forked from extern/shorewall_code
76 lines
21 KiB
HTML
76 lines
21 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
|||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|||
|
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Ports Required for Various Services/Applications</title><meta name="generator" content="DocBook XSL Stylesheets V1.62.4" /><meta name="description" content="In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate." /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2590562"></a>Ports Required for Various Services/Applications</h1></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2001-2002, 2004 Thomas M. Eastep</p></div><div><div class="legalnotice"><p>Permission is granted to copy, distribute and/or modify this
|
|||
|
document under the terms of the GNU Free Documentation License, Version
|
|||
|
1.2 or any later version published by the Free Software Foundation; with
|
|||
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|||
|
Texts. A copy of the license is included in the section entitled
|
|||
|
“<span class="quote"><a href="GnuCopyright.htm" target="_self">GNU Free Documentation License</a></span>”.</p></div></div><div><p class="pubdate">2004-02-12</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p>In addition to those applications described in the
|
|||
|
/etc/shorewall/rules documentation, here are some other
|
|||
|
services/applications that you may need to configure your firewall to
|
|||
|
accommodate.</p></div></div></div><div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2807696">Auth (identd)</a></span></dt><dt><span class="section"><a href="#id2807721">DNS</a></span></dt><dt><span class="section"><a href="#id2807755">FTP</a></span></dt><dt><span class="section"><a href="#id2807785">ICQ</a></span></dt><dt><span class="section"><a href="#id2807824">IMAP</a></span></dt><dt><span class="section"><a href="#id2807860">IPSEC</a></span></dt><dt><span class="section"><a href="#id2805799">NFS</a></span></dt><dt><span class="section"><a href="#id2805858">NTP (Network Time Protocol)</a></span></dt><dt><span class="section"><a href="#id2805883">PCAnywhere</a></span></dt><dt><span class="section"><a href="#id2810144">Pop3</a></span></dt><dt><span class="section"><a href="#id2810185">PPTP</a></span></dt><dt><span class="section"><a href="#id2810236">rdate</a></span></dt><dt><span class="section"><a href="#id2810261">SSH</a></span></dt><dt><span class="section"><a href="#id2810287">SMB/NMB (Samba/Windows Browsing/File Sharing)</a></span></dt><dt><span class="section"><a href="#id2859431">SMTP</a></span></dt><dt><span class="section"><a href="#id2859455">Telnet</a></span></dt><dt><span class="section"><a href="#id2859481">Traceroute</a></span></dt><dt><span class="section"><a href="#id2859520">Usenet (NNTP)</a></span></dt><dt><span class="section"><a href="#id2859550">VNC</a></span></dt><dt><span class="section"><a href="#id2859615">Web Access</a></span></dt><dt><span class="section"><a href="#id2809845">Other Source of Port Information</a></span></dt><dt><span class="appendix"><a href="#id2809872">A. Revision History</a></span></dt></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Beginning with Shorewall 2.0.0, the Shorewall distribution contains
|
|||
|
a library of user-defined actions that allow for easily allowing or
|
|||
|
blocking a particular application. Check your <tt class="filename">/etc/shorewall/actions.std</tt>
|
|||
|
file for a list of the actions in your distribution. If you find what you
|
|||
|
need, you simply use the action in a rule. For example, to allow DNS
|
|||
|
queries from the <span class="bold"><b>dmz</b></span> zone to the
|
|||
|
<span class="bold"><b>net</b></span> zone:</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION
|
|||
|
AllowPing dmz net</pre></td></tr></table></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>In the rules that are shown in this document, the ACTION is shown as
|
|||
|
ACCEPT. You may need to use DNAT (see <a href="FAQ.htm#faq30" target="_self">FAQ 30</a>)
|
|||
|
or you may want DROP or REJECT if you are trying to block the application.</p><p>Example: You want to port forward FTP from the net to your server at
|
|||
|
192.168.1.4 in your DMZ. The FTP section below gives you:</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 21</pre></td></tr></table><p>You would code your rule as follows:</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
DNAT net dmz:192.168.1.4 tcp 21</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2807696"></a>Auth (identd)</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 113</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2807721"></a>DNS</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> udp 53
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 53</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2807755"></a>FTP</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 21</pre></td></tr></table><p>Look <a href="FTP.html" target="_self">here</a> for much more information.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2807785"></a>ICQ</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> udp 4000
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 4000:4100</pre></td></tr></table><p>UDP Port 4000. You will also need to open a range of TCP ports which
|
|||
|
you can specify to your ICQ client. By default, clients use 4000-4100.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2807824"></a>IMAP</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 143 #Unsecure IMAP
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 993 #Secure IMAP</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2807860"></a>IPSEC</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em> <destination></em></span> 50
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em> <destination></em></span> 51
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em> <destination></em></span> udp 500
|
|||
|
ACCEPT <span class="emphasis"><em><destination></em></span> <span class="emphasis"><em><source></em></span> 50
|
|||
|
ACCEPT <span class="emphasis"><em><destination></em></span> <span class="emphasis"><em><source></em></span> 51
|
|||
|
ACCEPT <span class="emphasis"><em><destination></em></span> <span class="emphasis"><em><source></em></span> udp 500</pre></td></tr></table><p>Lots more information <a href="IPSEC.htm" target="_self">here</a> and <a href="VPN.htm" target="_self">here</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2805799"></a>NFS</h2></div></div><div></div></div><p>I personally use the following rules for opening access from zone z1
|
|||
|
to a server with IP address a.b.c.d in zone z2. I have found though that
|
|||
|
different distributions behave differently so your milage may vary.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><z1></em></span> <span class="emphasis"><em> <z2></em></span>:a.b.c.d tcp 111
|
|||
|
ACCEPT <span class="emphasis"><em><z1></em></span> <span class="emphasis"><em> <z2></em></span>:a.b.c.d udp 111
|
|||
|
ACCEPT <span class="emphasis"><em><z1></em></span> <span class="emphasis"><em> <z2></em></span>:a.b.c.d udp 2049
|
|||
|
ACCEPT <span class="emphasis"><em><z1></em></span> <span class="emphasis"><em> <z2></em></span>:a.b.c.d udp 32700:</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2805858"></a>NTP (Network Time Protocol)</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> udp 123</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2805883"></a><span class="trademark">PCAnywhere</span>™</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> udp 5632
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 5631</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2810144"></a>Pop3</h2></div></div><div></div></div><p>TCP Port 110 (Secure Pop3 is TCP Port 995)</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 110 #Unsecure Pop3
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 995 #Secure Pop3</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2810185"></a>PPTP</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> 47
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 1723</pre></td></tr></table><p>Lots more information <a href="PPTP.htm" target="_self">here</a> and <a href="VPN.htm" target="_self">here</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2810236"></a>rdate</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 37</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2810261"></a>SSH</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 22</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2810287"></a>SMB/NMB (Samba/Windows Browsing/File Sharing)</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em> <destination></em></span> tcp 137,139,445
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em> <destination></em></span> udp 137:139
|
|||
|
ACCEPT <span class="emphasis"><em><destination></em></span> <span class="emphasis"><em><source></em></span> tcp 137,139,445
|
|||
|
ACCEPT <span class="emphasis"><em><destination></em></span> <span class="emphasis"><em><source></em></span> udp 137:139</pre></td></tr></table><p>Also, see <a href="samba.htm" target="_self">this page</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2859431"></a>SMTP</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 25</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2859455"></a>Telnet</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 23</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2859481"></a>Traceroute</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> udp 33434:33443 #Good for 10 hops
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> icmp 8</pre></td></tr></table><p>UDP traceroute uses ports 33434 through 33434+<max number of
|
|||
|
hops>-1</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2859520"></a>Usenet (NNTP)</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 119</pre></td></tr></table><p>TCP Port 119</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2859550"></a>VNC</h2></div></div><div></div></div><p>Vncviewer to Vncserver -- TCP port 5900 + <display number>.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 5901 #Display Number 1
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 5902 #Display Number 2
|
|||
|
...</pre></td></tr></table><p>Vncserver to Vncviewer in listen mode -- TCP port 5500.</p><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 5500</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2859615"></a>Web Access</h2></div></div><div></div></div><table border="0" bgcolor="#E0E0E0"><tr><td><pre class="programlisting">#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 80 #Insecure HTTP
|
|||
|
ACCEPT <span class="emphasis"><em><source></em></span> <span class="emphasis"><em><destination></em></span> tcp 443 #Secure HTTP</pre></td></tr></table></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2809845"></a>Other Source of Port Information</h2></div></div><div></div></div><p>Didn't find what you are looking for -- have you looked in your
|
|||
|
own /etc/services file?</p><p>Still looking? Try <a href="http://www.networkice.com/advice/Exploits/Ports" target="_self">http://www.networkice.com/advice/Exploits/Ports</a></p></div><div class="appendix" lang="en" xml:lang="en"><h2 class="title" style="clear: both"><a id="id2809872"></a>A. Revision History</h2><div class="revhistory"><table border="0" width="100%" summary="Revision history"><tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr><tr><td align="left">Revision 1.6</td><td align="left">2004-01-26</td><td align="left">TE</td></tr><tr><td align="left" colspan="3">Add
|
|||
|
PCAnywhere.</td></tr><tr><td align="left">Revision 1.5</td><td align="left">2004-02-05</td><td align="left">TE</td></tr><tr><td align="left" colspan="3">Added
|
|||
|
information about VNC viewers in listen mode.</td></tr><tr><td align="left">Revision 1.4</td><td align="left">2004-01-26</td><td align="left">TE</td></tr><tr><td align="left" colspan="3">Correct
|
|||
|
ICQ.</td></tr><tr><td align="left">Revision 1.3</td><td align="left">2004-01-04</td><td align="left">TE</td></tr><tr><td align="left" colspan="3">Alphabetize</td></tr><tr><td align="left">Revision 1.2</td><td align="left">2004-01-03</td><td align="left">TE</td></tr><tr><td align="left" colspan="3">Add
|
|||
|
rules file entries.</td></tr><tr><td align="left">Revision 1.1</td><td align="left">2002-07-30</td><td align="left">TE</td></tr><tr><td align="left" colspan="3">Initial
|
|||
|
version converted to Docbook XML</td></tr></table></div></div></div></body></html>
|