From 21694406bfd18a48601a7359f4bd7ff08451e04e Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 3 Jan 2004 23:03:36 +0000 Subject: [PATCH] Add rules to ports.xml git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1052 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/ports.xml | 206 +++++++++++++++++---------------------- 1 file changed, 90 insertions(+), 116 deletions(-) diff --git a/Shorewall-docs/ports.xml b/Shorewall-docs/ports.xml index 99ae5e9cd..dc8b9b8a3 100644 --- a/Shorewall-docs/ports.xml +++ b/Shorewall-docs/ports.xml @@ -2,8 +2,6 @@
- - Ports Required for Various Services/Applications @@ -15,11 +13,13 @@ - 2002-07-30 + 2004-01-03 2001-2002 + 2004 + Thomas M. Eastep @@ -40,37 +40,50 @@ + + In the rules that are shown in this document, the ACTION is shown as + ACCEPT. You may need to use DNAT (see FAQ 30) + or you may want DROP or REJECT if you are trying to block the application. + +
NTP (Network Time Protocol) - UDP Port 123 + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> udp 123
rdate - TCP Port 37 + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 37
Usenet (NNTP) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 119 + TCP Port 119
DNS - UDP Port 53. If you are configuring a DNS client, you will probably - want to open TCP Port 53 as well. If you are configuring a server, only - open TCP Port 53 if you will return long replies to queries or if you need - to enable ZONE transfers. In the latter case, be sure that your server is - properly configured. + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> udp 53 +ACCEPT <source> <destination> tcp 53
ICQ + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> udp 4000 +ACCEPT <source> <destination> tcp 53 + UDP Port 4000. You will also need to open a range of TCP ports which you can specify to your ICQ client. By default, clients use 4000-4100.
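Review bot: the ICQ entry has the wrong port in its second rule: `+ACCEPT <source> <destination> tcp 53` looks copied from the DNS entry above it, while the retained paragraph says the TCP range is the one configured in the client, 4000-4100 by default, so it should read `ACCEPT <source> <destination> tcp 4000:4100` (colon range syntax, as in the other entries). In the DNS entry the replacement drops the guidance from the removed lines about when TCP 53 is actually needed (a server only for long replies or zone transfers, and only once the server is properly configured); the new unconditional `tcp 53` rule should keep that sentence, because zone transfers are exactly the case where an open TCP 53 matters. Minor: the Usenet entry keeps the old "TCP Port 119" paragraph next to the new rule, whereas NTP and rdate drop their prose; for consistency it can go.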
@@ -78,73 +91,100 @@
PPTP - Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more information - here and here). + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> 47 +ACCEPT <source> <destination> tcp 1723 + + Lots more information here and here.
IPSEC - Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. These - should be opened in both directions (Lots more information here and here) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> 50 +ACCEPT <source> <destination> 51 +ACCEPT <source> <destination> udp 500 +ACCEPT <destination> <source> 50 +ACCEPT <destination> <source> 51 +ACCEPT <destination> <source> udp 500 + + Lots more information here and here.
- SMTP (email) + SMTP - TCP Port 25. + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 25
Pop3 TCP Port 110 (Secure Pop3 is TCP Port 995) + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 110 #Unsecure Pop3 +ACCEPT <source> <destination> tcp 995 #Secure Pop3
IMAP - TCP Port 143 (Secure IMAP is TCP Port 993) + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 143 #Unsecure IMAP +ACCEPT <source> <destination> tcp 993 #Secure IMAP
Telnet - TCP Port 23. + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 23
SSH - TCP Port 22. + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 22
Auth (identd) - TCP Port 113 + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 113
Web Access - TCP Ports 80 and 443. + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 80 #Insecure HTTP +ACCEPT <source> <destination> tcp 443 #Secure HTTP
FTP - TCP port 21 plus look here for much - more information. + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 21 + + Look here for much more information.
SMB/NMB (Samba/Windows Browsing/File Sharing) - TCP Ports 137, 139 and 445. - - UDP Ports 137-139. + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 137,139,445 +ACCEPT <source> <destination> udp 137:139 +ACCEPT <destination> <source> tcp 137,139,445 +ACCEPT <destination> <source> udp 137:139 Also, see this page.
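Review bot: the SMB/NMB entry adds two reverse-direction rules (`ACCEPT <destination> <source> tcp 137,139,445` and `ACCEPT <destination> <source> udp 137:139`) that the removed text never listed, with no sentence saying why both directions are required; the IPSEC entry's removed text said "should be opened in both directions" explicitly, so SMB should say so too, or the reverse rules should be dropped, since they open the file-sharing ports toward the client side as well. Style: the Pop3 and IMAP rules are commented `#Unsecure Pop3` / `#Unsecure IMAP` while Web Access uses `#Insecure HTTP`; pick one spelling. The retained Pop3 paragraph "TCP Port 110 (Secure Pop3 is TCP Port 995)" now duplicates its two rules and can be removed like the other entries' prose.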
@@ -152,9 +192,12 @@
Traceroute - UDP ports 33434 through 33434+<max number of hops>-1 + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> udp 33434:33443 #Good for 10 hops +ACCEPT <source> <destination> icmp 8 - ICMP type 8 (ping) + UDP traceroute uses ports 33434 through 33434+<max number of + hops>-1
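Review bot: the removed line "ICMP type 8 (ping)" was the only statement that the 8 in `+ACCEPT <source> <destination> icmp 8` is an ICMP type rather than a port, and nothing in the new text says so; suggest a trailing comment on that rule such as `#Echo request (ping)`, matching the `#Good for 10 hops` comment on the UDP rule. The UDP range 33434:33443 does agree with the formula kept below it (33434+10-1).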
@@ -163,99 +206,22 @@ I personally use the following rules for opening access from zone z1 to a server with IP address a.b.c.d in zone z2: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - ACCEPT - - z1 - - z2:a.b.c.d - - udp - - 111 - - - - - - - - ACCEPT - - z1 - - z2:a.b.c.d - - tcp - - 111 - - - - - - - - ACCEPT - - z1 - - z2:a.b.c.d - - udp - - 2049 - - - - - - - - ACCEPT - - z1 - - z2:a.b.c.d - - udp - - 32700: - - - - - - - - + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <z1> <z2>:a.b.c.d tcp 111 +ACCEPT <z1> <z2>:a.b.c.d udp 111 +ACCEPT <z1> <z2>:a.b.c.d udp 2049 +ACCEPT <z1> <z2>:a.b.c.d udp 32700:
VNC TCP port 5900 + <display number>. + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +ACCEPT <source> <destination> tcp 5901 #Display Number 1 +ACCEPT <source> <destination> tcp 5902 #Display Number 2 +...
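Review bot: the last NFS rule `+ACCEPT <z1> <z2>:a.b.c.d udp 32700:` is an open-ended range that accepts every UDP port from 32700 upward to the server, and neither the removed table nor the new listing says which NFS-related service it covers; a comment naming the purpose (as the VNC rules do with `#Display Number 1`) would let readers judge whether they can narrow it. Also, the introductory sentence names the zones plainly as z1 and z2, but the rules write `<z1>` and `<z2>`; elsewhere in this file angle brackets mark placeholders such as `<source>`, so either drop the brackets here or word the sentence so it is clear they are placeholders.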
@@ -267,4 +233,12 @@ Still looking? Try http://www.networkice.com/advice/Exploits/Ports
+ + + Revision History + + 1.22004-01-03TEAdd + rules file entries.1.12002-07-30TEInitial + version converted to Docbook XML +
\ No newline at end of file
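Review bot: the file now ends without a trailing newline (`\ No newline at end of file`); please add one so that later diffs of ports.xml do not carry this marker on every change to the revision history.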