<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<articleinfo>
|
|
<title>Ports Required for Various Services/Applications</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2004-10-01</pubdate>
|
|
|
|
<copyright>
|
|
<year>2001-2002</year>
|
|
|
|
<year>2004</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
|
|
<abstract>
|
|
<para>In addition to those applications described in the
|
|
/etc/shorewall/rules documentation, here are some other
|
|
services/applications that you may need to configure your firewall to
|
|
accommodate.</para>
|
|
</abstract>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>Important Notes</title>
|
|
|
|
<note>
|
|
<para>Beginning with Shorewall 2.0.0, the Shorewall distribution
contains a library of user-defined actions that make it easy to allow
or block a particular application with a single rule. Check your
<filename>/usr/share/shorewall/actions.std</filename> file for the list of
actions in your distribution. If you find what you need, simply use
the action in a rule. For example, to allow DNS queries from the
<emphasis role="bold">dmz</emphasis> zone to the <emphasis
role="bold">net</emphasis> zone:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION
|
|
AllowDNS dmz net</programlisting>
|
|
</note>
|
|
|
|
<note>
|
|
<para>In the rules shown in this document, the ACTION is shown as
ACCEPT. You may need DNAT instead (see <ulink url="FAQ.htm#faq30">FAQ
30</ulink>) if you are port-forwarding to an internal server, or DROP or
REJECT if you are trying to block the application. Whatever the ACTION,
use the narrowest SOURCE and DESTINATION that will work: a rule whose
SOURCE is a bare zone name such as <emphasis role="bold">net</emphasis>
exposes the service to every host in that zone, whereas
<emphasis role="bold">net:</emphasis><address list> limits it to the
listed addresses (the NFS section below shows this form).</para>

<para>Example: You want to port forward FTP from the net to your server
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 21</programlisting>
|
|
|
|
<para>You would code your rule as follows:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
DNAT net dmz:192.168.1.4 tcp 21</programlisting>
|
|
</note>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Auth (identd)</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 113</programlisting>

<para>Many mail and IRC servers send an identd query back to the
connecting client before accepting its connection. If you block port 113
rather than run identd, use REJECT instead of DROP: a REJECT answers
immediately, whereas a DROP leaves the remote server waiting for a timeout
and delays the connection. identd replies are unauthenticated and should
never be used as a basis for access control.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>DNS</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 53
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 53</programlisting>
|
|
|
|
<para>Note that if you are setting up a DNS server that supports recursive
resolution, the server is the <<emphasis>destination</emphasis>> for
resolution requests (from clients) and is also the
<<emphasis>source</emphasis>> of recursive resolution requests
(usually to other servers in the 'net' zone). So for example, if you have
a public DNS server in your DMZ that supports recursive resolution for
local clients then you would need:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT all dmz udp 53
ACCEPT all dmz tcp 53
ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53</programlisting>

<para>The SOURCE <emphasis role="bold">all</emphasis> in the first two
rules includes the <emphasis role="bold">net</emphasis> zone, which is what
a public (authoritative) server needs. The firewall cannot tell a recursive
query from an authoritative one, so the restriction of recursion to local
clients must be enforced in the name server's own configuration (its
recursion access list); otherwise the server is an open recursive resolver
that outsiders can use for reflection/amplification attacks and that is
easier to cache-poison. If the server is only meant to serve local clients,
replace <emphasis role="bold">all</emphasis> with the local zone(s), such as
<emphasis role="bold">loc</emphasis>. Keep the
<emphasis role="bold">tcp 53</emphasis> rules as well as UDP: responses
larger than 512 bytes and zone transfers use TCP.</para>
|
|
|
|
<note>
|
|
<para>Recursive Resolution means that if the server itself can't resolve
|
|
the name presented to it, the server will attempt to resolve the name
|
|
with the help of other servers.</para>
|
|
</note>
|
|
</section>
|
|
|
|
<section>
|
|
<title>FTP</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 21</programlisting>
|
|
|
|
<para>Look <ulink url="FTP.html">here</ulink> for much more
information, including the FTP connection-tracking helper that is needed
for the data connections (port 21 is only the control channel). Plain FTP
sends user names and passwords in cleartext, so when the service is
reachable from the <emphasis role="bold">net</emphasis> zone restrict the
SOURCE of this rule as tightly as the application allows.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>ICQ/AIM</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> net tcp 5190</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>IMAP</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 143 #IMAP (cleartext unless STARTTLS is negotiated)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 993 #IMAPS (IMAP over SSL/TLS)</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>IPSEC</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> 50 #ESP
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> 51 #AH
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 500 #IKE
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> 50 #ESP
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> 51 #AH
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> udp 500 #IKE</programlisting>

<para>50 and 51 are IP protocol numbers (ESP and AH), not ports, so they go
in the PROTO column and DEST PORT(S) is left empty. If either endpoint is
behind NAT, IKE and ESP are encapsulated in UDP (NAT Traversal) and
<emphasis role="bold">udp 4500</emphasis> must be allowed in both
directions as well. Lots more information <ulink url="IPSEC.htm">here</ulink> and <ulink
url="VPN.htm">here</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>NFS</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis><z2></emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis><z2></emphasis>:a.b.c.d udp</programlisting>

<para>Here a.b.c.d is the NFS server. The second rule deliberately has no
DEST PORT: besides the portmapper (111) and nfsd (2049), the mountd, lockd
and statd services are assigned their ports dynamically by the portmapper,
so UDP has to be opened wholesale. That is why the SOURCE must be an
explicit list of client addresses rather than a whole zone, and why these
rules must never be used with <emphasis role="bold">net</emphasis> as the
source zone. If your server uses NFS over TCP you also need
<emphasis role="bold">tcp 2049</emphasis> and the mountd port; pinning
mountd, lockd and statd to fixed ports on the server lets you replace the
open UDP rule with a port list. Classic (AUTH_SYS) NFS identifies clients
only by IP address and does not encrypt, so keep it within trusted
zones.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>NTP (Network Time Protocol)</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 123</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title><trademark>PCAnywhere</trademark></title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 5632
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 5631</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Pop3</title>
|
|
|
|
<para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 110 #POP3 (cleartext unless STLS is negotiated)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 995 #POP3S (POP3 over SSL/TLS)</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>PPTP</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> 47 #GRE (IP protocol 47, carries the tunnel data)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 1723 #PPTP control channel</programlisting>
|
|
|
|
<para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink
|
|
url="VPN.htm">here</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>rdate</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 37</programlisting>

<para>rdate uses the old Time protocol (port 37), which has no
authentication; prefer NTP (see below) where both ends support it.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>rsync</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 873</programlisting>

<para>Port 873 is used only by the rsync daemon (rsync:// URLs). Its
traffic is unencrypted and per-module authentication is optional, so
restrict SOURCE to the hosts that need it. rsync run over SSH uses the SSH
rule (tcp 22) and does not need port 873 open.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>SSH</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 22</programlisting>

<para>If SSH must be reachable from the <emphasis role="bold">net</emphasis>
zone, limit SOURCE to the addresses that actually need access where you
can; an SSH port open to the whole Internet is a constant target for
password-guessing attempts.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 137,139,445
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 137:139
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> tcp 137,139,445
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> udp 137:139</programlisting>

<para>These rules belong only between trusted zones (for example
<emphasis role="bold">loc</emphasis> and <emphasis role="bold">dmz</emphasis>).
Never open Windows file sharing to the <emphasis role="bold">net</emphasis>
zone, and restrict SOURCE and DESTINATION to specific hosts where possible.
Also, see <ulink url="samba.htm">this page</ulink>.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>SMTP</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 25 #SMTP (cleartext unless STARTTLS is negotiated)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 465 #SMTPS (SMTP over SSL/TLS)</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>SNMP</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <<emphasis>manager</emphasis>> <<emphasis>agent</emphasis>> udp 161 #Queries (GET/SET)
ACCEPT <<emphasis>manager</emphasis>> <<emphasis>agent</emphasis>> tcp 161
ACCEPT <<emphasis>agent</emphasis>> <<emphasis>manager</emphasis>> udp 162 #Traps and informs</programlisting>

<para>Port 161 carries queries from the management station to the agent;
port 162 carries traps (and informs) in the opposite direction, from the
agent to the management station, so one 161:162 rule in a single direction
does not match how the protocol is actually used. SNMPv1 and v2c send the
community string in cleartext and it acts as the password, so do not allow
SNMP from the <emphasis role="bold">net</emphasis> zone, and restrict
SOURCE to the management host(s).</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Telnet</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 23</programlisting>

<para>Telnet sends everything, including passwords, in cleartext. Use SSH
(see above) wherever possible; if Telnet must be allowed, keep it between
trusted zones and restrict SOURCE to specific hosts.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>TFTP</title>
|
|
|
|
<para>You must have TFTP connection tracking support in your kernel. If
modularized, the modules are <emphasis
role="bold">ip_conntrack_tftp</emphasis> (and <emphasis
role="bold">ip_nat_tftp</emphasis> if any form of NAT is involved). These
modules may be loaded using entries in
<filename>/etc/shorewall/modules</filename>; the <emphasis
role="bold">ip_conntrack_tftp</emphasis> module must be loaded first. Note
that the <filename>/etc/shorewall/modules</filename> file released with
recent Shorewall versions contains entries for these modules. TFTP has no
authentication at all, so restrict SOURCE to the clients that need it
(typically network-boot or device-configuration clients) and do not allow
it from the <emphasis role="bold">net</emphasis> zone.</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 69</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Traceroute</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 33434:33443 #Good for 10 hops
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> icmp 8 #Echo request (ICMP traceroute)</programlisting>

<para>UDP traceroute uses ports 33434 through 33434+<max number of
hops>-1 in the simplest case; some implementations advance the port for
every probe rather than for every hop (three probes per hop by default), so
widen the range if traces stop short. Note that for the firewall to respond
with a TTL expired ICMP reply, you will need to allow ICMP type 11 (time
exceeded) outbound from the firewall. The standard Shorewall sample
configurations all set this up for you automatically since those sample
configurations enable all ICMP packet types originating on the firewall
itself:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT fw net icmp
ACCEPT fw loc icmp
ACCEPT fw ...</programlisting>

<para>If you would rather not allow every ICMP type out of the firewall,
the minimum traceroute needs is <emphasis role="bold">icmp 11</emphasis>
(time exceeded), plus <emphasis role="bold">icmp 3</emphasis> (destination
unreachable) so that the final hop can be reported when the firewall itself
is the target:</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT fw net icmp 11
ACCEPT fw net icmp 3</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Usenet (NNTP)</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 119</programlisting>
|
|
|
|
<para>TCP Port 119</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>VNC</title>
|
|
|
|
<para>Vncviewer to Vncserver -- TCP port 5900 + <display
number> (display :1 is 5901, display :2 is 5902, and so on).</para>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 5901 #Display Number 1
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 5902 #Display Number 2
|
|
...</programlisting>
|
|
|
|
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 5500</programlisting>

<para>VNC sessions are not encrypted and the classic challenge/response
password authentication is weak, so avoid opening these ports from the
<emphasis role="bold">net</emphasis> zone. Across an untrusted network,
tunnel VNC over SSH (tcp 22) instead, or at least restrict SOURCE to the
specific viewer hosts.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title><trademark>Vonage</trademark></title>
|
|
|
|
<para>The standard Shorewall loc->net ACCEPT policy is all that is
|
|
required for <trademark>Vonage</trademark> IP phone service to work,
|
|
provided that you have loaded the tftp helper modules (add the following
|
|
entries to /etc/shorewall/modules if they are not there already):</para>
|
|
|
|
<programlisting> loadmodule ip_conntrack_tftp
|
|
loadmodule ip_nat_tftp</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Web Access</title>
|
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 80 #HTTP (cleartext)
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 443 #HTTPS (HTTP over SSL/TLS)</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>X/XDMCP</title>
|
|
|
|
<para>Assume that the Chooser and/or X Server are running at
<<emphasis>chooser</emphasis>> and the Display Manager/X
applications are running at <<emphasis>apps</emphasis>>. Note that the
X protocol on ports 6000-6009 carries keystrokes and screen contents in
cleartext and relies on host-based (xhost) or cookie access control, so
these rules belong only between trusted zones; across an untrusted network
use SSH X forwarding (tcp 22) instead.</para>

<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <<emphasis>chooser</emphasis>> <<emphasis>apps</emphasis>> udp 177 #XDMCP
ACCEPT <<emphasis>apps</emphasis>> <<emphasis>chooser</emphasis>> tcp 6000:6009 #X Displays 0-9</programlisting>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Other Source of Port Information</title>
|
|
|
|
<para>Didn't find what you are looking for -- have you looked in your own
/etc/services file?</para>

<para>Still looking? Try <ulink
url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink>.
The authoritative list of registered port numbers is the IANA Service Name
and Transport Protocol Port Number Registry at <ulink
url="https://www.iana.org/assignments/service-names-port-numbers">https://www.iana.org/assignments/service-names-port-numbers</ulink>.
Remember that a registry entry only tells you the port's registered use;
confirm what is actually listening on the host (for example with
<command>netstat -ln</command>) before writing the rule, and open only the
ports the application genuinely needs.</para>
|
|
</section>
|
|
|
|
<appendix>
|
|
<title>Revision History</title>
|
|
|
|
<para><revhistory>
|
|
<revision>
|
|
<revnumber>1.14</revnumber>
|
|
|
|
<date>2004-10-01</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Add rsync.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.13</revnumber>
|
|
|
|
<date>2004-09-21</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Add note about ICMP type 11 to Traceroute.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.12</revnumber>
|
|
|
|
<date>2004-09-09</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Add note about <trademark>Vonage</trademark>.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.11</revnumber>
|
|
|
|
<date>2004-05-28</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Corrected directory for actions.std and enhanced the DNS
|
|
section.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.10</revnumber>
|
|
|
|
<date>2004-05-09</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Added TFTP.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.9</revnumber>
|
|
|
|
<date>2004-04-24</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Revised ICQ/AIM.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.8</revnumber>
|
|
|
|
<date>2004-04-23</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Added SNMP.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.7</revnumber>
|
|
|
|
<date>2004-02-18</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Make NFS work for everyone.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.6</revnumber>
|
|
|
|
<date>2004-02-14</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Add PCAnywhere.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.5</revnumber>
|
|
|
|
<date>2004-02-05</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Added information about VNC viewers in listen
|
|
mode.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.4</revnumber>
|
|
|
|
<date>2004-01-26</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Correct ICQ.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.3</revnumber>
|
|
|
|
<date>2004-01-04</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Alphabetize</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.2</revnumber>
|
|
|
|
<date>2004-01-03</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Add rules file entries.</revremark>
|
|
</revision>
|
|
|
|
<revision>
|
|
<revnumber>1.1</revnumber>
|
|
|
|
<date>2002-07-30</date>
|
|
|
|
<authorinitials>TE</authorinitials>
|
|
|
|
<revremark>Initial version converted to Docbook XML</revremark>
|
|
</revision>
|
|
</revhistory></para>
|
|
</appendix>
|
|
</article> |