2003-12-26 16:52:12 +01:00
<?xml version="1.0" encoding="UTF-8"?>
< !DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article >
<articleinfo >
<title > Ports Required for Various Services/Applications</title>
<authorgroup >
<author >
<firstname > Tom</firstname>
<surname > Eastep</surname>
</author>
</authorgroup>
2004-02-08 19:31:31 +01:00
<pubdate > 2004-02-05</pubdate>
2003-12-26 16:52:12 +01:00
<copyright >
<year > 2001-2002</year>
2004-01-04 00:03:36 +01:00
<year > 2004</year>
2003-12-26 16:52:12 +01:00
<holder > Thomas M. Eastep</holder>
</copyright>
<legalnotice >
<para > Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote > <ulink url= "GnuCopyright.htm" > GNU Free Documentation License</ulink> </quote> .</para>
</legalnotice>
<abstract >
<para > In addition to those applications described in the
/etc/shorewall/rules documentation, here are some other
services/applications that you may need to configure your firewall to
accommodate.</para>
</abstract>
</articleinfo>
2004-01-04 00:03:36 +01:00
<note >
<para > In the rules that are shown in this document, the ACTION is shown as
ACCEPT. You may need to use DNAT (see <ulink url= "FAQ.htm#faq30" > FAQ 30</ulink> )
or you may want DROP or REJECT if you are trying to block the application.</para>
2004-01-31 04:24:02 +01:00
<para > Example: You want to port forward FTP from the net to your server at
192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 21</programlisting>
<para > You would code your rule as follows:</para>
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNAT net dmz:192.168.1.4 tcp 21</programlisting>
2004-01-04 00:03:36 +01:00
</note>
2003-12-26 16:52:12 +01:00
<section >
2004-01-04 17:10:11 +01:00
<title > Auth (identd)</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 113</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > DNS</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> udp 53
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 53</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > FTP</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 21</programlisting>
2003-12-26 16:52:12 +01:00
2004-01-04 17:10:11 +01:00
<para > Look <ulink url= "FTP.html" > here</ulink> for much more information.</para>
2003-12-26 16:52:12 +01:00
</section>
<section >
<title > ICQ</title>
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> udp 4000
2004-01-31 04:24:02 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 4000:4100</programlisting>
2004-01-04 00:03:36 +01:00
2003-12-26 16:52:12 +01:00
<para > UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</para>
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > IMAP</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 143 #Unsecure IMAP
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 993 #Secure IMAP</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
<title > IPSEC</title>
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> 50
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> 51
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> udp 500
ACCEPT <emphasis > < destination> </emphasis> <emphasis > < source> </emphasis> 50
ACCEPT <emphasis > < destination> </emphasis> <emphasis > < source> </emphasis> 51
ACCEPT <emphasis > < destination> </emphasis> <emphasis > < source> </emphasis> udp 500</programlisting>
<para > Lots more information <ulink url= "IPSEC.htm" > here</ulink> and <ulink
url="VPN.htm">here</ulink> .</para>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > NFS</title>
<para > I personally use the following rules for opening access from zone z1
2004-01-31 04:24:02 +01:00
to a server with IP address a.b.c.d in zone z2. I have found though that
different distributions behave differently so your milage may vary.</para>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < z1> </emphasis> <emphasis > < z2> </emphasis> :a.b.c.d tcp 111
ACCEPT <emphasis > < z1> </emphasis> <emphasis > < z2> </emphasis> :a.b.c.d udp 111
ACCEPT <emphasis > < z1> </emphasis> <emphasis > < z2> </emphasis> :a.b.c.d udp 2049
ACCEPT <emphasis > < z1> </emphasis> <emphasis > < z2> </emphasis> :a.b.c.d udp 32700:</programlisting>
</section>
<section >
<title > NTP (Network Time Protocol)</title>
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> udp 123</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
<title > Pop3</title>
<para > TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 110 #Unsecure Pop3
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 995 #Secure Pop3</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > PPTP</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> 47
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 1723</programlisting>
<para > Lots more information <ulink url= "PPTP.htm" > here</ulink> and <ulink
url="VPN.htm">here</ulink> .</para>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > rdate</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 37</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
<title > SSH</title>
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 22</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > SMB/NMB (Samba/Windows Browsing/File Sharing)</title>
2003-12-26 16:52:12 +01:00
2004-01-04 17:10:11 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 137,139,445
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> udp 137:139
ACCEPT <emphasis > < destination> </emphasis> <emphasis > < source> </emphasis> tcp 137,139,445
ACCEPT <emphasis > < destination> </emphasis> <emphasis > < source> </emphasis> udp 137:139</programlisting>
2003-12-26 16:52:12 +01:00
2004-01-04 17:10:11 +01:00
<para > Also, see <ulink url= "samba.htm" > this page</ulink> .</para>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > SMTP</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 25</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > Telnet</title>
2003-12-26 16:52:12 +01:00
2004-01-04 17:10:11 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 23</programlisting>
2003-12-26 16:52:12 +01:00
</section>
<section >
<title > Traceroute</title>
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> udp 33434:33443 #Good for 10 hops
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> icmp 8</programlisting>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<para > UDP traceroute uses ports 33434 through 33434+< max number of
hops> -1</para>
2003-12-26 16:52:12 +01:00
</section>
<section >
2004-01-04 17:10:11 +01:00
<title > Usenet (NNTP)</title>
2003-12-26 16:52:12 +01:00
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
2004-01-04 17:10:11 +01:00
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 119</programlisting>
<para > TCP Port 119</para>
2003-12-26 16:52:12 +01:00
</section>
<section >
<title > VNC</title>
2004-02-08 19:31:31 +01:00
<para > Vncviewer -> Vncserver is TCP port 5900 + < display
number> .</para>
2004-01-04 00:03:36 +01:00
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 5901 #Display Number 1
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 5902 #Display Number 2
...</programlisting>
2004-02-08 19:31:31 +01:00
<para > Vncserver to Vncviewer in listen mode is TCP port 5500.</para>
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 5500</programlisting>
2003-12-26 16:52:12 +01:00
</section>
2004-01-04 17:10:11 +01:00
<section >
<title > Web Access</title>
<programlisting > #ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 80 #Insecure HTTP
ACCEPT <emphasis > < source> </emphasis> <emphasis > < destination> </emphasis> tcp 443 #Secure HTTP</programlisting>
</section>
2003-12-26 16:52:12 +01:00
<section >
<title > Other Source of Port Information</title>
<para > Didn' t find what you are looking for -- have you looked in your
own /etc/services file?</para>
<para > Still looking? Try <ulink
url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink> </para>
</section>
2004-01-04 00:03:36 +01:00
<appendix >
<title > Revision History</title>
2004-02-08 19:31:31 +01:00
<para > <revhistory > <revision > <revnumber > 1.5</revnumber> <date > 2004-02-05</date> <authorinitials > TE</authorinitials> <revremark > Added
information about VNC viewers in listen mode.</revremark> </revision> <revision > <revnumber > 1.4</revnumber> <date > 2004-01-26</date> <authorinitials > TE</authorinitials> <revremark > Correct
2004-01-31 04:24:02 +01:00
ICQ.</revremark> </revision> <revision > <revnumber > 1.3</revnumber> <date > 2004-01-04</date> <authorinitials > TE</authorinitials> <revremark > Alphabetize</revremark> </revision> <revision > <revnumber > 1.2</revnumber> <date > 2004-01-03</date> <authorinitials > TE</authorinitials> <revremark > Add
2004-01-04 00:03:36 +01:00
rules file entries.</revremark> </revision> <revision > <revnumber > 1.1</revnumber> <date > 2002-07-30</date> <authorinitials > TE</authorinitials> <revremark > Initial
version converted to Docbook XML</revremark> </revision> </revhistory> </para>
</appendix>
2003-12-26 16:52:12 +01:00
</article>