Replace VALIDATE_PORTS option with built-in protocol and service tables

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6617 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-06-20 18:10:23 +00:00
parent 1ca8ef92c5
commit c7f68018a9
9 changed files with 1188 additions and 72 deletions


@ -64,17 +64,15 @@ Other changes in Shorewall 4.0.0 Beta 6
are installed, the additional shorewall.conf file is read to see if
it specifies a SHOREWALL_COMPILER.
3) Shorewall-perl validates protocol names and service names against
/etc/protocols and /etc/services. That's the good news. The bad
news is that this extra validation has a fixed overhead of almost
.8 seconds on my x86_64 box. This fixed cost is mostly attributable
to the cost of reading and digesting /etc/services.
To give people the choice of whether they want to incur this fixed
cost on each compilation, I've added a VALIDATE_PORTS option in
/etc/shorewall/shorewall.conf. If you set this to 'No', you can
save the extra processing time but the compiled script may fail at
runtime because of typing errors.
3) Previously, Shorewall-perl read /etc/protocols and /etc/services
during compiler startup to build internal protocol and service
tables. This had a fixed cost of up to one second or more,
depending on the speed of the system and the distribution
(The /etc/services released with OpenSuSE 10.2 is over 14,000
lines!!) These tables are now initialized by the Perl compiler
which speeds up compilation considerably. The /etc/protocols and
/etc/services used to build these tables are from Ubuntu Fiesty
Fawn and are included in /usr/share/shorewall-perl/.
Migration Considerations:


@ -31,12 +31,6 @@ VERBOSITY=1
SHOREWALL_COMPILER=
###############################################################################
# C O M P I L E R O P T I O N S
###############################################################################
VALIDATE_PORTS=Yes
###############################################################################
# L O G G I N G
###############################################################################


@ -756,7 +756,6 @@ sub clearrule() {
sub validate_proto( $ ) {
my $proto = $_[0];
return $proto unless $config{VALIDATE_PORTS};
my $value = $protocols{$proto};
return $value if defined $value;
return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535;
@ -774,22 +773,20 @@ sub validate_portpair( $ ) {
my @ports = split/:/, $portpair, 2;
if ( $config{VALIDATE_PORTS} ) {
for my $port ( @ports ) {
my $value = $services{$port};
unless ( defined $value ) {
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
}
for my $port ( @ports ) {
my $value = $services{$port};
unless ( defined $value ) {
$value = $port if $port =~ /^(\d+)$/ && $port <= 65535;
}
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
fatal_error "Invalid/Unknown port/service ($port)" unless defined $value;
$port = $value;
}
$port = $value;
}
if ( @ports == 2 ) {
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
}
if ( @ports == 2 ) {
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
}
join ':', @ports;
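Review bot: validate_proto still accepts any numeric protocol up to 65535 (`return $proto if $proto =~ /^(\d+)$/ && $proto <= 65535;`), but the IP protocol field is 8 bits, so a value such as 300 passes compile-time validation and, as far as I know, is rejected by iptables only when the generated script runs — exactly the failure mode the table lookup is meant to catch early. `return $proto if $proto =~ /^\d+$/ && $proto <= 255;` keeps the check honest; `$` also tolerates a trailing newline, so `\A\d+\z` is the stricter anchor if the input can carry one. validate_proto's body continues past the first hunk, and the same `<= 65535` bound is correct for ports in validate_portpair below, which needs no change.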


@ -46,8 +46,10 @@ our @EXPORT = qw(
push_open
pop_open
read_a_line
read_a_line1
validate_level
qt
ensure_config_path
get_configuration
require_capability
report_capabilities
@ -87,9 +89,488 @@ our %capabilities;
#
# /etc/protocols and /etc/services
#
our %protocols;
our %services;
# Protocol and Services tables generated using buildproto.pl - Wed Jun 19 21:05:31 2007
#
our %protocols = (
ip => 0,
IP => 0,
icmp => 1,
ICMP => 1,
igmp => 2,
IGMP => 2,
ggp => 3,
GGP => 3,
ipencap => 4,
'IP-ENCAP' => 4,
st => 5,
ST => 5,
tcp => 6,
TCP => 6,
egp => 8,
EGP => 8,
igp => 9,
IGP => 9,
pup => 12,
PUP => 12,
udp => 17,
UDP => 17,
hmp => 20,
HMP => 20,
'xns-idp' => 22,
'XNS-IDP' => 22,
rdp => 27,
RDP => 27,
'iso-tp4' => 29,
'ISO-TP4' => 29,
xtp => 36,
XTP => 36,
ddp => 37,
DDP => 37,
'idpr-cmtp' => 38,
'IDPR-CMTP' => 38,
ipv6 => 41,
IPv6 => 41,
'ipv6-route' => 43,
'IPv6-Route' => 43,
'ipv6-frag' => 44,
'IPv6-Frag' => 44,
idrp => 45,
IDRP => 45,
rsvp => 46,
RSVP => 46,
gre => 47,
GRE => 47,
esp => 50,
'IPSEC-ESP' => 50,
ah => 51,
'IPSEC-AH' => 51,
skip => 57,
SKIP => 57,
'ipv6-icmp' => 58,
'IPv6-ICMP' => 58,
'ipv6-nonxt' => 59,
'IPv6-NoNxt' => 59,
'ipv6-opts' => 60,
'IPv6-Opts' => 60,
rspf => 73,
vmtp => 81,
VMTP => 81,
eigrp => 88,
EIGRP => 88,
ospf => 89,
OSPFIGP => 89,
'ax.25' => 93,
'AX.25' => 93,
ipip => 94,
IPIP => 94,
etherip => 97,
ETHERIP => 97,
encap => 98,
ENCAP => 98,
pim => 103,
PIM => 103,
ipcomp => 108,
IPCOMP => 108,
vrrp => 112,
VRRP => 112,
l2tp => 115,
L2TP => 115,
isis => 124,
ISIS => 124,
sctp => 132,
SCTP => 132,
fc => 133,
FC => 133,
);
our %services = (
tcpmux => 1,
echo => 7,
discard => 9,
sink => 9,
null => 9,
systat => 11,
users => 11,
daytime => 13,
netstat => 15,
qotd => 17,
quote => 17,
msp => 18,
chargen => 19,
ttytst => 19,
source => 19,
'ftp-data' => 20,
ftp => 21,
fsp => 21,
fspd => 21,
ssh => 22,
telnet => 23,
smtp => 25,
mail => 25,
time => 37,
timserver => 37,
rlp => 39,
resource => 39,
nameserver => 42,
name => 42,
whois => 43,
nicname => 43,
tacacs => 49,
're-mail-ck' => 50,
domain => 53,
mtp => 57,
'tacacs-ds' => 65,
bootps => 67,
bootpc => 68,
tftp => 69,
gopher => 70,
rje => 77,
netrjs => 77,
finger => 79,
www => 80,
http => 80,
link => 87,
ttylink => 87,
kerberos => 88,
kerberos5 => 88,
krb5 => 88,
'kerberos-sec' => 88,
supdup => 95,
hostnames => 101,
hostname => 101,
'iso-tsap' => 102,
tsap => 102,
'acr-nema' => 104,
dicom => 104,
'csnet-ns' => 105,
'cso-ns' => 105,
rtelnet => 107,
pop2 => 109,
postoffice => 109,
'pop-2' => 109,
pop3 => 110,
'pop-3' => 110,
sunrpc => 111,
portmapper => 111,
auth => 113,
authentication => 113,
tap => 113,
ident => 113,
sftp => 115,
'uucp-path' => 117,
nntp => 119,
readnews => 119,
untp => 119,
ntp => 123,
pwdgen => 129,
'loc-srv' => 135,
epmap => 135,
'netbios-ns' => 137,
'netbios-dgm' => 138,
'netbios-ssn' => 139,
imap2 => 143,
imap => 143,
snmp => 161,
'snmp-trap' => 162,
snmptrap => 162,
'cmip-man' => 163,
'cmip-agent' => 164,
mailq => 174,
xdmcp => 177,
nextstep => 178,
NeXTStep => 178,
NextStep => 178,
bgp => 179,
prospero => 191,
irc => 194,
smux => 199,
'at-rtmp' => 201,
'at-nbp' => 202,
'at-echo' => 204,
'at-zis' => 206,
qmtp => 209,
z3950 => 210,
wais => 210,
ipx => 213,
imap3 => 220,
pawserv => 345,
zserv => 346,
fatserv => 347,
rpc2portmap => 369,
codaauth2 => 370,
clearcase => 371,
Clearcase => 371,
ulistserv => 372,
ldap => 389,
imsp => 406,
https => 443,
snpp => 444,
'microsoft-ds' => 445,
kpasswd => 464,
saft => 487,
isakmp => 500,
rtsp => 554,
nqs => 607,
'npmp-local' => 610,
dqs313_qmaster => 610,
'npmp-gui' => 611,
dqs313_execd => 611,
'hmmp-ind' => 612,
dqs313_intercell => 612,
ipp => 631,
exec => 512,
biff => 512,
comsat => 512,
login => 513,
who => 513,
whod => 513,
shell => 514,
cmd => 514,
syslog => 514,
printer => 515,
spooler => 515,
talk => 517,
ntalk => 518,
route => 520,
router => 520,
routed => 520,
timed => 525,
timeserver => 525,
tempo => 526,
newdate => 526,
courier => 530,
rpc => 530,
conference => 531,
chat => 531,
netnews => 532,
netwall => 533,
gdomap => 538,
uucp => 540,
uucpd => 540,
klogin => 543,
kshell => 544,
krcmd => 544,
afpovertcp => 548,
remotefs => 556,
rfs_server => 556,
rfs => 556,
nntps => 563,
snntp => 563,
submission => 587,
ldaps => 636,
tinc => 655,
silc => 706,
'kerberos-adm' => 749,
webster => 765,
rsync => 873,
'ftps-data' => 989,
ftps => 990,
telnets => 992,
imaps => 993,
ircs => 994,
pop3s => 995,
socks => 1080,
proofd => 1093,
rootd => 1094,
openvpn => 1194,
rmiregistry => 1099,
kazaa => 1214,
nessus => 1241,
lotusnote => 1352,
lotusnotes => 1352,
'ms-sql-s' => 1433,
'ms-sql-m' => 1434,
ingreslock => 1524,
'prospero-np' => 1525,
datametrics => 1645,
'old-radius' => 1645,
'sa-msg-port' => 1646,
'old-radacct' => 1646,
kermit => 1649,
l2f => 1701,
l2tp => 1701,
radius => 1812,
'radius-acct' => 1813,
radacct => 1813,
msnp => 1863,
'unix-status' => 1957,
'log-server' => 1958,
remoteping => 1959,
nfs => 2049,
'rtcm-sc104' => 2101,
cvspserver => 2401,
venus => 2430,
'venus-se' => 2431,
codasrv => 2432,
'codasrv-se' => 2433,
mon => 2583,
dict => 2628,
gpsd => 2947,
gds_db => 3050,
icpv2 => 3130,
icp => 3130,
mysql => 3306,
nut => 3493,
distcc => 3632,
daap => 3689,
svn => 3690,
subversion => 3690,
iax => 4569,
'radmin-port' => 4899,
rfe => 5002,
mmcc => 5050,
sip => 5060,
'sip-tls' => 5061,
aol => 5190,
'xmpp-client' => 5222,
'jabber-client' => 5222,
'xmpp-server' => 5269,
'jabber-server' => 5269,
cfengine => 5308,
postgresql => 5432,
postgres => 5432,
x11 => 6000,
'x11-0' => 6000,
'x11-1' => 6001,
'x11-2' => 6002,
'x11-3' => 6003,
'x11-4' => 6004,
'x11-5' => 6005,
'x11-6' => 6006,
'x11-7' => 6007,
'gnutella-svc' => 6346,
'gnutella-rtr' => 6347,
'afs3-fileserver' => 7000,
bbs => 7000,
'afs3-callback' => 7001,
'afs3-prserver' => 7002,
'afs3-vlserver' => 7003,
'afs3-kaserver' => 7004,
'afs3-volser' => 7005,
'afs3-errors' => 7006,
'afs3-bos' => 7007,
'afs3-update' => 7008,
'afs3-rmtsys' => 7009,
'font-service' => 7100,
xfs => 7100,
'bacula-dir' => 9101,
'bacula-fd' => 9102,
'bacula-sd' => 9103,
amanda => 10080,
hkp => 11371,
bprd => 13720,
bpdbm => 13721,
'bpjava-msvc' => 13722,
vnetd => 13724,
bpcd => 13782,
vopied => 13783,
wnn6 => 22273,
rtmp => 1,
nbp => 2,
zip => 6,
kerberos4 => 750,
'kerberos-iv' => 750,
kdc => 750,
kerberos_master => 751,
passwd_server => 752,
krb_prop => 754,
krb5_prop => 754,
hprop => 754,
krbupdate => 760,
kreg => 760,
swat => 901,
kpop => 1109,
knetd => 2053,
'zephyr-srv' => 2102,
'zephyr-clt' => 2103,
'zephyr-hm' => 2104,
eklogin => 2105,
kx => 2111,
iprop => 2121,
supfilesrv => 871,
supfiledbg => 1127,
linuxconf => 98,
poppassd => 106,
ssmtp => 465,
smtps => 465,
moira_db => 775,
moira_update => 777,
moira_ureg => 779,
spamd => 783,
omirr => 808,
omirrd => 808,
customs => 1001,
skkserv => 1178,
predict => 1210,
rmtcfg => 1236,
wipld => 1300,
xtel => 1313,
xtelw => 1314,
support => 1529,
sieve => 2000,
cfinger => 2003,
ndtp => 2010,
frox => 2121,
ninstall => 2150,
zebrasrv => 2600,
zebra => 2601,
ripd => 2602,
ripngd => 2603,
ospfd => 2604,
bgpd => 2605,
ospf6d => 2606,
ospfapi => 2607,
isisd => 2608,
afbackup => 2988,
afmbackup => 2989,
xtell => 4224,
fax => 4557,
hylafax => 4559,
distmp3 => 4600,
munin => 4949,
lrrd => 4949,
'enbd-cstatd' => 5051,
'enbd-sstatd' => 5052,
pcrd => 5151,
noclog => 5354,
hostmon => 5355,
rplay => 5555,
rptp => 5556,
nsca => 5667,
mrtd => 5674,
bgpsim => 5675,
canna => 5680,
'sane-port' => 6566,
sane => 6566,
saned => 6566,
ircd => 6667,
'zope-ftp' => 8021,
webcache => 8080,
tproxy => 8081,
omniorb => 8088,
'clc-build-daemon' => 8990,
xinetd => 9098,
mandelspawn => 9359,
mandelbrot => 9359,
zope => 9673,
kamanda => 10081,
amandaidx => 10082,
amidxtape => 10083,
smsqp => 11201,
xpilot => 15345,
'sgi-cmsd' => 17001,
'sgi-crsd' => 17002,
'sgi-gcd' => 17003,
'sgi-cad' => 17004,
isdnlog => 20011,
vboxd => 20012,
binkp => 24554,
asp => 27374,
csync2 => 30865,
dircproxy => 57000,
tfido => 60177,
fido => 60179,
);
#
# Capabilities
#
@ -221,10 +702,6 @@ sub initialize() {
EXPORTPARAMS => undef,
SHOREWALL_COMPILER => undef,
#
# Compiler Options
#
VALIDATE_PORTS => undef,
#
# Packet Disposition
#
MACLIST_DISPOSITION => undef,
@ -266,11 +743,6 @@ sub initialize() {
CAPVERSION => undef,
);
#
# /etc/protocols and /etc/services
#
%protocols = ();
%services = ();
#
# Capabilities
#
%capdesc = ( NAT_ENABLED => 'NAT',
@ -1017,31 +1489,6 @@ sub get_capabilities( $ ) {
}
}
sub get_protos_and_ports() {
open_file '/etc/protocols' or fatal_error "Cannot open /etc/protocols: $!";
while ( read_a_line1 ) {
my ( $proto1, $number, $proto2, $proto3 ) = split_line( 2, 4, '/etc/protocols entry');
$protocols{ $proto1 } = $number;
$protocols{ $proto2 } = $number unless $proto2 eq '-' || $proto3 ne '-';
}
open_file '/etc/services' or fatal_error "Cannot open /etc/services: $!";
while ( read_a_line1 ) {
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
my ( $number, $proto ) = split '/', $proto_number;
$services{ $name1 } = $number;
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
$services{ $name1 } = $number;
}
}
}
#
# - Read the shorewall.conf file
# - Read the capabilities file, if any
@ -1134,7 +1581,6 @@ sub get_configuration( $ ) {
default_yes_no 'EXPORTPARAMS' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'VALIDATE_PORTS' , 'Yes';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
@ -1251,8 +1697,6 @@ sub get_configuration( $ ) {
} else {
$config{LOCKFILE} = '';
}
get_protos_and_ports if $config{VALIDATE_PORTS};
}
#
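Review bot: The new %services table is keyed by service name only, so the protocol column of /etc/services is lost and the first number listed for a name wins: `rtmp => 1`, `nbp => 2` and `zip => 6` come from DDP-only entries yet will be accepted as TCP/UDP ports, `echo` resolves to 7 and never to its DDP value 4, and `nameserver` is 42 rather than the `domain 53` alias. This mirrors what the removed get_protos_and_ports did, but now that the table is frozen it should be stated at the table head, e.g. `# Keyed by name only: the protocol column is discarded and the first number seen for a name wins (some entries are DDP-only).`. Because the tables are now static, a service name that exists only in a host's local /etc/services (the bundled file's own "Local services" section) will presumably fail with "Invalid/Unknown port/service" where it previously compiled; that deserves a line under the changelog's Migration Considerations if it is not already there. Numeric ports are still accepted by validate_portpair, so affected users can fall back to numbers.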


@ -0,0 +1,76 @@
#! /usr/bin/perl -w
use strict;
use lib '/usr/share/shorewall-perl';
use Shorewall::Common;
use Shorewall::Config;
our $offset = "\t\t ";
our %service_hash;
sub print_it( $$ ) {
my ( $name, $number ) = @_;
my $tabs;
my $length = length $name;
if ( $name =~ /[-.]/ ) {
$tabs = $length < 4 ? "\t\t\t" : $length < 12 ? "\t\t" : "\t";
print "${offset}'${name}'${tabs}=> $number,\n";
} else {
$tabs = $length < 6 ? "\t\t\t" : $length < 14 ? "\t\t" : "\t";
print "${offset}${name}${tabs}=> $number,\n";
}
}
sub print_service( $$ ) {
my ( $service, $number ) = @_;
unless ( exists $service_hash{$service} ) {
print_it( $service, $number );
$service_hash{$service} = $number;
}
}
set_shorewall_dir($ARGV[0] ? $ARGV[0] : '.');
ensure_config_path;
our $date = localtime;
print <<"EOF";
#
# Protocol and Services tables generated using buildproto.pl - $date
#
EOF
print "our %protocols = (\n";
open_file 'protocols' or fatal_error "Cannot open protocols: $!";
while ( read_a_line1 ) {
my ( $proto1, $number, $proto2, $proto3 ) = split_line( 2, 4, '/etc/protocols entry');
print_it( $proto1, $number );
print_it( $proto2, $number ) unless $proto2 eq '-' || $proto3 ne '-';
}
print "\t\t );\n\n";
print "our %services = (\n";
open_file 'services' or fatal_error "Cannot open services: $!";
while ( read_a_line1 ) {
my ( $name1, $proto_number, @names ) = split_line( 2, 10, '/etc/services entry');
my ( $number, $proto ) = split '/', $proto_number;
print_service( $name1 , $number );
while ( defined ( $name1 = shift @names ) && $name1 ne '-' ) {
print_service ($name1, $number );
}
}
print "\t\t );\n";
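Review bot: The alias-emission rule `print_it( $proto2, $number ) unless $proto2 eq '-' || $proto3 ne '-';` drops the second alias whenever a third column is present, so the bundled `rspf 73 RSPF CPHB` line yields only `rspf => 73` in the generated %protocols and the name `RSPF` is rejected by validate_proto even though the source file lists it. If that is not deliberate, `print_it( $proto2, $number ) unless $proto2 eq '-';` followed by `print_it( $proto3, $number ) unless $proto3 eq '-';` emits both aliases. Separately, print_it quotes a key only when it contains `-` or `.`; a name beginning with a digit or containing any other punctuation would be emitted as an unquoted bareword and break the generated hash, so `if ( $name =~ /\W/ || $name =~ /\A\d/ ) {` is the safer test. print_service silently keeps the first number seen for a name regardless of protocol, which deserves a one-line comment such as `# first occurrence wins; the protocol column is ignored`.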


@ -185,6 +185,12 @@ for f in prog.* ; do
echo "Program skeleton file ${f#*.} installed as ${PREFIX}/usr/share/shorewall-perl/$f"
done
#
# Install the /etc/protocols and /etc/services used to generate tables
#
install_file protocols ${PREFIX}/usr/share/shorewall-perl/protocols 444
install_file services ${PREFIX}/usr/share/shorewall-perl/services 444
echo $VERSION > ${PREFIX}/usr/share/shorewall-perl/version
#
# Report Success

56
Shorewall-perl/protocols Normal file

@ -0,0 +1,56 @@
# Internet (IP) protocols
#
# Updated from http://www.iana.org/assignments/protocol-numbers and other
# sources.
# New protocols will be added on request if they have been officially
# assigned by IANA and are not historical.
# If you need a huge list of used numbers please install the nmap package.
ip 0 IP # internet protocol, pseudo protocol number
#hopopt 0 HOPOPT # IPv6 Hop-by-Hop Option [RFC1883]
icmp 1 ICMP # internet control message protocol
igmp 2 IGMP # Internet Group Management
ggp 3 GGP # gateway-gateway protocol
ipencap 4 IP-ENCAP # IP encapsulated in IP (officially ``IP'')
st 5 ST # ST datagram mode
tcp 6 TCP # transmission control protocol
egp 8 EGP # exterior gateway protocol
igp 9 IGP # any private interior gateway (Cisco)
pup 12 PUP # PARC universal packet protocol
udp 17 UDP # user datagram protocol
hmp 20 HMP # host monitoring protocol
xns-idp 22 XNS-IDP # Xerox NS IDP
rdp 27 RDP # "reliable datagram" protocol
iso-tp4 29 ISO-TP4 # ISO Transport Protocol class 4 [RFC905]
xtp 36 XTP # Xpress Transfer Protocol
ddp 37 DDP # Datagram Delivery Protocol
idpr-cmtp 38 IDPR-CMTP # IDPR Control Message Transport
ipv6 41 IPv6 # Internet Protocol, version 6
ipv6-route 43 IPv6-Route # Routing Header for IPv6
ipv6-frag 44 IPv6-Frag # Fragment Header for IPv6
idrp 45 IDRP # Inter-Domain Routing Protocol
rsvp 46 RSVP # Reservation Protocol
gre 47 GRE # General Routing Encapsulation
esp 50 IPSEC-ESP # Encap Security Payload [RFC2406]
ah 51 IPSEC-AH # Authentication Header [RFC2402]
skip 57 SKIP # SKIP
ipv6-icmp 58 IPv6-ICMP # ICMP for IPv6
ipv6-nonxt 59 IPv6-NoNxt # No Next Header for IPv6
ipv6-opts 60 IPv6-Opts # Destination Options for IPv6
rspf 73 RSPF CPHB # Radio Shortest Path First (officially CPHB)
vmtp 81 VMTP # Versatile Message Transport
eigrp 88 EIGRP # Enhanced Interior Routing Protocol (Cisco)
ospf 89 OSPFIGP # Open Shortest Path First IGP
ax.25 93 AX.25 # AX.25 frames
ipip 94 IPIP # IP-within-IP Encapsulation Protocol
etherip 97 ETHERIP # Ethernet-within-IP Encapsulation [RFC3378]
encap 98 ENCAP # Yet Another IP encapsulation [RFC1241]
# 99 # any private encryption scheme
pim 103 PIM # Protocol Independent Multicast
ipcomp 108 IPCOMP # IP Payload Compression Protocol
vrrp 112 VRRP # Virtual Router Redundancy Protocol
l2tp 115 L2TP # Layer Two Tunneling Protocol [RFC2661]
isis 124 ISIS # IS-IS over IPv4
sctp 132 SCTP # Stream Control Transmission Protocol
fc 133 FC # Fibre Channel

543
Shorewall-perl/services Normal file

@ -0,0 +1,543 @@
# Network services, Internet style
#
# Note that it is presently the policy of IANA to assign a single well-known
# port number for both TCP and UDP; hence, officially ports have two entries
# even if the protocol doesn't support UDP operations.
#
# Updated from http://www.iana.org/assignments/port-numbers and other
# sources like http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/services .
# New ports will be added on request if they have been officially assigned
# by IANA and used in the real-world or are needed by a debian package.
# If you need a huge list of used numbers please install the nmap package.
tcpmux 1/tcp # TCP port service multiplexer
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
qotd 17/tcp quote
msp 18/tcp # message send protocol
msp 18/udp
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp 21/tcp
fsp 21/udp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp
telnet 23/tcp
smtp 25/tcp mail
time 37/tcp timserver
time 37/udp timserver
rlp 39/udp resource # resource location
nameserver 42/tcp name # IEN 116
whois 43/tcp nicname
tacacs 49/tcp # Login Host Protocol (TACACS)
tacacs 49/udp
re-mail-ck 50/tcp # Remote Mail Checking Protocol
re-mail-ck 50/udp
domain 53/tcp nameserver # name-domain server
domain 53/udp nameserver
mtp 57/tcp # deprecated
tacacs-ds 65/tcp # TACACS-Database Service
tacacs-ds 65/udp
bootps 67/tcp # BOOTP server
bootps 67/udp
bootpc 68/tcp # BOOTP client
bootpc 68/udp
tftp 69/udp
gopher 70/tcp # Internet Gopher
gopher 70/udp
rje 77/tcp netrjs
finger 79/tcp
www 80/tcp http # WorldWideWeb HTTP
www 80/udp # HyperText Transfer Protocol
link 87/tcp ttylink
kerberos 88/tcp kerberos5 krb5 kerberos-sec # Kerberos v5
kerberos 88/udp kerberos5 krb5 kerberos-sec # Kerberos v5
supdup 95/tcp
hostnames 101/tcp hostname # usually from sri-nic
iso-tsap 102/tcp tsap # part of ISODE
acr-nema 104/tcp dicom # Digital Imag. & Comm. 300
acr-nema 104/udp dicom # Digital Imag. & Comm. 300
csnet-ns 105/tcp cso-ns # also used by CSO name server
csnet-ns 105/udp cso-ns
rtelnet 107/tcp # Remote Telnet
rtelnet 107/udp
pop2 109/tcp postoffice pop-2 # POP version 2
pop2 109/udp pop-2
pop3 110/tcp pop-3 # POP version 3
pop3 110/udp pop-3
sunrpc 111/tcp portmapper # RPC 4.0 portmapper
sunrpc 111/udp portmapper
auth 113/tcp authentication tap ident
sftp 115/tcp
uucp-path 117/tcp
nntp 119/tcp readnews untp # USENET News Transfer Protocol
ntp 123/tcp
ntp 123/udp # Network Time Protocol
pwdgen 129/tcp # PWDGEN service
pwdgen 129/udp # PWDGEN service
loc-srv 135/tcp epmap # Location Service
loc-srv 135/udp epmap
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp
imap2 143/tcp imap # Interim Mail Access P 2 and 4
imap2 143/udp imap
snmp 161/tcp # Simple Net Mgmt Protocol
snmp 161/udp # Simple Net Mgmt Protocol
snmp-trap 162/tcp snmptrap # Traps for SNMP
snmp-trap 162/udp snmptrap # Traps for SNMP
cmip-man 163/tcp # ISO mgmt over IP (CMOT)
cmip-man 163/udp
cmip-agent 164/tcp
cmip-agent 164/udp
mailq 174/tcp # Mailer transport queue for Zmailer
mailq 174/udp # Mailer transport queue for Zmailer
xdmcp 177/tcp # X Display Mgr. Control Proto
xdmcp 177/udp
nextstep 178/tcp NeXTStep NextStep # NeXTStep window
nextstep 178/udp NeXTStep NextStep # server
bgp 179/tcp # Border Gateway Protocol
bgp 179/udp
prospero 191/tcp # Cliff Neuman's Prospero
prospero 191/udp
irc 194/tcp # Internet Relay Chat
irc 194/udp
smux 199/tcp # SNMP Unix Multiplexer
smux 199/udp
at-rtmp 201/tcp # AppleTalk routing
at-rtmp 201/udp
at-nbp 202/tcp # AppleTalk name binding
at-nbp 202/udp
at-echo 204/tcp # AppleTalk echo
at-echo 204/udp
at-zis 206/tcp # AppleTalk zone information
at-zis 206/udp
qmtp 209/tcp # Quick Mail Transfer Protocol
qmtp 209/udp # Quick Mail Transfer Protocol
z3950 210/tcp wais # NISO Z39.50 database
z3950 210/udp wais
ipx 213/tcp # IPX
ipx 213/udp
imap3 220/tcp # Interactive Mail Access
imap3 220/udp # Protocol v3
pawserv 345/tcp # Perf Analysis Workbench
pawserv 345/udp
zserv 346/tcp # Zebra server
zserv 346/udp
fatserv 347/tcp # Fatmen Server
fatserv 347/udp
rpc2portmap 369/tcp
rpc2portmap 369/udp # Coda portmapper
codaauth2 370/tcp
codaauth2 370/udp # Coda authentication server
clearcase 371/tcp Clearcase
clearcase 371/udp Clearcase
ulistserv 372/tcp # UNIX Listserv
ulistserv 372/udp
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp
imsp 406/tcp # Interactive Mail Support Protocol
imsp 406/udp
https 443/tcp # http protocol over TLS/SSL
https 443/udp
snpp 444/tcp # Simple Network Paging Protocol
snpp 444/udp
microsoft-ds 445/tcp # Microsoft Naked CIFS
microsoft-ds 445/udp
kpasswd 464/tcp
kpasswd 464/udp
saft 487/tcp # Simple Asynchronous File Transfer
saft 487/udp
isakmp 500/tcp # IPsec - Internet Security Association
isakmp 500/udp # and Key Management Protocol
rtsp 554/tcp # Real Time Stream Control Protocol
rtsp 554/udp # Real Time Stream Control Protocol
nqs 607/tcp # Network Queuing system
nqs 607/udp
npmp-local 610/tcp dqs313_qmaster # npmp-local / DQS
npmp-local 610/udp dqs313_qmaster
npmp-gui 611/tcp dqs313_execd # npmp-gui / DQS
npmp-gui 611/udp dqs313_execd
hmmp-ind 612/tcp dqs313_intercell # HMMP Indication / DQS
hmmp-ind 612/udp dqs313_intercell
ipp 631/tcp # Internet Printing Protocol
ipp 631/udp
#
# UNIX specific services
#
exec 512/tcp
biff 512/udp comsat
login 513/tcp
who 513/udp whod
shell 514/tcp cmd # no passwords used
syslog 514/udp
printer 515/tcp spooler # line printer spooler
talk 517/udp
ntalk 518/udp
route 520/udp router routed # RIP
timed 525/udp timeserver
tempo 526/tcp newdate
courier 530/tcp rpc
conference 531/tcp chat
netnews 532/tcp readnews
netwall 533/udp # for emergency broadcasts
gdomap 538/tcp # GNUstep distributed objects
gdomap 538/udp
uucp 540/tcp uucpd # uucp daemon
klogin 543/tcp # Kerberized `rlogin' (v5)
kshell 544/tcp krcmd # Kerberized `rsh' (v5)
afpovertcp 548/tcp # AFP over TCP
afpovertcp 548/udp
remotefs 556/tcp rfs_server rfs # Brunhoff remote filesystem
nntps 563/tcp snntp # NNTP over SSL
nntps 563/udp snntp
submission 587/tcp # Submission [RFC2476]
submission 587/udp
ldaps 636/tcp # LDAP over SSL
ldaps 636/udp
tinc 655/tcp # tinc control port
tinc 655/udp
silc 706/tcp
silc 706/udp
kerberos-adm 749/tcp # Kerberos `kadmin' (v5)
#
webster 765/tcp # Network dictionary
webster 765/udp
rsync 873/tcp
rsync 873/udp
ftps-data 989/tcp # FTP over SSL (data)
ftps 990/tcp
telnets 992/tcp # Telnet over SSL
telnets 992/udp
imaps 993/tcp # IMAP over SSL
imaps 993/udp
ircs 994/tcp # IRC over SSL
ircs 994/udp
pop3s 995/tcp # POP-3 over SSL
pop3s 995/udp
#
# From ``Assigned Numbers'':
#
#> The Registered Ports are not controlled by the IANA and on most systems
#> can be used by ordinary user processes or programs executed by ordinary
#> users.
#
#> Ports are used in the TCP [45,106] to name the ends of logical
#> connections which carry long term conversations. For the purpose of
#> providing services to unknown callers, a service contact port is
#> defined. This list specifies the port used by the server process as its
#> contact port. While the IANA can not control uses of these ports it
#> does register or list uses of these ports as a convienence to the
#> community.
#
socks 1080/tcp # socks proxy server
socks 1080/udp
proofd 1093/tcp
proofd 1093/udp
rootd 1094/tcp
rootd 1094/udp
openvpn 1194/tcp
openvpn 1194/udp
rmiregistry 1099/tcp # Java RMI Registry
rmiregistry 1099/udp
kazaa 1214/tcp
kazaa 1214/udp
nessus 1241/tcp # Nessus vulnerability
nessus 1241/udp # assessment scanner
lotusnote 1352/tcp lotusnotes # Lotus Note
lotusnote 1352/udp lotusnotes
ms-sql-s 1433/tcp # Microsoft SQL Server
ms-sql-s 1433/udp
ms-sql-m 1434/tcp # Microsoft SQL Monitor
ms-sql-m 1434/udp
ingreslock 1524/tcp
ingreslock 1524/udp
prospero-np 1525/tcp # Prospero non-privileged
prospero-np 1525/udp
datametrics 1645/tcp old-radius
datametrics 1645/udp old-radius
sa-msg-port 1646/tcp old-radacct
sa-msg-port 1646/udp old-radacct
kermit 1649/tcp
kermit 1649/udp
l2f 1701/tcp l2tp
l2f 1701/udp l2tp
radius 1812/tcp
radius 1812/udp
radius-acct 1813/tcp radacct # Radius Accounting
radius-acct 1813/udp radacct
msnp 1863/tcp # MSN Messenger
msnp 1863/udp
unix-status 1957/tcp # remstats unix-status server
log-server 1958/tcp # remstats log server
remoteping 1959/tcp # remstats remoteping server
nfs 2049/tcp # Network File System
nfs 2049/udp # Network File System
rtcm-sc104 2101/tcp # RTCM SC-104 IANA 1/29/99
rtcm-sc104 2101/udp
cvspserver 2401/tcp # CVS client/server operations
cvspserver 2401/udp
venus 2430/tcp # codacon port
venus 2430/udp # Venus callback/wbc interface
venus-se 2431/tcp # tcp side effects
venus-se 2431/udp # udp sftp side effect
codasrv 2432/tcp # not used
codasrv 2432/udp # server port
codasrv-se 2433/tcp # tcp side effects
codasrv-se 2433/udp # udp sftp side effect
mon 2583/tcp # MON
mon 2583/udp
dict 2628/tcp # Dictionary server
dict 2628/udp
gpsd 2947/tcp
gpsd 2947/udp
gds_db 3050/tcp # InterBase server
gds_db 3050/udp
icpv2 3130/tcp icp # Internet Cache Protocol
icpv2 3130/udp icp
mysql 3306/tcp
mysql 3306/udp
nut 3493/tcp # Network UPS Tools
nut 3493/udp
distcc 3632/tcp # distributed compiler
distcc 3632/udp
daap 3689/tcp # Digital Audio Access Protocol
daap 3689/udp
svn 3690/tcp subversion # Subversion protocol
svn 3690/udp subversion
iax 4569/tcp # Inter-Asterisk eXchange
iax 4569/udp
radmin-port 4899/tcp # RAdmin Port
radmin-port 4899/udp
rfe 5002/udp # Radio Free Ethernet
rfe 5002/tcp
mmcc 5050/tcp # multimedia conference control tool (Yahoo IM)
mmcc 5050/udp
sip 5060/tcp # Session Initiation Protocol
sip 5060/udp
sip-tls 5061/tcp
sip-tls 5061/udp
aol 5190/tcp # AIM
aol 5190/udp
xmpp-client 5222/tcp jabber-client # Jabber Client Connection
xmpp-client 5222/udp jabber-client
xmpp-server 5269/tcp jabber-server # Jabber Server Connection
xmpp-server 5269/udp jabber-server
cfengine 5308/tcp
cfengine 5308/udp
postgresql 5432/tcp postgres # PostgreSQL Database
postgresql 5432/udp postgres
x11 6000/tcp x11-0 # X Window System
x11 6000/udp x11-0
x11-1 6001/tcp
x11-1 6001/udp
x11-2 6002/tcp
x11-2 6002/udp
x11-3 6003/tcp
x11-3 6003/udp
x11-4 6004/tcp
x11-4 6004/udp
x11-5 6005/tcp
x11-5 6005/udp
x11-6 6006/tcp
x11-6 6006/udp
x11-7 6007/tcp
x11-7 6007/udp
gnutella-svc 6346/tcp # gnutella
gnutella-svc 6346/udp
gnutella-rtr 6347/tcp # gnutella
gnutella-rtr 6347/udp
afs3-fileserver 7000/tcp bbs # file server itself
afs3-fileserver 7000/udp bbs
afs3-callback 7001/tcp # callbacks to cache managers
afs3-callback 7001/udp
afs3-prserver 7002/tcp # users & groups database
afs3-prserver 7002/udp
afs3-vlserver 7003/tcp # volume location database
afs3-vlserver 7003/udp
afs3-kaserver 7004/tcp # AFS/Kerberos authentication
afs3-kaserver 7004/udp
afs3-volser 7005/tcp # volume managment server
afs3-volser 7005/udp
afs3-errors 7006/tcp # error interpretation service
afs3-errors 7006/udp
afs3-bos 7007/tcp # basic overseer process
afs3-bos 7007/udp
afs3-update 7008/tcp # server-to-server updater
afs3-update 7008/udp
afs3-rmtsys 7009/tcp # remote cache manager service
afs3-rmtsys 7009/udp
font-service 7100/tcp xfs # X Font Service
font-service 7100/udp xfs
bacula-dir 9101/tcp # Bacula Director
bacula-dir 9101/udp
bacula-fd 9102/tcp # Bacula File Daemon
bacula-fd 9102/udp
bacula-sd 9103/tcp # Bacula Storage Daemon
bacula-sd 9103/udp
amanda 10080/tcp # amanda backup services
amanda 10080/udp
hkp 11371/tcp # OpenPGP HTTP Keyserver
hkp 11371/udp # OpenPGP HTTP Keyserver
bprd 13720/tcp # VERITAS NetBackup
bprd 13720/udp
bpdbm 13721/tcp # VERITAS NetBackup
bpdbm 13721/udp
bpjava-msvc 13722/tcp # BP Java MSVC Protocol
bpjava-msvc 13722/udp
vnetd 13724/tcp # Veritas Network Utility
vnetd 13724/udp
bpcd 13782/tcp # VERITAS NetBackup
bpcd 13782/udp
vopied 13783/tcp # VERITAS NetBackup
vopied 13783/udp
wnn6 22273/tcp # wnn6
wnn6 22273/udp
#
# Datagram Delivery Protocol services
#
rtmp 1/ddp # Routing Table Maintenance Protocol
nbp 2/ddp # Name Binding Protocol
echo 4/ddp # AppleTalk Echo Protocol
zip 6/ddp # Zone Information Protocol
#=========================================================================
# The remaining port numbers are not as allocated by IANA.
#=========================================================================
# Kerberos (Project Athena/MIT) services
# Note that these are for Kerberos v4, and are unofficial. Sites running
# v4 should uncomment these and comment out the v5 entries above.
#
kerberos4 750/udp kerberos-iv kdc # Kerberos (server)
kerberos4 750/tcp kerberos-iv kdc
kerberos_master 751/udp # Kerberos authentication
kerberos_master 751/tcp
passwd_server 752/udp # Kerberos passwd server
krb_prop 754/tcp krb5_prop hprop # Kerberos slave propagation
krbupdate 760/tcp kreg # Kerberos registration
swat 901/tcp # swat
kpop 1109/tcp # Pop with Kerberos
knetd 2053/tcp # Kerberos de-multiplexor
zephyr-srv 2102/udp # Zephyr server
zephyr-clt 2103/udp # Zephyr serv-hm connection
zephyr-hm 2104/udp # Zephyr hostmanager
eklogin 2105/tcp # Kerberos encrypted rlogin
# Hmmm. Are we using Kv4 or Kv5 now? Worrying.
# The following is probably Kerberos v5 --- ajt@debian.org (11/02/2000)
kx 2111/tcp # X over Kerberos
iprop 2121/tcp # incremental propagation
#
# Unofficial but necessary (for NetBSD) services
#
supfilesrv 871/tcp # SUP server
supfiledbg 1127/tcp # SUP debugging
#
# Services added for the Debian GNU/Linux distribution
#
linuxconf 98/tcp # LinuxConf
poppassd 106/tcp # Eudora
poppassd 106/udp
ssmtp 465/tcp smtps # SMTP over SSL
moira_db 775/tcp # Moira database
moira_update 777/tcp # Moira update protocol
moira_ureg 779/udp # Moira user registration
spamd 783/tcp # spamassassin daemon
omirr 808/tcp omirrd # online mirror
omirr 808/udp omirrd
customs 1001/tcp # pmake customs server
customs 1001/udp
skkserv 1178/tcp # skk jisho server port
predict 1210/udp # predict -- satellite tracking
rmtcfg 1236/tcp # Gracilis Packeten remote config server
wipld 1300/tcp # Wipl network monitor
xtel 1313/tcp # french minitel
xtelw 1314/tcp # french minitel
support 1529/tcp # GNATS
sieve 2000/tcp # Sieve mail filter daemon
cfinger 2003/tcp # GNU Finger
ndtp 2010/tcp # Network dictionary transfer protocol
frox 2121/tcp # frox: caching ftp proxy
ninstall 2150/tcp # ninstall service
ninstall 2150/udp
zebrasrv 2600/tcp # zebra service
zebra 2601/tcp # zebra vty
ripd 2602/tcp # ripd vty (zebra)
ripngd 2603/tcp # ripngd vty (zebra)
ospfd 2604/tcp # ospfd vty (zebra)
bgpd 2605/tcp # bgpd vty (zebra)
ospf6d 2606/tcp # ospf6d vty (zebra)
ospfapi 2607/tcp # OSPF-API
isisd 2608/tcp # ISISd vty (zebra)
afbackup 2988/tcp # Afbackup system
afbackup 2988/udp
afmbackup 2989/tcp # Afmbackup system
afmbackup 2989/udp
xtell 4224/tcp # xtell server
fax 4557/tcp # FAX transmission service (old)
hylafax 4559/tcp # HylaFAX client-server protocol (new)
distmp3 4600/tcp # distmp3host daemon
munin 4949/tcp lrrd # Munin
enbd-cstatd 5051/tcp # ENBD client statd
enbd-sstatd 5052/tcp # ENBD server statd
pcrd 5151/tcp # PCR-1000 Daemon
noclog 5354/tcp # noclogd with TCP (nocol)
noclog 5354/udp # noclogd with UDP (nocol)
hostmon 5355/tcp # hostmon uses TCP (nocol)
hostmon 5355/udp # hostmon uses UDP (nocol)
rplay 5555/udp # RPlay audio service
rplay 5555/tcp
rptp 5556/udp # Remote Play Transfer Protocol
rptp 5556/tcp
nsca 5667/tcp # Nagios Agent - NSCA
mrtd 5674/tcp # MRT Routing Daemon
bgpsim 5675/tcp # MRT Routing Simulator
canna 5680/tcp # cannaserver
sane-port 6566/tcp sane saned # SANE network scanner daemon
ircd 6667/tcp # Internet Relay Chat
zope-ftp 8021/tcp # zope management by ftp
webcache 8080/tcp # WWW caching service
tproxy 8081/tcp # Transparent Proxy
omniorb 8088/tcp # OmniORB
omniorb 8088/udp
clc-build-daemon 8990/tcp # Common lisp build daemon
xinetd 9098/tcp
mandelspawn 9359/udp mandelbrot # network mandelbrot
zope 9673/tcp # zope server
kamanda 10081/tcp # amanda backup services (Kerberos)
kamanda 10081/udp
amandaidx 10082/tcp # amanda backup services
amidxtape 10083/tcp # amanda backup services
smsqp 11201/tcp # Alamin SMS gateway
smsqp 11201/udp
xpilot 15345/tcp # XPilot Contact Port
xpilot 15345/udp
sgi-cmsd 17001/udp # Cluster membership services daemon
sgi-crsd 17002/udp
sgi-gcd 17003/udp # SGI Group membership daemon
sgi-cad 17004/tcp # Cluster Admin daemon
isdnlog 20011/tcp # isdn logging system
isdnlog 20011/udp
vboxd 20012/tcp # voice box system
vboxd 20012/udp
binkp 24554/tcp # binkp fidonet protocol
asp 27374/tcp # Address Search Protocol
asp 27374/udp
csync2 30865/tcp # cluster synchronization tool
dircproxy 57000/tcp # Detachable IRC Proxy
tfido 60177/tcp # fidonet EMSI over telnet
fido 60179/tcp # fidonet EMSI over TCP
# Local services


@ -1,6 +1,6 @@
%define name shorewall-perl
%define version 4.0.0
%define release 0Beta5
%define release 0Beta6
%define prefix /usr
Summary: Shoreline Firewall Perl-based compiler.
@ -59,6 +59,8 @@ rm -rf $RPM_BUILD_ROOT
%attr(0644,root,root) /usr/share/shorewall-perl/prog.functions
%attr(0644,root,root) /usr/share/shorewall-perl/prog.footer
%attr(0644,root,root) /usr/share/shorewall-perl/version
%attr(0444,root,root) /usr/share/shorewall-perl/protocols
%attr(0444,root,root) /usr/share/shorewall-perl/services
%attr(0555,root,root) /usr/share/shorewall-perl/Shorewall/Accounting.pm
%attr(0555,root,root) /usr/share/shorewall-perl/Shorewall/Actions.pm
%attr(0555,root,root) /usr/share/shorewall-perl/Shorewall/Chains.pm