Ports Required for Various Services/Applications

Tom Eastep

Cristian Rodriguez R.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License.

2016/02/18

Abstract

In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate.


Caution

This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0, please see the documentation for that release.

Important Notes

Note

The Shorewall distribution contains a library of user-defined macros that make it easy to allow or block a particular application. Run ls /usr/share/shorewall/macro.* for the list of macros in your distribution. If you find what you need, you simply use the macro in a rule. For example, to allow DNS queries from the dmz zone to the net zone:

#ACTION         SOURCE        DEST
DNS(ACCEPT)     dmz           net

Note

In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application.

Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you:

#ACTION        SOURCE    DEST             PROTO      DPORT
FTP(ACCEPT)    <source>  <destination>

You would code your rule as follows:

#ACTION        SOURCE    DESTINATION      PROTO      DPORT
FTP(DNAT)       net       dmz:192.168.1.4  

Auth (identd)

Caution

It is now the 21st century; don't use identd in production anymore.

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Auth(ACCEPT)     <source>  <destination>

BitTorrent

Caution

This information is valid only for Shorewall 3.2 or later.

Caution

This rule assumes that your BitTorrent client listens on the default port(s)

#ACTION             SOURCE    DESTINATION      PROTO      DPORT
BitTorrent(ACCEPT)  <source>  <destination>

DNS

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
DNS(ACCEPT)      <source>  <destination>    

Note that if you are setting up a DNS server that supports recursive resolution, the server is the <destination> for resolution requests (from clients) and is also the <source> of recursive resolution requests (usually to other servers in the 'net' zone). So for example, if you have a public DNS server in your DMZ that supports recursive resolution for local clients then you would need:

#ACTION     SOURCE    DESTINATION      PROTO      DPORT
DNS(ACCEPT) all       dmz              
DNS(ACCEPT) dmz       net              

Note

Recursive Resolution means that if the server itself can't resolve the name presented to it, the server will attempt to resolve the name with the help of other servers.

Emule

Caution

This information is valid only for Shorewall 3.2 or later.

In contrast to how the rest of this article is organized, for emule I will give you the rules necessary to run emule on a single machine in your loc network (since that's what 99.99% of you want to do). Assume that:

  1. The internal machine running emule has IP address 192.168.1.4.

  2. You use Masquerading or SNAT for the local network.

  3. The zones are named as they are in the two- and three-interface QuickStart guides.

  4. Your loc->net policy is ACCEPT.

/etc/shorewall/rules:

#ACTION       SOURCE   DESTINATION          PROTO         DPORT
Edonkey(DNAT)  net      loc:192.168.1.4
#if you wish to enable the Emule webserver, add this rule too.
DNAT        net      loc:192.168.1.4      tcp           4711

FTP

#ACTION        SOURCE    DESTINATION      PROTO      DPORT
FTP(ACCEPT)    <source>  <destination>

Look here for much more information.

Gnutella

  1. The internal machine running a Gnutella Client has IP address 192.168.1.4.

  2. You use Masquerading or SNAT for the local network.

  3. The zones are named as they are in the two- and three-interface QuickStart guides.

  4. Your loc->net policy is ACCEPT.

#ACTION              SOURCE   DESTINATION      PROTO      DPORT
Gnutella(DNAT)       net      loc:192.168.1.4

ICQ/AIM

#ACTION     SOURCE    DESTINATION      PROTO      DPORT
ICQ(ACCEPT) <source>  net

IMAP

Caution

When accessing your mail from the Internet, use only IMAP over SSL.

Caution

This information is valid only for Shorewall 3.2 or later.

#ACTION         SOURCE    DESTINATION      PROTO      DPORT
IMAP(ACCEPT)    <source>  <destination>                      # Insecure IMAP
IMAPS(ACCEPT)   <source>  <destination>                      # IMAP over SSL

IPSEC

#ACTION    SOURCE         DESTINATION      PROTO      DPORT
ACCEPT     <source>       <destination>    50                   # ESP
ACCEPT     <source>       <destination>    51                   # AH
ACCEPT     <source>       <destination>    udp        500       # IKE
ACCEPT     <destination>  <source>         50                   # ESP
ACCEPT     <destination>  <source>         51                   # AH
ACCEPT     <destination>  <source>         udp        500       # IKE

Lots more information here and here.

LDAP

Caution

This information is valid only for Shorewall 3.2 or later.

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
LDAP(ACCEPT)     <source>  <destination>                      # Insecure LDAP
LDAPS(ACCEPT)    <source>  <destination>                      # LDAP over SSL

MySQL

Caution

This information is valid only for Shorewall 3.2 or later.

Caution

Allowing access from untrusted hosts to your MySQL™ server represents a severe security risk.

DO NOT USE THIS if you don't know how to deal with the consequences; you have been warned.

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
MySQL(ACCEPT)    <source>  <destination>

NFS

#ACTION    SOURCE                         DESTINATION      PROTO      DPORT
ACCEPT     <z1>:<list of client IPs>      <z2>:a.b.c.d     tcp        111        # portmapper (rpcbind)
ACCEPT     <z1>:<list of client IPs>      <z2>:a.b.c.d     udp                   # all UDP from the listed clients

For more NFS information, see http://lists.shorewall.net/~kb/.

NTP (Network Time Protocol)

#ACTION        SOURCE    DESTINATION      PROTO      DPORT
NTP(ACCEPT)    <source>  <destination>

PCAnywhere

#ACTION        SOURCE    DESTINATION      PROTO      DPORT
PCA(ACCEPT)    <source>  <destination>

POP3

Caution

If possible, avoid this protocol; use IMAP instead.

Caution

This information is valid only for Shorewall 3.2 or later.

#ACTION         SOURCE    DESTINATION      PROTO      DPORT
POP3(ACCEPT)    <source>  <destination>                      # Insecure POP3
POP3S(ACCEPT)   <source>  <destination>                      # POP3 over SSL

PPTP

#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     <source>  <destination>    47                   # GRE (tunnelled data)
ACCEPT     <source>  <destination>    tcp        1723      # PPTP control connection

Lots more information here and here.

rdate

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Rdate(ACCEPT)    <source>  <destination>

rsync

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Rsync(ACCEPT)    <source>  <destination>

Siproxd

Caution

This assumes siproxd is running on the firewall and is using the default ports.

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
REDIRECT          loc           5060         udp        5060
ACCEPT            net           fw           udp        5060
ACCEPT            net           fw           udp        7070:7089

SSH/SFTP

#ACTION       SOURCE    DESTINATION      PROTO      DPORT
SSH(ACCEPT)   <source>  <destination>

SMB/NMB (Samba/Windows™ Browsing/File Sharing)

#ACTION        SOURCE         DESTINATION      PROTO      DPORT
SMB(ACCEPT)    <source>       <destination>
SMB(ACCEPT)    <destination>  <source>

Also, see this page.

SMTP

Caution

This information is valid only for Shorewall 3.2 or later.

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
SMTP(ACCEPT)     <source>  <destination>                      # Insecure SMTP
SMTPS(ACCEPT)    <source>  <destination>                      # SMTP over SSL (TLS)

SNMP

#ACTION         SOURCE    DESTINATION      PROTO      DPORT
SNMP(ACCEPT)    <source>  <destination>

SVN

Caution

This information is valid only for Shorewall 3.2 or later.

Caution

This rule is for Subversion running in svnserve mode only.

#ACTION         SOURCE    DESTINATION      PROTO      DPORT
SVN(ACCEPT)     <source>  <destination>

Telnet

Caution

The telnet protocol is very insecure, don't use it.

#ACTION           SOURCE    DESTINATION      PROTO      DPORT
Telnet(ACCEPT)    <source>  <destination>
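The rule layout used throughout this article (Macro(ACTION) SOURCE DESTINATION, or a bare ACTION followed by PROTO and DPORT) is regular enough to check mechanically, and the cautions above about identd, Telnet, cleartext POP3 and IMAP, and MySQL reachable from untrusted hosts can be turned into lint checks. The following is an added example written for this page, not Shorewall's own code: a small parser for rules lines in this layout plus a linter that reports the exposures the cautions warn about, and that also points out a bare ACCEPT with a tcp/udp protocol but no DPORT, which opens every port of that protocol (as the NFS udp rule above does deliberately). The sample rules, the host addresses and the treatment of "net" as the only untrusted zone are constructed assumptions.

```python
"""Lint Shorewall-style rules lines against the cautions in this article.

Added example; not part of Shorewall.  The checks are a reading of this
page's cautions, not project policy.  Zone names (net, loc, dmz, fw) and
the sample rules below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A macro rule looks like Macro(ACTION), e.g. FTP(DNAT); a plain rule
# starts with the bare ACTION, e.g. ACCEPT.
MACRO_RE = re.compile(r"^(?P<macro>[A-Za-z0-9_]+)\((?P<action>[A-Z]+)\)$")

# Assumption: "net" is the untrusted zone, as in the QuickStart guides.
UNTRUSTED_ZONES = {"net"}

# Reasons are paraphrased from the cautions on this page.
ALWAYS_FLAG = {
    "Auth": "identd is obsolete; the page says not to run it in production",
    "Telnet": "telnet is unencrypted; the page says not to use it",
}
FLAG_FROM_UNTRUSTED = {
    "POP3": "cleartext POP3 from the Internet; use POP3S or IMAPS",
    "IMAP": "cleartext IMAP from the Internet; use IMAPS",
    "MySQL": "MySQL reachable from untrusted hosts is a severe risk",
}
# Actions that let traffic through; DROP/REJECT of these services is fine.
PERMISSIVE_ACTIONS = {"ACCEPT", "DNAT", "REDIRECT"}


@dataclass
class Rule:
    line_no: int
    action: str
    macro: Optional[str]
    source: str
    dest: str
    proto: Optional[str]
    dport: Optional[str]

    @property
    def source_zone(self) -> str:
        # "dmz:192.168.1.4" -> "dmz"; a bare zone name is returned as is.
        return self.source.split(":", 1)[0]

    @property
    def dest_zone(self) -> str:
        return self.dest.split(":", 1)[0]


def parse_rules(text: str) -> List[Rule]:
    """Parse the whitespace-separated columns used in this article."""
    rules: List[Rule] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not body:
            continue
        cols = (body.split() + [None] * 5)[:5]  # pad missing columns with None
        m = MACRO_RE.match(cols[0])
        if m:
            macro, action = m.group("macro"), m.group("action")
        else:
            macro, action = None, cols[0]
        rules.append(Rule(line_no, action, macro, cols[1] or "-", cols[2] or "-",
                          cols[3], cols[4]))
    return rules


def lint(rules: List[Rule]) -> List[Tuple[int, str]]:
    """Return (line_no, message) for each rule that matches a caution."""
    findings: List[Tuple[int, str]] = []
    for r in rules:
        if r.action not in PERMISSIVE_ACTIONS:
            continue
        if r.macro in ALWAYS_FLAG:
            findings.append((r.line_no, f"{r.macro}: {ALWAYS_FLAG[r.macro]}"))
        elif r.macro in FLAG_FROM_UNTRUSTED and r.source_zone in UNTRUSTED_ZONES:
            findings.append((r.line_no,
                             f"{r.macro} from {r.source_zone}: {FLAG_FROM_UNTRUSTED[r.macro]}"))
        elif r.macro is None and r.proto in ("tcp", "udp") and r.dport is None:
            findings.append((r.line_no,
                             f"{r.action} {r.proto} with no DPORT opens every {r.proto} "
                             f"port from {r.source} to {r.dest}"))
    return findings


def lint_text(text: str) -> List[Tuple[int, str]]:
    return lint(parse_rules(text))


# Constructed sample rules, in the layout used throughout this article.
SAMPLE_RULES = """\
#ACTION          SOURCE              DEST              PROTO   DPORT
DNS(ACCEPT)      all                 dmz
DNS(ACCEPT)      dmz                 net
FTP(DNAT)        net                 dmz:192.168.1.4
Telnet(ACCEPT)   loc                 fw
POP3(ACCEPT)     net                 dmz:192.168.1.5   # cleartext mail from the Internet
IMAPS(ACCEPT)    net                 dmz:192.168.1.5
MySQL(ACCEPT)    loc                 dmz:192.168.1.6
MySQL(ACCEPT)    net                 dmz:192.168.1.6
ACCEPT           loc:192.168.1.0/24  dmz:192.168.1.7   udp
Auth(REJECT)     net                 fw
"""

if __name__ == "__main__":
    for line_no, msg in lint_text(SAMPLE_RULES):
        print(f"line {line_no}: {msg}")
```

Run against the sample, the linter reports the Telnet rule, the cleartext POP3 and MySQL rules whose SOURCE is net, and the bare udp ACCEPT with no DPORT; the Auth(REJECT) rule is not reported because it blocks the service, and MySQL from loc is left alone because only net is treated as untrusted.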

TFTP

You must have TFTP connection tracking support in your kernel. If modularized, the modules are ip_conntrack_tftp (and ip_nat_tftp if any form of NAT is involved). These modules may be loaded using entries in /etc/shorewall/modules; the ip_conntrack_tftp module must be loaded first. Note that the /etc/shorewall/modules file released with recent Shorewall versions contains entries for these modules.

#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     <source>  <destination>    udp        69

Traceroute

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Trcrt(ACCEPT)    <source>  <destination>  #Good for 10 hops

UDP traceroute uses ports 33434 through 33434+<max number of hops>-1. Note that for the firewall to respond with a TTL expired ICMP reply, you will need to allow ICMP type 11 (Time Exceeded) outbound from the firewall. The standard Shorewall sample configurations all set this up for you automatically, since those sample configurations enable all ICMP packet types originating on the firewall itself.

#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     fw        net              icmp
ACCEPT     fw        loc              icmp
ACCEPT     fw        ...

Usenet (NNTP)

#ACTION         SOURCE    DESTINATION      PROTO      DPORT
NNTP(ACCEPT)    <source>  <destination>
NNTPS(ACCEPT)   <source>  <destination>  # secure NNTP

NNTP uses TCP port 119.

VNC

Caution

This information is valid only for Shorewall 3.2 or later.

Vncviewer to Vncserver -- TCP port 5900 + <display number>.

The following rule handles VNC traffic for VNC displays 0 - 9.

#ACTION        SOURCE    DESTINATION      PROTO      DPORT
VNC(ACCEPT)    <source>  <destination>

Vncserver to Vncviewer in listen mode -- TCP port 5500.

#ACTION         SOURCE    DESTINATION      PROTO      DPORT
VNCL(ACCEPT)    <source>  <destination>

Vonage

The standard Shorewall loc->net ACCEPT policy is all that is required for Vonage™ IP phone service to work, provided that you have loaded the tftp helper modules (add the following entries to /etc/shorewall/modules if they are not there already):

Web Access

Caution

This information is valid for Shorewall 3.2 or later.

#ACTION         SOURCE    DESTINATION      PROTO      DPORT
HTTP(ACCEPT)    <source>  <destination>                      # Insecure HTTP
HTTPS(ACCEPT)   <source>  <destination>                      # Secure HTTP

Webmin

#ACTION           SOURCE    DESTINATION      PROTO      DPORT
Webmin(ACCEPT)    <source>  <destination>

Webmin uses TCP port 10000.

Whois

#ACTION          SOURCE    DESTINATION      PROTO      DPORT
Whois(ACCEPT)    <source>  <destination>

X/XDMCP

Assume that the Chooser and/or X Server are running at <chooser> and the Display Manager/X applications are running at <apps>.

#ACTION    SOURCE    DESTINATION      PROTO      DPORT
ACCEPT     <chooser> <apps>           udp        177         #XDMCP
ACCEPT     <apps>    <chooser>        tcp        6000:6009   #X Displays 0-9

Other Sources of Port Information

Didn't find what you are looking for -- have you looked in your own /etc/services file?

Still looking? Try http://www.networkice.com/advice/Exploits/Ports
