Service | Type | Description |
AH | simple |
Server Ports | 51/any |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | IPSec Authentication Header (AH). For more information see the FreeS/WAN documentation and RFC 2402. |
Example | server AH accept |
|
all | complex |
Server Ports | all |
Client Ports | all |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Matches all traffic (all protocols, ports, etc.) while ensuring that the required kernel modules are loaded. This service may indirectly set up a set of other services, if they are required by the kernel modules to be loaded. Currently it also activates ftp, irc and icmp. |
Example | server all accept |
|
amanda | complex |
Server Ports | see notes |
Client Ports | see notes |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | This implementation of AMANDA, the Advanced Maryland Automatic Network Disk Archiver, is based on the notes posted at Amanda's Faq-O-Matic. Based on this, FireHOL allows:
- a connection from the server to the client at udp 10080
- connections from the client to the server at tcp & udp ports controlled by the variable FIREHOL_AMANDA_PORTS.
Default: FIREHOL_AMANDA_PORTS="850:859"
It has been written in the amanda mailing lists that by default amanda chooses ports in the range 600 to 950. If you don't compile amanda yourself you may have to change the variable FIREHOL_AMANDA_PORTS to accept a wider match (but consider the trust relationship you are building with this). I strongly suggest using this service in your firewall like: server amanda accept src 1.2.3.4, or client amanda accept dst 5.6.7.8, in order to limit the hosts that have access to the ports controlled by the variable FIREHOL_AMANDA_PORTS. This complex service correctly handles the multi-socket, bi-directional environment required. Use the FireHOL server directive on the Amanda server, and FireHOL's client directive on the Amanda client. The amanda service will break if it is NATed (to work it would require a bi-directional NAT and a modification in the amanda code to allow connections from/to high ports). USE THIS WITH CARE. MISUSE OF THIS SERVICE MAY LEAD TO OPENING PRIVILEGED PORTS TO ANYONE. |
Example | server amanda accept src 1.2.3.4 |
|
any | complex |
Server Ports | all |
Client Ports | all |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not activate any other service indirectly. In combination with the Optional Rule Parameters this service can match unusual traffic (e.g. GRE, protocol 47). |
Example | server any myname accept proto 47 |
|
anystateless | complex |
Server Ports | all |
Client Ports | all |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not activate any other service indirectly. In combination with the Optional Rule Parameters this service can match unusual traffic (e.g. GRE, protocol 47). This service is exactly the same as the any service, but does not care about the state of the traffic. |
Example | server anystateless myname accept proto 47 |
|
apcupsd | simple |
Server Ports | tcp/6544 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | APC UPS Daemon ports. This service must be defined as server apcupsd accept on all machines not directly connected to the UPS (i.e. slaves). Note that the port defined here is not the default port (6666) used if you download and compile APCUPSD, since that default conflicts with IRC and many distributions (like Debian) have changed it to 6544. You can define port 6544 in APCUPSD by changing the value of NETPORT in its configuration file, or overwrite this FireHOL service definition using the procedures described in Adding Services. |
Example | server apcupsd accept |
|
apcupsdnis | simple |
Server Ports | tcp/3551 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | APC UPS Network Information Server. This service allows the remote web interfaces of APCUPSD to connect to and get information from the server directly connected to the UPS device. |
Example | server apcupsdnis accept |
|
aptproxy | simple |
Server Ports | tcp/9999 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Debian package proxy. |
Example | server aptproxy accept |
|
asterisk | simple |
Server Ports | tcp/5038 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Asterisk is an open source PABX and the Swiss army knife of VoIP. This service refers only to the manager interface of asterisk. You will normally also need to enable sip, h323, rtp, etc. at the firewall level if you enable the corresponding channel drivers of asterisk. |
Example | server asterisk accept |
|
cups | simple |
Server Ports | tcp/631, udp/631 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Common UNIX Printing System. |
Example | server cups accept |
|
custom | complex |
Server Ports | defined in the command |
Client Ports | defined in the command |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | This service is used by FireHOL to allow you to define services it currently does not support. To find out more about this service please check the Adding Services section. |
Example | server custom myimap tcp/143 default accept |
|
cvspserver | simple |
Server Ports | tcp/2401 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server cvspserver accept |
|
darkstat | simple |
Server Ports | tcp/666 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Darkstat is a network traffic analyzer. It's basically a packet sniffer which runs as a background process on a cable/DSL router and gathers all sorts of useless but interesting statistics. |
Example | server darkstat accept |
|
daytime | simple |
Server Ports | tcp/13 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server daytime accept |
|
dcc | simple |
|
dcpp | simple |
Server Ports | tcp/1412, udp/1412 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Direct Connect++ P2P, can be found here. |
Example | server dcpp accept |
|
dhcp | simple |
Server Ports | udp/67 |
Client Ports | 68 |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | The DHCP service was changed in v1.211 of FireHOL and is now implemented as stateless. This has been done because DHCP clients broadcast on the network (src 0.0.0.0 dst 255.255.255.255) to find a DHCP server. If the DHCP service were stateful, the iptables connection tracker would not match the packets and would refuse to send the reply. Note that this change does not affect the security of either DHCP servers or clients, since only the specific ports are allowed (there is no random port at either the server or the client side). Also, keep in mind that the server dhcp accept or client dhcp accept commands should be placed within interfaces that do not have src and/or dst defined (because of the initial broadcast). You can overcome this problem by placing the DHCP service on a separate interface, without an src or dst but with a policy return. Place this interface before the one that defines the rest of the services. For example:
interface eth0 dhcp
policy return
server dhcp accept
interface eth0 lan src "$mylan" dst "$myip"
...
client all accept |
Example | server dhcp accept |
|
dhcprelay | simple |
Server Ports | udp/67 |
Client Ports | 67 |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | DHCP Relay. From RFC 1812 section 9.1.2: "In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP (sub)network. In such cases, a third-party agent is required to transfer BOOTP messages between clients and servers. Such an agent was originally referred to as a BOOTP forwarding agent. However, to avoid confusion with the IP forwarding function of a router, the name BOOTP relay agent has been adopted instead." For more information about DHCP Relay see section 9.1.2 of RFC 1812 and section 4 of RFC 1542. |
Example | server dhcprelay accept |
|
dict | simple |
Server Ports | tcp/2628 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | The Dictionary Server Protocol (DICT) is a TCP transaction-based query/response protocol that allows a client to access dictionary definitions from a set of natural language dictionary databases. See RFC 2229. |
Example | server dict accept |
|
distcc | simple |
Server Ports | tcp/3632 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | distcc is a program to distribute builds of C, C++, Objective C or Objective C++ code across several machines on a network. For distcc security, please check the distcc security design. |
Example | server distcc accept |
|
dns | simple |
Server Ports | udp/53, tcp/53 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server dns accept |
|
echo | simple |
Server Ports | tcp/7 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server echo accept |
|
emule | complex |
Server Ports | many |
Client Ports | many |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | eMule (Donkey network client). According to the eMule Port Definitions, FireHOL defines:
- Connection from any client port to the server at tcp/4661
- Connection from any client port to the server at tcp/4662
- Connection from any client port to the server at udp/4665
- Connection from any client port to the server at udp/4672
- Connection from any server port to the client at tcp/4662
- Connection from any server port to the client at udp/4672
Use the FireHOL client command to match the eMule client. Please note that the eMule client is also an HTTP client. |
Example | client emule accept src 1.1.1.1 |
|
eserver | simple |
Server Ports | tcp/4661, udp/4661, udp/4665 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | eserver is the emule/edonkey server. |
Example | server eserver accept |
|
ESP | simple |
Server Ports | 50/any |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | IPSec Encapsulating Security Payload (ESP). For more information see the FreeS/WAN documentation and RFC 2406. |
Example | server ESP accept |
|
finger | simple |
|
ftp | complex |
Server Ports | many |
Client Ports | many |
Netfilter Modules | ip_conntrack_ftp (CONFIG_IP_NF_FTP) |
Netfilter NAT Modules | ip_nat_ftp (CONFIG_IP_NF_NAT_FTP) |
Notes | The FTP service matches both active and passive FTP connections by utilizing the FTP connection tracker kernel module. |
Example | server ftp accept |
|
gift | simple |
Server Ports | tcp/4302, tcp/1214, tcp/2182, tcp/2472 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | GiFT is a collection of various software components geared towards improving the overall usability of a multitude of peer-to-peer file-sharing networks. The gift FireHOL service supports:
- Gnutella listening at tcp/4302
- FastTrack listening at tcp/1214
- OpenFT listening at tcp/2182 and tcp/2472
The above ports are the defaults given for the corresponding GiFT modules. To allow access to the user interface ports of GiFT, use the giftui FireHOL service. |
Example | server gift accept |
|
giftui | simple |
Server Ports | tcp/1213 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | GiFT is a collection of various software components geared towards improving the overall usability of a multitude of peer-to-peer file-sharing networks. This service refers only to the user interface ports offered by GiFT. To allow GiFT to accept P2P requests, use the gift FireHOL service. |
Example | server giftui accept |
|
gkrellmd | simple |
Server Ports | tcp/19150 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server gkrellmd accept |
|
GRE | simple |
Server Ports | 47/any |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Generic Routing Encapsulation (protocol No 47). For more information see RFC 2784. |
Example | server GRE accept |
|
h323 | simple |
Server Ports | tcp/1720, tcp/1731 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | H.323 is much more complicated than this firewall implementation. Check this document for an explanation. |
Example | server h323 accept |
|
heartbeat | simple |
Server Ports | udp/690:699 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | HeartBeat is the Linux clustering solution available at http://www.linux-ha.org/. This FireHOL service has been designed in such a way that it will allow multiple heartbeat clusters on the same LAN. |
Example | server heartbeat accept |
|
http | simple |
Server Ports | tcp/80 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server http accept |
|
https | simple |
Server Ports | tcp/443 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server https accept |
|
hylafax | complex |
Server Ports | many |
Client Ports | many |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | This complex service allows incoming requests to server port tcp/4559 and outgoing connections from server port tcp/4558. The correct operation of this service has not been verified. USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558). |
Example | server hylafax accept |
|
iax | simple |
Server Ports | udp/5036 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server iax accept |
|
iax2 | simple |
Server Ports | udp/5469, udp/4569 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server iax2 accept |
|
icmp | simple |
Server Ports | icmp/any |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server icmp accept |
|
ICMP | simple |
Server Ports | icmp/any |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server ICMP accept |
|
icp | simple |
Server Ports | udp/3130 |
Client Ports | 3130 |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server icp accept |
|
ident | simple |
Server Ports | tcp/113 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server ident reject with tcp-reset |
|
imap | simple |
Server Ports | tcp/143 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server imap accept |
|
imaps | simple |
Server Ports | tcp/993 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server imaps accept |
|
irc | simple |
Server Ports | tcp/6667 |
Client Ports | default |
Netfilter Modules | ip_conntrack_irc (CONFIG_IP_NF_IRC) |
Netfilter NAT Modules | ip_nat_irc (CONFIG_IP_NF_NAT_IRC) |
Notes | |
Example | server irc accept |
|
isakmp | simple |
Server Ports | udp/500 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | IPSec key negotiation (IKE on UDP port 500). For more information see the FreeS/WAN documentation. |
Example | server isakmp accept |
|
jabber | simple |
Server Ports | tcp/5222, tcp/5223 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Jabber Instant Messenger. This definition allows both clear and SSL jabber client-to-jabber-server connections, as given in this Jabber FAQ. |
Example | server jabber accept |
|
jabberd | simple |
Server Ports | tcp/5222, tcp/5223, tcp/5269 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Jabberd Instant Messenger Server. This definition allows both clear and SSL jabber client-to-jabber-server and jabber server-to-server connections, as given in this Jabberd FAQ. Use this service for a jabberd server. In all other cases, use the jabber service. |
Example | server jabberd accept |
|
ldap | simple |
Server Ports | tcp/389 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server ldap accept |
|
ldaps | simple |
Server Ports | tcp/636 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server ldaps accept |
|
lpd | simple |
Server Ports | tcp/515 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Line Printer Daemon Protocol (LPD). LPD is documented in RFC 1179. Since many operating systems incorrectly use the default client ports for LPD access, this definition allows the default client ports to access the service (in addition to the RFC-defined ports 721 to 731 inclusive). |
Example | server lpd accept |
|
microsoft_ds | simple |
Server Ports | tcp/445 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Direct Hosted (i.e. NETBIOS-less) SMB. This is another NETBIOS Session Service with minor differences from netbios_ssn. It is supported only by Windows 2000 and Windows XP and it offers the advantage of being independent of WINS for name resolution. It seems that samba transparently supports this protocol on the netbios_ssn ports, so that either direct hosted or traditional SMB can be served simultaneously. Please refer to the netbios_ssn service for more information. |
Example | server microsoft_ds accept |
|
mms | simple |
Server Ports | tcp/1755, udp/1755 |
Client Ports | default |
Netfilter Modules | ip_conntrack_mms (CONFIG_IP_NF_MMS) |
Netfilter NAT Modules | ip_nat_mms (CONFIG_IP_NF_NAT_MMS) |
Notes | |
Example | server mms accept |
|
ms_ds | simple |
Server Ports | tcp/445 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Direct Hosted (i.e. NETBIOS-less) SMB. This is another NETBIOS Session Service with minor differences from netbios_ssn. It is supported only by Windows 2000 and Windows XP and it offers the advantage of being independent of WINS for name resolution. It seems that samba transparently supports this protocol on the netbios_ssn ports, so that either direct hosted or traditional SMB can be served simultaneously. Please refer to the netbios_ssn service for more information. |
Example | server ms_ds accept |
|
msn | simple |
Server Ports | tcp/6891 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Microsoft MSN Messenger Service. For a discussion about what works and what does not, please take a look at this technet note. |
Example | server msn accept |
|
multicast | complex |
Server Ports | N/A |
Client Ports | N/A |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | The multicast service matches all packets sent to 224.0.0.0/4 using IGMP or UDP. |
Example | server multicast reject with proto-unreach |
|
mysql | simple |
Server Ports | tcp/3306 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server mysql accept |
|
netbackup | simple |
Server Ports | tcp/13701, tcp/13711, tcp/13720, tcp/13721, tcp/13724, tcp/13782, tcp/13783 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | This is the Veritas NetBackup service. To use this service you must define it as both client and server on NetBackup clients and NetBackup servers. |
Example | server netbackup accept
client netbackup accept |
|
netbios_dgm | simple |
Server Ports | udp/138 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | NETBIOS Datagram Service. See also the samba service. Keep in mind that this service broadcasts UDP packets (to the broadcast address of your LAN). If you place this service within an interface that has a dst parameter, remember to include the broadcast address of your LAN in the dst parameter too. |
Example | server netbios_dgm accept |
|
netbios_ns | simple |
Server Ports | udp/137 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | NETBIOS Name Service. See also the samba service. |
Example | server netbios_ns accept |
|
netbios_ssn | simple |
Server Ports | tcp/139 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | NETBIOS Session Service. See also the samba service. Please keep in mind that newer NETBIOS clients prefer to use port 445 (microsoft_ds) for the NETBIOS session service, and when this is not available they fall back to port 139 (netbios_ssn). Versions of samba above 3.x bind automatically to ports 139 and 445. If you have an older samba version and your policy on an interface or router is DROP, clients trying to access port 445 will have to time out before falling back to port 139. This timeout can be up to several minutes. To overcome this problem either explicitly REJECT the microsoft_ds service with a tcp-reset message (server microsoft_ds reject with tcp-reset), or redirect port 445 to port 139 using the following rule (put it all on one line at the top of your FireHOL config):
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 1.1.1.1/24 --dport 445 -d 2.2.2.2 -j REDIRECT --to-port 139
or
redirect to 139 inface eth0 src 1.1.1.1/24 proto tcp dst 2.2.2.2 dport 445
where:
- eth0 is the network interface your NETBIOS server uses
- 1.1.1.1/24 is the subnet matching all the clients' IP addresses
- 2.2.2.2 is the IP of your linux server on eth0 (or whatever interface you set in the first rule above)
|
Example | server netbios_ssn accept |
|
nfs | complex |
Server Ports | many |
Client Ports | 500:65535 |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | The NFS service queries the RPC service on the NFS server host to find out the ports nfsd, mountd, lockd and rquotad are listening on. Then, according to these ports, it sets up rules on all the supported protocols (as reported by RPC) so that the clients are able to reach the server. For this reason, the NFS service requires that:
- the firewall is restarted if the NFS server is restarted
- the NFS server must be specified on all nfs statements (only if it is not the localhost)
Since NFS queries the remote RPC server, it must also be allowed to do so, by allowing the portmap service too. Take care that this is allowed by the running firewall when FireHOL tries to query the RPC server. So you might have to set up NFS in two steps: first add the portmap service and activate the firewall, then add the NFS service and restart the firewall. To avoid this you can set up your NFS server to listen on pre-defined ports, as is well documented in http://nfs.sourceforge.net/nfs-howto/security.html#FIREWALLS. If you do this then you will have to define the ports using the procedure described in Adding Services. |
Example | client nfs accept dst 1.2.3.4 |
|
nis | complex |
Server Ports | many |
Client Ports | 500:65535 |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | The nis service queries the RPC service on the nis server host to find out the ports ypserv and yppasswdd are listening on. Then, according to these ports, it sets up rules on all the supported protocols (as reported by RPC) so that the clients are able to reach the server. For this reason, the nis service requires that:
- the firewall is restarted if the nis server is restarted
- the nis server must be specified on all nis statements (only if it is not the localhost)
Since nis queries the remote RPC server, it must also be allowed to do so, by allowing the portmap service too. Take care that this is allowed by the running firewall when FireHOL tries to query the RPC server. So you might have to set up nis in two steps: first add the portmap service and activate the firewall, then add the nis service and restart the firewall. This service has been created by Carlos Rodrigues. His comments regarding this implementation are: "These rules work for client access only! Pushing changes to slave servers won't work if these rules are active somewhere between the master and its slaves, because it is impossible to predict the ports where yppush will be listening on each push. Pulling changes directly on the slaves will work, and could be improved performance-wise if these rules are modified to open fypxfrd. This wasn't done because it doesn't make that much sense, since pushing changes on the master server is the most common, and recommended, way to replicate maps." |
Example | client nis accept dst 1.2.3.4 |
|
nntp | simple |
Server Ports | tcp/119 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server nntp accept |
|
nntps | simple |
Server Ports | tcp/563 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server nntps accept |
|
ntp | simple |
Server Ports | udp/123, tcp/123 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server ntp accept |
|
nut | simple |
Server Ports | tcp/3493, udp/3493 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server nut accept |
|
nxserver | simple |
Server Ports | tcp/5000:5200 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Default ports used by NX server for connections without encryption. Note that nxserver also needs the ssh service to be enabled. This information has been extracted from this document. As stated there, the TCP ports used by nxserver are 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT. DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200. For encrypted nxserver sessions, only ssh is needed. |
Example | server nxserver accept |
|
oracle | simple |
Server Ports | tcp/1521 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server oracle accept |
|
OSPF | simple |
Server Ports | 89/any |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server OSPF accept |
|
p2p | simple |
Server Ports | |
Client Ports | |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server p2p accept |
|
ping | complex |
Server Ports | N/A |
Client Ports | N/A |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | This service matches requests of protocol ICMP and type echo-request (TYPE=8) and their replies of type echo-reply (TYPE=0). The ping service is stateful. |
Example | server ping accept |
|
pop3 | simple |
Server Ports | tcp/110 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server pop3 accept |
|
pop3s | simple |
Server Ports | tcp/995 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server pop3s accept |
|
portmap | simple |
Server Ports | udp/111, tcp/111 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server portmap accept |
|
postgres | simple |
Server Ports | tcp/5432 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server postgres accept |
|
pptp | complex |
Server Ports | tcp/1723 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | In addition to the above, the PPTP service allows stateful GRE traffic (protocol 47) to flow between the PPTP server and the client. |
Example | server pptp accept |
|
privoxy | simple |
Server Ports | tcp/8118 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server privoxy accept |
|
radius | simple |
Server Ports | udp/1812, udp/1813 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server radius accept |
|
radiusold | simple |
Server Ports | udp/1645, udp/1646 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server radiusold accept |
|
radiusoldproxy | simple |
Server Ports | udp/1647 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server radiusoldproxy accept |
|
radiusproxy | simple |
Server Ports | udp/1814 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server radiusproxy accept |
|
rdp | simple |
Server Ports | tcp/3389 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | Remote Desktop Protocol is the protocol used for Windows Remote Desktop Connections (also known as Terminal Services). For more information see this FAQ. |
Example | server rdp accept |
|
rndc | simple |
Server Ports | tcp/953 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server rndc accept |
|
rsync | simple |
Server Ports | tcp/873, udp/873 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server rsync accept |
|
rtp | simple |
Server Ports | udp/10000:20000 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | RTP is the internet standard protocol for the transport of real-time data, including audio and video. RTP is used in virtually all voice-over-IP architectures, for videoconferencing, media-on-demand, and other applications. RTP ports are generally all the UDP ports. |
Example | server rtp accept |
|
samba | complex |
Server Ports | many |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | The samba service automatically sets all the rules for netbios_ns, netbios_dgm, netbios_ssn and microsoft_ds. Please refer to the notes of the above services for more information. NETBIOS initiates based on the broadcast address of an interface (the request goes to the broadcast address) but the server responds from its own IP address. This makes the server samba accept statement drop the server reply, because of the way the iptables connection tracker works. This service definition includes a hack that allows a linux samba server to respond correctly in such situations, by allowing new outgoing connections from the well-known netbios_ns port to the clients' high ports. However, for clients and routers this hack is not applied because it would open all unprivileged ports to the samba server. The only solution to overcome the problem in such cases (routers or clients) is to build a trust relationship between the samba servers and clients. |
Example | server samba accept |
|
sip | simple |
Server Ports | udp/5060 |
Client Ports | 5060, default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | SIP is the Session Initiation Protocol, an IETF standard protocol (RFC 2543) for initiating interactive user sessions involving multimedia elements such as video, voice, chat, gaming, etc. SIP works in the application layer of the OSI communications model. |
Example | server sip accept |
|
smtp | simple |
Server Ports | tcp/25 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server smtp accept |
|
smtps | simple |
Server Ports | tcp/465 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server smtps accept |
|
snmp | simple |
Server Ports | udp/161 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server snmp accept |
|
snmptrap | simple |
Server Ports | udp/162 |
Client Ports | any |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server snmptrap accept |
|
socks | simple |
Server Ports | tcp/1080, udp/1080 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server socks accept |
|
squid | simple |
Server Ports | tcp/3128 |
Client Ports | default |
Netfilter Modules | |
Netfilter NAT Modules | |
Notes | |
Example | server squid accept |
|
ssh |
simple |
Server Ports |
tcp/22
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server ssh accept |
|
stun |
simple |
Server Ports |
udp/3478
,
udp/3479
| Client Ports |
any
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | STUN is a protocol for assisting devices behind a NAT firewall or router with their packet routing. |
Example | server stun accept |
|
submission |
simple |
Server Ports |
tcp/587
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server submission accept |
|
sunrpc |
simple |
Server Ports |
udp/111
,
tcp/111
| Client Ports |
any
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server sunrpc accept |
|
swat |
simple |
Server Ports |
tcp/901
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server swat accept |
|
syslog |
simple |
Server Ports |
udp/514
| Client Ports |
syslog
,
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server syslog accept |
|
telnet |
simple |
Server Ports |
tcp/23
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server telnet accept |
|
tftp |
complex |
Server Ports |
many
| Client Ports |
many
| Netfilter Modules |
ip_conntrack_tftp (CONFIG_IP_NF_TFTP)
| Netfilter NAT Modules |
ip_nat_tftp (CONFIG_IP_NF_NAT_TFTP)
|
Notes | The TFTP service matches UDP TFTP connections by utilizing the TFTP connection tracker kernel module. |
Example | server tftp accept |
|
time |
simple |
Server Ports |
tcp/37
,
udp/37
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server time accept |
|
timestamp |
complex |
Server Ports |
N/A
| Client Ports |
N/A
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | This services matches requests of protocol ICMP and type timestamp-request (TYPE=13) and their replies of type timestamp-reply (TYPE=14). The timestamp service is stateful. |
Example | server timestamp accept |
|
upnp |
simple |
Server Ports |
udp/1900
,
tcp/2869
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | UPNP is Univeral Plug and Play. For a linux implementation check: Linux IGD. |
Example | server upnp accept |
|
uucp |
simple |
Server Ports |
tcp/540
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server uucp accept |
|
vmware |
simple |
Server Ports |
tcp/902
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server vmware accept |
|
vmwareauth |
simple |
Server Ports |
tcp/903
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server vmwareauth accept |
|
vmwareweb |
simple |
Server Ports |
tcp/8222
,
tcp/8333
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server vmwareweb accept |
|
vnc |
simple |
Server Ports |
tcp/5900:5903
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server vnc accept |
|
webcache |
simple |
Server Ports |
tcp/8080
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server webcache accept |
|
webmin |
simple |
Server Ports |
tcp/10000
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | Webmin is a web-based interface for system administration for Unix. |
Example | server webmin accept |
|
whois |
simple |
|
xbox |
simple |
Server Ports |
| Client Ports |
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | |
Example | server xbox accept |
|
xdmcp |
simple |
Server Ports |
udp/177
| Client Ports |
default
| Netfilter Modules |
| Netfilter NAT Modules |
|
Notes | X Display Manager Control Protocol See http://www.jirka.org/gdm-documentation/x70.html for a discussion about XDMCP and firewalls (this is about Gnome Display Manager, a replacement of XDM). |
Example | server xdmcp accept |
|