2 2004-01-03 TE Add rules file entries.
1.1 2002-07-30 TE Initial version converted to Docbook XML.