Ports Required for Various Services/Applications
Tom
Eastep
2004-05-28
2001-2002
2004
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation License
.
In addition to those applications described in the
/etc/shorewall/rules documentation, here are some other
services/applications that you may need to configure your firewall to
accommodate.
Important Notes
Beginning with Shorewall 2.0.0, the Shorewall distribution
contains a library of user-defined actions that allow for easily
allowing or blocking a particular application. Check your
/usr/share/shorewall/actions.std file for a list of
the actions in your distribution. If you find what you need, you simply
use the action in a rule. For example, to allow DNS queries from the
dmz zone to the net
zone:
#ACTION SOURCE DESTINATION
AllowDNS dmz net
In the rules that are shown in this document, the ACTION is shown
as ACCEPT. You may need to use DNAT (see FAQ
30) or you may want DROP or REJECT if you are trying to block
the application.
Example: You want to port forward FTP from the net to your server
at 192.168.1.4 in your DMZ. The FTP section below gives you:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 21
You would code your rule as follows:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNAT net dmz:192.168.1.4 tcp 21
Auth (identd)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 113
DNS
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 53
ACCEPT <source> <destination> tcp 53
Note that if you are setting up a DNS server that supports recursive
resolution, the server is the <destination>
for resolution requests (from clients) and is also the <source>
of recursive resolution requests (usually to other servers in the
'net' zone). So for example, if you have a public DNS server in
your DMZ that supports recursive resolution for local clients then you
would need:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT all dmz udp 53
ACCEPT all dmz tcp 53
ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53
Recursive Resolution means that if the server itself can't
resolve the name presented to it, the server will attempt to resolve the
name with the help of other servers.
FTP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 21
Look here for much more information.
ICQ/AIM
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> net tcp 5190
IMAP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 143 #Unsecure IMAP
ACCEPT <source> <destination> tcp 993 #Secure IMAP
IPSEC
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> 50
ACCEPT <source> <destination> 51
ACCEPT <source> <destination> udp 500
ACCEPT <destination> <source> 50
ACCEPT <destination> <source> 51
ACCEPT <destination> <source> udp 500
Lots more information here and here.
NFS
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111
ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp
NTP (Network Time Protocol)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 123
PCAnywhere
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 5632
ACCEPT <source> <destination> tcp 5631
Pop3
TCP Port 110 (Secure Pop3 is TCP Port 995)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 110 #Unsecure Pop3
ACCEPT <source> <destination> tcp 995 #Secure Pop3
PPTP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> 47
ACCEPT <source> <destination> tcp 1723
Lots more information here and here.
rdate
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 37
SSH
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 22
SMB/NMB (Samba/Windows Browsing/File Sharing)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 137,139,445
ACCEPT <source> <destination> udp 137:139
ACCEPT <destination> <source> tcp 137,139,445
ACCEPT <destination> <source> udp 137:139
Also, see this page.
SMTP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 25 #Insecure SMTP
ACCEPT <source> <destination> tcp 465 #SMTP over SSL (TLS)
SNMP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 161:162
ACCEPT <source> <destination> tcp 161
Telnet
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 23
TFTP
You must have TFTP connection tracking support in your kernel. If
modularized, the modules are ip_conntrack_tftp
(and ip_nat_tftp if any form of NAT is
involved) These modules may be loaded using entries in
/etc/shorewall/modules. The ip_conntrack_tftp
module must be loaded first. Note that the /etc/shorewall/modules
file released with recent Shorewall versions contains entries for these
modules.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 69
Traceroute
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> udp 33434:33443 #Good for 10 hops
ACCEPT <source> <destination> icmp 8
UDP traceroute uses ports 33434 through 33434+<max number of
hops>-1
Usenet (NNTP)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 119
TCP Port 119
VNC
Vncviewer to Vncserver -- TCP port 5900 + <display number>.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 5901 #Display Number 1
ACCEPT <source> <destination> tcp 5902 #Display Number 2
...
Vncserver to Vncviewer in listen mode -- TCP port 5500.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 5500
Web Access
#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <source> <destination> tcp 80 #Insecure HTTP
ACCEPT <source> <destination> tcp 443 #Secure HTTP
Other Source of Port Information
Didn't find what you are looking for -- have you looked in your
own /etc/services file?
Still looking? Try http://www.networkice.com/advice/Exploits/Ports
Revision History
1.112004-05-28TECorrected
directory for actions.std and enhanced the DNS section.1.102004-05-09TEAdded
TFTP.1.92004-04-24TERevised
ICQ/AIM.1.82004-04-23TEAdded
SNMP.1.72004-02-18TEMake
NFS work for everyone.1.62004-02-14TEAdd
PCAnywhere.1.52004-02-05TEAdded
information about VNC viewers in listen mode.1.42004-01-26TECorrect
ICQ.1.32004-01-04TEAlphabetize1.22004-01-03TEAdd
rules file entries.1.12002-07-30TEInitial
version converted to Docbook XML