Tom Eastep 2004-05-09 2001-2002 2004 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate.

Beginning with Shorewall 2.0.0, the Shorewall distribution contains a library of user-defined actions that allow for easily allowing or blocking a particular application. Check your /etc/shorewall/actions.std file for a list of the actions in your distribution. If you find what you need, you simply use the action in a rule. For example, to allow DNS queries from the dmz zone to the net zone: #ACTION SOURCE DESTINATION AllowDNS dmz net In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application. Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 21 You would code your rule as follows: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) DNAT net dmz:192.168.1.4 tcp 21

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 113

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 53 ACCEPT <source> <destination> tcp 53

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 21 Look here for much more information.

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> net tcp 5190

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 143 #Unsecure IMAP ACCEPT <source> <destination> tcp 993 #Secure IMAP

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> 50 ACCEPT <source> <destination> 51 ACCEPT <source> <destination> udp 500 ACCEPT <destination> <source> 50 ACCEPT <destination> <source> 51 ACCEPT <destination> <source> udp 500 Lots more information here and here.

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111 ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 123

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 5632 ACCEPT <source> <destination> tcp 5631

TCP Port 110 (Secure Pop3 is TCP Port 995) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 110 #Unsecure Pop3 ACCEPT <source> <destination> tcp 995 #Secure Pop3

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> 47 ACCEPT <source> <destination> tcp 1723 Lots more information here and here.

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 37

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 22

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 137,139,445 ACCEPT <source> <destination> udp 137:139 ACCEPT <destination> <source> tcp 137,139,445 ACCEPT <destination> <source> udp 137:139 Also, see this page.

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 25 #Insecure SMTP ACCEPT <source> <destination> tcp 465 #SMTP over SSL (TLS)

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 161:162 ACCEPT <source> <destination> tcp 161

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 23

You must have TFTP connection tracking support in your kernel. If modularized, the modules are ip_conntrack_tftp (and ip_nat_tftp if any form of NAT is involved) These modules may be loaded using entries in /etc/shorewall/modules. The ip_conntrack_tftp module must be loaded first. Note that the /etc/shorewall/modules file released with recent Shorewall versions contains entries for these modules. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 69

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 33434:33443 #Good for 10 hops ACCEPT <source> <destination> icmp 8 UDP traceroute uses ports 33434 through 33434+<max number of hops>-1

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 119 TCP Port 119

Vncviewer to Vncserver -- TCP port 5900 + <display number>. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 5901 #Display Number 1 ACCEPT <source> <destination> tcp 5902 #Display Number 2 ... Vncserver to Vncviewer in listen mode -- TCP port 5500. #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 5500

#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 80 #Insecure HTTP ACCEPT <source> <destination> tcp 443 #Secure HTTP

Didn't find what you are looking for -- have you looked in your own /etc/services file? Still looking? Try http://www.networkice.com/advice/Exploits/Ports

1.102004-05-09TEAdded TFTP.1.92004-04-24TERevised ICQ/AIM.1.82004-04-23TEAdded SNMP.1.72004-02-18TEMake NFS work for everyone.1.62004-02-14TEAdd PCAnywhere.1.52004-02-05TEAdded information about VNC viewers in listen mode.1.42004-01-26TECorrect ICQ.1.32004-01-04TEAlphabetize1.22004-01-03TEAdd rules file entries.1.12002-07-30TEInitial version converted to Docbook XML