2003-12-26 16:52:12 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
|
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
|
<article>
|
|
|
|
|
<!--$Id$-->
|
|
|
|
|
|
|
|
|
|
<articleinfo>
|
|
|
|
|
<title>Ports Required for Various Services/Applications</title>
|
|
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
|
<author>
|
|
|
|
|
<firstname>Tom</firstname>
|
|
|
|
|
|
|
|
|
|
<surname>Eastep</surname>
|
|
|
|
|
</author>
|
|
|
|
|
</authorgroup>
|
|
|
|
|
|
|
|
|
|
<pubdate>2002-07-30</pubdate>
|
|
|
|
|
|
|
|
|
|
<copyright>
|
|
|
|
|
<year>2001-2002</year>
|
|
|
|
|
|
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
|
|
|
</copyright>
|
|
|
|
|
|
|
|
|
|
<legalnotice>
|
|
|
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
|
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
|
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
|
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
|
|
|
Texts. A copy of the license is included in the section entitled
|
|
|
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
|
|
|
|
</legalnotice>
|
|
|
|
|
|
|
|
|
|
<abstract>
|
|
|
|
|
<para>In addition to those applications described in the
|
|
|
|
|
/etc/shorewall/rules documentation, here are some other
|
|
|
|
|
services/applications that you may need to configure your firewall to
|
|
|
|
|
accommodate.</para>
|
|
|
|
|
</abstract>
|
|
|
|
|
</articleinfo>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>NTP (Network Time Protocol)</title>
|
|
|
|
|
|
|
|
|
|
<para>UDP Port 123</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>rdate</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 37</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Usenet (NNTP)</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 119</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>DNS</title>
|
|
|
|
|
|
|
|
|
|
<para>UDP Port 53. If you are configuring a DNS client, you will probably
|
|
|
|
|
want to open TCP Port 53 as well. If you are configuring a server, only
|
|
|
|
|
open TCP Port 53 if you will return long replies to queries or if you need
|
|
|
|
|
to enable ZONE transfers. In the latter case, be sure that your server is
|
|
|
|
|
properly configured.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>ICQ</title>
|
|
|
|
|
|
|
|
|
|
<para>UDP Port 4000. You will also need to open a range of TCP ports which
|
|
|
|
|
you can specify to your ICQ client. By default, clients use 4000-4100.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>PPTP</title>
|
|
|
|
|
|
|
|
|
|
<para>Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more information
|
|
|
|
|
<ulink url="PPTP.htm">here</ulink> and <ulink url="VPN.htm">here</ulink>).</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>IPSEC</title>
|
|
|
|
|
|
|
|
|
|
<para>Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. These
|
|
|
|
|
should be opened in both directions (Lots more information <ulink
|
|
|
|
|
url="IPSEC.htm">here</ulink> and <ulink url="VPN.htm">here</ulink>)</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>SMTP (email)</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 25.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Pop3</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>IMAP</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 143 (Secure IMAP is TCP Port 993)</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Telnet</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 23.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>SSH</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 22.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Auth (identd)</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Port 113</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Web Access</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Ports 80 and 443.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>FTP</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP port 21 plus look <ulink url="FTP.html">here</ulink> for much
|
|
|
|
|
more information.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>SMB/NMB (Samba/Windows Browsing/File Sharing)</title>
|
|
|
|
|
|
|
|
|
|
<para>TCP Ports 137, 139 and 445.</para>
|
|
|
|
|
|
|
|
|
|
<para>UDP Ports 137-139.</para>
|
|
|
|
|
|
|
|
|
|
<para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Traceroute</title>
|
|
|
|
|
|
|
|
|
|
<para>UDP ports 33434 through 33434+<max number of hops>-1</para>
|
|
|
|
|
|
2003-12-26 19:13:03 +01:00
|
|
|
<para>ICMP type 8 (<quote>ping</quote>)</para>
|
2003-12-26 16:52:12 +01:00
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>NFS</title>
|
|
|
|
|
|
|
|
|
|
<para>I personally use the following rules for opening access from zone z1
|
|
|
|
|
to a server with IP address a.b.c.d in zone z2:</para>
|
|
|
|
|
|
|
|
|
|
<informaltable>
|
|
|
|
|
<tgroup cols="7">
|
|
|
|
|
<thead>
|
|
|
|
|
<row>
|
|
|
|
|
<entry align="center">ACTION</entry>
|
|
|
|
|
|
|
|
|
|
<entry align="center">SOURCE</entry>
|
|
|
|
|
|
|
|
|
|
<entry align="center">DESTINATION</entry>
|
|
|
|
|
|
|
|
|
|
<entry align="center">PROTOCOL</entry>
|
|
|
|
|
|
|
|
|
|
<entry align="center">PORT(S)</entry>
|
|
|
|
|
|
|
|
|
|
<entry align="center">SOURCE PORT(S)</entry>
|
|
|
|
|
|
|
|
|
|
<entry align="center">ORIGINAL DEST</entry>
|
|
|
|
|
</row>
|
|
|
|
|
</thead>
|
|
|
|
|
|
|
|
|
|
<tbody>
|
|
|
|
|
<row>
|
|
|
|
|
<entry>ACCEPT</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z1</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z2:a.b.c.d</entry>
|
|
|
|
|
|
|
|
|
|
<entry>udp</entry>
|
|
|
|
|
|
|
|
|
|
<entry>111</entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
</row>
|
|
|
|
|
|
|
|
|
|
<row>
|
|
|
|
|
<entry>ACCEPT</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z1</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z2:a.b.c.d</entry>
|
|
|
|
|
|
|
|
|
|
<entry>tcp</entry>
|
|
|
|
|
|
|
|
|
|
<entry>111</entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
</row>
|
|
|
|
|
|
|
|
|
|
<row>
|
|
|
|
|
<entry>ACCEPT</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z1</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z2:a.b.c.d</entry>
|
|
|
|
|
|
|
|
|
|
<entry>udp</entry>
|
|
|
|
|
|
|
|
|
|
<entry>2049</entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
</row>
|
|
|
|
|
|
|
|
|
|
<row>
|
|
|
|
|
<entry>ACCEPT</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z1</entry>
|
|
|
|
|
|
|
|
|
|
<entry>z2:a.b.c.d</entry>
|
|
|
|
|
|
|
|
|
|
<entry>udp</entry>
|
|
|
|
|
|
|
|
|
|
<entry>32700:</entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
|
|
|
|
|
<entry></entry>
|
|
|
|
|
</row>
|
|
|
|
|
</tbody>
|
|
|
|
|
</tgroup>
|
|
|
|
|
</informaltable>
|
|
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>VNC</title>
|
|
|
|
|
|
2003-12-26 19:13:03 +01:00
|
|
|
<para>TCP port 5900 + <display number>.</para>
|
2003-12-26 16:52:12 +01:00
|
|
|
</section>
|
|
|
|
|
|
|
|
|
|
<section>
|
|
|
|
|
<title>Other Source of Port Information</title>
|
|
|
|
|
|
|
|
|
|
<para>Didn't find what you are looking for -- have you looked in your
|
|
|
|
|
own /etc/services file?</para>
|
|
|
|
|
|
|
|
|
|
<para>Still looking? Try <ulink
|
|
|
|
|
url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
|
|
|
|
|
</section>
|
|
|
|
|
</article>
|
