2004-02-14 19:06:39 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-07-07 22:42:54 +02:00
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2004-02-14 19:06:39 +01:00
|
|
|
<article>
|
|
|
|
|
<articleinfo>
|
|
|
|
|
<title>Ports Required for Various Services/Applications</title>
|
|
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
|
<author>
|
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
|
</author>
|
|
|
|
|
</authorgroup>
|
|
|
|
|
|
2006-07-27 05:28:19 +02:00
|
|
|
<othercredit>
|
|
|
|
|
<surname>Cristian Rodriguez R.</surname>
|
|
|
|
|
</othercredit>
|
|
|
|
|
|
2006-07-07 03:04:16 +02:00
|
|
|
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<copyright>
|
2006-07-27 05:28:19 +02:00
|
|
|
<year>2001-<?dbtimestamp format="Y"?></year>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
2004-09-24 00:50:12 +02:00
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
|
|
|
License</ulink></quote>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</legalnotice>
|
|
|
|
|
|
|
|
|
|
<abstract>
|
|
|
|
|
<para>In addition to those applications described in the
|
|
|
|
|
/etc/shorewall/rules documentation, here are some other
|
|
|
|
|
services/applications that you may need to configure your firewall to
|
|
|
|
|
accommodate.</para>
|
|
|
|
|
</abstract>
|
|
|
|
|
</articleinfo>
|
|
|
|
|
|
2005-09-02 11:01:13 +02:00
|
|
|
<caution>
|
|
|
|
|
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
|
|
|
|
later. If you are running a version of Shorewall earlier than Shorewall
|
|
|
|
|
3.0.0 then please see the documentation for that release</emphasis></para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Notes">
|
2004-04-05 23:13:45 +02:00
|
|
|
<title>Important Notes</title>
|
|
|
|
|
|
|
|
|
|
<note>
|
2005-09-08 03:32:28 +02:00
|
|
|
<para>Shorewall distribution contains a library of user-defined macros
|
2005-09-02 11:01:13 +02:00
|
|
|
that allow for easily allowing or blocking a particular application.
|
2005-09-21 00:31:53 +02:00
|
|
|
<command>ls <filename>/usr/share/shorewall/</filename>macro.*</command>
|
|
|
|
|
for the list of macros in your distribution. If you find what you need,
|
|
|
|
|
you simply use the macro in a rule. For example, to allow DNS queries
|
2005-09-02 11:01:13 +02:00
|
|
|
from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
|
2004-09-24 00:50:12 +02:00
|
|
|
role="bold">net</emphasis> zone:</para>
|
2004-04-05 23:13:45 +02:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DEST
|
2009-03-15 21:46:56 +01:00
|
|
|
DNS(ACCEPT) dmz net</programlisting>
|
2004-04-05 23:13:45 +02:00
|
|
|
</note>
|
|
|
|
|
|
|
|
|
|
<note>
|
|
|
|
|
<para>In the rules that are shown in this document, the ACTION is shown
|
|
|
|
|
as ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ
|
|
|
|
|
30</ulink>) or you may want DROP or REJECT if you are trying to block
|
|
|
|
|
the application.</para>
|
|
|
|
|
|
|
|
|
|
<para>Example: You want to port forward FTP from the net to your server
|
|
|
|
|
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-04-05 23:13:45 +02:00
|
|
|
<para>You would code your rule as follows:</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
FTP(DNAT) net dmz:192.168.1.4 </programlisting>
|
2004-04-05 23:13:45 +02:00
|
|
|
</note>
|
|
|
|
|
</section>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Auth">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Auth (identd)</title>
|
|
|
|
|
|
2005-09-02 11:01:13 +02:00
|
|
|
<caution>
|
2005-09-21 00:31:53 +02:00
|
|
|
<para><emphasis role="bold"><emphasis>It is now the 21st
|
|
|
|
|
Century</emphasis> ; don't use identd in production
|
|
|
|
|
anymore.</emphasis></para>
|
2005-09-02 11:01:13 +02:00
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Auth(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="BT">
|
2006-08-16 09:25:10 +02:00
|
|
|
<title>BitTorrent</title>
|
|
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
|
|
|
|
<caution>
|
2007-01-17 04:55:06 +01:00
|
|
|
<para><emphasis role="bold"><emphasis>This rule assumes that your
|
|
|
|
|
BitTorrent client listens on the default
|
|
|
|
|
port(s)</emphasis></emphasis></para>
|
2006-08-16 09:25:10 +02:00
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
BitTorrent(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2006-08-16 09:25:10 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="DNS">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>DNS</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
DNS(ACCEPT) <emphasis> <source></emphasis> <emphasis><destination></emphasis> </programlisting>
|
2004-05-29 17:12:25 +02:00
|
|
|
|
|
|
|
|
<para>Note that if you are setting up a DNS server that supports recursive
|
2004-09-24 00:50:12 +02:00
|
|
|
resolution, the server is the <<emphasis>destination</emphasis>> for
|
|
|
|
|
resolution requests (from clients) and is also the
|
|
|
|
|
<<emphasis>source</emphasis>> of recursive resolution requests
|
|
|
|
|
(usually to other servers in the 'net' zone). So for example, if you have
|
|
|
|
|
a public DNS server in your DMZ that supports recursive resolution for
|
|
|
|
|
local clients then you would need:</para>
|
2004-05-29 17:12:25 +02:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
DNS(ACCEPT) all dmz
|
|
|
|
|
DNS(ACCEPT) dmz net </programlisting>
|
2004-05-29 17:12:25 +02:00
|
|
|
|
|
|
|
|
<note>
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>Recursive Resolution means that if the server itself can't resolve
|
|
|
|
|
the name presented to it, the server will attempt to resolve the name
|
|
|
|
|
with the help of other servers.</para>
|
2004-05-29 17:12:25 +02:00
|
|
|
</note>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2005-05-02 22:09:35 +02:00
|
|
|
<section id="Emule">
|
|
|
|
|
<title>Emule</title>
|
|
|
|
|
|
2006-08-16 09:25:10 +02:00
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2005-05-02 22:09:35 +02:00
|
|
|
<para>In contrast to how the rest of this article is organized, for emule
|
|
|
|
|
I will give you the rules necessary to run emule on a single machine in
|
|
|
|
|
your loc network (since that's what 99.99% of you want to do). Assume
|
|
|
|
|
that:</para>
|
|
|
|
|
|
|
|
|
|
<orderedlist>
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The internal machine running emule has IP address
|
|
|
|
|
192.168.1.4.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>You use Masquerading or SNAT for the local network.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The zones are named as they are in the <ulink
|
|
|
|
|
url="shorewall_quickstart_guide.htm">two- and three-interface
|
|
|
|
|
QuickStart guides)</ulink>.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Your loc->net policy is ACCEPT</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
</orderedlist>
|
|
|
|
|
|
|
|
|
|
<para><filename>/etc/shorewall/rules:</filename></para>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Edonkey(DNAT) net loc:192.168.1.4
|
2006-08-16 09:25:10 +02:00
|
|
|
#if you wish to enable the Emule webserver, add this rule too.
|
2005-05-02 22:09:35 +02:00
|
|
|
DNAT net loc:192.168.1.4 tcp 4711</programlisting>
|
|
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="FTP">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>FTP</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
FTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>Look <ulink url="FTP.html">here</ulink> for much more
|
|
|
|
|
information.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Gnutella">
|
2005-09-08 03:32:28 +02:00
|
|
|
<title>Gnutella</title>
|
|
|
|
|
|
|
|
|
|
<para><orderedlist>
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The internal machine running a Gnutella Client has IP address
|
|
|
|
|
192.168.1.4.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>You use Masquerading or SNAT for the local network.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>The zones are named as they are in the <ulink
|
|
|
|
|
url="shorewall_quickstart_guide.htm">two- and three-interface
|
|
|
|
|
QuickStart guides)</ulink>.</para>
|
|
|
|
|
</listitem>
|
|
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
|
<para>Your loc->net policy is ACCEPT</para>
|
|
|
|
|
</listitem>
|
2016-02-19 00:57:40 +01:00
|
|
|
</orderedlist><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Gnutella(DNAT) net loc:192.168.1.4</programlisting></para>
|
2005-09-08 03:32:28 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="ICQ">
|
2004-05-09 00:31:54 +02:00
|
|
|
<title>ICQ/AIM</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
ICQ(ACCEPT) <emphasis><source></emphasis> net</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="IMAP">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>IMAP</title>
|
|
|
|
|
|
2005-09-02 11:01:13 +02:00
|
|
|
<caution>
|
2008-08-15 07:03:24 +02:00
|
|
|
<para>When accessing your mail from the Internet, use <emphasis
|
2005-09-02 11:01:13 +02:00
|
|
|
role="bold">only</emphasis> <emphasis role="bold">IMAP over
|
2006-07-27 05:28:19 +02:00
|
|
|
SSL.</emphasis></para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
2005-09-02 11:01:13 +02:00
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
IMAP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Unsecure IMAP
|
|
|
|
|
IMAPS(ACCEPT) <source> <destination> # IMAP over SSL.</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="IPSEC">
|
2018-02-09 20:20:22 +01:00
|
|
|
<title>IPsec</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2004-09-24 00:50:12 +02:00
|
|
|
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> 50
|
|
|
|
|
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> 51
|
|
|
|
|
ACCEPT <emphasis><source></emphasis> <emphasis> <destination></emphasis> udp 500
|
|
|
|
|
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> 50
|
|
|
|
|
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> 51
|
|
|
|
|
ACCEPT <emphasis><destination></emphasis> <emphasis><source></emphasis> udp 500</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2018-02-09 20:20:22 +01:00
|
|
|
<para>Lots more information <ulink url="IPSEC-2.6.html">here</ulink> and
|
|
|
|
|
<ulink url="VPN.htm">here</ulink>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="LDAP">
|
2006-07-27 05:28:19 +02:00
|
|
|
<title>LDAP</title>
|
|
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
LDAP(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> #Insecure LDAP</emphasis>
|
2016-02-19 00:57:40 +01:00
|
|
|
LDAPS(ACCEPT) <emphasis><emphasis><source></emphasis> <emphasis> <destination></emphasis></emphasis><emphasis/> # LDAP over SSL</programlisting>
|
2006-07-27 05:28:19 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="MySQL">
|
|
|
|
|
<title><trademark>My\SQL</trademark></title>
|
2006-08-16 09:25:10 +02:00
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>Allowing access from untrusted hosts to your
|
|
|
|
|
<trademark>MySQL</trademark> server represents a <emphasis
|
|
|
|
|
role="bold">severe security risk</emphasis>.</para>
|
|
|
|
|
|
|
|
|
|
<para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know
|
2008-08-15 07:03:24 +02:00
|
|
|
how to deal with the consequences, you have been warned.</para>
|
2006-08-16 09:25:10 +02:00
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
MySQL(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis> <emphasis> </emphasis></programlisting>
|
2006-08-16 09:25:10 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="NFS">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>NFS</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2004-09-24 00:50:12 +02:00
|
|
|
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis> <z2></emphasis>:a.b.c.d tcp 111
|
|
|
|
|
ACCEPT <emphasis><z1></emphasis>:<list of client IPs> <emphasis> <z2></emphasis>:a.b.c.d udp</programlisting>
|
2005-11-17 18:55:06 +01:00
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<para>For more NFS information, see <ulink
|
|
|
|
|
url="http://lists.shorewall.net/~kb/">http://lists.shorewall.net/~kb/</ulink>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="NTP">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>NTP (Network Time Protocol)</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
NTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="PCA">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title><trademark>PCAnywhere</trademark></title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
PCA(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="POP3">
|
2006-07-27 05:28:19 +02:00
|
|
|
<title>POP3</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2005-09-02 11:01:13 +02:00
|
|
|
<caution>
|
|
|
|
|
<para>If Possible , <emphasis role="bold">Avoid this protocol</emphasis>
|
|
|
|
|
, use <emphasis role="bold">IMAP</emphasis> instead.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2006-07-27 05:28:19 +02:00
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later</para>
|
|
|
|
|
</caution>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
POP3(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> # Secure
|
|
|
|
|
POP3S(ACCEPT) <source> <destination> #Unsecure Pop3</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="PPTP">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>PPTP</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2004-09-24 00:50:12 +02:00
|
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> 47
|
|
|
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> tcp 1723</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink
|
|
|
|
|
url="VPN.htm">here</ulink>.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Rdate">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>rdate</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Rdate(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="rsync">
|
2004-10-02 16:49:34 +02:00
|
|
|
<title>rsync</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Rsync(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-10-02 16:49:34 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Siproxd">
|
2006-10-28 07:08:02 +02:00
|
|
|
<title>Siproxd</title>
|
|
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>This assumes siproxd is running <emphasis role="bold">on the
|
|
|
|
|
firewall and is using the default ports</emphasis>.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2007-03-30 09:25:44 +02:00
|
|
|
REDIRECT loc 5060 udp 5060
|
2006-10-28 07:08:02 +02:00
|
|
|
ACCEPT net fw udp 5060
|
2016-02-19 00:57:40 +01:00
|
|
|
ACCEPT <emphasis> net fw udp 7070:7089</emphasis><emphasis/></programlisting>
|
2006-10-28 07:08:02 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="SSH">
|
2005-09-02 11:01:13 +02:00
|
|
|
<title>SSH/SFTP</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
SSH(ACCEPT)<emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="SMB">
|
2006-07-27 05:28:19 +02:00
|
|
|
<title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File
|
|
|
|
|
Sharing)</title>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
SMB(ACCEPT) <emphasis><source></emphasis> <emphasis> <destination></emphasis>
|
|
|
|
|
SMB(ACCEPT) <emphasis><destination></emphasis> <emphasis><source></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="SMTP">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>SMTP</title>
|
|
|
|
|
|
2006-07-27 05:28:19 +02:00
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
SMTP(ACCEPT)<emphasis> <source></emphasis> <emphasis><destination></emphasis> #Insecure SMTP
|
|
|
|
|
SMTPS(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #SMTP over SSL (TLS)</programlisting>
|
2004-05-09 00:31:54 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="SNMP">
|
2004-05-09 00:31:54 +02:00
|
|
|
<title>SNMP</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
SNMP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="SVN">
|
2006-07-27 05:28:19 +02:00
|
|
|
<title>SVN</title>
|
|
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
|
|
|
|
<caution>
|
|
|
|
|
<para>This rule is for Subversion running in <emphasis
|
|
|
|
|
role="bold">svnserve mode only.</emphasis></para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
SVN(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2006-07-27 05:28:19 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Telnet">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Telnet</title>
|
|
|
|
|
|
2006-07-27 05:28:19 +02:00
|
|
|
<caution>
|
|
|
|
|
<para><emphasis role="bold"><emphasis>The telnet protocol is very
|
|
|
|
|
insecure</emphasis>, don't use it.</emphasis></para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Telnet(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="TFTP">
|
2004-05-14 00:07:06 +02:00
|
|
|
<title>TFTP</title>
|
|
|
|
|
|
|
|
|
|
<para>You must have TFTP connection tracking support in your kernel. If
|
2004-09-24 00:50:12 +02:00
|
|
|
modularized, the modules are <emphasis
|
|
|
|
|
role="bold">ip_conntrack_tftp</emphasis> (and <emphasis
|
|
|
|
|
role="bold">ip_nat_tftp</emphasis> if any form of NAT is involved) These
|
|
|
|
|
modules may be loaded using entries in
|
|
|
|
|
<filename>/etc/shorewall/modules</filename>. The <emphasis
|
|
|
|
|
role="bold">ip_conntrack_tftp</emphasis> module must be loaded first. Note
|
|
|
|
|
that the <filename>/etc/shorewall/modules</filename> file released with
|
|
|
|
|
recent Shorewall versions contains entries for these modules.</para>
|
2004-05-14 00:07:06 +02:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2004-09-24 00:50:12 +02:00
|
|
|
ACCEPT <emphasis><source></emphasis> <emphasis><destination></emphasis> udp 69</programlisting>
|
2004-05-14 00:07:06 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Traceroute">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Traceroute</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Trcrt(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Good for 10 hops</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>UDP traceroute uses ports 33434 through 33434+<max number of
|
|
|
|
|
hops>-1. Note that for the firewall to respond with a TTL expired ICMP
|
|
|
|
|
reply, you will need to allow ICMP 11 outbound from the firewall. The
|
|
|
|
|
standard Shorewall sample configurations all set this up for you
|
|
|
|
|
automatically since those sample configurations enable all ICMP packet
|
|
|
|
|
types originating on the firewall itself.</para>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2004-09-24 00:50:12 +02:00
|
|
|
ACCEPT fw net icmp
|
|
|
|
|
ACCEPT fw loc icmp
|
|
|
|
|
ACCEPT fw ...</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="NNTP">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Usenet (NNTP)</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
NNTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
|
|
|
|
|
NNTPS(ACCEPT) <source> <destination> # secure NNTP</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>TCP Port 119</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="VNC">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>VNC</title>
|
|
|
|
|
|
2006-08-16 09:25:10 +02:00
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid only for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
2004-09-24 00:50:12 +02:00
|
|
|
|
|
|
|
|
<para>Vncviewer to Vncserver -- TCP port 5900 + <display
|
|
|
|
|
number>.</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
2006-08-16 09:25:10 +02:00
|
|
|
<para>the following rule handles VNC traffic for VNC displays 0 -
|
|
|
|
|
9.</para>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
VNC(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis>
|
2006-08-16 09:25:10 +02:00
|
|
|
</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
VNCL(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis></programlisting>
|
2004-09-24 00:50:12 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Vonage">
|
2004-09-24 00:50:12 +02:00
|
|
|
<title><trademark>Vonage</trademark></title>
|
|
|
|
|
|
|
|
|
|
<para>The standard Shorewall loc->net ACCEPT policy is all that is
|
|
|
|
|
required for <trademark>Vonage</trademark> IP phone service to work,
|
|
|
|
|
provided that you have loaded the tftp helper modules (add the following
|
|
|
|
|
entries to /etc/shorewall/modules if they are not there already):</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Web">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Web Access</title>
|
|
|
|
|
|
2006-07-27 05:28:19 +02:00
|
|
|
<caution>
|
|
|
|
|
<para>This information is valid for Shorewall 3.2 or later.</para>
|
|
|
|
|
</caution>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
HTTP(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> #Insecure HTTP
|
|
|
|
|
HTTPS(ACCEPT) <source> <destination> #Secure HTTP</programlisting>
|
2004-02-14 19:06:39 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Webmin">
|
2005-11-23 04:39:06 +01:00
|
|
|
<title>Webmin</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Webmin(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting>Webmin
|
2005-11-23 04:39:06 +01:00
|
|
|
use TCP port 10000.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Whois">
|
2006-01-22 04:06:52 +01:00
|
|
|
<title>Whois</title>
|
|
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2009-03-15 21:46:56 +01:00
|
|
|
Whois(ACCEPT) <emphasis><source></emphasis> <emphasis><destination></emphasis> </programlisting></para>
|
2006-01-22 04:06:52 +01:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="X">
|
2004-08-07 04:13:32 +02:00
|
|
|
<title>X/XDMCP</title>
|
|
|
|
|
|
2008-08-15 07:03:24 +02:00
|
|
|
<para>Assume that the Chooser and/or X Server are running at
|
2004-09-24 00:50:12 +02:00
|
|
|
<<emphasis>chooser</emphasis>> and the Display Manager/X
|
|
|
|
|
applications are running at <<emphasis>apps</emphasis>>.</para>
|
2004-08-07 04:13:32 +02:00
|
|
|
|
2016-02-19 00:57:40 +01:00
|
|
|
<programlisting>#ACTION SOURCE DESTINATION PROTO DPORT
|
2004-09-24 00:50:12 +02:00
|
|
|
ACCEPT <<emphasis>chooser</emphasis>> <<emphasis>apps</emphasis>> udp 177 #XDMCP
|
|
|
|
|
ACCEPT <<emphasis>apps</emphasis>> <<emphasis>chooser</emphasis>> tcp 6000:6009 #X Displays 0-9</programlisting>
|
2004-08-07 04:13:32 +02:00
|
|
|
</section>
|
|
|
|
|
|
2007-06-28 22:41:32 +02:00
|
|
|
<section id="Other">
|
2004-02-14 19:06:39 +01:00
|
|
|
<title>Other Source of Port Information</title>
|
|
|
|
|
|
2004-09-24 00:50:12 +02:00
|
|
|
<para>Didn't find what you are looking for -- have you looked in your own
|
|
|
|
|
/etc/services file?</para>
|
2004-02-14 19:06:39 +01:00
|
|
|
|
|
|
|
|
<para>Still looking? Try <ulink
|
|
|
|
|
url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
|
|
|
|
|
</section>
|
2008-07-07 22:42:54 +02:00
|
|
|
</article>
|
