shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Ports Required for Various Services/Applications</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /><meta name="description" content="In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate." /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257523"></a>Ports Required for Various Services/Applications</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><div class="othercredit"><h3 class="othercredit"><span class="surname">Cristian Rodriguez R.</span></h3></div></div><div><p class="copyright">Copyright © 2001-2008 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id257912"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div><div><div class="abstract"><p class="title"><b>Abstract</b></p><p>In addition to those applications described in the
      /etc/shorewall/rules documentation, here are some other
      services/applications that you may need to configure your firewall to
      accommodate.</p></div></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#Notes">Important Notes</a></span></dt><dt><span class="section"><a href="#Auth">Auth (identd)</a></span></dt><dt><span class="section"><a href="#BT">BitTorrent</a></span></dt><dt><span class="section"><a href="#DNS">DNS</a></span></dt><dt><span class="section"><a href="#Emule">Emule</a></span></dt><dt><span class="section"><a href="#FTP">FTP</a></span></dt><dt><span class="section"><a href="#Gnutella">Gnutella</a></span></dt><dt><span class="section"><a href="#ICQ">ICQ/AIM</a></span></dt><dt><span class="section"><a href="#IMAP">IMAP</a></span></dt><dt><span class="section"><a href="#IPSEC">IPSEC</a></span></dt><dt><span class="section"><a href="#LDAP">LDAP</a></span></dt><dt><span class="section"><a href="#MySQL"><span class="trademark">MySQL</span>™</a></span></dt><dt><span class="section"><a href="#NFS">NFS</a></span></dt><dt><span class="section"><a href="#NTP">NTP (Network Time Protocol)</a></span></dt><dt><span class="section"><a href="#PCA"><span class="trademark">PCAnywhere</span>™</a></span></dt><dt><span class="section"><a href="#POP3">POP3</a></span></dt><dt><span class="section"><a href="#PPTP">PPTP</a></span></dt><dt><span class="section"><a href="#Rdate">rdate</a></span></dt><dt><span class="section"><a href="#rsync">rsync</a></span></dt><dt><span class="section"><a href="#Siproxd">Siproxd</a></span></dt><dt><span class="section"><a href="#SSH">SSH/SFTP</a></span></dt><dt><span class="section"><a href="#SMB">SMB/NMB (Samba/<span class="trademark">Windows</span>™ Browsing/File
    Sharing)</a></span></dt><dt><span class="section"><a href="#SMTP">SMTP</a></span></dt><dt><span class="section"><a href="#SNMP">SNMP</a></span></dt><dt><span class="section"><a href="#SVN">SVN</a></span></dt><dt><span class="section"><a href="#Telnet">Telnet</a></span></dt><dt><span class="section"><a href="#TFTP">TFTP</a></span></dt><dt><span class="section"><a href="#Traceroute">Traceroute</a></span></dt><dt><span class="section"><a href="#NNTP">Usenet (NNTP)</a></span></dt><dt><span class="section"><a href="#VNC">VNC</a></span></dt><dt><span class="section"><a href="#Vonage"><span class="trademark">Vonage</span>™</a></span></dt><dt><span class="section"><a href="#Web">Web Access</a></span></dt><dt><span class="section"><a href="#Webmin">Webmin</a></span></dt><dt><span class="section"><a href="#Whois">Whois</a></span></dt><dt><span class="section"><a href="#X">X/XDMCP</a></span></dt><dt><span class="section"><a href="#Other">Other Source of Port Information</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0, please see the documentation for that release.</strong></span></p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Notes"></a>Important Notes</h2></div></div></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The Shorewall distribution contains a library of user-defined macros
      that make it easy to allow or block a particular application. Run
      <span class="command"><strong>ls <code class="filename">/usr/share/shorewall/</code>macro.*</strong></span>
      to list the macros in your distribution. If you find what you need,
      you simply use the macro in a rule. For example, to allow DNS queries
      from the <span class="bold"><strong>dmz</strong></span> zone to the <span class="bold"><strong>net</strong></span> zone:</p><pre class="programlisting">#ACTION         SOURCE        DESTINATION
DNS/ACCEPT      dmz           net</pre></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>In the rules that are shown in this document, the ACTION is shown
      as ACCEPT. You may need to use DNAT (see <a class="ulink" href="FAQ.htm#faq30" target="_self">FAQ
      30</a>) or you may want DROP or REJECT if you are trying to block
      the application.</p><p>Example: You want to port forward FTP from the net to your server
      at 192.168.1.4 in your DMZ. The FTP section below gives you:</p><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
FTP/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre><p>You would code your rule as follows:</p><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
FTP/DNAT       net       dmz:192.168.1.4  </pre></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Auth"></a>Auth (identd)</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong><span class="emphasis"><em>It is now the 21st
      Century</em></span>; don't use identd in production
      anymore.</strong></span></p></div><pre class="programlisting">#ACTION          SOURCE    DESTINATION      PROTO      DEST PORT(S)
Auth/ACCEPT     <span class="emphasis"><em> &lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="BT"></a>BitTorrent</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong><span class="emphasis"><em>This rule assumes that your
      BitTorrent client listens on the default
      port(s).</em></span></strong></span></p></div><pre class="programlisting">#ACTION           SOURCE    DESTINATION      PROTO      DEST PORT(S)
BitTorrent/ACCEPT <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="DNS"></a>DNS</h2></div></div></div><pre class="programlisting">#ACTION          SOURCE    DESTINATION      PROTO      DEST PORT(S)
DNS/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre><p>Note that if you are setting up a DNS server that supports recursive
    resolution, the server is the &lt;<span class="emphasis"><em>destination</em></span>&gt; for
    resolution requests (from clients) and is also the
    &lt;<span class="emphasis"><em>source</em></span>&gt; of recursive resolution requests
    (usually to other servers in the 'net' zone). So for example, if you have
    a public DNS server in your DMZ that supports recursive resolution for
    local clients then you would need:</p><pre class="programlisting">#ACTION     SOURCE    DESTINATION      PROTO      DEST PORT(S)
DNS/ACCEPT  all       dmz              
DNS/ACCEPT  dmz       net              </pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>Recursive Resolution means that if the server itself can't resolve
      the name presented to it, the server will attempt to resolve the name
      with the help of other servers.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Emule"></a>Emule</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><p>In contrast to how the rest of this article is organized, for emule
    I will give you the rules necessary to run emule on a single machine in
    your loc network (since that's what 99.99% of you want to do). Assume
    that:</p><div class="orderedlist"><ol type="1"><li><p>The internal machine running emule has IP address
        192.168.1.4.</p></li><li><p>You use Masquerading or SNAT for the local network.</p></li><li><p>The zones are named as they are in the <a class="ulink" href="shorewall_quickstart_guide.htm" target="_self">two- and three-interface
        QuickStart guides</a>.</p></li><li><p>Your loc-&gt;net policy is ACCEPT.</p></li></ol></div><p><code class="filename">/etc/shorewall/rules:</code></p><pre class="programlisting">#ACTION       SOURCE   DESTINATION          PROTO         DEST PORT(S)
Edonkey/DNAT  net      loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too.
DNAT        net      loc:192.168.1.4      tcp           4711</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="FTP"></a>FTP</h2></div></div></div><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
FTP/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre><p>Look <a class="ulink" href="FTP.html" target="_self">here</a> for much more
    information.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Gnutella"></a>Gnutella</h2></div></div></div><p>Assume that:</p><div class="orderedlist"><ol type="1"><li><p>The internal machine running a Gnutella client has IP address
          192.168.1.4.</p></li><li><p>You use Masquerading or SNAT for the local network.</p></li><li><p>The zones are named as they are in the <a class="ulink" href="shorewall_quickstart_guide.htm" target="_self">two- and three-interface
          QuickStart guides</a>.</p></li><li><p>Your loc-&gt;net policy is ACCEPT.</p></li></ol></div><pre class="programlisting">#ACTION              SOURCE   DESTINATION      PROTO      DEST PORT(S)
Gnutella/DNAT        net      loc:192.168.1.4</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="ICQ"></a>ICQ/AIM</h2></div></div></div><pre class="programlisting">#ACTION     SOURCE    DESTINATION      PROTO      DEST PORT(S)
ICQ/ACCEPT  <span class="emphasis"><em>&lt;source&gt;</em></span>  net</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="IMAP"></a>IMAP</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>When accessing your mail from the Internet, use <span class="bold"><strong>only</strong></span> <span class="bold"><strong>IMAP over
      SSL.</strong></span></p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><pre class="programlisting">#ACTION         SOURCE    DESTINATION      PROTO      DEST PORT(S)
IMAP/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span> # Insecure IMAP
IMAPS/ACCEPT    &lt;source&gt;  &lt;destination&gt; # IMAP over SSL</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="IPSEC"></a>IPSEC</h2></div></div></div><pre class="programlisting">#ACTION    SOURCE         DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>       <span class="emphasis"><em>&lt;destination&gt;</em></span>    50
ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>       <span class="emphasis"><em>&lt;destination&gt;</em></span>    51
ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>       <span class="emphasis"><em>&lt;destination&gt;</em></span>    udp        500
ACCEPT     <span class="emphasis"><em>&lt;destination&gt;</em></span>  <span class="emphasis"><em>&lt;source&gt;</em></span>         50
ACCEPT     <span class="emphasis"><em>&lt;destination&gt;</em></span>  <span class="emphasis"><em>&lt;source&gt;</em></span>         51
ACCEPT     <span class="emphasis"><em>&lt;destination&gt;</em></span>  <span class="emphasis"><em>&lt;source&gt;</em></span>         udp        500</pre><p>Lots more information <a class="ulink" href="IPSEC.htm" target="_self">here</a> and <a class="ulink" href="VPN.htm" target="_self">here</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="LDAP"></a>LDAP</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><pre class="programlisting">#ACTION          SOURCE           DESTINATION      PROTO      DEST PORT(S)
LDAP/ACCEPT      <span class="emphasis"><em>&lt;source&gt;</em></span>       <span class="emphasis"><em>&lt;destination&gt;</em></span>      # Insecure LDAP
LDAPS/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>       <span class="emphasis"><em>&lt;destination&gt;</em></span>      # LDAP over SSL</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="MySQL"></a><span class="trademark">MySQL</span>™</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>Allowing access from untrusted hosts to your
      <span class="trademark">MySQL</span>™ server represents a <span class="bold"><strong>severe security risk</strong></span>.</p><p><span class="bold"><strong>DO NOT USE THIS</strong></span> unless you know
      how to deal with the consequences; you have been warned.</p></div><pre class="programlisting">#ACTION          SOURCE           DESTINATION      PROTO      DEST PORT(S)
MySQL/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>       <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="NFS"></a>NFS</h2></div></div></div><pre class="programlisting">#ACTION    SOURCE                         DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <span class="emphasis"><em>&lt;z1&gt;</em></span>:&lt;list of client IPs&gt;  <span class="emphasis"><em>&lt;z2&gt;</em></span>:a.b.c.d     tcp        111
ACCEPT     <span class="emphasis"><em>&lt;z1&gt;</em></span>:&lt;list of client IPs&gt;  <span class="emphasis"><em>&lt;z2&gt;</em></span>:a.b.c.d     udp</pre><p>For more NFS information, see <a class="ulink" href="http://lists.shorewall.net/~kb/" target="_self">http://lists.shorewall.net/~kb/</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="NTP"></a>NTP (Network Time Protocol)</h2></div></div></div><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
NTP/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="PCA"></a><span class="trademark">PCAnywhere</span>™</h2></div></div></div><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
PCA/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="POP3"></a>POP3</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>If possible, <span class="bold"><strong>avoid this protocol</strong></span>
      and use <span class="bold"><strong>IMAP</strong></span> instead.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><pre class="programlisting">#ACTION         SOURCE    DESTINATION      PROTO      DEST PORT(S)
POP3/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>   # Insecure POP3
POP3S/ACCEPT    &lt;source&gt;  &lt;destination&gt;  # POP3 over SSL</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="PPTP"></a>PPTP</h2></div></div></div><pre class="programlisting">#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>    47    
ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>    tcp        1723</pre><p>Lots more information <a class="ulink" href="PPTP.htm" target="_self">here</a> and <a class="ulink" href="VPN.htm" target="_self">here</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Rdate"></a>rdate</h2></div></div></div><pre class="programlisting">#ACTION          SOURCE    DESTINATION      PROTO      DEST PORT(S)
Rdate/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="rsync"></a>rsync</h2></div></div></div><pre class="programlisting">#ACTION          SOURCE    DESTINATION      PROTO      DEST PORT(S)
Rsync/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Siproxd"></a>Siproxd</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This assumes siproxd is running <span class="bold"><strong>on the
      firewall and is using the default ports</strong></span>.</p></div><pre class="programlisting">#ACTION          SOURCE    DESTINATION      PROTO      DEST PORT(S)
REDIRECT          loc           5060         udp        5060
ACCEPT            net           fw           udp        5060
ACCEPT            net           fw           udp        7070:7089</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="SSH"></a>SSH/SFTP</h2></div></div></div><pre class="programlisting">#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
SSH/ACCEPT <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span> </pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="SMB"></a>SMB/NMB (Samba/<span class="trademark">Windows</span>™ Browsing/File
    Sharing)</h2></div></div></div><pre class="programlisting">#ACTION        SOURCE         DESTINATION      PROTO      DEST PORT(S)
SMB/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>       <span class="emphasis"><em>&lt;destination&gt;</em></span>
SMB/ACCEPT     <span class="emphasis"><em>&lt;destination&gt;</em></span>  <span class="emphasis"><em>&lt;source&gt;</em></span></pre><p>Also, see <a class="ulink" href="samba.htm" target="_self">this page</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="SMTP"></a>SMTP</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><pre class="programlisting">#ACTION         SOURCE    DESTINATION      PROTO      DEST PORT(S)
SMTP/ACCEPT      <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>                      #Insecure SMTP
SMTPS/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>                      #SMTP over SSL (TLS)</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="SNMP"></a>SNMP</h2></div></div></div><pre class="programlisting">#ACTION         SOURCE    DESTINATION      PROTO      DEST PORT(S)
SNMP/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="SVN"></a>SVN</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This rule is for Subversion running in <span class="bold"><strong>svnserve mode only.</strong></span></p></div><pre class="programlisting">#ACTION         SOURCE    DESTINATION      PROTO      DEST PORT(S)
SVN/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Telnet"></a>Telnet</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong><span class="emphasis"><em>The telnet protocol is very
      insecure</em></span>, don't use it.</strong></span></p></div><pre class="programlisting">#ACTION           SOURCE    DESTINATION      PROTO      DEST PORT(S)
Telnet/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="TFTP"></a>TFTP</h2></div></div></div><p>You must have TFTP connection tracking support in your kernel. If
    modularized, the modules are <span class="bold"><strong>ip_conntrack_tftp</strong></span> (and <span class="bold"><strong>ip_nat_tftp</strong></span> if any form of NAT is involved). These
    modules may be loaded using entries in
    <code class="filename">/etc/shorewall/modules</code>. The <span class="bold"><strong>ip_conntrack_tftp</strong></span> module must be loaded first. Note
    that the <code class="filename">/etc/shorewall/modules</code> file released with
    recent Shorewall versions contains entries for these modules.</p><pre class="programlisting">#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>    udp        69</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Traceroute"></a>Traceroute</h2></div></div></div><pre class="programlisting">#ACTION          SOURCE    DESTINATION      PROTO      DEST PORT(S)
Trcrt/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>  #Good for 10 hops</pre><p>UDP traceroute uses ports 33434 through 33434+&lt;max number of
    hops&gt;-1. Note that for the firewall to respond with a TTL expired ICMP
    reply, you will need to allow ICMP 11 outbound from the firewall. The
    standard Shorewall sample configurations all set this up for you
    automatically since those sample configurations enable all ICMP packet
    types originating on the firewall itself.</p><pre class="programlisting">#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     fw        net              icmp
ACCEPT     fw        loc              icmp
ACCEPT     fw        ...</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="NNTP"></a>Usenet (NNTP)</h2></div></div></div><pre class="programlisting">#ACTION         SOURCE    DESTINATION      PROTO      DEST PORT(S)
NNTP/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>
NNTPS/ACCEPT    &lt;source&gt;  &lt;destination&gt;  # secure NNTP</pre><p>NNTP uses TCP port 119.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="VNC"></a>VNC</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid only for Shorewall 3.2 or later.</p></div><p>Vncviewer to Vncserver -- TCP port 5900 + &lt;display
    number&gt;.</p><p>The following rule handles VNC traffic for VNC displays 0 -
    9.</p><pre class="programlisting">#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
VNC/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre><p>Vncserver to Vncviewer in listen mode -- TCP port 5500.</p><pre class="programlisting">#ACTION         SOURCE    DESTINATION      PROTO      DEST PORT(S)
VNCL/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span></pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Vonage"></a><span class="trademark">Vonage</span>™</h2></div></div></div><p>The standard Shorewall loc-&gt;net ACCEPT policy is all that is
    required for <span class="trademark">Vonage</span>™ IP phone service to work,
    provided that you have loaded the tftp helper modules (add the following
    entries to /etc/shorewall/modules if they are not there already):</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Web"></a>Web Access</h2></div></div></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>This information is valid for Shorewall 3.2 or later.</p></div><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
HTTP/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span> # Insecure HTTP
HTTPS/ACCEPT    &lt;source&gt;  &lt;destination&gt; # Secure HTTP</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Webmin"></a>Webmin</h2></div></div></div><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
Webmin/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>  </pre><p>Webmin
    uses TCP port 10000.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Whois"></a>Whois</h2></div></div></div><pre class="programlisting">#ACTION        SOURCE    DESTINATION      PROTO      DEST PORT(S)
Whois/ACCEPT     <span class="emphasis"><em>&lt;source&gt;</em></span>  <span class="emphasis"><em>&lt;destination&gt;</em></span>  </pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="X"></a>X/XDMCP</h2></div></div></div><p>Assume that the Chooser and/or X Server are running at
    &lt;<span class="emphasis"><em>chooser</em></span>&gt; and the Display Manager/X
    applications are running at &lt;<span class="emphasis"><em>apps</em></span>&gt;.</p><pre class="programlisting">#ACTION    SOURCE    DESTINATION      PROTO      DEST PORT(S)
ACCEPT     &lt;<span class="emphasis"><em>chooser</em></span>&gt; &lt;<span class="emphasis"><em>apps</em></span>&gt;           udp        177         #XDMCP
ACCEPT     &lt;<span class="emphasis"><em>apps</em></span>&gt;    &lt;<span class="emphasis"><em>chooser</em></span>&gt;        tcp        6000:6009   #X Displays 0-9</pre></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Other"></a>Other Source of Port Information</h2></div></div></div><p>Didn't find what you are looking for -- have you looked in your own
    /etc/services file?</p><p>Still looking? Try <a class="ulink" href="http://www.networkice.com/advice/Exploits/Ports" target="_self">http://www.networkice.com/advice/Exploits/Ports</a></p></div></div></body></html>