Ports Required for Various Services/Applications Tom Eastep 2004-01-26 2001-2002 2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate. In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application. Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 21 You would code your rule as follows: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) DNAT net dmz:192.168.1.4 tcp 21
Auth (identd) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 113
DNS #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 53 ACCEPT <source> <destination> tcp 53
FTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 21 Look here for much more information.
ICQ #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 4000 ACCEPT <source> <destination> tcp 4000:4100 UDP Port 4000. You will also need to open a range of TCP ports which you can specify to your ICQ client. By default, clients use 4000-4100.
IMAP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 143 #Unsecure IMAP ACCEPT <source> <destination> tcp 993 #Secure IMAP
IPSEC #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> 50 ACCEPT <source> <destination> 51 ACCEPT <source> <destination> udp 500 ACCEPT <destination> <source> 50 ACCEPT <destination> <source> 51 ACCEPT <destination> <source> udp 500 Lots more information here and here.
NFS I personally use the following rules for opening access from zone z1 to a server with IP address a.b.c.d in zone z2. I have found though that different distributions behave differently so your milage may vary. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <z1> <z2>:a.b.c.d tcp 111 ACCEPT <z1> <z2>:a.b.c.d udp 111 ACCEPT <z1> <z2>:a.b.c.d udp 2049 ACCEPT <z1> <z2>:a.b.c.d udp 32700:
NTP (Network Time Protocol) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 123
Pop3 TCP Port 110 (Secure Pop3 is TCP Port 995) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 110 #Unsecure Pop3 ACCEPT <source> <destination> tcp 995 #Secure Pop3
PPTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> 47 ACCEPT <source> <destination> tcp 1723 Lots more information here and here.
rdate #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 37
SSH #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 22
SMB/NMB (Samba/Windows Browsing/File Sharing) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 137,139,445 ACCEPT <source> <destination> udp 137:139 ACCEPT <destination> <source> tcp 137,139,445 ACCEPT <destination> <source> udp 137:139 Also, see this page.
SMTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 25
Telnet #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 23
Traceroute #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 33434:33443 #Good for 10 hops ACCEPT <source> <destination> icmp 8 UDP traceroute uses ports 33434 through 33434+<max number of hops>-1
Usenet (NNTP) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 119 TCP Port 119
VNC TCP port 5900 + <display number>. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 5901 #Display Number 1 ACCEPT <source> <destination> tcp 5902 #Display Number 2 ...
Web Access #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 80 #Insecure HTTP ACCEPT <source> <destination> tcp 443 #Secure HTTP
Other Source of Port Information Didn't find what you are looking for -- have you looked in your own /etc/services file? Still looking? Try http://www.networkice.com/advice/Exploits/Ports
Revision History 1.42004-01-26TECorrect ICQ.1.32004-01-04TEAlphabetize1.22004-01-03TEAdd rules file entries.1.12002-07-30TEInitial version converted to Docbook XML