Ports required for Various Services/Applications |
In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate.
NTP (Network Time Protocol)
UDP Port 123
rdate
TCP Port 37
UseNet (NNTP)
TCP Port 119
DNS
UDP Port 53. If you are configuring a DNS client, you will probably want to open TCP Port 53 as well.
If you are configuring a server, only open TCP Port 53 if you will return long replies to queries or if you need to enable ZONE transfers. In the latter case, be sure that your server is properly configured.
ICQ
UDP Port 4000. You will also need to open a range of TCP ports which you can specify to your ICQ client. By default, clients use 4000-4100.
PPTP
Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more information here).
IPSEC
Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. These should be opened in both directions (Lots more information here and here).
SMTP
TCP Port 25.
RealPlayer
UDP Port 6790 inbound
POP3
TCP Port 110.
TELNET
TCP Port 23.
SSH
TCP Port 22.
Auth (identd)
TCP Port 113
Web Access
TCP Ports 80 and 443.
FTP
Server configuration is covered on in the /etc/shorewall/rules documentation,
For a client, you must open outbound TCP port 21 and be sure that your kernel is compiled to support FTP connection tracking. If you build this support as a module, Shorewall will automatically load the module from /var/lib/<kernel version>/kernel/net/ipv4/netfilter.
If you run an FTP server on a nonstandard port or you need to access such a server, then you must specify that port in /etc/shorewall/modules. For example, if you run an FTP server that listens on port 49 then you would have:
loadmodule ip_conntrack_ftp ports=21,49
loadmodule ip_nat_ftp ports=21,49
Note that you MUST include port 21 in the ports list or you may have problems accessing regular FTP servers.
If there is a possibility that these modules might be loaded before Shorewall starts, then you should include the port list in /etc/modules.conf:
options ip_conntrack_ftp ports=21,49
options ip_nat_ftp ports=21,49
IMPORTANT: Once you have made these changes to /etc/shorewall/modules and/or /etc/modules.conf, you must either:
- Unload the modules and restart shorewall: (rmmod ip_nat_ftp; rmmod ip_conntrack_ftp; shorewall restart); or
- Reboot
SMB/NMB (Samba/Windows Browsing/File Sharing)
TCP Ports 137, 139 and 445.
UDP Ports 137-139.
Also, see this page.
Traceroute
UDP ports 33434 through 33434+<max number of hops>-1
NFS
I personally use the following rules for opening access from zone z1 to a server with IP address a.b.c.d in zone z2:
ACCEPT z1 z2:a.b.c.d udp 111
ACCEPT z1 z2:a.b.c.d tcp 111
ACCEPT z1 z2:a.b.c.d udp 2049
ACCEPT z1 z2:a.b.c.d udp 32700:
Note that my rules only cover NFS using UDP (the normal case). There is lots of additional information at http://nfs.sourceforge.net/nfs-howto/security.html
VNC
TCP port 5900 + <display number>
Didn't find what you are looking for -- have you looked in your own /etc/services file?
Still looking? Try http://www.networkice.com/advice/Exploits/Ports
Last updated 5/5/2003 - Tom Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.