<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>Ports Required for Various Services/Applications</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-02-05</pubdate>

    <copyright>
      <year>2001-2002</year>

      <year>2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>

    <abstract>
      <para>In addition to those applications described in the
      /etc/shorewall/rules documentation, here are some other
      services/applications that you may need to configure your firewall to
      accommodate.</para>
    </abstract>
  </articleinfo>

  <note>
    <para>In the rules that are shown in this document, the ACTION is shown as
    ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>)
    or you may want DROP or REJECT if you are trying to block the application.</para>

    <para>Example: You want to port forward FTP from the net to your server at
    192.168.1.4 in your DMZ. The FTP section below gives you:</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        21</programlisting>

    <para>You would code your rule as follows:</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
DNAT       net       dmz:192.168.1.4  tcp        21</programlisting>
  </note>
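  <para>The note above shows how a template rule from this page is adapted to a real rules file (ACTION changed from ACCEPT to DNAT, DESTINATION changed from a zone to zone:host). The following Python is added here as an example; it is not Shorewall code and not part of the original document. It parses rules lines written in the column layout used throughout this page (ACTION, SOURCE, DESTINATION, PROTO, DEST PORT(S), optional trailing comment), including the port syntaxes that appear here (a single port, a 4000:4100 range, an open-ended 32700: range, a 137,139,445 list, and a bare protocol number such as 50 with no port column), and answers which rule a given connection would match first. The zone names loc and fw in the sample rules are assumed; only net and dmz appear above.</para>

```python
"""Parse Shorewall /etc/shorewall/rules lines of the form shown on this page
and report which rule would be the first to match a given connection.
Added example, not Shorewall's own code: it handles only the column syntax
visible on this page (ACTION SOURCE DESTINATION PROTO DEST PORT(S))."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Protocol names used in the PROTO column on this page, with their IP
# protocol numbers; the page also writes some protocols numerically
# (50 = ESP, 51 = AH, 47 = GRE), and those are accepted as-is.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Rule:
    action: str
    source: str               # source zone, e.g. "net"
    dest: str                 # destination zone, e.g. "dmz"
    dest_addr: Optional[str]  # host after "zone:", e.g. "192.168.1.4", or None
    proto: int                # IP protocol number
    ports: List[Tuple[int, int]] = field(default_factory=list)  # [] = any port
    comment: str = ""


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """DEST PORT(S): '21', '4000:4100', '32700:' (open-ended), '137,139,445'.
    For icmp the same column carries the ICMP type (e.g. '8')."""
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            lo_s, hi_s = item.split(":", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(item)
        if not (lo >= 0 and hi >= lo and 65535 >= hi):
            raise ValueError(f"invalid port range {item!r}")
        ranges.append((lo, hi))
    return ranges


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rules-file line; returns None for blank or comment-only lines."""
    text, _, comment = line.partition("#")
    fields = text.split()
    if not fields:
        return None
    action, source, dest, proto = fields[:4]
    zone, _, addr = dest.partition(":")
    proto_num = int(proto) if proto.isdigit() else PROTO_NUMBERS[proto.lower()]
    ports = parse_ports(fields[4]) if len(fields) > 4 else []
    return Rule(action, source, zone, addr or None, proto_num, ports, comment.strip())


def parse_rules(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def first_match(rules, source, dest, proto, port=None, dest_addr=None):
    """Return the first rule covering (source zone, dest zone[/host], proto, port),
    mirroring top-to-bottom evaluation of the rules file; None if no rule does."""
    for r in rules:
        if r.source != source or r.dest != dest or r.proto != proto:
            continue
        if r.dest_addr is not None and r.dest_addr != dest_addr:
            continue
        if r.ports:
            if port is None or not any(port >= lo and hi >= port for lo, hi in r.ports):
                continue
        return r
    return None


# Constructed sample rules file built from entries on this page; the zone
# names loc and fw are assumed (only net and dmz appear in the note above).
SAMPLE_RULES = """
#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
DNAT       net       dmz:192.168.1.4  tcp        21               #FTP, from the note
ACCEPT     loc       net              udp        53               #DNS
ACCEPT     loc       net              tcp        4000:4100        #ICQ
ACCEPT     loc       net              udp        33434:33443      #traceroute, 10 hops
ACCEPT     loc       net              50                          #IPSEC ESP
ACCEPT     loc       fw               tcp        137,139,445      #SMB
ACCEPT     loc       fw               udp        32700:           #NFS
"""

RULES = parse_rules(SAMPLE_RULES)

if __name__ == "__main__":
    for pkt in [("net", "dmz", 6, 21, "192.168.1.4"),
                ("loc", "net", 17, 33444, None),
                ("loc", "net", 50, None, None)]:
        hit = first_match(RULES, pkt[0], pkt[1], pkt[2], pkt[3], pkt[4])
        print(pkt, "->", hit.action if hit else "no rule (falls through to the policy)")
```

  <para>Two details are worth checking against your own rules file with this kind of tool: a DNAT rule written for dmz:192.168.1.4 does not match traffic to any other host in the dmz zone, and a rule with a bare protocol number (50, 51, 47) and no DEST PORT(S) column matches every packet of that protocol between the two zones, which is the intended behaviour for ESP, AH and GRE but would be far too broad if written by mistake for tcp or udp.</para>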

  <section>
    <title>Auth (identd)</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        113</programlisting>
  </section>

  <section>
    <title>DNS</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        53
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        53</programlisting>
  </section>

  <section>
    <title>FTP</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        21</programlisting>

    <para>Look <ulink url="FTP.html">here</ulink> for much more information.</para>
  </section>

  <section>
    <title>ICQ</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        4000
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        4000:4100</programlisting>

    <para>ICQ uses UDP port 4000. You will also need to open a range of TCP
    ports, which you can specify in your ICQ client; by default, clients use
    4000-4100.</para>
  </section>

  <section>
    <title>IMAP</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        143           #Insecure IMAP
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        993           #Secure IMAP (IMAPS)</programlisting>
  </section>

  <section>
    <title>IPSEC</title>

    <programlisting>#ACTION    SOURCE         DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>       <emphasis>&#60;destination&#62;</emphasis>    50                       #ESP
ACCEPT     <emphasis>&#60;source&#62;</emphasis>       <emphasis>&#60;destination&#62;</emphasis>    51                       #AH
ACCEPT     <emphasis>&#60;source&#62;</emphasis>       <emphasis>&#60;destination&#62;</emphasis>    udp        500           #IKE
ACCEPT     <emphasis>&#60;destination&#62;</emphasis>  <emphasis>&#60;source&#62;</emphasis>         50                       #ESP
ACCEPT     <emphasis>&#60;destination&#62;</emphasis>  <emphasis>&#60;source&#62;</emphasis>         51                       #AH
ACCEPT     <emphasis>&#60;destination&#62;</emphasis>  <emphasis>&#60;source&#62;</emphasis>         udp        500           #IKE</programlisting>

    <para>Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
    url="VPN.htm">here</ulink>.</para>
  </section>

  <section>
    <title>NFS</title>

    <para>I personally use the following rules for opening access from zone z1
    to a server with IP address a.b.c.d in zone z2. I have found though that
    different distributions behave differently, so your mileage may vary.</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;z1&#62;</emphasis>      <emphasis>&#60;z2&#62;</emphasis>:a.b.c.d     tcp        111           #portmapper
ACCEPT     <emphasis>&#60;z1&#62;</emphasis>      <emphasis>&#60;z2&#62;</emphasis>:a.b.c.d     udp        111           #portmapper
ACCEPT     <emphasis>&#60;z1&#62;</emphasis>      <emphasis>&#60;z2&#62;</emphasis>:a.b.c.d     udp        2049          #nfsd
ACCEPT     <emphasis>&#60;z1&#62;</emphasis>      <emphasis>&#60;z2&#62;</emphasis>:a.b.c.d     udp        32700:        #other RPC services (distribution dependent)</programlisting>
  </section>

  <section>
    <title>NTP (Network Time Protocol)</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        123</programlisting>
  </section>

  <section>
    <title>Pop3</title>

    <para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        110           #Insecure Pop3
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        995           #Secure Pop3 (POP3S)</programlisting>
  </section>

  <section>
    <title>PPTP</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    47                       #GRE (tunnelled data)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        1723          #PPTP control connection</programlisting>

    <para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink
    url="VPN.htm">here</ulink>.</para>
  </section>

  <section>
    <title>rdate</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        37</programlisting>
  </section>

  <section>
    <title>SSH</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        22</programlisting>
  </section>

  <section>
    <title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title>

    <programlisting>#ACTION    SOURCE         DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>       <emphasis>&#60;destination&#62;</emphasis>    tcp        137,139,445
ACCEPT     <emphasis>&#60;source&#62;</emphasis>       <emphasis>&#60;destination&#62;</emphasis>    udp        137:139
ACCEPT     <emphasis>&#60;destination&#62;</emphasis>  <emphasis>&#60;source&#62;</emphasis>         tcp        137,139,445
ACCEPT     <emphasis>&#60;destination&#62;</emphasis>  <emphasis>&#60;source&#62;</emphasis>         udp        137:139</programlisting>

    <para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
  </section>

  <section>
    <title>SMTP</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        25</programlisting>
  </section>

  <section>
    <title>Telnet</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        23</programlisting>
  </section>

  <section>
    <title>Traceroute</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    udp        33434:33443        #Good for 10 hops
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    icmp       8</programlisting>

    <para>UDP traceroute sends one probe per hop, so it uses ports 33434
    through 33434+&#60;max number of hops&#62;-1; the rule above covers 10
    hops.</para>
  </section>

  <section>
    <title>Usenet (NNTP)</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        119</programlisting>

    <para>TCP Port 119</para>
  </section>

  <section>
    <title>VNC</title>

    <para>Vncviewer -&#62; Vncserver is TCP port 5900 + &#60;display
    number&#62;.</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        5901               #Display Number 1
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        5902               #Display Number 2
...</programlisting>

    <para>Vncserver to Vncviewer in listen mode is TCP port 5500.</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        5500</programlisting>
  </section>

  <section>
    <title>Web Access</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        80       #Insecure HTTP
ACCEPT     <emphasis>&#60;source&#62;</emphasis>  <emphasis>&#60;destination&#62;</emphasis>    tcp        443      #Secure HTTP</programlisting>
  </section>

  <section>
    <title>Other Sources of Port Information</title>

    <para>Didn&#39;t find what you are looking for -- have you looked in your
    own /etc/services file?</para>

    <para>Still looking? Try <ulink
    url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
  </section>

  <appendix>
    <title>Revision History</title>

    <para><revhistory>
      <revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
      information about VNC viewers in listen mode.</revremark></revision>
      <revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
      ICQ.</revremark></revision>
      <revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize.</revremark></revision>
      <revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
      rules file entries.</revremark></revision>
      <revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial
      version converted to Docbook XML.</revremark></revision>
    </revhistory></para>
  </appendix>
</article>