<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <articleinfo>
    <title>Ports Required for Various Services/Applications</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <othercredit>
      <surname>Cristian Rodriguez R.</surname>
    </othercredit>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2001-<?dbtimestamp format="Y"?></year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>

    <abstract>
      <para>In addition to those applications described in the
      /etc/shorewall/rules documentation, here are some other
      services/applications that you may need to configure your firewall to
      accommodate.</para>
    </abstract>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that release</emphasis></para>
  </caution>

  <section id="Notes">
    <title>Important Notes</title>

    <note>
      <para>Shorewall distribution contains a library of user-defined macros
      that allow for easily allowing or blocking a particular application.
      <command>ls <filename>/usr/share/shorewall/</filename>macro.*</command>
      for the list of macros in your distribution. If you find what you need,
      you simply use the macro in a rule. For example, to allow DNS queries
      from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
      role="bold">net</emphasis> zone:</para>

      <programlisting>#ACTION         SOURCE        DEST
DNS(ACCEPT)     dmz           net</programlisting>
    </note>

    <note>
      <para>In the rules that are shown in this document, the ACTION is shown
      as ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ
      30</ulink>) or you may want DROP or REJECT if you are trying to block
      the application.</para>

      <para>Example: You want to port forward FTP from the net to your server
      at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>

      <programlisting>#ACTION        SOURCE    DEST             PROTO      DPORT
FTP(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>

      <para>You would code your rule as follows:</para>

      <programlisting>#ACTION        SOURCE    DESTINATION      PROTO      DPORT
FTP(DNAT)       net       dmz:192.168.1.4  </programlisting>
    </note>
  </section>

  <section id="Auth">
    <title>Auth (identd)</title>

    <caution>
      <para><emphasis role="bold"><emphasis>It is now the 21st
      Century</emphasis> ; don't use identd in production
      anymore.</emphasis></para>
    </caution>

    <programlisting>#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Auth(ACCEPT)    <emphasis> &lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="BT">
    <title>BitTorrent</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <caution>
      <para><emphasis role="bold"><emphasis>This rule assumes that your
      BitTorrent client listens on the default
      port(s)</emphasis></emphasis></para>
    </caution>

    <programlisting>#ACTION           SOURCE    DESTINATION      PROTO      DPORT
BitTorrent(ACCEPT)<emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="DNS">
    <title>DNS</title>

    <programlisting>#ACTION          SOURCE    DESTINATION      PROTO      DPORT
DNS(ACCEPT)    <emphasis>  &lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>    </programlisting>

    <para>Note that if you are setting up a DNS server that supports recursive
    resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for
    resolution requests (from clients) and is also the
    &lt;<emphasis>source</emphasis>&gt; of recursive resolution requests
    (usually to other servers in the 'net' zone). So for example, if you have
    a public DNS server in your DMZ that supports recursive resolution for
    local clients then you would need:</para>

    <programlisting>#ACTION     SOURCE    DESTINATION      PROTO      DPORT
DNS(ACCEPT) all       dmz              
DNS(ACCEPT) dmz       net              </programlisting>

    <note>
      <para>Recursive Resolution means that if the server itself can't resolve
      the name presented to it, the server will attempt to resolve the name
      with the help of other servers.</para>
    </note>
  </section>

  <section id="Emule">
    <title>Emule</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <para>In contrast to how the rest of this article is organized, for emule
    I will give you the rules necessary to run emule on a single machine in
    your loc network (since that's what 99.99% of you want to do). Assume
    that:</para>

    <orderedlist>
      <listitem>
        <para>The internal machine running emule has IP address
        192.168.1.4.</para>
      </listitem>

      <listitem>
        <para>You use Masquerading or SNAT for the local network.</para>
      </listitem>

      <listitem>
        <para>The zones are named as they are in the <ulink
        url="shorewall_quickstart_guide.htm">two- and three-interface
        QuickStart guides)</ulink>.</para>
      </listitem>

      <listitem>
        <para>Your loc-&gt;net policy is ACCEPT</para>
      </listitem>
    </orderedlist>

    <para><filename>/etc/shorewall/rules:</filename></para>

    <programlisting>#ACTION       SOURCE   DESTINATION          PROTO         DPORT
Edonkey(DNAT)  net      loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too.
DNAT        net      loc:192.168.1.4      tcp           4711</programlisting>
  </section>

  <section id="FTP">
    <title>FTP</title>

    <programlisting>#ACTION        SOURCE    DESTINATION      PROTO      DPORT
FTP(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>

    <para>Look <ulink url="FTP.html">here</ulink> for much more
    information.</para>
  </section>

  <section id="Gnutella">
    <title>Gnutella</title>

    <para><orderedlist>
        <listitem>
          <para>The internal machine running a Gnutella Client has IP address
          192.168.1.4.</para>
        </listitem>

        <listitem>
          <para>You use Masquerading or SNAT for the local network.</para>
        </listitem>

        <listitem>
          <para>The zones are named as they are in the <ulink
          url="shorewall_quickstart_guide.htm">two- and three-interface
          QuickStart guides)</ulink>.</para>
        </listitem>

        <listitem>
          <para>Your loc-&gt;net policy is ACCEPT</para>
        </listitem>
      </orderedlist><programlisting>#ACTION              SOURCE   DESTINATION      PROTO      DPORT
Gnutella(DNAT)       net      loc:192.168.1.4</programlisting></para>
  </section>

  <section id="ICQ">
    <title>ICQ/AIM</title>

    <programlisting>#ACTION     SOURCE    DESTINATION      PROTO      DPORT
ICQ(ACCEPT) <emphasis>&lt;source&gt;</emphasis>  net</programlisting>
  </section>

  <section id="IMAP">
    <title>IMAP</title>

    <caution>
      <para>When accessing your mail from the Internet, use <emphasis
      role="bold">only</emphasis> <emphasis role="bold">IMAP over
      SSL.</emphasis></para>
    </caution>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION         SOURCE    DESTINATION      PROTO      DPORT
IMAP(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis> # Unsecure IMAP 
IMAPS(ACCEPT)   &lt;source&gt;  &lt;destination&gt; # IMAP over SSL.</programlisting>
  </section>

  <section id="IPSEC">
    <title>IPsec</title>

    <programlisting>#ACTION    SOURCE         DESTINATION      PROTO      DPORT
ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis>    50     
ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis>    51
ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis>    udp        500
ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis>         50     
ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis>         51
ACCEPT     <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis>         udp        500</programlisting>

    <para>Lots more information <ulink url="IPSEC-2.6.html">here</ulink> and
    <ulink url="VPN.htm">here</ulink>.</para>
  </section>

  <section id="LDAP">
    <title>LDAP</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION          SOURCE           DESTINATION      PROTO      DPORT
LDAP(ACCEPT)     <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis> <emphasis>     #Insecure LDAP</emphasis>
LDAPS(ACCEPT)    <emphasis><emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis></emphasis><emphasis/>   # LDAP over SSL</programlisting>
  </section>

  <section id="MySQL">
    <title><trademark>My\SQL</trademark></title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <caution>
      <para>Allowing access from untrusted hosts to your
      <trademark>MySQL</trademark> server represents a <emphasis
      role="bold">severe security risk</emphasis>.</para>

      <para><emphasis role="bold">DO NOT USE THIS </emphasis>if you don't know
      how to deal with the consequences, you have been warned.</para>
    </caution>

    <programlisting>#ACTION          SOURCE           DESTINATION      PROTO      DPORT
MySQL(ACCEPT)     <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis> <emphasis>    </emphasis></programlisting>
  </section>

  <section id="NFS">
    <title>NFS</title>

    <programlisting>#ACTION    SOURCE                         DESTINATION      PROTO      DPORT
ACCEPT     <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt;  <emphasis>    &lt;z2&gt;</emphasis>:a.b.c.d     tcp        111
ACCEPT     <emphasis>&lt;z1&gt;</emphasis>:&lt;list of client IPs&gt;  <emphasis>    &lt;z2&gt;</emphasis>:a.b.c.d     udp</programlisting>

    <para>For more NFS information, see <ulink
    url="http://lists.shorewall.net/~kb/">http://lists.shorewall.net/~kb/</ulink>.</para>
  </section>

  <section id="NTP">
    <title>NTP (Network Time Protocol)</title>

    <programlisting>#ACTION        SOURCE    DESTINATION      PROTO      DPORT
NTP(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="PCA">
    <title><trademark>PCAnywhere</trademark></title>

    <programlisting>#ACTION        SOURCE    DESTINATION      PROTO      DPORT
PCA(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="POP3">
    <title>POP3</title>

    <caution>
      <para>If Possible , <emphasis role="bold">Avoid this protocol</emphasis>
      , use <emphasis role="bold">IMAP</emphasis> instead.</para>
    </caution>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later</para>
    </caution>

    <programlisting>#ACTION         SOURCE    DESTINATION      PROTO      DPORT
POP3(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>   # Secure
POP3S(ACCEPT)   &lt;source&gt;  &lt;destination&gt;  #Unsecure Pop3</programlisting>
  </section>

  <section id="PPTP">
    <title>PPTP</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>    47    
ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>    tcp        1723</programlisting>

    <para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink
    url="VPN.htm">here</ulink>.</para>
  </section>

  <section id="Rdate">
    <title>rdate</title>

    <programlisting>#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Rdate(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="rsync">
    <title>rsync</title>

    <programlisting>#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Rsync(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="Siproxd">
    <title>Siproxd</title>

    <caution>
      <para>This assumes siproxd is running <emphasis role="bold">on the
      firewall and is using the default ports</emphasis>.</para>
    </caution>

    <programlisting>#ACTION          SOURCE    DESTINATION      PROTO      DPORT
REDIRECT          loc           5060         udp        5060
ACCEPT            net           fw           udp        5060
ACCEPT     <emphasis>       net           fw           udp        7070:7089</emphasis><emphasis/></programlisting>
  </section>

  <section id="SSH">
    <title>SSH/SFTP</title>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DPORT
SSH(ACCEPT)<emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis> </programlisting>
  </section>

  <section id="SMB">
    <title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File
    Sharing)</title>

    <programlisting>#ACTION        SOURCE         DESTINATION      PROTO      DPORT
SMB(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>     &lt;destination&gt;</emphasis>
SMB(ACCEPT)    <emphasis>&lt;destination&gt;</emphasis>  <emphasis>&lt;source&gt;</emphasis></programlisting>

    <para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
  </section>

  <section id="SMTP">
    <title>SMTP</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION         SOURCE    DESTINATION      PROTO      DPORT
SMTP(ACCEPT)<emphasis>     &lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>                      #Insecure SMTP
SMTPS(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>                      #SMTP over SSL (TLS)</programlisting>
  </section>

  <section id="SNMP">
    <title>SNMP</title>

    <programlisting>#ACTION         SOURCE    DESTINATION      PROTO      DPORT
SNMP(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="SVN">
    <title>SVN</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <caution>
      <para>This rule is for Subversion running in <emphasis
      role="bold">svnserve mode only.</emphasis></para>
    </caution>

    <programlisting>#ACTION         SOURCE    DESTINATION      PROTO      DPORT
SVN(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="Telnet">
    <title>Telnet</title>

    <caution>
      <para><emphasis role="bold"><emphasis>The telnet protocol is very
      insecure</emphasis>, don't use it.</emphasis></para>
    </caution>

    <programlisting>#ACTION           SOURCE    DESTINATION      PROTO      DPORT
Telnet(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="TFTP">
    <title>TFTP</title>

    <para>You must have TFTP connection tracking support in your kernel. If
    modularized, the modules are <emphasis
    role="bold">ip_conntrack_tftp</emphasis> (and <emphasis
    role="bold">ip_nat_tftp</emphasis> if any form of NAT is involved) These
    modules may be loaded using entries in
    <filename>/etc/shorewall/modules</filename>. The <emphasis
    role="bold">ip_conntrack_tftp</emphasis> module must be loaded first. Note
    that the <filename>/etc/shorewall/modules</filename> file released with
    recent Shorewall versions contains entries for these modules.</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>    udp        69</programlisting>
  </section>

  <section id="Traceroute">
    <title>Traceroute</title>

    <programlisting>#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Trcrt(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>  #Good for 10 hops</programlisting>

    <para>UDP traceroute uses ports 33434 through 33434+&lt;max number of
    hops&gt;-1. Note that for the firewall to respond with a TTL expired ICMP
    reply, you will need to allow ICMP 11 outbound from the firewall. The
    standard Shorewall sample configurations all set this up for you
    automatically since those sample configurations enable all ICMP packet
    types originating on the firewall itself.</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     fw        net              icmp
ACCEPT     fw        loc              icmp
ACCEPT     fw        ...</programlisting>
  </section>

  <section id="NNTP">
    <title>Usenet (NNTP)</title>

    <programlisting>#ACTION         SOURCE    DESTINATION      PROTO      DPORT
NNTP(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>
NNTPS(ACCEPT)   &lt;source&gt;  &lt;destination&gt;  # secure NNTP</programlisting>

    <para>TCP Port 119</para>
  </section>

  <section id="VNC">
    <title>VNC</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <para>Vncviewer to Vncserver -- TCP port 5900 + &lt;display
    number&gt;.</para>

    <para>the following rule handles VNC traffic for VNC displays 0 -
    9.</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DPORT
VNC(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>      
</programlisting>

    <para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>

    <programlisting>#ACTION         SOURCE    DESTINATION      PROTO      DPORT
VNCL(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis></programlisting>
  </section>

  <section id="Vonage">
    <title><trademark>Vonage</trademark></title>

    <para>The standard Shorewall loc-&gt;net ACCEPT policy is all that is
    required for <trademark>Vonage</trademark> IP phone service to work,
    provided that you have loaded the tftp helper modules (add the following
    entries to /etc/shorewall/modules if they are not there already):</para>
  </section>

  <section id="Web">
    <title>Web Access</title>

    <caution>
      <para>This information is valid for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION        SOURCE    DESTINATION      PROTO      DPORT
HTTP(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis> #Insecure HTTP 
HTTPS(ACCEPT)   &lt;source&gt;  &lt;destination&gt; #Secure   HTTP</programlisting>
  </section>

  <section id="Webmin">
    <title>Webmin</title>

    <para><programlisting>#ACTION        SOURCE    DESTINATION      PROTO      DPORT
Webmin(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>  </programlisting>Webmin
    use TCP port 10000.</para>
  </section>

  <section id="Whois">
    <title>Whois</title>

    <para><programlisting>#ACTION        SOURCE    DESTINATION      PROTO      DPORT
Whois(ACCEPT)    <emphasis>&lt;source&gt;</emphasis>  <emphasis>&lt;destination&gt;</emphasis>  </programlisting></para>
  </section>

  <section id="X">
    <title>X/XDMCP</title>

    <para>Assume that the Chooser and/or X Server are running at
    &lt;<emphasis>chooser</emphasis>&gt; and the Display Manager/X
    applications are running at &lt;<emphasis>apps</emphasis>&gt;.</para>

    <programlisting>#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     &lt;<emphasis>chooser</emphasis>&gt; &lt;<emphasis>apps</emphasis>&gt;           udp        177         #XDMCP
ACCEPT     &lt;<emphasis>apps</emphasis>&gt;    &lt;<emphasis>chooser</emphasis>&gt;        tcp        6000:6009   #X Displays 0-9</programlisting>
  </section>

  <section id="Other">
    <title>Other Source of Port Information</title>

    <para>Didn't find what you are looking for -- have you looked in your own
    /etc/services file?</para>

    <para>Still looking? Try <ulink
    url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink></para>
  </section>
</article>