Provided by: firehol-doc_2.0.3+ds-1_all

NAME

       firehol-services - FireHOL services list

SYNOPSIS

       AH all amanda any anystateless apcupsd apcupsdnis aptproxy asterisk

       cups custom cvspserver

       darkstat daytime dcc dcpp dhcp dhcprelay dhcpv6 dict distcc dns

       echo emule eserver ESP

       finger ftp

       gift giftui gkrellmd GRE

       h323 heartbeat http httpalt https hylafax

       iax iax2 ICMP icmp ICMPV6 icmpv6 icp ident imap imaps ipsecnatt ipv6error ipv6neigh
       ipv6router irc isakmp

       jabber jabberd

       l2tp ldap ldaps lpd

       microsoft_ds mms msn msnp ms_ds multicast mysql

       netbackup netbios_dgm netbios_ns netbios_ssn nfs nis nntp nntps nrpe ntp nut nxserver

       openvpn oracle OSPF

       ping pop3 pop3s portmap postgres pptp privoxy

       radius radiusold radiusoldproxy radiusproxy rdp rndc rsync rtp

       samba sane sip smtp smtps snmp snmptrap socks squid ssh stun submission sunrpc swat syslog

       telnet tftp time timestamp tomcat

       upnp uucp

       vmware vmwareauth vmwareweb vnc

       webcache webmin whois

       xbox xdmcp

DESCRIPTION

   service: AH
       IPSec Authentication Header (AH)
              Example:

                       server AH accept

              Service Type:

              • simple

              Server Ports:

              • 51/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/IPsec#Authentication_Header)

              Notes

              > For more information see this
              > [Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#AH.ipsec)
              > and [RFC 2402](http://www.ietf.org/rfc/rfc2402.txt).

   service: all
       Match all traffic
              Example:

                       server all accept

              Service Type:

              • complex

              Server Ports:

              • all

              Client Ports:

              • all

              Notes

                     Matches all traffic (all protocols, ports, etc) while ensuring that required
                     kernel modules are loaded.

                     This  service  may indirectly setup a set of other services, if they require
                     kernel modules to be loaded.  The following complex services are activated:

                     ftp irc

   service: amanda
       Advanced Maryland Automatic Network Disk Archiver
              Service Type:

              • simple

              Server Ports:

              • udp/10080

              Client Ports:

              • default

              Netfilter Modules

               • nf_conntrack_amanda CONFIG_NF_CONNTRACK_AMANDA (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_AMANDA.html)

              Netfilter NAT Modules

               • nf_nat_amanda CONFIG_NF_NAT_AMANDA (http://cateee.net/lkddb/web-lkddb/NF_NAT_AMANDA.html)

              Links

              • Homepage (http://www.amanda.org/)

              • Wikipedia
                (http://en.wikipedia.org/wiki/Advanced_Maryland_Automatic_Network_Disk_Archiver)

   service: any
       Match all traffic (without modules or indirect)
              Example:

                        server any myname accept proto 47

              Service Type:

              • complex

              Server Ports:

              • all

              Client Ports:

              • all

              Notes

                     Matches  all  traffic  (all  protocols, ports, etc), but does not care about
                     kernel modules and does not  activate  any  other  service  indirectly.   In
                     combination  with  the  firehol-params(5)  this  service  can  match unusual
                     traffic (e.g.  GRE - protocol 47).

                     Note that you have to supply your own name in addition to "any".

   service: anystateless
       Match all traffic statelessly
              Example:

                        server anystateless myname accept proto 47

              Service Type:

              • complex

              Server Ports:

              • all

              Client Ports:

              • all

              Notes

                     Matches all traffic (all protocols, ports, etc), but  does  not  care  about
                     kernel  modules  and  does  not  activate  any other service indirectly.  In
                     combination with  the  firehol-params(5)  this  service  can  match  unusual
                     traffic (e.g.  GRE - protocol 47).

                     This  service  is  identical  to  "any" but does not care about the state of
                     traffic.

                     Note that you have to supply your own name in addition to "anystateless".

   service: apcupsd
       APC UPS Daemon
              Example:

                       server apcupsd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/6544

              Client Ports:

              • default

              Links

              • Homepage (http://www.apcupsd.com)

              • Wikipedia (http://en.wikipedia.org/wiki/Apcupsd)

              Notes

              > This service must be defined as "server apcupsd accept" on
              > all machines not directly connected to the UPS (i.e. slaves).
              >
              > Note that the port defined here is not the default port (6666)
              > used if you download and compile APCUPSD, since the default
              > conflicts with IRC and many distributions (like Debian) have
              > changed this to 6544.
              >
               > You can define port 6544 in APCUPSD, by changing the value
               > of NETPORT in its configuration file, or override this
               > FireHOL service definition using the procedures described
               > under Adding Services in firehol.conf(5).

   service: apcupsdnis
       APC UPS Daemon Network Information Server
              Example:

                       server apcupsdnis accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3551

              Client Ports:

              • default

              Links

              • Homepage (http://www.apcupsd.com)

              • Wikipedia (http://en.wikipedia.org/wiki/Apcupsd)

              Notes

              > This service allows the remote WEB interfaces of
              > [APCUPSD](http://www.apcupsd.com/), to connect
              > and get information from the server directly connected to
              > the UPS device.

   service: aptproxy
       Advanced Packaging Tool Proxy
              Example:

                       server aptproxy accept

              Service Type:

              • simple

              Server Ports:

              • tcp/9999

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Apt-proxy)

   service: asterisk
       Asterisk PABX
              Example:

                       server asterisk accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5038

              Client Ports:

              • default

              Links

              • Homepage (http://www.asterisk.org)

              • Wikipedia (http://en.wikipedia.org/wiki/Asterisk_PBX)

              Notes

               > This service refers only to the manager interface of asterisk.
               > You should normally also enable sip, h323, rtp, etc. at the
               > firewall level, if you enable the corresponding channel drivers
               > of asterisk.

   service: cups
       Common UNIX Printing System
              Example:

                       server cups accept

              Service Type:

              • simple

              Server Ports:

              • tcp/631 udp/631

              Client Ports:

              • any

              Links

              • Homepage (http://www.cups.org)

              • Wikipedia (http://en.wikipedia.org/wiki/Common_Unix_Printing_System)

   service: custom
       Custom definitions
              Example:

                       server custom myimap tcp/143 default accept

              Service Type:

              • custom

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Notes

                     The full syntax is:

                     subcommand custom name svr-proto/ports cli-ports action params

                     This service is used by FireHOL to allow you create rules for services which
                     do not have a definition.

                     subcommand, action and params have their usual meanings.

                     A  name must be supplied along with server ports in the form proto/range and
                     client ports which takes only a range.

                     To define services with the built-in extension mechanism to avoid  the  need
                     for custom services, see Adding Services in firehol.conf(5).
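               The two ways of firewalling a service that has no built-in
               definition, side by side, as an added example that is not part
               of this manual: a one-off custom rule, and a named service
               declared through the server_NAME_ports / client_NAME_ports
               variables described under Adding Services in firehol.conf(5).
               The interface names, the addresses and the service names
               imapcustom and myimap are assumptions.

```firehol
# Added example (not from the FireHOL documentation): two ways to firewall
# a service that has no built-in definition.  Interface names, the
# addresses and the service names imapcustom / myimap are assumptions.

# 1. A one-off custom rule.  Syntax:
#    subcommand custom name svr-proto/ports cli-ports action params
#    Server ports take proto/range; client ports take only a range.
#    The rule is not reusable: every custom line repeats the full spec.
interface eth0 lan src 192.0.2.0/24
    policy drop
    server custom imapcustom tcp/143 default accept

# 2. The same ports declared once as a named service, using the
#    server_NAME_ports / client_NAME_ports variables documented under
#    "Adding Services" in firehol.conf(5).  The name can then be used
#    wherever a built-in service name can, on any interface or router.
server_myimap_ports="tcp/143"
client_myimap_ports="default"

interface eth1 dmz src 198.51.100.0/24
    policy drop
    server myimap accept
```

               Prefer the second form whenever the same service appears in
               more than one interface or router: the port list lives in one
               place, so a later port change cannot leave one rule behind.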

   service: cvspserver
       Concurrent Versions System
              Example:

                       server cvspserver accept

              Service Type:

              • simple

              Server Ports:

              • tcp/2401

              Client Ports:

              • default

              Links

              • Homepage (http://www.nongnu.org/cvs/)

              • Wikipedia (http://en.wikipedia.org/wiki/Concurrent_Versions_System)

   service: darkstat
       Darkstat network traffic analyser
              Example:

                       server darkstat accept

              Service Type:

              • simple

              Server Ports:

              • tcp/666

              Client Ports:

              • default

              Links

              • Homepage (http://unix4lyfe.org/darkstat/)

   service: daytime
       Daytime Protocol
              Example:

                       server daytime accept

              Service Type:

              • simple

              Server Ports:

              • tcp/13

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Daytime_Protocol)

   service: dcc
       Distributed Checksum Clearinghouse
              Example:

                       server dcc accept

              Service Type:

              • simple

              Server Ports:

              • udp/6277

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse)

              Notes

              > See also this
              > [DCC FAQ](http://www.rhyolite.com/dcc/FAQ.html#firewall-ports).

   service: dcpp
       Direct Connect++ P2P
              Example:

                       server dcpp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1412 udp/1412

              Client Ports:

              • default

              Links

              • Homepage (http://dcplusplus.sourceforge.net)

   service: dhcp
       Dynamic Host Configuration Protocol
              Example:

                       server dhcp accept

              Service Type:

              • complex

              Server Ports:

              • udp/67

              Client Ports:

              • 68

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Dhcp)

              Notes

               > The dhcp service is implemented as stateless rules.
               >
               > DHCP clients broadcast to the network (src 0.0.0.0
               > dst 255.255.255.255) to find a DHCP server. If the DHCP
               > service were stateful, the iptables connection tracker would
               > not match these packets and the reply would be denied.
               >
               > Note that this does not affect the security of either
               > DHCP servers or clients, since only the specific ports are
               > allowed (there is no random port at either the server or the
               > client side).
               >
               > Note also that the "server dhcp accept" or "client dhcp accept"
               > commands should be placed within interfaces that do not
               > have src and / or dst defined (because of the initial
               > broadcast).
               >
               > You can overcome this problem by placing the DHCP service on
               > a separate interface, without a src or dst but with a policy
               > return. Place this interface before the one that defines the
               > rest of the services.
               >
               > For example:
               >
               >     interface eth0 dhcp
               >         policy return
               >         server dhcp accept
               >
               >     interface eth0 lan src "$mylan" dst "$myip"
               >         client all accept
               >
               > This service implicitly sets its client or server to ipv4 mode.

   service: dhcprelay
       DHCP Relay
              Example:

                       server dhcprelay accept

              Service Type:

              • simple

              Server Ports:

              • udp/67

              Client Ports:

              • 67

              Links

              • Wikipedia
                (http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying)

              Notes

              > From RFC 1812 section 9.1.2:
              >
              > In many cases, BOOTP clients and their associated BOOTP
              > server(s) do not reside on the same IP (sub)network. In
              > such cases, a third-party agent is required to transfer
              > BOOTP messages between clients and servers. Such an agent
              > was originally referred to as a BOOTP forwarding agent.
              > However, to avoid confusion with the IP forwarding function
              > of a router, the name BOOTP relay agent has been adopted
              > instead.
              >
              > For more information about DHCP Relay see section 9.1.2 of
              > [RFC 1812](http://www.ietf.org/rfc/rfc1812.txt)
              > and section 4 of
              > [RFC 1542](http://www.ietf.org/rfc/rfc1542.txt)

   service: dhcpv6
       Dynamic Host Configuration Protocol for IPv6
              Example:

                        server dhcpv6 accept
                        client dhcpv6 accept

              Service Type:

              • complex

              Server Ports:

              • udp/547

              Client Ports:

              • udp/546

              Links

              • Wikipedia (https://en.wikipedia.org/wiki/DHCPv6)

              Notes

               > The dhcpv6 service is implemented as stateless rules.
               > It cannot be stateful as the connection tracker will not
               > match a unicast reply to a multicast request. Further,
               > if you wish to add src/dst rule parameters, you must
               > account for both the multicast address and the link-local
               > prefix used by the initial exchange.
               >
               > Clients send from a link-local address to the
               > multicast address ff02::1:2 on UDP port 547 to find a
               > server. The server sends a unicast reply back to the
               > client, which listens on UDP port 546.
               >
               > For a FireHOL interface, creating a client will allow
               > sending to port 547 and receiving on port 546. Creating
               > a server allows sending to port 546 and receiving on port 547.
               >
               > Unlike DHCP for IPv4, the source ports to be used are not
               > defined in DHCPv6 - see section 5.2 of
               > [RFC3315](http://www.ietf.org/rfc/rfc3315.txt).
               > Some servers are known to make use of this to send from
               > arbitrary ports, so FireHOL does not assume a source port.
               >
               > This service implicitly sets its client or server to ipv6 mode.
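               The placement rule from the dhcp and dhcpv6 notes (a separate
               interface definition with policy return, placed before the one
               that carries the real policy) applied to a dual-stack client
               host, as an added example that is not part of this manual.
               The interface eth0, the names dhcp, lan4 and lan6 and the
               address variables are assumptions; dhcp implicitly runs in
               ipv4 mode and dhcpv6 in ipv6 mode, so neither needs an ipv4
               or ipv6 prefix.

```firehol
# Added example (not from the FireHOL documentation): DHCPv4 and DHCPv6
# client rules on a dual-stack host.  eth0, the interface names and the
# address variables are assumptions.
#
# The DHCP rules get their own interface definition, without src or dst,
# ahead of the interfaces that carry the real policy: the initial
# exchange is a broadcast (IPv4, 0.0.0.0 -> 255.255.255.255) or a
# multicast to ff02::1:2 (IPv6), so it would match neither a src/dst
# restriction nor the connection tracker.
mylan4="192.0.2.0/24"
myip4="192.0.2.10"

interface eth0 dhcp
    policy return          # anything that is not DHCP falls through
    client dhcp accept     # IPv4: send to udp/67, receive on udp/68
    client dhcpv6 accept   # IPv6: send to udp/547, receive on udp/546

ipv4 interface eth0 lan4 src "$mylan4" dst "$myip4"
    policy drop
    server ssh accept
    client all accept

# No src here on purpose: IPv6 neighbour discovery and the DHCPv6
# exchange arrive from link-local (fe80::/10) addresses, which a src
# restricted to the global prefix would exclude.
ipv6 interface eth0 lan6
    policy drop
    server ipv6error accept
    server ssh accept
    client all accept
```

               Because the dhcp interface returns instead of dropping, every
               other packet on eth0 continues to the lan4 or lan6 definition,
               where the normal policy applies; the order of the three
               definitions is what makes this work.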

   service: dict
       Dictionary Server Protocol
              Example:

                       server dict accept

              Service Type:

              • simple

              Server Ports:

              • tcp/2628

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/DICT)

              Notes

              > See
              > [RFC2229](http://www.ietf.org/rfc/rfc2229.txt).

   service: distcc
       Distributed CC
              Example:

                       server distcc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3632

              Client Ports:

              • default

              Links

              • Homepage (http://distcc.samba.org/)

              • Wikipedia (http://en.wikipedia.org/wiki/Distcc)

              Notes

              > For distcc security, please check the
              > [distcc security design](http://distcc.googlecode.com/svn/trunk/doc/web/security.html).

   service: dns
       Domain Name System
              Example:

                       server dns accept

              Service Type:

              • simple

              Server Ports:

              • udp/53 tcp/53

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Domain_Name_System)

              Notes

              > On very busy DNS servers you may see a few dropped DNS
              > packets in your logs. This is normal. The iptables
              > connection tracker will timeout the session and lose
              > unmatched DNS packets that arrive too late to be useful.

   service: echo
       Echo Protocol
              Example:

                       server echo accept

              Service Type:

              • simple

              Server Ports:

              • tcp/7

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Echo_Protocol)

   service: emule
       eMule (Donkey network client)
              Example:

                       client emule accept src 192.0.2.1

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • many

              Links

              • Homepage (http://www.emule-project.com)

              Notes

              > According to
              > [eMule Port Definitions](http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=122),
              > FireHOL defines:
              >
              > * Accept from any client port to the server at tcp/4661
              > * Accept from any client port to the server at tcp/4662
              > * Accept from any client port to the server at udp/4665
              > * Accept from any client port to the server at udp/4672
              > * Accept from any server port to the client at tcp/4662
              > * Accept from any server port to the client at udp/4672
              >
               > Use the FireHOL client command (see firehol-client(5))
               > to match the eMule client.
              >
              > Please note that the eMule client is an HTTP client also.

   service: eserver
       eDonkey network server
              Example:

                       server eserver accept

              Service Type:

              • simple

              Server Ports:

              • tcp/4661 udp/4661 udp/4665

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Eserver)

   service: ESP
       IPSec Encapsulated Security Payload (ESP)
              Example:

                       server ESP accept

              Service Type:

              • simple

              Server Ports:

              • 50/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload)

              Notes

               > For more information see this
               > [Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#ESP.ipsec)
               > and [RFC 2406](http://www.ietf.org/rfc/rfc2406.txt).

   service: finger
       Finger Protocol
              Example:

                       server finger accept

              Service Type:

              • simple

              Server Ports:

              • tcp/79

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Finger_protocol)

   service: ftp
       File Transfer Protocol
              Example:

                       server ftp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/21

              Client Ports:

              • default

              Netfilter Modules

               • nf_conntrack_ftp CONFIG_NF_CONNTRACK_FTP (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_FTP.html)

              Netfilter NAT Modules

              • nf_nat_ftp CONFIG_NF_NAT_FTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_FTP.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ftp)

              Notes

               > The FTP service matches both active and passive FTP
               > connections, provided the nf_conntrack_ftp helper listed
               > above is loaded so that the data connections are tracked
               > as related to the control connection on tcp/21.

   service: gift
       giFT Internet File Transfer
              Example:

                       server gift accept

              Service Type:

              • simple

              Server Ports:

              • tcp/4302 tcp/1214 tcp/2182 tcp/2472

              Client Ports:

              • any

              Links

              • Homepage (http://gift.sourceforge.net)

              • Wikipedia (http://en.wikipedia.org/wiki/GiFT)

              Notes

              > The gift FireHOL service supports:
              >
              > * Gnutella listening at tcp/4302
              > * FastTrack listening at tcp/1214
              > * OpenFT listening at tcp/2182 and tcp/2472
              >
              > The above ports are the defaults given for the corresponding
              > giFT modules.
              >
               > To allow access to the user interface ports of giFT, use
               > the giftui service.

   service: giftui
       giFT Internet File Transfer User Interface
              Example:

                       server giftui accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1213

              Client Ports:

              • default

              Links

              • Homepage (http://gift.sourceforge.net)

              • Wikipedia (http://en.wikipedia.org/wiki/GiFT)

              Notes

               > This service refers only to the user interface ports offered
               > by giFT. To allow giFT to accept P2P requests, use the
               > gift service.

   service: gkrellmd
       GKrellM Daemon
              Example:

                       server gkrellmd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/19150

              Client Ports:

              • default

              Links

              • Homepage (http://gkrellm.net/)

              • Wikipedia (http://en.wikipedia.org/wiki/Gkrellm)

   service: GRE
       Generic Routing Encapsulation
              Example:

                       server GRE accept

              Service Type:

              • simple

              Server Ports:

              • 47/any

              Client Ports:

              • any

              Netfilter Modules

               • nf_conntrack_proto_gre CONFIG_NF_CT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_CT_PROTO_GRE.html)

              Netfilter NAT Modules

               • nf_nat_proto_gre CONFIG_NF_NAT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_NAT_PROTO_GRE.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation)

              Notes

               > Protocol No 47.
               >
               > For more information see [RFC 2784](http://www.ietf.org/rfc/rfc2784.txt).

   service: h323
       H.323 VoIP
              Example:

                       server h323 accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1720

              Client Ports:

              • default

              Netfilter Modules

               • nf_conntrack_h323 CONFIG_NF_CONNTRACK_H323 (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_H323.html)

              Netfilter NAT Modules

               • nf_nat_h323 CONFIG_NF_NAT_H323 (http://cateee.net/lkddb/web-lkddb/NF_NAT_H323.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/H323)

   service: heartbeat
       HeartBeat
              Example:

                       server heartbeat accept

              Service Type:

              • simple

              Server Ports:

              • udp/690:699

              Client Ports:

              • default

              Links

              • Homepage (http://www.linux-ha.org/)

              Notes

               > This FireHOL service has been designed in such a way that it
               > will allow multiple heartbeat clusters on the same LAN.

   service: http
       Hypertext Transfer Protocol
              Example:

                       server http accept

              Service Type:

              • simple

              Server Ports:

              • tcp/80

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Http)

   service: httpalt
       HTTP alternate port
              Example:

                       server httpalt accept

              Service Type:

              • simple

              Server Ports:

              • tcp/8080

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Http)

              Notes

               > This port is commonly used by web servers, web proxies
               > and caches where the standard http port
               > is not available or cannot or should not be used.

   service: https
       Secure Hypertext Transfer Protocol
              Example:

                       server https accept

              Service Type:

              • simple

              Server Ports:

              • tcp/443

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Https)

   service: hylafax
       HylaFAX
              Example:

                       server hylafax accept

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • many

              Links

              • Homepage (http://www.hylafax.org)

              • Wikipedia (http://en.wikipedia.org/wiki/Hylafax)

              Notes

              > This service allows incoming requests to server port
              > tcp/4559 and outgoing from server port tcp/4558.
              >
              > The correct operation of this service has not been verified.
              >
              > USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP
              > UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558).

   service: iax
       Inter-Asterisk eXchange
              Example:

                       server iax accept

              Service Type:

              • simple

              Server Ports:

              • udp/5036

              Client Ports:

              • default

              Links

              • Homepage (http://www.asterisk.org)

              • Wikipedia (http://en.wikipedia.org/wiki/Iax)

              Notes

               > This service refers to IAX version 1.
               > There is also the iax2 service.

   service: iax2
       Inter-Asterisk eXchange v2
              Example:

                       server iax2 accept

              Service Type:

              • simple

              Server Ports:

              • udp/5469 udp/4569

              Client Ports:

              • default

              Links

              • Homepage (http://www.asterisk.org)

              • Wikipedia (http://en.wikipedia.org/wiki/Iax)

              Notes

               > This service refers to IAX version 2.
               > There is also the iax service.

   service: ICMP
       Internet Control Message Protocol
              Example:

                       server ICMP accept

              Service Type:

              • simple

              Server Ports:

              • icmp/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol)

   service: icmp
       Internet Control Message Protocol
              Alias for ICMP

   service: ICMPV6
       Internet Control Message Protocol v6
              Example:

                       server ICMPV6 accept

              Service Type:

              • simple

              Server Ports:

              • icmpv6/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/ICMPv6)

   service: icmpv6
       Internet Control Message Protocol v6
              Alias for ICMPV6

   service: icp
       Internet Cache Protocol
              Example:

                       server icp accept

              Service Type:

              • simple

              Server Ports:

              • udp/3130

              Client Ports:

              • 3130

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Internet_Cache_Protocol)

   service: ident
       Identification Protocol
              Example:

                       server ident reject with tcp-reset

              Service Type:

              • simple

              Server Ports:

              • tcp/113

              Client Ports:

              • default

               Links

               • Wikipedia (http://en.wikipedia.org/wiki/Ident_protocol)

               Notes

               > The example rejects with a TCP reset rather than dropping,
               > so that remote SMTP and IRC servers which query ident before
               > accepting a connection get an immediate answer instead of
               > waiting for a timeout.

   service: imap
       Internet Message Access Protocol
              Example:

                       server imap accept

              Service Type:

              • simple

              Server Ports:

              • tcp/143

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Imap)

   service: imaps
       Secure Internet Message Access Protocol
              Example:

                       server imaps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/993

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Imap)

   service: ipsecnatt
       NAT traversal and IPsec
              Service Type:

              • simple

              Server Ports:

              • udp/4500

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/NAT_traversal#NAT_traversal_and_IPsec)

   service: ipv6error
       ICMPv6 Error Handling
              Example:

                       server ipv6error accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Notes

                     Not all icmpv6 error types should be treated equally inbound and outbound.

                      The ipv6error rule wraps all of them in the following way:

                      • allow incoming messages only for existing sessions

                      • allow outgoing messages always

                     The following ICMPv6 messages are handled:

                     • destination-unreachable

                     • packet-too-big

                     • ttl-zero-during-transit

                     • ttl-zero-during-reassembly

                     • unknown-header-type

                     • unknown-option

                     Interfaces should always have this set:

                     server ipv6error accept

                      In a router with inface being internal and outface being external, the
                      following will meet the recommendations of RFC 4890
                      (http://tools.ietf.org/html/rfc4890):

                     server ipv6error accept

                      Do not use "client ipv6error accept" unless you are controlling traffic on a
                      router interface where outface is the internal destination.

                     This service implicitly sets its client or server to ipv6 mode.

   service: ipv6neigh
       IPv6 Neighbour discovery
              Example:

                       client ipv6neigh accept
                       server ipv6neigh accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • Wikipedia (https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol)

              Notes

              > IPv6 uses the Neighbour Discovery Protocol to do automatic
              > configuration of routes and to replace ARP. To allow this
              > functionality the network neighbour and router
              > solicitation/advertisement messages should be enabled on
              > each interface.
              >
              > These rules are stateless since advertisement can happen
              > automatically as well as on solicitation.
              >
              > Neighbour discovery (incoming) should always be enabled:
              >
              > `server ipv6neigh accept`
              >
              > Neighbour advertisement (outgoing) should always be enabled:
              >
              > `client ipv6neigh accept`
              >
              > The rules should not be used to pass packets across a
              > firewall (e.g. in a router definition) unless the firewall
              > is for a bridge.
              >
              > This service implicitly sets its client or server to ipv6 mode.

   service: ipv6router
       IPv6 Router discovery
              Example:

                       client ipv6router accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • Wikipedia (https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol)

              Notes

              > IPv6 uses the Neighbour Discovery Protocol to do automatic
              > configuration of routes and to replace ARP. To allow this
              > functionality the network neighbour and router
              > solicitation/advertisement messages should be enabled on
              > each interface.
              >
              > These rules are stateless since advertisement can happen
              > automatically as well as on solicitation.
              >
              > Router discovery (incoming) should always be enabled:
              >
              > `client ipv6router accept`
              >
              > Router advertisement (outgoing) should be enabled on
              > a host that routes:
              >
              > `server ipv6router accept`
              >
              > The rules should not be used to pass packets across a
              > firewall (e.g. in a router definition) unless the firewall
              > is for a bridge.
              >
              > This service implicitly sets its client or server to ipv6 mode.

   service: irc
       Internet Relay Chat
              Example:

                       server irc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/6667

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_irc CONFIG_NF_CONNTRACK_IRC (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_IRC.html)

              Netfilter NAT Modules

              • nf_nat_irc CONFIG_NF_NAT_IRC (http://cateee.net/lkddb/web-lkddb/NF_NAT_IRC.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Internet_Relay_Chat)

   service: isakmp
       Internet Security Association and Key Management Protocol (IKE)
              Example:

                       server isakmp accept

              Service Type:

              • simple

              Server Ports:

              • udp/500

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/ISAKMP)

              Notes

              > For more information see the
              > [Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#IKE.ipsec)

   service: jabber
       Extensible Messaging and Presence Protocol
              Example:

                       server jabber accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5222 tcp/5223

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Jabber)

              Notes

              > Allows clear and SSL client-to-server connections.

   service: jabberd
       Extensible Messaging and Presence Protocol (Server)
              Example:

                       server jabberd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5222 tcp/5223 tcp/5269

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Jabber)

              Notes

              > Allows clear and SSL client-to-server and server-to-server
              > connections.
              >
              > Use this service for a jabberd server. In all other cases,
              > use the [jabber][keyword-service-jabber] service.

   service: l2tp
       Layer 2 Tunneling Protocol
              Service Type:

              • simple

              Server Ports:

              • udp/1701

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/L2tp)

   service: ldap
       Lightweight Directory Access Protocol
              Example:

                       server ldap accept

              Service Type:

              • simple

              Server Ports:

              • tcp/389

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ldap)

   service: ldaps
       Secure Lightweight Directory Access Protocol
              Example:

                       server ldaps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/636

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ldap)

   service: lpd
       Line Printer Daemon Protocol
              Example:

                       server lpd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/515

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol)

              Notes

              > LPD is documented in
              > [RFC 1179](http://www.ietf.org/rfc/rfc1179.txt).
              >
              > Since many operating systems incorrectly use the non-default
              > client ports for LPD access, this definition allows any
              > client port to access the service (in addition to
              > the RFC defined 721 to 731 inclusive).

   service: microsoft_ds
       Direct Hosted (NETBIOS-less) SMB
              Example:

                       server microsoft_ds accept

              Service Type:

              • simple

              Server Ports:

              • tcp/445

              Client Ports:

              • default

              Notes

                      Direct Hosted (i.e. NETBIOS-less) SMB

                      This is another NETBIOS Session Service with minor differences from
                      netbios_ssn. It is supported only by Windows 2000 and Windows XP and it
                      offers the advantage of being independent of WINS for name resolution.

                      It seems that samba transparently supports this protocol on the netbios_ssn
                      ports, so that either direct hosted or traditional SMB can be served
                      simultaneously.

                      Please refer to netbios_ssn for more information.

   service: mms
       Microsoft Media Server
              Example:

                       server mms accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1755 udp/1755

              Client Ports:

              • default

              Netfilter Modules

              • See here (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).

              Netfilter NAT Modules

              • See here (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Microsoft_Media_Server)

              Notes

              > Microsoft's proprietary network streaming protocol used
              > to transfer unicast data in Windows Media Services
              > (previously called NetShow Services).

   service: msn
       Microsoft MSN Messenger Service
              Example:

                       server msn accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1863 udp/1863

              Client Ports:

              • default

   service: msnp
       msnp
              Example:

                       server msnp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/6891

              Client Ports:

              • default

   service: ms_ds
       Direct Hosted (NETBIOS-less) SMB
              Alias for microsoft_ds

   service: multicast
       Multicast
              Example:

                       server multicast reject with proto-unreach

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Multicast)

              Notes

              > The multicast service matches all packets sent to
              > the $MULTICAST_IPS addresses using IGMP or UDP.
              > For IPv4 that means 224.0.0.0/4 and for IPv6 FF00::/16.

   service: mysql
       MySQL
              Example:

                       server mysql accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3306

              Client Ports:

              • default

              Links

              • Homepage (http://www.mysql.com/)

              • Wikipedia (http://en.wikipedia.org/wiki/Mysql)

   service: netbackup
       Veritas NetBackup service
              Example:

                       server netbackup accept
                       client netbackup accept

              Service Type:

              • simple

              Server Ports:

              • tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724 tcp/13782 tcp/13783

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Netbackup)

              Notes

              > To use this service you must define it as both client and
              > server in NetBackup clients and NetBackup servers.

   service: netbios_dgm
       NETBIOS Datagram Distribution Service
              Example:

                       server netbios_dgm accept

              Service Type:

              • simple

              Server Ports:

              • udp/138

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Netbios#Datagram_distribution_service)

              Notes

              > See also the [samba][keyword-service-samba] service.
              >
              > Keep in mind that this service broadcasts (to the broadcast
              > address of your LAN) UDP packets. If you place this service
              > within an interface that has a dst parameter, remember to
              > include (in the dst parameter) the broadcast address of your
              > LAN too.

   service: netbios_ns
       NETBIOS Name Service
              Example:

                       server netbios_ns accept

              Service Type:

              • simple

              Server Ports:

              • udp/137

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Netbios#Name_service)

              Notes

              > See also the [samba][keyword-service-samba] service.

   service: netbios_ssn
       NETBIOS Session Service
              Example:

                       server netbios_ssn accept

              Service Type:

              • simple

              Server Ports:

              • tcp/139

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Netbios#Session_service)

              Notes

              > See also the [samba][keyword-service-samba] service.
              >
              > Please keep in mind that newer NETBIOS clients prefer to use
              > port 445 ([microsoft_ds][keyword-service-microsoft_ds]) for the
              > NETBIOS session service, and when this is not available they
              > fall back to port 139 (netbios_ssn). Versions of samba above
              > 3.x bind automatically to ports 139 and 445.
              >
              > If you have an older samba version and your policy on an
              > interface or router is DROP, clients trying to access port
              > 445 will have to timeout before falling back to port 139.
              > This timeout can be up to several minutes.
              >
              > To overcome this problem you can explicitly REJECT the
              > [microsoft_ds][keyword-service-microsoft_ds] with a
              > tcp-reset message:
              >
              > server microsoft_ds reject with tcp-reset

   service: nfs
       Network File System
              Example:

                       client nfs accept dst 192.0.2.1

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • N/A

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Network_File_System_%28protocol%29)

              Notes

              > The NFS service queries the RPC service on the NFS server
              > host to find out the ports on which nfsd, mountd, lockd and
              > rquotad are listening. Then, according to these ports, it
              > sets up rules on all the supported protocols (as reported by
              > RPC) so that the clients can reach the server.
              >
              > For this reason, the NFS service requires that:
              >
              > * the firewall is restarted if the NFS server is restarted
              > * the NFS server must be specified on all nfs statements (only if it is not the localhost)
              >
              > Since NFS queries the remote RPC server, it is required to
              > also be allowed to do so, by allowing the
              > [portmap][keyword-service-portmap] service too. Take care that
              > this is allowed by the running firewall when FireHOL tries
              > to query the RPC server. So you might have to setup NFS in
              > two steps: First add the portmap service and activate the
              > firewall, then add the NFS service and restart the firewall.
              >
              > To avoid this you can setup your NFS server to listen on
              > pre-defined ports, as documented in
              > [NFS Howto][NFS Howto].
              > If you do this then you will have to define the ports
              > using the procedure described
              > in [Adding Services](#adding-services)
              > in [firehol.conf(5)](#firehol.conf5).
              >
              > [NFS Howto]: http://nfs.sourceforge.net/nfs-howto/ar01s06.html#nfs_firewalls

   service: nis
       Network Information Service
              Example:

                       client nis accept dst 192.0.2.1

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • N/A

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Network_Information_Service)

              Notes

              > The nis service queries the RPC service on the nis server
              > host to find out the ports on which ypserv and yppasswdd are
              > listening. Then, according to these ports, it sets up rules
              > on all the supported protocols (as reported by RPC) so that
              > the clients can reach the server.
              >
              > For this reason, the nis service requires that:
              >
              > * the firewall is restarted if the nis server is restarted
              > * the nis server must be specified on all nis statements (only if it is not the localhost)
              >
              > Since nis queries the remote RPC server, it is required to
              > also be allowed to do so, by allowing the
              > [portmap][keyword-service-portmap] service too. Take care that
              > this is allowed by the running firewall when FireHOL tries
              > to query the RPC server. So you might have to setup nis in
              > two steps: First add the portmap service and activate the
              > firewall, then add the nis service and restart the firewall.
              >
              > This service was added to FireHOL by
              > [Carlos Rodrigues](http://sourceforge.net/p/firehol/feature-requests/20).
              > His comments regarding this implementation are:
              >
              > These rules work for client access only!
              >
              > Pushing changes to slave servers won't work if these rules
              > are active somewhere between the master and its slaves,
              > because it is impossible to predict the ports where yppush
              > will be listening on each push.
              >
              > Pulling changes directly on the slaves will work, and could
              > be improved performance-wise if these rules are modified to
              > open fypxfrd. This wasn't done because it doesn't make that
              > much sense since pushing changes on the master server is
              > the most common, and recommended, way to replicate maps.

   service: nntp
       Network News Transfer Protocol
              Example:

                       server nntp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/119

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Nntp)

   service: nntps
       Secure Network News Transfer Protocol
              Example:

                       server nntps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/563

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Nntp)

   service: nrpe
       Nagios NRPE
              Service Type:

              • simple

              Server Ports:

              • tcp/5666

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Nagios#NRPE)

   service: ntp
       Network Time Protocol
              Example:

                       server ntp accept

              Service Type:

              • simple

              Server Ports:

              • udp/123 tcp/123

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Network_Time_Protocol)

   service: nut
       Network UPS Tools
              Example:

                       server nut accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3493 udp/3493

              Client Ports:

              • default

              Links

              • Homepage (http://www.networkupstools.org/)

   service: nxserver
       NoMachine NX Server
              Example:

                       server nxserver accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5000:5200

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/NX_Server)

              Notes

              > Default ports used by NX server for connections without
              > encryption.
              >
              > Note that nxserver also needs the [ssh][keyword-service-ssh]
              > to be enabled.
              >
              > This information has been extracted from this:
              > The TCP ports used by nxserver are
              > 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT.
              > DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf
              > and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200.
              >
              > For encrypted nxserver sessions, only
              > [ssh][keyword-service-ssh] is needed.

   service: openvpn
       OpenVPN
              Service Type:

              • simple

              Server Ports:

              • tcp/1194 udp/1194

              Client Ports:

              • default

              Links

              • Homepage (http://openvpn.net/)

              • Wikipedia (http://en.wikipedia.org/wiki/OpenVPN)

   service: oracle
       Oracle Database
              Example:

                       server oracle accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1521

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Oracle_db)

   service: OSPF
       Open Shortest Path First
              Example:

                       server OSPF accept

              Service Type:

              • simple

              Server Ports:

              • 89/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ospf)

   service: ping
       Ping (ICMP echo)
              Example:

                       server ping accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ping)

              Notes

              > This service matches requests of protocol ICMP and type
              > echo-request (TYPE=8) and their replies of type echo-reply
              > (TYPE=0).
              >
              > The ping service is stateful.

   service: pop3
       Post Office Protocol
              Example:

                       server pop3 accept

              Service Type:

              • simple

              Server Ports:

              • tcp/110

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Pop3)

   service: pop3s
       Secure Post Office Protocol
              Example:

                       server pop3s accept

              Service Type:

              • simple

              Server Ports:

              • tcp/995

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Pop3)

   service: portmap
       Open Network Computing Remote Procedure Call - Port Mapper
              Example:

                       server portmap accept

              Service Type:

              • simple

              Server Ports:

              • udp/111 tcp/111

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Portmap)

   service: postgres
       PostgreSQL
              Example:

                       server postgres accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5432

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Postgres)

   service: pptp
       Point-to-Point Tunneling Protocol
              Example:

                       server pptp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1723

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_pptp CONFIG_NF_CONNTRACK_PPTP (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_PPTP.html)

              • nf_conntrack_proto_gre CONFIG_NF_CT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_CT_PROTO_GRE.html)

              Netfilter NAT Modules

              • nf_nat_pptp CONFIG_NF_NAT_PPTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_PPTP.html)

              • nf_nat_proto_gre CONFIG_NF_NAT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_NAT_PROTO_GRE.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Pptp)

   service: privoxy
       Privacy Proxy
              Example:

                       server privoxy accept

              Service Type:

              • simple

              Server Ports:

              • tcp/8118

              Client Ports:

              • default

              Links

              • Homepage (http://www.privoxy.org/)

   service: radius
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radius accept

              Service Type:

              • simple

              Server Ports:

              • udp/1812 udp/1813

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: radiusold
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radiusold accept

              Service Type:

              • simple

              Server Ports:

              • udp/1645 udp/1646

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: radiusoldproxy
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radiusoldproxy accept

              Service Type:

              • simple

              Server Ports:

              • udp/1647

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: radiusproxy
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radiusproxy accept

              Service Type:

              • simple

              Server Ports:

              • udp/1814

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: rdp
       Remote Desktop Protocol
              Example:

                       server rdp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3389

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Remote_Desktop_Protocol)

              Notes

              > Remote Desktop Protocol is also known as
              > Terminal Services.

   service: rndc
       Remote Name Daemon Control
              Example:

                       server rndc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/953

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Rndc)

   service: rsync
       rsync protocol
              Example:

                       server rsync accept

              Service Type:

              • simple

              Server Ports:

              • tcp/873 udp/873

              Client Ports:

              • default

              Links

              • Homepage (http://rsync.samba.org/)

              • Wikipedia (http://en.wikipedia.org/wiki/Rsync)

   service: rtp
       Real-time Transport Protocol
              Example:

                       server rtp accept

              Service Type:

              • simple

              Server Ports:

              • udp/10000:20000

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Real-time_Transport_Protocol)

              Notes

              > RTP ports are generally all the UDP ports.
              > This definition narrows down RTP ports to UDP 10000 to 20000.

   service: samba
       Samba
              Example:

                       server samba accept

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • default

              Links

              • Homepage (http://www.samba.org/)

              • Wikipedia (http://en.wikipedia.org/wiki/Samba_(software))

              Notes

              > The samba service automatically sets all the rules for
              > [netbios_ns][keyword-service-netbios_ns],
              > [netbios_dgm][keyword-service-netbios_dgm],
              > [netbios_ssn][keyword-service-netbios_ssn] and
              > [microsoft_ds][keyword-service-microsoft_ds].
              >
              > Please refer to the notes of the above services for more
              > information.
              >
              > NetBIOS name resolution starts with a request sent to the
              > broadcast address of an interface, but the server answers
              > from its own IP address. Because the iptables connection
              > tracker expects the reply to come from the address the
              > request was sent to, a plain "server samba accept"
              > statement drops the server's reply.
              >
              > This service definition therefore includes a hack that lets
              > a Linux samba server respond correctly in such situations:
              > it allows new outgoing connections from the well known
              > [netbios_ns][keyword-service-netbios_ns] port to the
              > clients' high ports.
              >
              > For clients and routers this hack is not applied, because
              > it would open all unprivileged ports to the samba server.
              > The only way to overcome the problem in those cases
              > (routers or clients) is to build a trust relationship
              > between the samba servers and clients.
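              The connection-tracking problem described in the notes above, modelled in an
              added Python example (not part of the FireHOL manual or its code). A toy
              tracker keys each flow on the original 5-tuple, as netfilter conntrack does:
              the reply to a request sent to the broadcast address never matches, so on the
              server it is an outgoing NEW packet. The addresses and ports are constructed
              sample values, and the names ToyTracker, samba_server_verdict and exchange
              are this example's own simplification of the real rule set.

```python
"""Toy model of why a NetBIOS name-service reply is dropped by a plain
"server samba accept" rule, and what the FireHOL samba definition's hack
changes for servers. The tracker and rule logic are a deliberate
simplification of iptables conntrack, written for this example only."""
from dataclasses import dataclass

NETBIOS_NS = 137                 # udp/137, the netbios_ns port
SERVER_IP = "192.168.1.10"       # constructed sample addresses
CLIENT_IP = "192.168.1.20"
BROADCAST = "192.168.1.255"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def orig(self):
        """5-tuple in the direction the packet travels."""
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse(self):
        """5-tuple a reply to this packet would have."""
        return (self.proto, self.dst, self.dport, self.src, self.sport)


class ToyTracker:
    """Keeps the original-direction tuple of each accepted flow. A packet is
    ESTABLISHED if it matches a known flow in either direction, else NEW."""

    def __init__(self):
        self.flows = set()

    def state(self, pkt):
        if pkt.orig() in self.flows or pkt.reverse() in self.flows:
            return "ESTABLISHED"
        return "NEW"

    def add(self, pkt):
        self.flows.add(pkt.orig())


def samba_server_verdict(tracker, pkt, outgoing, hack):
    """Verdict on the samba *server* host for one udp/137 packet.

    Inbound: NEW or ESTABLISHED packets to udp/137 are accepted (server role).
    Outbound: only ESTABLISHED replies pass, unless `hack` also allows NEW
    outbound datagrams from udp/137 to the clients' unprivileged ports, which
    is what the samba definition adds for servers (and not for clients)."""
    state = tracker.state(pkt)
    if not outgoing:
        if pkt.proto == "udp" and pkt.dport == NETBIOS_NS:
            if state == "NEW":
                tracker.add(pkt)
            return "ACCEPT"
        return "DROP"
    if state == "ESTABLISHED":
        return "ACCEPT"
    if hack and pkt.proto == "udp" and pkt.sport == NETBIOS_NS and pkt.dport >= 1024:
        tracker.add(pkt)
        return "ACCEPT"
    return "DROP"


def exchange(request_dst, hack):
    """Run one name-service request/reply through the server's firewall.

    Returns (request verdict, reply state before its verdict, reply verdict).
    The request is sent to `request_dst`; the server always answers from its
    own address, which is exactly the mismatch the notes describe."""
    tracker = ToyTracker()
    request = Packet("udp", CLIENT_IP, 49152, request_dst, NETBIOS_NS)
    reply = Packet("udp", SERVER_IP, NETBIOS_NS, CLIENT_IP, 49152)
    v_req = samba_server_verdict(tracker, request, outgoing=False, hack=hack)
    reply_state = tracker.state(reply)
    v_rep = samba_server_verdict(tracker, reply, outgoing=True, hack=hack)
    return v_req, reply_state, v_rep


if __name__ == "__main__":
    print("unicast request, no hack  :", exchange(SERVER_IP, hack=False))
    print("broadcast request, no hack:", exchange(BROADCAST, hack=False))
    print("broadcast request, hack   :", exchange(BROADCAST, hack=True))
```

              Running it shows the three cases side by side: a unicast request is
              answered as ESTABLISHED and passes without help, a broadcast request's
              reply is NEW and dropped, and the server-only hack accepts that NEW
              reply because it leaves udp/137 towards a high port.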

   service: sane
       SANE Scanner service
              Service Type:

              • simple

              Server Ports:

              • tcp/6566

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_sane CONFIG_NF_CONNTRACK_SANE (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_SANE.html)

              Netfilter NAT Modules

              • N/A

              Links

              • Homepage (http://www.sane-project.org/)

   service: sip
       Session Initiation Protocol
              Example:

                       server sip accept

              Service Type:

              • simple

              Server Ports:

              • udp/5060

              Client Ports:

              • 5060 default

              Netfilter Modules

              • nf_conntrack_sip CONFIG_NF_CONNTRACK_SIP (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_SIP.html)

              Netfilter NAT Modules

              • nf_nat_sip CONFIG_NF_NAT_SIP (http://cateee.net/lkddb/web-lkddb/NF_NAT_SIP.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Session_Initiation_Protocol)

              Notes

              > [SIP](http://www.voip-info.org/wiki/view/SIP) is an IETF
              > standard protocol (RFC 2543) for initiating interactive user
              > sessions involving multimedia elements such as video, voice,
              > chat, gaming, etc. SIP works in the application layer of
              > the OSI communications model.

   service: smtp
       Simple Mail Transport Protocol
              Example:

                       server smtp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/25

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol)

   service: smtps
       Secure Simple Mail Transport Protocol
              Example:

                       server smtps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/465

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/SMTPS)

   service: snmp
       Simple Network Management Protocol
              Example:

                       server snmp accept

              Service Type:

              • simple

              Server Ports:

              • udp/161

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol)

   service: snmptrap
       SNMP Trap
              Example:

                       server snmptrap accept

              Service Type:

              • simple

              Server Ports:

              • udp/162

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap)

              Notes

              > An SNMP trap is a notification from an agent to a manager.

   service: socks
       SOCKet Secure
              Example:

                       server socks accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1080 udp/1080

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/SOCKS)

              Notes

              > See also [RFC 1928](http://www.ietf.org/rfc/rfc1928.txt).

   service: squid
       Squid Web Cache
              Example:

                       server squid accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3128

              Client Ports:

              • default

              Links

              • Homepage (http://www.squid-cache.org/)

              • Wikipedia (http://en.wikipedia.org/wiki/Squid_(software))

   service: ssh
       Secure Shell Protocol
              Example:

                       server ssh accept

              Service Type:

              • simple

              Server Ports:

              • tcp/22

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Secure_Shell)

   service: stun
       Session Traversal Utilities for NAT
              Example:

                       server stun accept

              Service Type:

              • simple

              Server Ports:

              • udp/3478 udp/3479

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/STUN)

              Notes

              > [STUN](http://www.voip-info.org/wiki/view/STUN)
              > is a protocol for assisting devices behind a NAT firewall or
              > router with their packet routing.

   service: submission
       SMTP over SSL/TLS submission
              Example:

                       server submission accept

              Service Type:

              • simple

              Server Ports:

              • tcp/587

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol)

              Notes

              > Submission is essentially normal SMTP with an SSL/TLS
              > negotiation.

   service: sunrpc
       Open Network Computing Remote Procedure Call - Port Mapper
              Alias for portmap

   service: swat
       Samba Web Administration Tool
              Example:

                       server swat accept

              Service Type:

              • simple

              Server Ports:

              • tcp/901

              Client Ports:

              • default

              Links

              • Homepage (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html)

   service: syslog
       Syslog Remote Logging Protocol
              Example:

                       server syslog accept

              Service Type:

              • simple

              Server Ports:

              • udp/514

              Client Ports:

              • syslog default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Syslog)

   service: telnet
       Telnet
              Example:

                       server telnet accept

              Service Type:

              • simple

              Server Ports:

              • tcp/23

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Telnet)

   service: tftp
       Trivial File Transfer Protocol
              Example:

                       server tftp accept

              Service Type:

              • simple

              Server Ports:

              • udp/69

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_tftp CONFIG_NF_CONNTRACK_TFTP (http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_TFTP.html)

              Netfilter NAT Modules

              • nf_nat_tftp CONFIG_NF_NAT_TFTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_TFTP.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol)

   service: time
       Time Protocol
              Example:

                       server time accept

              Service Type:

              • simple

              Server Ports:

              • tcp/37 udp/37

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Time_Protocol)

   service: timestamp
       ICMP Timestamp
              Example:

                       server timestamp accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Timestamp)

              Notes

              > This service matches requests of protocol ICMP and type
              > timestamp-request (TYPE=13) and their replies of type
              > timestamp-reply (TYPE=14).
              >
              > The timestamp service is stateful.
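              The two ICMP message types named in the notes above, parsed and validated
              in an added Python example (not FireHOL code). It builds well-formed
              timestamp requests and replies from constructed sample values, classifies
              an ICMP message as timestamp-request, timestamp-reply or neither, rejects
              messages with a bad checksum or a truncated body, and pairs a reply with
              its request by identifier, sequence number and the echoed originate
              timestamp. The pairing rule is this example's own way of expressing the
              "stateful" matching, not a description of the netfilter implementation;
              the function names are the example's.

```python
"""Parse and classify ICMP timestamp messages (type 13 request, type 14 reply).
Example code written for this manual entry; sample packets are constructed."""
import struct

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
TIMESTAMP_MSG_LEN = 20   # 8-byte ICMP header + three 32-bit timestamps


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    A message whose checksum field is correct sums to zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_timestamp(msg_type, ident, seq, originate, receive=0, transmit=0):
    """Build an ICMP timestamp message with a valid checksum. Timestamps are
    milliseconds since midnight UTC, as the protocol defines them."""
    body = struct.pack("!BBHHHIII", msg_type, 0, 0, ident, seq,
                       originate, receive, transmit)
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def classify(packet: bytes):
    """Return 'timestamp-request', 'timestamp-reply' or None.

    Anything that is not a complete, code-0, checksum-valid type 13/14 message
    yields None, so a monitor counting these requests ignores malformed data."""
    if len(packet) < 8:
        return None
    msg_type, code = packet[0], packet[1]
    if msg_type not in (ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY):
        return None
    if code != 0 or len(packet) < TIMESTAMP_MSG_LEN:
        return None
    if icmp_checksum(packet) != 0:
        return None
    return "timestamp-request" if msg_type == ICMP_TIMESTAMP_REQUEST else "timestamp-reply"


def parse_timestamp(packet: bytes):
    """Decode identifier, sequence and the originate/receive/transmit fields,
    or return None for anything classify() rejects."""
    kind = classify(packet)
    if kind is None:
        return None
    ident, seq, orig, recv, xmit = struct.unpack("!HHIII", packet[4:TIMESTAMP_MSG_LEN])
    return {"kind": kind, "id": ident, "seq": seq,
            "originate": orig, "receive": recv, "transmit": xmit}


def is_reply_to(request: bytes, reply: bytes) -> bool:
    """True when `reply` is a type 14 answer to the type 13 `request`: same
    identifier and sequence, and the originate timestamp echoed unchanged."""
    req, rep = parse_timestamp(request), parse_timestamp(reply)
    if req is None or rep is None:
        return False
    return (req["kind"] == "timestamp-request" and rep["kind"] == "timestamp-reply"
            and req["id"] == rep["id"] and req["seq"] == rep["seq"]
            and req["originate"] == rep["originate"])


if __name__ == "__main__":
    # Constructed sample exchange: id 0x1234, seq 1, sent at 12:30:00 UTC.
    req = build_timestamp(ICMP_TIMESTAMP_REQUEST, 0x1234, 1, 45_000_000)
    rep = build_timestamp(ICMP_TIMESTAMP_REPLY, 0x1234, 1, 45_000_000,
                          45_000_100, 45_000_101)
    print(parse_timestamp(req))
    print(parse_timestamp(rep))
    print("paired:", is_reply_to(req, rep))
```

              A checksum-valid message sums to zero over all of its 16-bit words, so
              classify() verifies the checksum simply by recomputing it over the packet
              as received; an echo request (type 8) or a truncated timestamp message
              returns None rather than being miscounted.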

   service: tomcat
       HTTP alternate port
              Alias for httpalt

   service: upnp
       Universal Plug and Play
              Example:

                       server upnp accept

              Service Type:

              • simple

              Server Ports:

              • udp/1900 tcp/2869

              Client Ports:

              • default

              Links

              • Homepage (http://upnp.sourceforge.net/)

              • Wikipedia (http://en.wikipedia.org/wiki/Universal_Plug_and_Play)

              Notes

              > For a Linux implementation see:
              > [Linux IGD](http://linux-igd.sourceforge.net/).

   service: uucp
       Unix-to-Unix Copy
              Example:

                       server uucp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/540

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/UUCP)

   service: vmware
       vmware
              Example:

                       server vmware accept

              Service Type:

              • simple

              Server Ports:

              • tcp/902

              Client Ports:

              • default

              Notes

                      Used from VMWare 1 and up. See the VMWare KnowledgeBase
                      (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).

   service: vmwareauth
       vmwareauth
              Example:

                       server vmwareauth accept

              Service Type:

              • simple

              Server Ports:

              • tcp/903

              Client Ports:

              • default

              Notes

                      Used from VMWare 1 and up. See the VMWare KnowledgeBase
                      (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).

   service: vmwareweb
       vmwareweb
              Example:

                       server vmwareweb accept

              Service Type:

              • simple

              Server Ports:

              • tcp/8222 tcp/8333

              Client Ports:

              • default

              Notes

                      Used from VMWare 2 and up. See the VMWare Server 2.0 release notes
                      (http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html) and
                      the VMWare KnowledgeBase
                      (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).

   service: vnc
       Virtual Network Computing
              Example:

                       server vnc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5900:5903

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Virtual_Network_Computing)

              Notes

              > VNC is a graphical desktop sharing protocol.

   service: webcache
       HTTP alternate port
              Alias for httpalt

   service: webmin
       Webmin Administration System
              Example:

                       server webmin accept

              Service Type:

              • simple

              Server Ports:

              • tcp/10000

              Client Ports:

              • default

              Links

              • Homepage (http://www.webmin.com/)

   service: whois
       WHOIS Protocol
              Example:

                       server whois accept

              Service Type:

              • simple

              Server Ports:

              • tcp/43

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Whois)

   service: xbox
       Xbox Live
              Example:

                       client xbox accept

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • default

              Notes

                     Definition for the Xbox live service.

                     See program source for contributor details.

   service: xdmcp
       X Display Manager Control Protocol
              Example:

                       server xdmcp accept

              Service Type:

              • simple

              Server Ports:

              • udp/177

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/X_display_manager_(program_type)#X_Display_Manager_Control_Protocol)

              Notes

              > See [Gnome Display Manager](http://www.jirka.org/gdm-documentation/x70.html)
              > for a discussion about XDMCP and firewalls (Gnome Display
              > Manager is a replacement for XDM).

AUTHORS

       FireHOL Team.