Copyright © 2001-2002, 2004 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2004-02-12
Abstract
In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate.
Beginning with Shorewall 2.0.0, the Shorewall distribution contains a library of user-defined actions that make it easy to allow or block a particular application. Check your /etc/shorewall/actions.std file for a list of the actions in your distribution. If you find what you need, you simply use the action in a rule. For example, to allow DNS queries from the dmz zone to the net zone:

    #ACTION    SOURCE    DESTINATION
    AllowDNS   dmz       net
In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application.
Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you:

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     21

You would code your rule as follows:

    #ACTION   SOURCE     DESTINATION         PROTO   DEST PORT(S)
    DNAT      net        dmz:192.168.1.4     tcp     21
DNS

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   udp     53
    ACCEPT    <source>   <destination>   tcp     53
FTP

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     21

Look here for much more information.
ICQ

UDP Port 4000. You will also need to open a range of TCP ports which you can specify to your ICQ client. By default, clients use 4000-4100.

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   udp     4000
    ACCEPT    <source>   <destination>   tcp     4000:4100
IMAP

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     143            #Insecure IMAP
    ACCEPT    <source>   <destination>   tcp     993            #Secure IMAP
IPSEC

    #ACTION   SOURCE          DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>        <destination>   50                     #ESP
    ACCEPT    <source>        <destination>   51                     #AH
    ACCEPT    <source>        <destination>   udp     500            #IKE
    ACCEPT    <destination>   <source>        50                     #ESP
    ACCEPT    <destination>   <source>        51                     #AH
    ACCEPT    <destination>   <source>        udp     500            #IKE
NFS

I personally use the following rules for opening access from zone z1 to a server with IP address a.b.c.d in zone z2. I have found though that different distributions behave differently so your mileage may vary.

    #ACTION   SOURCE   DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <z1>     <z2>:a.b.c.d    tcp     111
    ACCEPT    <z1>     <z2>:a.b.c.d    udp     111
    ACCEPT    <z1>     <z2>:a.b.c.d    udp     2049
    ACCEPT    <z1>     <z2>:a.b.c.d    udp     32700:
NTP

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   udp     123
PCAnywhere

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   udp     5632
    ACCEPT    <source>   <destination>   tcp     5631
POP3

TCP Port 110 (Secure POP3 is TCP Port 995)

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     110            #Insecure POP3
    ACCEPT    <source>   <destination>   tcp     995            #Secure POP3
PPTP

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   47                     #GRE
    ACCEPT    <source>   <destination>   tcp     1723
SMB/NMB (Windows networking)

    #ACTION   SOURCE          DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>        <destination>   tcp     137,139,445
    ACCEPT    <source>        <destination>   udp     137:139
    ACCEPT    <destination>   <source>        tcp     137,139,445
    ACCEPT    <destination>   <source>        udp     137:139

Also, see this page.
Traceroute

UDP traceroute uses ports 33434 through 33434+<max number of hops>-1.

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   udp     33434:33443    #Good for 10 hops
    ACCEPT    <source>   <destination>   icmp    8
Usenet (NNTP)

TCP Port 119

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     119
VNC

Vncviewer to Vncserver -- TCP port 5900 + <display number>.

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     5901           #Display Number 1
    ACCEPT    <source>   <destination>   tcp     5902           #Display Number 2
    ...

Vncserver to Vncviewer in listen mode -- TCP port 5500.

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     5500
Web Access

    #ACTION   SOURCE     DESTINATION     PROTO   DEST PORT(S)
    ACCEPT    <source>   <destination>   tcp     80             #Insecure HTTP
    ACCEPT    <source>   <destination>   tcp     443            #Secure HTTP
Didn't find what you are looking for -- have you looked in your own /etc/services file?
Still looking? Try http://www.networkice.com/advice/Exploits/Ports
Revision History

| Revision | Date | Author | Change |
|---|---|---|---|
| 1.6 | 2004-01-26 | TE | Add PCAnywhere. |
| 1.5 | 2004-02-05 | TE | Added information about VNC viewers in listen mode. |
| 1.4 | 2004-01-26 | TE | Correct ICQ. |
| 1.3 | 2004-01-04 | TE | Alphabetize. |
| 1.2 | 2004-01-03 | TE | Add rules file entries. |
| 1.1 | 2002-07-30 | TE | Initial version converted to DocBook XML. |