<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>Ports Required for Various Services/Applications</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-02-05</pubdate>

    <copyright>
      <year>2001-2002</year>

      <year>2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
      A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>

    <abstract>
      <para>In addition to the applications described in the
      /etc/shorewall/rules documentation, here are some other
      services/applications that you may need to configure your firewall to
      accommodate.</para>
    </abstract>
  </articleinfo>

  <note>
    <para>In the rules shown in this document, the ACTION is shown as ACCEPT.
    You may need to use DNAT instead (see <ulink url="FAQ.htm#faq30">FAQ
    30</ulink>), or you may want DROP or REJECT if you are trying to block the
    application.</para>

    <para>Example: you want to port forward FTP from the net to your server at
    192.168.1.4 in your DMZ. The FTP section below gives you:</para>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   21</programlisting>

    <para>You would code your rule as follows:</para>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
DNAT    net           dmz:192.168.1.4 tcp   21</programlisting>
  </note>

  <section>
    <title>Auth (identd)</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   113</programlisting>
  </section>

  <section>
    <title>DNS</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   udp   53
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   53</programlisting>
  </section>

  <section>
    <title>FTP</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   21</programlisting>

    <para>Look <ulink url="FTP.html">here</ulink> for much more
    information.</para>
  </section>

  <section>
    <title>ICQ</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   udp   4000
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   4000:4100</programlisting>

    <para>UDP Port 4000. You will also need to open a range of TCP ports,
    which you can specify to your ICQ client. By default, clients use
    4000-4100.</para>
  </section>

  <section>
    <title>IMAP</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   143   #Unsecure IMAP
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   993   #Secure IMAP</programlisting>
  </section>

  <section>
    <title>IPSEC</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   50
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   51
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   udp   500
ACCEPT  <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis>        50
ACCEPT  <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis>        51
ACCEPT  <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis>        udp   500</programlisting>

    <para>Lots more information <ulink url="IPSEC.htm">here</ulink> and
    <ulink url="VPN.htm">here</ulink>.</para>
  </section>

  <section>
    <title>NFS</title>

    <para>I personally use the following rules for opening access from zone
    z1 to a server with IP address a.b.c.d in zone z2. I have found, though,
    that different distributions behave differently, so your mileage may
    vary.</para>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;z1&gt;</emphasis>          <emphasis>&lt;z2&gt;</emphasis>:a.b.c.d    tcp   111
ACCEPT  <emphasis>&lt;z1&gt;</emphasis>          <emphasis>&lt;z2&gt;</emphasis>:a.b.c.d    udp   111
ACCEPT  <emphasis>&lt;z1&gt;</emphasis>          <emphasis>&lt;z2&gt;</emphasis>:a.b.c.d    udp   2049
ACCEPT  <emphasis>&lt;z1&gt;</emphasis>          <emphasis>&lt;z2&gt;</emphasis>:a.b.c.d    udp   32700:</programlisting>
  </section>

  <section>
    <title>NTP (Network Time Protocol)</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   udp   123</programlisting>
  </section>

  <section>
    <title>Pop3</title>

    <para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   110   #Unsecure Pop3
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   995   #Secure Pop3</programlisting>
  </section>

  <section>
    <title>PPTP</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   47
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   1723</programlisting>

    <para>Lots more information <ulink url="PPTP.htm">here</ulink> and
    <ulink url="VPN.htm">here</ulink>.</para>
  </section>

  <section>
    <title>rdate</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   37</programlisting>
  </section>

  <section>
    <title>SSH</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   22</programlisting>
  </section>

  <section>
    <title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   137,139,445
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   udp   137:139
ACCEPT  <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis>        tcp   137,139,445
ACCEPT  <emphasis>&lt;destination&gt;</emphasis> <emphasis>&lt;source&gt;</emphasis>        udp   137:139</programlisting>

    <para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
  </section>

  <section>
    <title>SMTP</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   25</programlisting>
  </section>

  <section>
    <title>Telnet</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   23</programlisting>
  </section>

  <section>
    <title>Traceroute</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   udp   33434:33443   #Good for 10 hops
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   icmp  8</programlisting>

    <para>UDP traceroute uses ports 33434 through 33434+&lt;max number of
    hops&gt;-1.</para>
  </section>

  <section>
    <title>Usenet (NNTP)</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   119</programlisting>

    <para>TCP Port 119</para>
  </section>

  <section>
    <title>VNC</title>

    <para>Vncviewer -&gt; Vncserver is TCP port 5900 + &lt;display
    number&gt;.</para>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   5901   #Display Number 1
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   5902   #Display Number 2
...</programlisting>

    <para>Vncserver to Vncviewer in listen mode is TCP port 5500.</para>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   5500</programlisting>
  </section>

  <section>
    <title>Web Access</title>

    <programlisting>#ACTION SOURCE        DESTINATION     PROTO DEST PORT(S)
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   80    #Insecure HTTP
ACCEPT  <emphasis>&lt;source&gt;</emphasis>      <emphasis>&lt;destination&gt;</emphasis>   tcp   443   #Secure HTTP</programlisting>
  </section>

  <section>
    <title>Other Sources of Port Information</title>

    <para>Didn't find what you were looking for? Have you looked in your own
    /etc/services file?</para>

    <para>Still looking? Try <ulink
    url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
  </section>

  <appendix>
    <title>Revision History</title>

    <para><revhistory>
        <revision>
          <revnumber>1.5</revnumber>

          <date>2004-02-05</date>

          <authorinitials>TE</authorinitials>

          <revremark>Added information about VNC viewers in listen
          mode.</revremark>
        </revision>

        <revision>
          <revnumber>1.4</revnumber>

          <date>2004-01-26</date>

          <authorinitials>TE</authorinitials>

          <revremark>Correct ICQ.</revremark>
        </revision>

        <revision>
          <revnumber>1.3</revnumber>

          <date>2004-01-04</date>

          <authorinitials>TE</authorinitials>

          <revremark>Alphabetize</revremark>
        </revision>

        <revision>
          <revnumber>1.2</revnumber>

          <date>2004-01-03</date>

          <authorinitials>TE</authorinitials>

          <revremark>Add rules file entries.</revremark>
        </revision>

        <revision>
          <revnumber>1.1</revnumber>

          <date>2002-07-30</date>

          <authorinitials>TE</authorinitials>

          <revremark>Initial version converted to Docbook XML</revremark>
        </revision>
      </revhistory></para>
  </appendix>
</article>