Ports Required for Various Services/Applications
Copyright © 2001-2002, 2004 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
“GNU Free Documentation License”.
Abstract
In addition to those applications described in the
/etc/shorewall/rules documentation, here are some other
services/applications that you may need to configure your firewall to
accommodate.
Note
Beginning with Shorewall 2.0.0, the Shorewall distribution
contains a library of user-defined actions that allow for easily
allowing or blocking a particular application. Check your
/etc/shorewall/actions.std file for a list of the
actions in your distribution. If you find what you need, you simply use
the action in a rule. For example, to allow DNS queries from the
dmz zone to the net
zone:
#ACTION   SOURCE   DESTINATION
AllowDNS  dmz      net
Note
In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application.
Example: You want to port forward FTP from the net to your server
at 192.168.1.4 in your DMZ. The FTP section below gives you:
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    21
You would code your rule as follows:
#ACTION  SOURCE  DESTINATION      PROTO  DEST PORT(S)
DNAT     net     dmz:192.168.1.4  tcp    21
Auth (identd)
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    113
DNS
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  udp    53
ACCEPT   <source>  <destination>  tcp    53
FTP
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    21
See the Shorewall FTP documentation for much more information.
ICQ/AIM
#ACTION  SOURCE    DESTINATION  PROTO  DEST PORT(S)
ACCEPT   <source>  net          tcp    5190
IMAP
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    143           #Unsecure IMAP
ACCEPT   <source>  <destination>  tcp    993           #Secure IMAP
IPSEC
#ACTION  SOURCE         DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>       <destination>  50
ACCEPT   <source>       <destination>  51
ACCEPT   <source>       <destination>  udp    500
ACCEPT   <destination>  <source>       50
ACCEPT   <destination>  <source>       51
ACCEPT   <destination>  <source>       udp    500
The Shorewall IPsec documentation has lots more information.
NFS
#ACTION  SOURCE                     DESTINATION   PROTO  DEST PORT(S)
ACCEPT   <z1>:<list of client IPs>  <z2>:a.b.c.d  tcp    111
ACCEPT   <z1>:<list of client IPs>  <z2>:a.b.c.d  udp
NTP (Network Time Protocol)
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  udp    123
PCAnywhere
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  udp    5632
ACCEPT   <source>  <destination>  tcp    5631
POP3
TCP Port 110 (Secure Pop3 is TCP Port 995)
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    110           #Unsecure Pop3
ACCEPT   <source>  <destination>  tcp    995           #Secure Pop3
PPTP
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  47
ACCEPT   <source>  <destination>  tcp    1723
The Shorewall PPTP documentation has lots more information.
rdate
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    37
SSH
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    22
SMB/NMB (Samba/Windows Browsing/File Sharing)
#ACTION  SOURCE         DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>       <destination>  tcp    137,139,445
ACCEPT   <source>       <destination>  udp    137:139
ACCEPT   <destination>  <source>       tcp    137,139,445
ACCEPT   <destination>  <source>       udp    137:139
Also, see the Shorewall Samba documentation.
SMTP
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    25            #Insecure SMTP
ACCEPT   <source>  <destination>  tcp    465           #SMTP over SSL (TLS)
SNMP
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  udp    161:162
ACCEPT   <source>  <destination>  tcp    161
Telnet
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    23
Traceroute
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  udp    33434:33443   #Good for 10 hops
ACCEPT   <source>  <destination>  icmp   8
UDP traceroute uses ports 33434 through 33434+<max number of hops>-1.
Usenet (NNTP)
TCP Port 119
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    119
VNC
Vncviewer to Vncserver -- TCP port 5900 + <display number>.
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    5901          #Display Number 1
ACCEPT   <source>  <destination>  tcp    5902          #Display Number 2
...
Vncserver to Vncviewer in listen mode -- TCP port 5500.
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    5500
Web Access
#ACTION  SOURCE    DESTINATION    PROTO  DEST PORT(S)
ACCEPT   <source>  <destination>  tcp    80            #Insecure HTTP
ACCEPT   <source>  <destination>  tcp    443           #Secure HTTP
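As an added example (not part of the Shorewall documentation or the project's code), covering both the DNAT port-forward example near the top and the traceroute port arithmetic: a small Python checker for rules lines in the column layout used on this page. The sample lines are constructed, and the zone names loc, net and dmz are assumed.

```python
# Constructed sample lines in the /etc/shorewall/rules layout shown on this page (assumed zones).
SAMPLE_RULES = """\
#ACTION SOURCE DESTINATION     PROTO DEST PORT(S)
DNAT    net    dmz:192.168.1.4 tcp   21
ACCEPT  loc    net             udp   33434:33443
ACCEPT  loc    dmz             tcp   137,139,445
ACCEPT  loc    net             50
ACCEPT  loc    net             icmp  8
"""
NUMERIC_PROTOS = {"47": "gre", "50": "esp", "51": "ah"}  # listed by IP protocol number, no port column

def expand_ports(spec):
    """'137,139,445' -> {137, 139, 445}; '137:139' -> {137, 138, 139}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def parse_rule(line):
    """Split one rule line into fields and check the column combinations this page relies on."""
    fields = line.split("#", 1)[0].split()  # drop a trailing '#comment'
    if len(fields) < 4:
        raise ValueError(f"too few columns: {line!r}")
    action, source, dest, proto = fields[:4]
    ports = fields[4] if len(fields) > 4 else None
    if proto in NUMERIC_PROTOS and ports is not None:
        raise ValueError(f"protocol {proto} ({NUMERIC_PROTOS[proto]}) takes no port column")
    if proto in ("tcp", "udp") and ports is None:
        raise ValueError(f"{proto} rule without DEST PORT(S): {line!r}")
    zone, _, addr = dest.partition(":")
    if action == "DNAT" and not addr:
        raise ValueError("DNAT needs a zone:address DESTINATION, e.g. dmz:192.168.1.4")
    return {"action": action, "source": source, "zone": zone, "address": addr or None,
            "proto": proto, "ports": expand_ports(ports) if proto in ("tcp", "udp") else ports}

def rule_error(line):
    try: parse_rule(line); return None  # None means the line parses cleanly
    except ValueError as exc: return str(exc)

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def traceroute_ports(max_hops):
    """UDP traceroute probes 33434 through 33434 + max_hops - 1, as the page states."""
    return f"33434:{33434 + max_hops - 1}"
```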
A. Revision History
Revision 1.8, 2004-04-24, TE: Revised ICQ/AIM.
Revision 1.8, 2004-04-23, TE: Added SNMP.
Revision 1.7, 2004-02-18, TE: Make NFS work for everyone.
Revision 1.6, 2004-02-14, TE: Add PCAnywhere.
Revision 1.5, 2004-02-05, TE: Added information about VNC viewers in listen mode.
Revision 1.4, 2004-01-26, TE: Correct ICQ.
Revision 1.3, 2004-01-04, TE: Alphabetize.
Revision 1.2, 2004-01-03, TE: Add rules file entries.
Revision 1.1, 2002-07-30, TE: Initial version converted to Docbook XML.