<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <articleinfo>
    <title>Ports Required for Various Services/Applications</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <othercredit>
      <surname>Cristian Rodriguez R.</surname>
    </othercredit>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2001-<?dbtimestamp format="Y"?></year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
    </legalnotice>

    <abstract>
      <para>In addition to the applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate.</para>
    </abstract>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0, please see the documentation for that release.</emphasis></para>
  </caution>

  <section id="Notes">
    <title>Important Notes</title>

    <note>
      <para>The Shorewall distribution contains a library of user-defined macros that make it easy to allow or block a particular application. Run <command>ls <filename>/usr/share/shorewall/</filename>macro.*</command> for the list of macros in your distribution. If you find what you need, you simply use the macro in a rule.
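</para>

      <para>As an added illustration (not part of this article and not Shorewall's own code), the following Python script shows what a macro invocation amounts to: the macro's PARAM lines are rewritten with the action given in parentheses, and the SOURCE and DEST columns of the invoking rule are copied into each resulting line. The macro table inside it is constructed and deliberately short; the real definitions live in the macro.* files named above. It also handles the DNAT case from the note that follows, where the destination carries a zone:address pair.</para>

```python
"""Expand Shorewall macro rules into explicit rules.

Added example, not Shorewall's own code.  It models how a rule such as
"DNS(ACCEPT) dmz net" is rewritten from the matching
/usr/share/shorewall/macro.DNS file: each PARAM line of the macro
becomes one rule whose ACTION is the one given in parentheses.  The
macro bodies below are a constructed, trimmed-down table; consult the
macro.* files in your own distribution for the real definitions.
"""
import re

# Constructed macro table in the spirit of the macro.* files: one
# (PROTO, DPORT) pair per PARAM line of the macro.
MACROS = {
    "DNS":   [("udp", "53"), ("tcp", "53")],
    "FTP":   [("tcp", "21")],
    "SSH":   [("tcp", "22")],
    "HTTP":  [("tcp", "80")],
    "IMAP":  [("tcp", "143")],
    "IMAPS": [("tcp", "993")],
}

# ACTION column of a macro invocation, e.g. "FTP(DNAT)".
RULE_RE = re.compile(r"^(?P<macro>[A-Za-z0-9]+)\((?P<action>[A-Z]+)\)$")


def expand_rule(line):
    """Return the explicit rules (as column tuples) for one rules-file line.

    Macro invocations are expanded through MACROS; a plain action line is
    returned as-is; comment and blank lines yield an empty list."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return []
    fields = body.split()
    m = RULE_RE.match(fields[0])
    if m is None:
        return [tuple(fields)]
    name, real_action = m.group("macro"), m.group("action")
    if name not in MACROS:
        raise ValueError("unknown macro %s" % name)
    if len(fields) != 3:
        # This simplified expander does not model column overrides, so a
        # macro invocation may carry only SOURCE and DEST.
        raise ValueError("macro rule %s takes exactly SOURCE and DEST" % name)
    source, dest = fields[1], fields[2]
    return [(real_action, source, dest, proto, port)
            for proto, port in MACROS[name]]


def expand_rules(text):
    """Expand every line of a rules-file fragment."""
    out = []
    for line in text.splitlines():
        out.extend(expand_rule(line))
    return out


def format_rules(rules):
    """Render expanded rules in the #ACTION SOURCE DEST PROTO DPORT layout."""
    header = ("#ACTION", "SOURCE", "DEST", "PROTO", "DPORT")
    rows = [header] + [tuple(r) + ("-",) * (5 - len(r)) for r in rules]
    widths = [max(len(row[i]) for row in rows) for i in range(5)]
    return "\n".join(
        "  ".join(col.ljust(widths[i]) for i, col in enumerate(row)).rstrip()
        for row in rows)


# Constructed rules fragment: the two examples given in these notes.
SAMPLE = """\
#ACTION      SOURCE  DEST
DNS(ACCEPT)  dmz     net
FTP(DNAT)    net     dmz:192.168.1.4
"""

if __name__ == "__main__":
    print(format_rules(expand_rules(SAMPLE)))
```

<para>Running the script prints the expanded rules for the two examples in these notes. Pointing it at a whole rules file shows exactly which protocol/port pairs each macro admits before the rule is deployed, which is the check worth making whenever a macro name is used in a rule for the first time.</para>

      <para>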
For example, to allow DNS queries from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis role="bold">net</emphasis> zone:</para>

      <programlisting>#ACTION      SOURCE   DEST
DNS(ACCEPT)  dmz      net</programlisting>
    </note>

    <note>
      <para>In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see <ulink url="FAQ.htm#faq30">FAQ 30</ulink>), or you may want DROP or REJECT if you are trying to block the application.</para>

      <para>Example: you want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>

      <programlisting>#ACTION      SOURCE     DEST            PROTO   DPORT
FTP(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>

      <para>You would code your rule as follows:</para>

      <programlisting>#ACTION      SOURCE     DESTINATION        PROTO   DPORT
FTP(DNAT)    net        dmz:192.168.1.4</programlisting>
    </note>
  </section>

  <section id="Auth">
    <title>Auth (identd)</title>

    <caution>
      <para><emphasis role="bold"><emphasis>It is now the 21st century</emphasis>; don't use identd in production anymore.</emphasis></para>
    </caution>

    <programlisting>#ACTION       SOURCE     DESTINATION     PROTO   DPORT
Auth(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="BT">
    <title>BitTorrent</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <caution>
      <para><emphasis role="bold"><emphasis>This rule assumes that your BitTorrent client listens on the default port(s).</emphasis></emphasis></para>
    </caution>

    <programlisting>#ACTION             SOURCE     DESTINATION     PROTO   DPORT
BitTorrent(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="DNS">
    <title>DNS</title>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
DNS(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>

    <para>Note that if you are setting up a DNS server that supports recursive resolution, the server is the <<emphasis>destination</emphasis>> for resolution requests (from clients) and is also the <<emphasis>source</emphasis>> of recursive resolution requests (usually to other servers in the 'net' zone). So, for example, if you have a public DNS server in your DMZ that supports recursive resolution for local clients, you would need:</para>

    <programlisting>#ACTION      SOURCE   DESTINATION   PROTO   DPORT
DNS(ACCEPT)  all      dmz
DNS(ACCEPT)  dmz      net</programlisting>

    <note>
      <para>Recursive resolution means that if the server itself can't resolve the name presented to it, the server will attempt to resolve the name with the help of other servers.</para>
    </note>
  </section>

  <section id="Emule">
    <title>Emule</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <para>In contrast to how the rest of this article is organized, for emule I will give you the rules necessary to run emule on a single machine in your loc network (since that's what 99.99% of you want to do). Assume that:</para>

    <orderedlist>
      <listitem>
        <para>The internal machine running emule has IP address 192.168.1.4.</para>
      </listitem>

      <listitem>
        <para>You use Masquerading or SNAT for the local network.</para>
      </listitem>

      <listitem>
        <para>The zones are named as they are in the <ulink url="shorewall_quickstart_guide.htm">two- and three-interface QuickStart guides</ulink>.</para>
      </listitem>

      <listitem>
        <para>Your loc->net policy is ACCEPT.</para>
      </listitem>
    </orderedlist>

    <para><filename>/etc/shorewall/rules:</filename></para>

    <programlisting>#ACTION        SOURCE   DESTINATION        PROTO   DPORT
Edonkey(DNAT)  net      loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too.
DNAT           net      loc:192.168.1.4    tcp     4711</programlisting>
  </section>

  <section id="FTP">
    <title>FTP</title>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
FTP(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>

    <para>Look <ulink url="FTP.html">here</ulink> for much more information.</para>
  </section>

  <section id="Gnutella">
    <title>Gnutella</title>

    <para>As for emule above, assume that:</para>

    <orderedlist>
      <listitem>
        <para>The internal machine running a Gnutella client has IP address 192.168.1.4.</para>
      </listitem>

      <listitem>
        <para>You use Masquerading or SNAT for the local network.</para>
      </listitem>

      <listitem>
        <para>The zones are named as they are in the <ulink url="shorewall_quickstart_guide.htm">two- and three-interface QuickStart guides</ulink>.</para>
      </listitem>

      <listitem>
        <para>Your loc->net policy is ACCEPT.</para>
      </listitem>
    </orderedlist>

    <programlisting>#ACTION         SOURCE   DESTINATION        PROTO   DPORT
Gnutella(DNAT)  net      loc:192.168.1.4</programlisting>
  </section>

  <section id="ICQ">
    <title>ICQ/AIM</title>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
ICQ(ACCEPT)  <emphasis><source></emphasis>   net</programlisting>
  </section>

  <section id="IMAP">
    <title>IMAP</title>

    <caution>
      <para>When accessing your mail from the Internet, use <emphasis role="bold">only</emphasis> <emphasis role="bold">IMAP over SSL.</emphasis></para>
    </caution>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
IMAP(ACCEPT)   <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # Insecure IMAP
IMAPS(ACCEPT)  <source>   <destination>                   # IMAP over SSL</programlisting>
  </section>

  <section id="IPSEC">
    <title>IPsec</title>

    <programlisting>#ACTION   SOURCE          DESTINATION     PROTO   DPORT
ACCEPT    <emphasis><source></emphasis>        <emphasis><destination></emphasis>   50
ACCEPT    <emphasis><source></emphasis>        <emphasis><destination></emphasis>   51
ACCEPT    <emphasis><source></emphasis>        <emphasis><destination></emphasis>   udp     500
ACCEPT    <emphasis><destination></emphasis>   <emphasis><source></emphasis>        50
ACCEPT    <emphasis><destination></emphasis>   <emphasis><source></emphasis>        51
ACCEPT    <emphasis><destination></emphasis>   <emphasis><source></emphasis>        udp     500</programlisting>

    <para>Lots more information <ulink url="IPSEC-2.6.html">here</ulink> and <ulink url="VPN.htm">here</ulink>.</para>
  </section>

  <section id="LDAP">
    <title>LDAP</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
LDAP(ACCEPT)   <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # Insecure LDAP
LDAPS(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # LDAP over SSL</programlisting>
  </section>

  <section id="MySQL">
    <title><trademark>MySQL</trademark></title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <caution>
      <para>Allowing access from untrusted hosts to your <trademark>MySQL</trademark> server represents a <emphasis role="bold">severe security risk</emphasis>.</para>

      <para><emphasis role="bold">DO NOT USE THIS</emphasis> if you don't know how to deal with the consequences; you have been warned.</para>
    </caution>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
MySQL(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="NFS">
    <title>NFS</title>

    <programlisting>#ACTION   SOURCE                      DESTINATION     PROTO   DPORT
ACCEPT    <emphasis><z1></emphasis>:<list of client IPs>   <emphasis><z2></emphasis>:a.b.c.d    tcp     111
ACCEPT    <emphasis><z1></emphasis>:<list of client IPs>   <emphasis><z2></emphasis>:a.b.c.d    udp</programlisting>

    <para>For more NFS information, see <ulink url="http://lists.shorewall.net/~kb/">http://lists.shorewall.net/~kb/</ulink>.</para>
  </section>

  <section id="NTP">
    <title>NTP (Network Time Protocol)</title>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
NTP(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="PCA">
    <title><trademark>PCAnywhere</trademark></title>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
PCA(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="POP3">
    <title>POP3</title>

    <caution>
      <para>If possible, <emphasis role="bold">avoid this protocol</emphasis>; use <emphasis role="bold">IMAP</emphasis> instead.</para>
    </caution>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
POP3(ACCEPT)   <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # Insecure POP3
POP3S(ACCEPT)  <source>   <destination>                   # POP3 over SSL</programlisting>
  </section>

  <section id="PPTP">
    <title>PPTP</title>

    <programlisting>#ACTION   SOURCE     DESTINATION     PROTO   DPORT
ACCEPT    <emphasis><source></emphasis>   <emphasis><destination></emphasis>   47
ACCEPT    <emphasis><source></emphasis>   <emphasis><destination></emphasis>   tcp     1723</programlisting>

    <para>Lots more information <ulink url="PPTP.htm">here</ulink> and <ulink url="VPN.htm">here</ulink>.</para>
  </section>

  <section id="Rdate">
    <title>rdate</title>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
Rdate(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="rsync">
    <title>rsync</title>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
Rsync(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="Siproxd">
    <title>Siproxd</title>

    <caution>
      <para>This assumes siproxd is running <emphasis role="bold">on the firewall and is using the default ports</emphasis>.</para>
    </caution>

    <programlisting>#ACTION    SOURCE   DESTINATION   PROTO   DPORT
REDIRECT   loc      5060          udp     5060
ACCEPT     net      fw            udp     5060
ACCEPT     <emphasis>net      fw            udp     7070:7089</emphasis></programlisting>
  </section>

  <section id="SSH">
    <title>SSH/SFTP</title>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
SSH(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="SMB">
    <title>SMB/NMB (Samba/<trademark>Windows</trademark> Browsing/File Sharing)</title>

    <programlisting>#ACTION      SOURCE          DESTINATION     PROTO   DPORT
SMB(ACCEPT)  <emphasis><source></emphasis>        <emphasis><destination></emphasis>
SMB(ACCEPT)  <emphasis><destination></emphasis>   <emphasis><source></emphasis></programlisting>

    <para>Also, see <ulink url="samba.htm">this page</ulink>.</para>
  </section>

  <section id="SMTP">
    <title>SMTP</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
SMTP(ACCEPT)   <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # Insecure SMTP
SMTPS(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # SMTP over SSL (TLS)</programlisting>
  </section>

  <section id="SNMP">
    <title>SNMP</title>

    <programlisting>#ACTION       SOURCE     DESTINATION     PROTO   DPORT
SNMP(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="SVN">
    <title>SVN</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <caution>
      <para>This rule is for Subversion running in <emphasis role="bold">svnserve mode only.</emphasis></para>
    </caution>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
SVN(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="Telnet">
    <title>Telnet</title>

    <caution>
      <para><emphasis role="bold"><emphasis>The telnet protocol is very insecure</emphasis>; don't use it.</emphasis></para>
    </caution>

    <programlisting>#ACTION         SOURCE     DESTINATION     PROTO   DPORT
Telnet(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="TFTP">
    <title>TFTP</title>

    <para>You must have TFTP connection tracking support in your kernel. If modularized, the modules are <emphasis role="bold">ip_conntrack_tftp</emphasis> (and <emphasis role="bold">ip_nat_tftp</emphasis> if any form of NAT is involved). These modules may be loaded using entries in <filename>/etc/shorewall/modules</filename>. The <emphasis role="bold">ip_conntrack_tftp</emphasis> module must be loaded first. Note that the <filename>/etc/shorewall/modules</filename> file released with recent Shorewall versions contains entries for these modules.</para>

    <programlisting>#ACTION   SOURCE     DESTINATION     PROTO   DPORT
ACCEPT    <emphasis><source></emphasis>   <emphasis><destination></emphasis>   udp     69</programlisting>
  </section>

  <section id="Traceroute">
    <title>Traceroute</title>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
Trcrt(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # Good for 10 hops</programlisting>

    <para>UDP traceroute uses ports 33434 through 33434+<max number of hops>-1. Note that for the firewall to respond with a TTL-expired ICMP reply, you will need to allow ICMP 11 outbound from the firewall.
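</para>

    <para>As an added example (not from this article and not Shorewall's own code), the following Python script applies the formula just given to produce the explicit rules that the Trcrt macro stands in for: the UDP port range for a chosen hop count, plus the ICMP type 11 rule from the firewall back toward the probing zone. The zone names are assumptions supplied by the caller, and the log line at the bottom is constructed to show how the same range can be recognised when a dropped probe turns up in the firewall log.</para>

```python
"""Explicit Shorewall rules for UDP traceroute, and a log-line check.

Added example, not Shorewall's own code.  UDP traceroute probes use
destination ports 33434 .. 33434 + max_hops - 1, and the firewall must
be allowed to send ICMP type 11 (time exceeded) back toward the probing
zone or it never shows up as a hop.  Zone names are assumptions supplied
by the caller.
"""
import re

TRACEROUTE_BASE_PORT = 33434


def traceroute_port_range(max_hops):
    """Return (first, last) UDP destination port used for max_hops probes."""
    if max_hops < 1:
        raise ValueError("max_hops must be at least 1")
    return TRACEROUTE_BASE_PORT, TRACEROUTE_BASE_PORT + max_hops - 1


def traceroute_rules(source, dest, max_hops=10):
    """Rules, as (ACTION, SOURCE, DEST, PROTO, DPORT) tuples, that let
    traceroute from zone `source` reach zone `dest` and let the firewall
    answer with ICMP time-exceeded.  Ten hops matches what the Trcrt
    macro above is described as covering."""
    first, last = traceroute_port_range(max_hops)
    return [
        ("ACCEPT", source, dest, "udp", "%d:%d" % (first, last)),
        # ICMP type 11 (time exceeded) from the firewall to the probing
        # zone; for PROTO icmp the DPORT column carries the ICMP type.
        ("ACCEPT", "fw", source, "icmp", "11"),
    ]


def render(rules):
    """Render rules in the #ACTION SOURCE DEST PROTO DPORT layout."""
    lines = ["#ACTION   SOURCE   DEST   PROTO   DPORT"]
    for rule in rules:
        lines.append("   ".join(rule))
    return "\n".join(lines)


# Destination port of a UDP packet in a netfilter-style log line.
DPT_RE = re.compile(r"\bPROTO=UDP\b.*\bDPT=(\d+)\b")


def is_traceroute_probe(log_line, max_hops=30):
    """True if a netfilter/Shorewall log line records a UDP packet whose
    destination port lies in the traceroute range for max_hops (30 is the
    usual traceroute default).  Handy for telling traceroute noise from a
    port scan when reviewing DROP logs."""
    m = DPT_RE.search(log_line)
    if m is None:
        return False
    first, last = traceroute_port_range(max_hops)
    return first <= int(m.group(1)) <= last


# Constructed log line in the netfilter format Shorewall emits; the
# addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = ("Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:00:00:00:00:00 "
              "SRC=192.0.2.10 DST=198.51.100.1 LEN=60 TTL=1 PROTO=UDP "
              "SPT=40001 DPT=33440 LEN=40")

if __name__ == "__main__":
    print(render(traceroute_rules("loc", "net", max_hops=10)))
    print("sample log line is a traceroute probe:",
          is_traceroute_probe(SAMPLE_LOG))
```

<para>With max_hops=10 the script emits the range 33434:33443, which is the range the Trcrt macro is described as covering; raising the hop count widens only the UDP rule, while the ICMP 11 rule is the same regardless of hop count.</para>

    <para>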
The standard Shorewall sample configurations all set this up for you automatically, since those sample configurations enable all ICMP packet types originating on the firewall itself.</para>

    <programlisting>#ACTION   SOURCE   DESTINATION   PROTO   DPORT
ACCEPT    fw       net           icmp
ACCEPT    fw       loc           icmp
ACCEPT    fw       ...</programlisting>
  </section>

  <section id="NNTP">
    <title>Usenet (NNTP)</title>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
NNTP(ACCEPT)   <emphasis><source></emphasis>   <emphasis><destination></emphasis>
NNTPS(ACCEPT)  <source>   <destination>                   # Secure NNTP</programlisting>

    <para>TCP port 119.</para>
  </section>

  <section id="VNC">
    <title>VNC</title>

    <caution>
      <para>This information is valid only for Shorewall 3.2 or later.</para>
    </caution>

    <para>Vncviewer to Vncserver -- TCP port 5900 + <display number>.</para>

    <para>The following rule handles VNC traffic for VNC displays 0 - 9.</para>

    <programlisting>#ACTION      SOURCE     DESTINATION     PROTO   DPORT
VNC(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>

    <para>Vncserver to Vncviewer in listen mode -- TCP port 5500.</para>

    <programlisting>#ACTION       SOURCE     DESTINATION     PROTO   DPORT
VNCL(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="Vonage">
    <title><trademark>Vonage</trademark></title>

    <para>The standard Shorewall loc->net ACCEPT policy is all that is required for <trademark>Vonage</trademark> IP phone service to work, provided that you have loaded the tftp helper modules (ip_conntrack_tftp and ip_nat_tftp; see the TFTP section above for the /etc/shorewall/modules entries).</para>
  </section>

  <section id="Web">
    <title>Web Access</title>

    <caution>
      <para>This information is valid for Shorewall 3.2 or later.</para>
    </caution>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
HTTP(ACCEPT)   <emphasis><source></emphasis>   <emphasis><destination></emphasis>                   # Insecure HTTP
HTTPS(ACCEPT)  <source>   <destination>                   # Secure HTTP</programlisting>
  </section>

  <section id="Webmin">
    <title>Webmin</title>

    <programlisting>#ACTION         SOURCE     DESTINATION     PROTO   DPORT
Webmin(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>

    <para>Webmin uses TCP port 10000.</para>
  </section>

  <section id="Whois">
    <title>Whois</title>

    <programlisting>#ACTION        SOURCE     DESTINATION     PROTO   DPORT
Whois(ACCEPT)  <emphasis><source></emphasis>   <emphasis><destination></emphasis></programlisting>
  </section>

  <section id="X">
    <title>X/XDMCP</title>

    <para>Assume that the Chooser and/or X Server are running at <<emphasis>chooser</emphasis>> and the Display Manager/X applications are running at <<emphasis>apps</emphasis>>.</para>

    <programlisting>#ACTION   SOURCE        DESTINATION   PROTO   DPORT
ACCEPT    <<emphasis>chooser</emphasis>>     <<emphasis>apps</emphasis>>        udp     177          #XDMCP
ACCEPT    <<emphasis>apps</emphasis>>        <<emphasis>chooser</emphasis>>     tcp     6000:6009    #X Displays 0-9</programlisting>
  </section>

  <section id="Other">
    <title>Other Sources of Port Information</title>

    <para>Didn't find what you are looking for? Have you looked in your own /etc/services file?</para>

    <para>Still looking? Try <ulink url="http://www.networkice.com/advice/Exploits/Ports">http://www.networkice.com/advice/Exploits/Ports</ulink>.</para>
  </section>
</article>