bionic (5) firehol-services.5.gz

Provided by: firehol-doc_3.1.5+ds-1ubuntu1_all bug

NAME

       firehol-services - FireHOL services list

SYNOPSIS

       AH all amanda any anystateless apcupsd apcupsdnis aptproxy asterisk

       cups custom cvspserver

       darkstat daytime dcc dcpp dhcp dhcprelay dhcpv6 dict distcc dns

       echo emule eserver ESP

       finger ftp

       gift giftui gkrellmd GRE

       h323 heartbeat http httpalt https hylafax

       iax  iax2  ICMP  icmp ICMPV6 icmpv6 icp ident imap imaps ipsecnatt ipv6error ipv6mld ipv6neigh ipv6router
       irc isakmp

       jabber jabberd

       l2tp ldap ldaps lpd

       microsoft_ds mms msn msnp ms_ds multicast mysql

       netbackup netbios_dgm netbios_ns netbios_ssn nfs nis nntp nntps nrpe ntp nut nxserver

       openvpn oracle OSPF

       ping pop3 pop3s portmap postgres pptp privoxy

       radius radiusold radiusoldproxy radiusproxy rdp rndc rsync rtp

       samba sane sip smtp smtps snmp snmptrap socks squid ssh stun submission sunrpc swat syslog

       telnet tftp time timestamp tomcat

       upnp uucp

       vmware vmwareauth vmwareweb vnc

       webcache webmin whois

       xbox xdmcp

DESCRIPTION

   service: AH
       IPSec Authentication Header (AH)
              Example:

                       server AH accept

              Service Type:

              • simple

              Server Ports:

              • 51/any

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-AH]

              Notes

                     For   more   information   see   this    Archive    of    the    FreeS/WAN    documentation
                     (http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#AH.ipsec)
                     and        RFC        2402        (http://www.ietf.org/rfc/rfc2402.txt).         [WIKI-AH]:
                     http://en.wikipedia.org/wiki/IPsec#Authentication_Header

   service: all
       Match all traffic
              Example:

                       server all accept

              Service Type:

              • simple

              Server Ports:

              • all

              Client Ports:

              • all

              Netfilter Modules

              • nf_conntrack_ftp              CONFIG_NF_CONNTRACK_FTP              (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_FTP.html)

              • nf_conntrack_irc              CONFIG_NF_CONNTRACK_IRC              (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_IRC.html)

              • nf_conntrack_sip              CONFIG_NF_CONNTRACK_SIP              (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_SIP.html)

              • nf_conntrack_pptp             CONFIG_NF_CONNTRACK_PPTP             (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_PPTP.html)

              • nf_conntrack_proto_gre            CONFIG_NF_CT_PROTO_GRE           (http://cateee.net/lkddb/web-
                lkddb/NF_CT_PROTO_GRE.html)

              Netfilter NAT Modules

              • nf_nat_ftp CONFIG_NF_NAT_FTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_FTP.html)

              • nf_nat_irc CONFIG_NF_NAT_IRC (http://cateee.net/lkddb/web-lkddb/NF_NAT_IRC.html)

              • nf_nat_sip CONFIG_NF_NAT_SIP (http://cateee.net/lkddb/web-lkddb/NF_NAT_SIP.html)

              • nf_nat_pptp CONFIG_NF_NAT_PPTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_PPTP.html)

              • nf_nat_proto_gre              CONFIG_NF_NAT_PROTO_GRE              (http://cateee.net/lkddb/web-
                lkddb/NF_NAT_PROTO_GRE.html)

              Notes

                     Matches all traffic (all protocols, ports, etc.).  Note that to provide "connections in one
                     direction with replies" semantics, the kernel connection tracker is still used:  this  will
                     therefore  still not match packets if they are not understood as part of a connection (e.g.
                     some ICMPv6 packets, requests and replies taking different routes, complex  protocols  with
                     no helper loaded).

                     This  service  may indirectly setup a set of other services, if they require kernel modules
                     to be loaded.  The following complex services are activated:

   service: amanda
       Advanced Maryland Automatic Network Disk Archiver
              Service Type:

              • simple

              Server Ports:

              • udp/10080

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_amanda           CONFIG_NF_CONNTRACK_AMANDA           (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_AMANDA.html)

              Netfilter NAT Modules

              • nf_nat_amanda CONFIG_NF_NAT_AMANDA (http://cateee.net/lkddb/web-lkddb/NF_NAT_AMANDA.html)

              Links

              • Homepage (http://www.amanda.org/)

              • Wikipedia (http://en.wikipedia.org/wiki/Advanced_Maryland_Automatic_Network_Disk_Archiver)

   service: any
       Match all traffic (without modules or indirect)
              Example:

                       server any *myname* accept proto 47

              Service Type:

              • simple

              Server Ports:

              • all

              Client Ports:

              • all

              Netfilter Modules

              Netfilter NAT Modules

              Notes

                     Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and
                     does not activate any other service indirectly.  In combination with the  firehol-params(5)
                     this service can match unusual traffic (e.g.  GRE - protocol 47).

                     Note that you have to supply your own name in addition to "any".

   service: anystateless
       Match all traffic statelessly
              Example:

                       server anystateless *myname* accept proto 47

              Service Type:

              • complex

              Server Ports:

              • all

              Client Ports:

              • all

              Notes

                     Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and
                     does not activate any other service indirectly.  In combination with the  firehol-params(5)
                     this service can match unusual traffic (e.g.  GRE - protocol 47).

                     This service is identical to "any" but does not care about the state of traffic.

                     Note that you have to supply your own name in addition to "anystateless".

   service: apcupsd
       APC UPS Daemon
              Example:

                       server apcupsd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/6544

              Client Ports:

              • default

              Links

              • [Homepage][HOME-apcupsd]

              • [Wikipedia][WIKI-apcupsd]

              Notes

                     This  service  must  be  defined  as  "server  apcupsd accept" on all machines not directly
                     connected to the UPS (i.e.  slaves).

                     Note that the port defined here is not the default port (6666) used  if  you  download  and
                     compile  APCUPSD, since the default conflicts with IRC and many distributions (like Debian)
                     have changed this to 6544.

                     You can define port 6544 in APCUPSD, by changing the value of NETPORT in its  configuration
                     file, or overwrite this FireHOL service definition using the procedures described in Adding
                     Services  in  firehol.conf(5).   [HOME-apcupsd]:   http://www.apcupsd.com   [WIKI-apcupsd]:
                     http://en.wikipedia.org/wiki/Apcupsd

   service: apcupsdnis
       APC UPS Daemon Network Information Server
              Example:

                       server apcupsdnis accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3551

              Client Ports:

              • default

              Links

              • [Homepage][HOME-apcupsdnis]

              • [Wikipedia][WIKI-apcupsdnis]

              Notes

                     This  service  allows  the  remote  WEB interfaces of APCUPSD (http://www.apcupsd.com/), to
                     connect and get  information  from  the  server  directly  connected  to  the  UPS  device.
                     [HOME-apcupsdnis]:                 http://www.apcupsd.com                [WIKI-apcupsdnis]:
                     http://en.wikipedia.org/wiki/Apcupsd

   service: aptproxy
       Advanced Packaging Tool Proxy
              Example:

                       server aptproxy accept

              Service Type:

              • simple

              Server Ports:

              • tcp/9999

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Apt-proxy)

   service: asterisk
       Asterisk PABX
              Example:

                       server asterisk accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5038

              Client Ports:

              • default

              Links

              • [Homepage][HOME-asterisk]

              • [Wikipedia][WIKI-asterisk]

              Notes

                     This service refers only to the manager interface of asterisk.  You should normally  enable
                     sip,  h323, rtp, etc.  at the firewall level, if you enable the relative channel drivers of
                     asterisk.         [HOME-asterisk]:         http://www.asterisk.org         [WIKI-asterisk]:
                     http://en.wikipedia.org/wiki/Asterisk_PBX

   service: cups
       Common UNIX Printing System
              Example:

                       server cups accept

              Service Type:

              • simple

              Server Ports:

              • tcp/631 udp/631

              Client Ports:

              • any

              Links

              • Homepage (http://www.cups.org)

              • Wikipedia (http://en.wikipedia.org/wiki/Common_Unix_Printing_System)

   service: custom
       Custom definitions
              Example:

                       server custom myimap tcp/143 default accept

              Service Type:

              • custom

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Notes

                     The full syntax is:

                     subcommand custom name svr-proto/ports cli-ports action params

                     This  service is used by FireHOL to allow you create rules for services which do not have a
                     definition.

                     subcommand, action and params have their usual meanings.

                     A name must be supplied along with server ports in the form proto/range  and  client  ports
                     which takes only a range.

                     To  define  services  with  the  built-in  extension mechanism to avoid the need for custom
                     services, see Adding Services in firehol.conf(5).

   service: cvspserver
       Concurrent Versions System
              Example:

                       server cvspserver accept

              Service Type:

              • simple

              Server Ports:

              • tcp/2401

              Client Ports:

              • default

              Links

              • Homepage (http://www.nongnu.org/cvs/)

              • Wikipedia (http://en.wikipedia.org/wiki/Concurrent_Versions_System)

   service: darkstat
       Darkstat network traffic analyser
              Example:

                       server darkstat accept

              Service Type:

              • simple

              Server Ports:

              • tcp/666

              Client Ports:

              • default

              Links

              • Homepage (https://unix4lyfe.org/darkstat/)

   service: daytime
       Daytime Protocol
              Example:

                       server daytime accept

              Service Type:

              • simple

              Server Ports:

              • tcp/13

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Daytime_Protocol)

   service: dcc
       Distributed Checksum Clearinghouse
              Example:

                       server dcc accept

              Service Type:

              • simple

              Server Ports:

              • udp/6277

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-dcc]

              Notes

                     See also this DCC FAQ  (http://www.rhyolite.com/dcc/FAQ.html#firewall-ports).   [WIKI-dcc]:
                     http://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse

   service: dcpp
       Direct Connect++ P2P
              Example:

                       server dcpp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1412 udp/1412

              Client Ports:

              • default

              Links

              • Homepage (http://dcplusplus.sourceforge.net)

   service: dhcp
       Dynamic Host Configuration Protocol
              Example:

                       server dhcp accept

              Service Type:

              • complex

              Server Ports:

              • udp/67

              Client Ports:

              • 68

              Links

              • [Wikipedia][WIKI-dhcp]

              Notes

                     The dhcp service is implemented as stateless rules.

                     DHCP  clients  broadcast  to  the  network (src 0.0.0.0 dst 255.255.255.255) to find a DHCP
                     server.  If the DHCP service was stateful the iptables connection tracker would  not  match
                     the packets and deny to send the reply.

                     Note that this change does not affect the security of either DHCP servers or clients, since
                     only the specific ports are allowed (there is no random port at either the  server  or  the
                     client side).

                     Note  also  that  the  "server  dhcp accept" or "client dhcp accept" commands should placed
                     within interfaces that do not have src and  /  or  dst  defined  (because  of  the  initial
                     broadcast).

                     You  can overcome this problem by placing the DHCP service on a separate interface, without
                     a src or dst but with a policy return.  Place this interface before the  one  that  defines
                     the rest of the services.

                     For example:

                     interface eth0 dhcp

                     policy return

                     server dhcp accept

                     interface eth0 lan src "$mylan" dst "$myip"

                     client all accept

                     For  example:  interface  eth0 dhcp policy return server dhcp accept interface eth0 lan src
                     "$mylan" dst "$myip" client all accept

                     This  service  implicitly  sets  its  client  or  server  to   ipv4   mode.    [WIKI-dhcp]:
                     http://en.wikipedia.org/wiki/Dhcp

   service: dhcprelay
       DHCP Relay
              Example:

                       server dhcprelay accept

              Service Type:

              • simple

              Server Ports:

              • udp/67

              Client Ports:

              • 67

              Links

              • [Wikipedia][WIKI-dhcprelay]

              Notes

                     From RFC 1812 section 9.1.2:

                     In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same
                     IP (sub)network.  In such cases, a third-party agent is required to transfer BOOTP messages
                     between  clients  and  servers.   Such  an  agent  was  originally  referred  to as a BOOTP
                     forwarding agent.  However, to avoid confusion with the IP forwarding function of a router,
                     the name BOOTP relay agent has been adopted instead.

                     For    more    information   about   DHCP   Relay   see   section   9.1.2   of   RFC   1812
                     (http://www.ietf.org/rfc/rfc1812.txt)     and     section      4      of      RFC      1542
                     (http://www.ietf.org/rfc/rfc1542.txt)                                     [WIKI-dhcprelay]:
                     http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying

   service: dhcpv6
       Dynamic Host Configuration Protocol for IPv6
              Example:

                       server dhcp accept
                       client dhcp accept

              Service Type:

              • complex

              Server Ports:

              • udp/547

              Client Ports:

              • udp/546

              Links

              • [Wikipedia][WIKI-dhcpv6]

              Notes

                     The dhcp service is  implemented  as  stateless  rules.   It  cannot  be  stateful  as  the
                     connection  tracker will not match a unicast reply to a broadcast request.  Further, if you
                     wish to add src/dst rule parameters, you must account for both the broadcast and link-local
                     network prefixes.

                     Clients  broadcast from a link-local address to the multicast address ff02::1:2 on UDP port
                     547 to find a server.  The server sends a unicast reply back to the client which listens on
                     UDP port 546.

                     For  a FireHOL interface, creating a client will allow sending to port 547 and receiving on
                     port 546.  Creating a server allows sending to port 546 and receiving on port 547.

                     Unlike DHCP for IPv4, the source ports to be used are not defined in DHCPv6 -  see  section
                     5.2  of  RFC3315 (http://www.ietf.org/rfc/rfc3315.txt).  Some servers are known to make use
                     of this to send from arbitrary ports, so FireHOL does not assume a source port.

                     This  service  implicitly  sets  its  client  or  server  to  ipv6  mode.    [WIKI-dhcpv6]:
                     https://en.wikipedia.org/wiki/DHCPv6

   service: dict
       Dictionary Server Protocol
              Example:

                       server dict accept

              Service Type:

              • simple

              Server Ports:

              • tcp/2628

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-dict]

              Notes

                     See          RFC2229          (http://www.ietf.org/rfc/rfc2229.txt).           [WIKI-dict]:
                     http://en.wikipedia.org/wiki/DICT

   service: distcc
       Distributed CC
              Example:

                       server distcc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3632

              Client Ports:

              • default

              Links

              • [Homepage][HOME-distcc]

              • [Wikipedia][WIKI-distcc]

              Notes

                     For    distcc     security,     please     check     the     distcc     security     design
                     (http://distcc.googlecode.com/svn/trunk/doc/web/security.html).              [HOME-distcc]:
                     https://code.google.com/p/distcc/ [WIKI-distcc]: http://en.wikipedia.org/wiki/Distcc

   service: dns
       Domain Name System
              Example:

                       server dns accept

              Service Type:

              • simple

              Server Ports:

              • udp/53 tcp/53

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-dns]

              Notes

                     On very busy DNS servers you may see a few dropped DNS  packets  in  your  logs.   This  is
                     normal.   The  iptables  connection tracker will timeout the session and lose unmatched DNS
                     packets     that     arrive     too     late      to      be      useful.       [WIKI-dns]:
                     http://en.wikipedia.org/wiki/Domain_Name_System

   service: echo
       Echo Protocol
              Example:

                       server echo accept

              Service Type:

              • simple

              Server Ports:

              • tcp/7

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Echo_Protocol)

   service: emule
       eMule (Donkey network client)
              Example:

                       client emule accept src 192.0.2.1

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • many

              Links

              • [Homepage][HOME-emule]

              Notes

                     According         to         eMule        Port        Definitions        (http://www.emule-
                     project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=122), FireHOL defines:

                     • Accept from any client port to the server at tcp/4661

                     • Accept from any client port to the server at tcp/4662

                     • Accept from any client port to the server at udp/4665

                     • Accept from any client port to the server at udp/4672

                     • Accept from any server port to the client at tcp/4662

                     • Accept from any server port to the client at udp/4672

                     Use the FireHOL firehol-client(5) command to match the eMule client.

                     Please  note  that  the   eMule   client   is   an   HTTP   client   also.    [HOME-emule]:
                     http://www.emule-project.com

   service: eserver
       eDonkey network server
              Example:

                       server eserver accept

              Service Type:

              • simple

              Server Ports:

              • tcp/4661 udp/4661 udp/4665

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Eserver)

   service: ESP
       IPSec Encapsulated Security Payload (ESP)
              Example:

                       server ESP accept

              Service Type:

              • simple

              Server Ports:

              • 50/any

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-ESP]

              Notes

                     For    more    information    see    this    Archive   of   the   FreeS/WAN   documentation
                     (http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#ESP.ipsec)
                     RFC            2406           (http://www.ietf.org/rfc/rfc2406.txt).            [WIKI-ESP]:
                     http://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload

   service: finger
       Finger Protocol
              Example:

                       server finger accept

              Service Type:

              • simple

              Server Ports:

              • tcp/79

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Finger_protocol)

   service: ftp
       File Transfer Protocol
              Example:

                       server ftp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/21

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_ftp              CONFIG_NF_CONNTRACK_FTP              (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_FTP.html)

              Netfilter NAT Modules

              • nf_nat_ftp CONFIG_NF_NAT_FTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_FTP.html)

              Links

              • [Wikipedia][WIKI-ftp]

              Notes

                     The   FTP   service   matches   both  active  and  passive  FTP  connections.   [WIKI-ftp]:
                     http://en.wikipedia.org/wiki/Ftp

   service: gift
       giFT Internet File Transfer
              Example:

                       server gift accept

              Service Type:

              • simple

              Server Ports:

              • tcp/4302 tcp/1214 tcp/2182 tcp/2472

              Client Ports:

              • any

              Links

              • [Homepage][HOME-gift]

              • [Wikipedia][WIKI-gift]

              Notes

                     The gift FireHOL service supports:

                     • Gnutella listening at tcp/4302

                     • FastTrack listening at tcp/1214

                     • OpenFT listening at tcp/2182 and tcp/2472

                     The above ports are the defaults given for the corresponding giFT modules.

                     To allow access to the  user  interface  ports  of  giFT,  use  the  giftui.   [HOME-gift]:
                     http://gift.sourceforge.net [WIKI-gift]: http://en.wikipedia.org/wiki/GiFT

   service: giftui
       giFT Internet File Transfer User Interface
              Example:

                       server giftui accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1213

              Client Ports:

              • default

              Links

              • [Homepage][HOME-giftui]

              • [Wikipedia][WIKI-giftui]

              Notes

                     This service refers only to the user interface ports offered by giFT.  To allow gift accept
                     P2P requests, use  the  gift.   [HOME-giftui]:  http://gift.sourceforge.net  [WIKI-giftui]:
                     http://en.wikipedia.org/wiki/GiFT

   service: gkrellmd
       GKrellM Daemon
              Example:

                       server gkrellmd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/19150

              Client Ports:

              • default

              Links

              • Homepage (http://gkrellm.net/)

              • Wikipedia (http://en.wikipedia.org/wiki/Gkrellm)

   service: GRE
       Generic Routing Encapsulation
              Example:

                       server GRE accept

              Service Type:

              • simple

              Server Ports:

              • 47/any

              Client Ports:

              • any

              Netfilter Modules

              • nf_conntrack_proto_gre            CONFIG_NF_CT_PROTO_GRE           (http://cateee.net/lkddb/web-
                lkddb/NF_CT_PROTO_GRE.html)

              Netfilter NAT Modules

              • nf_nat_proto_gre              CONFIG_NF_NAT_PROTO_GRE              (http://cateee.net/lkddb/web-
                lkddb/NF_NAT_PROTO_GRE.html)

              Links

              • [Wikipedia][WIKI-GRE]

              Notes

                     Protocol No 47.

                     For  more  information see RFC RFC 2784 (http://www.ietf.org/rfc/rfc2784.txt).  [WIKI-GRE]:
                     http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation

   service: h323
       H.323 VoIP
              Example:

                       server h323 accept

              Service Type:

              • simple

              Server Ports:

              • udp/1720 tcp/1720

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_h323             CONFIG_NF_CONNTRACK_H323             (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_H323.html)

              Netfilter NAT Modules

              • nf_nat_h323 CONFIG_NF_NAT_H323 (http://cateee.net/lkddb/web-lkddb/NF_NAT_H323.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/H323)

   service: heartbeat
       HeartBeat
              Example:

                       server heartbeat accept

              Service Type:

              • simple

              Server Ports:

              • udp/690:699

              Client Ports:

              • default

              Links

              • [Homepage][HOME-heartbeat]

              Notes

                     This  FireHOL  service  has  been designed such a way that it will allow multiple heartbeat
                     clusters on the same LAN.  [HOME-heartbeat]: http://www.linux-ha.org/

   service: http
       Hypertext Transfer Protocol
              Example:

                       server http accept

              Service Type:

              • simple

              Server Ports:

              • tcp/80

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Http)

   service: httpalt
       HTTP alternate port
              Example:

                       server httpalt accept

              Service Type:

              • simple

              Server Ports:

              • tcp/8080

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-httpalt]

              Notes

                     This port is commonly used by web servers, web proxies and caches where the  standard  http
                     port    is   not   available   or   can   or   should   not   be   used.    [WIKI-httpalt]:
                     http://en.wikipedia.org/wiki/Http

   service: https
       Secure Hypertext Transfer Protocol
              Example:

                       server https accept

              Service Type:

              • simple

              Server Ports:

              • tcp/443

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Https)

   service: hylafax
       HylaFAX
              Example:

                       server hylafax accept

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • many

              Links

              • [Homepage][HOME-hylafax]

              • [Wikipedia][WIKI-hylafax]

              Notes

                     This service allows incoming requests to server port tcp/4559 and outgoing from server port
                     tcp/4558.

                     The correct operation of this service has not been verified.

                     USE  THIS  WITH CARE.  A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from
                     port     tcp/4558).       [HOME-hylafax]:      http://www.hylafax.org/      [WIKI-hylafax]:
                     http://en.wikipedia.org/wiki/Hylafax

   service: iax
       Inter-Asterisk eXchange
              Example:

                       server iax accept

              Service Type:

              • simple

              Server Ports:

              • udp/5036

              Client Ports:

              • default

              Links

              • [Homepage][HOME-iax]

              • [Wikipedia][WIKI-iax]

              Notes

                     This   service   refers   to   IAX   version   1.    There   is   also  iax2.   [HOME-iax]:
                     http://www.asterisk.org [WIKI-iax]: http://en.wikipedia.org/wiki/Iax

   service: iax2
       Inter-Asterisk eXchange v2
              Example:

                       server iax2 accept

              Service Type:

              • simple

              Server Ports:

              • udp/5469 udp/4569

              Client Ports:

              • default

              Links

              • [Homepage][HOME-iax2]

              • [Wikipedia][WIKI-iax2]

              Notes

                     This  service  refers   to   IAX   version   2.    There   is   also   iax.    [HOME-iax2]:
                     http://www.asterisk.org [WIKI-iax2]: http://en.wikipedia.org/wiki/Iax

   service: ICMP
       Internet Control Message Protocol
              Example:

                       server ICMP accept

              Service Type:

              • simple

              Server Ports:

              • icmp/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol)

   service: icmp
       Internet Control Message Protocol
              Alias for ICMP

   service: ICMPV6
       Internet Control Message Protocol v6
              Example:

                       server ICMPV6 accept

              Service Type:

              • simple

              Server Ports:

              • icmpv6/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/ICMPv6)

   service: icmpv6
       Internet Control Message Protocol v6
              Alias for ICMPV6

   service: icp
       Internet Cache Protocol
              Example:

                       server icp accept

              Service Type:

              • simple

              Server Ports:

              • udp/3130

              Client Ports:

              • 3130

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Internet_Cache_Protocol)

   service: ident
       Identification Protocol
              Example:

                       server ident reject with tcp-reset

              Service Type:

              • simple

              Server Ports:

              • tcp/113

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ident_protocol)

   service: imap
       Internet Message Access Protocol
              Example:

                       server imap accept

              Service Type:

              • simple

              Server Ports:

              • tcp/143

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Imap)

   service: imaps
       Secure Internet Message Access Protocol
              Example:

                       server imaps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/993

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Imap)

   service: ipsecnatt
       NAT traversal and IPsec
              Service Type:

              • simple

              Server Ports:

              • udp/4500

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/NAT_traversal#IPsec_traversal_across_NAT)

   service: ipv6error
       ICMPv6 Error Handling
              Example:

                       server ipv6error accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Notes

                     This  service is not needed from 3.0.0.  It will do nothing but issue a warning from 3.1.0;
                     it will be removed in 4.0.0.

                     The linux connection tracker ensures that ICMPv6  errors  are  marked  as  RELATED.   Since
                     3.0.0, these are automatially accepted by FireHOL, making a separate command redundant.

   service: ipv6mld
       IPv6 Multicast Listener Discovery for IPv6
              Example:

                       client ipv6mld accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • [Wikipedia][WIKI-ipv6mld]

              Notes

                     IPv6  uses  Multicast  Listener Discovery to discover multicast listeners and what they are
                     listening for.

                     In practice all IPv6 nodes are multicast listeners since multicast is used in the neighbour
                     discovery protocol which replaces ARP in IPv4.

                     These rules are stateless since reports can happen automatically as well as on query.

                     Unless  muticast  snooping  is  disabled  across the network, MLD should be enabled for any
                     clients:

                     client ipv6mld accept

                     MLD should also be enabled as a server on any hosts acting as a router:

                     server ipv6mld accept

                     The rules should generally not be used to pass packets across a firewall (e.g.  in a router
                     definition) unless the firewall is for a bridge.

                     This  service  implicitly  sets  its  client  or  server  to  ipv6  mode.   [WIKI-ipv6mld]:
                     https://en.wikipedia.org/wiki/Multicast_Listener_Discovery

   service: ipv6neigh
       IPv6 Neighbour discovery
              Example:

                       client ipv6neigh accept
                       server ipv6neigh accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • [Wikipedia][WIKI-ipv6neigh]

              Notes

                     IPv6 uses the Neighbour Discovery Protocol to do automatic configuration of routes  and  to
                     replace   ARP.    To   allow   this   functionality   the   network  neighbour  and  router
                     solicitation/advertisement messages should be enabled on each interface.

                     These rules are stateless since advertisement  can  happen  automatically  as  well  as  on
                     solicitation.

                     Neighbour discovery (incoming) should always be enabled:

                     server ipv6neigh accept

                     Neighbour advertisement (outgoing) should always be enabled:

                     client ipv6neigh accept

                     The  rules  should  not  be  used  to  pass  packets  across  a firewall (e.g.  in a router
                     definition) unless the firewall is for a bridge.

                     This service implicitly  sets  its  client  or  server  to  ipv6  mode.   [WIKI-ipv6neigh]:
                     https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

   service: ipv6router
       IPv6 Router discovery
              Example:

                       client ipv6router accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • [Wikipedia][WIKI-ipv6router]

              Notes

                     IPv6  uses  the Neighbour Discovery Protocol to do automatic configuration of routes and to
                     replace  ARP.   To  allow   this   functionality   the   network   neighbour   and   router
                     solicitation/advertisement messages should be enabled on each interface.

                     These  rules  are  stateless  since  advertisement  can  happen automatically as well as on
                     solicitation.

                     Router discovery (incoming) should always be enabled:

                     client ipv6router accept

                     Router advertisement (outgoing) should be enabled on a host that routes:

                     server ipv6router accept

                     The rules should not be used  to  pass  packets  across  a  firewall  (e.g.   in  a  router
                     definition) unless the firewall is for a bridge.

                     This  service  implicitly  sets  its  client  or  server  to ipv6 mode.  [WIKI-ipv6router]:
                     https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

   service: irc
       Internet Relay Chat
              Example:

                       server irc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/6667

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_irc              CONFIG_NF_CONNTRACK_IRC              (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_IRC.html)

              Netfilter NAT Modules

              • nf_nat_irc CONFIG_NF_NAT_IRC (http://cateee.net/lkddb/web-lkddb/NF_NAT_IRC.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Internet_Relay_Chat)

   service: isakmp
       Internet Security Association and Key Management Protocol (IKE)
              Example:

                       server isakmp accept

              Service Type:

              • simple

              Server Ports:

              • udp/500

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-isakmp]

              Notes

                     For    more    information    see    the    Archive    of   the   FreeS/WAN   documentation
                     (http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#IKE.ipsec)
                     [WIKI-isakmp]: http://en.wikipedia.org/wiki/ISAKMP

   service: jabber
       Extensible Messaging and Presence Protocol
              Example:

                       server jabber accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5222 tcp/5223

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-jabber]

              Notes

                     Allows      clear     and     SSL     client-to-server     connections.      [WIKI-jabber]:
                     http://en.wikipedia.org/wiki/Jabber

   service: jabberd
       Extensible Messaging and Presence Protocol (Server)
              Example:

                       server jabberd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5222 tcp/5223 tcp/5269

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-jabberd]

              Notes

                     Allows clear and SSL client-to-server and server-to-server connections.

                     Use  this  service  for  a  jabberd  server.   In  all  other  cases,   use   the   jabber.
                     [WIKI-jabberd]: http://en.wikipedia.org/wiki/Jabber

   service: l2tp
       Layer 2 Tunneling Protocol
              Service Type:

              • simple

              Server Ports:

              • udp/1701

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/L2tp)

   service: ldap
       Lightweight Directory Access Protocol
              Example:

                       server ldap accept

              Service Type:

              • simple

              Server Ports:

              • tcp/389

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ldap)

   service: ldaps
       Secure Lightweight Directory Access Protocol
              Example:

                       server ldaps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/636

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ldap)

   service: lpd
       Line Printer Daemon Protocol
              Example:

                       server lpd accept

              Service Type:

              • simple

              Server Ports:

              • tcp/515

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-lpd]

              Notes

                     LPD is documented in RFC 1179 (http://www.ietf.org/rfc/rfc1179.txt).

                     Since  many  operating systems incorrectly use the non-default client ports for LPD access,
                     this definition allows any client port to access  the  service  (in  addition  to  the  RFC
                     defined           721           to           731          inclusive).           [WIKI-lpd]:
                     http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol

   service: microsoft_ds
       Direct Hosted (NETBIOS-less) SMB
              Example:

                       server microsoft_ds accept

              Service Type:

              • simple

              Server Ports:

              • tcp/445

              Client Ports:

              • default

              Notes

                     Direct Hosted (i.e.  NETBIOS-less SMB)

                     This is another NETBIOS Session Service with minor differences  with  netbios_ssn.   It  is
                     supported  only  by  Windows  2000  and  Windows  XP  and  it offers the advantage of being
                     independent of WINS for name resolution.

                     It seems that samba supports transparently this protocol on the netbios_ssn ports, so  that
                     either direct hosted or traditional SMB can be served simultaneously.

                     Please refer to the netbios_ssn for more information.

   service: mms
       Microsoft Media Server
              Example:

                       server mms accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1755 udp/1755

              Client Ports:

              • default

              Netfilter Modules

              • See here (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).

              Netfilter NAT Modules

              • See here (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).

              Links

              • [Wikipedia][WIKI-mms]

              Notes

                     Microsoft's proprietary network streaming protocol used to transfer unicast data in Windows
                     Media     Services     (previously     called     NetShow      Services).       [WIKI-mms]:
                     http://en.wikipedia.org/wiki/Microsoft_Media_Server

   service: msn
       Microsoft MSN Messenger Service
              Example:

                       server msn accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1863 udp/1863

              Client Ports:

              • default

   service: msnp
       msnp   Example:

                       server msnp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/6891

              Client Ports:

              • default

   service: ms_ds
       Direct Hosted (NETBIOS-less) SMB
              Alias for microsoft_ds

   service: multicast
       Multicast
              Example:

                       server multicast reject with proto-unreach

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • [Wikipedia][WIKI-multicast]

              Notes

                     The  multicast  service matches all packets sent to the $MULTICAST_IPS addresses using IGMP
                     or UDP.  For IPv4  that  means  224.0.0.0/4  and  for  IPv6  FF00::/16.   [WIKI-multicast]:
                     http://en.wikipedia.org/wiki/Multicast

   service: mysql
       MySQL  Example:

                       server mysql accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3306

              Client Ports:

              • default

              Links

              • Homepage (http://www.mysql.com/)

              • Wikipedia (http://en.wikipedia.org/wiki/Mysql)

   service: netbackup
       Veritas NetBackup service
              Example:

                       server netbackup accept
                       client netbackup accept

              Service Type:

              • simple

              Server Ports:

              • tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724 tcp/13782 tcp/13783

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-netbackup]

              Notes

                     To  use  this service you must define it as both client and server in NetBackup clients and
                     NetBackup servers.  [WIKI-netbackup]: http://en.wikipedia.org/wiki/Netbackup

   service: netbios_dgm
       NETBIOS Datagram Distribution Service
              Example:

                       server netbios_dgm accept

              Service Type:

              • simple

              Server Ports:

              • udp/138

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-netbios_dgm]

              Notes

                     See also the samba.

                     Keep in mind that this service broadcasts (to  the  broadcast  address  of  your  LAN)  UDP
                     packets.   If you place this service within an interface that has a dst parameter, remember
                     to  include  (in  the  dst  parameter)   the   broadcast   address   of   your   LAN   too.
                     [WIKI-netbios_dgm]: http://en.wikipedia.org/wiki/Netbios#Datagram_distribution_service

   service: netbios_ns
       NETBIOS Name Service
              Example:

                       server netbios_ns accept

              Service Type:

              • simple

              Server Ports:

              • udp/137

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-netbios_ns]

              Notes

                     See also the samba.  [WIKI-netbios_ns]: http://en.wikipedia.org/wiki/Netbios#Name_service

   service: netbios_ssn
       NETBIOS Session Service
              Example:

                       server netbios_ssn accept

              Service Type:

              • simple

              Server Ports:

              • tcp/139

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-netbios_ssn]

              Notes

                     See also the samba.

                     Please  keep  in  mind that newer NETBIOS clients prefer to use port 445 (microsoft_ds) for
                     the NETBIOS session service, and when this is not available they  fall  back  to  port  139
                     (netbios_ssn).  Versions of samba above 3.x bind automatically to ports 139 and 445.

                     If  you  have  an  older  samba  version and your policy on an interface or router is DROP,
                     clients trying to access port 445 will have to timeout before falling  back  to  port  139.
                     This timeout can be up to several minutes.

                     To  overcome  this  problem  you  can  explicitly  REJECT the microsoft_ds with a tcp-reset
                     message:

                     server       microsoft_ds       reject       with       tcp-reset       [WIKI-netbios_ssn]:
                     http://en.wikipedia.org/wiki/Netbios#Session_service

   service: nfs
       Network File System
              Example:

                       client nfs accept dst 192.0.2.1

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • N/A

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Network_File_System_%28protocol%29)

              Notes

                     The  NFS service queries the RPC service on the NFS server host to find out the ports nfsd,
                     mountd, lockd and rquotad are listening.  Then, according to these ports it sets  up  rules
                     on  all  the  supported  protocols  (as reported by RPC) in order the clients to be able to
                     reach the server.

                     For this reason, the NFS service requires that:

                     • the firewall is restarted if the NFS server is restarted

                     • the NFS server must be specified on all nfs statements (only if it is not the localhost)

                     Since NFS queries the remote RPC server, it is required to also be allowed  to  do  so,  by
                     allowing  the  portmap  too.   Take  care that this is allowed by the running firewall when
                     FireHOL tries to query the RPC server.  So you might have to setup NFS in two steps:  First
                     add the portmap service and activate the firewall, then add the NFS service and restart the
                     firewall.

                     To avoid this you can setup your NFS server to listen on pre-defined ports,  as  documented
                     in  NFS Howto (http://nfs.sourceforge.net/nfs-howto/ar01s06.html#nfs_firewalls).  If you do
                     this then you will have to define the the ports using the  procedure  described  in  Adding
                     Services in firehol.conf(5).

   service: nis
       Network Information Service
              Example:

                       client nis accept dst 192.0.2.1

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • N/A

              Links

              • [Wikipedia][WIKI-nis]

              Notes

                     The nis service queries the RPC service on the nis server host to find out the ports ypserv
                     and yppasswdd are listening.  Then, according to these ports it sets up rules  on  all  the
                     supported  protocols  (as  reported  by  RPC)  in order the clients to be able to reach the
                     server.

                     For this reason, the nis service requires that:

                     • the firewall is restarted if the nis server is restarted

                     • the nis server must be specified on all nis statements (only if it is not the localhost)

                     Since nis queries the remote RPC server, it is required to also be allowed  to  do  so,  by
                     allowing  the  portmap  too.   Take  care that this is allowed by the running firewall when
                     FireHOL tries to query the RPC server.  So you might have to setup nis in two steps:  First
                     add the portmap service and activate the firewall, then add the nis service and restart the
                     firewall.

                     This     service     was      added      to      FireHOL      by      Carlos      Rodrigues
                     (http://sourceforge.net/p/firehol/feature-requests/20/).    His   comments  regarding  this
                     implementation, are:

                     These rules work for client access only!

                     Pushing changes to slave servers won't work if these rules are active somewhere between the
                     master  and  its slaves, because it is impossible to predict the ports where yppush will be
                     listening on each push.

                     Pulling changes directly on the slaves will work, and could be improved performance-wise if
                     these  rules  are  modified to open fypxfrd.  This wasn't done because it doesn't make that
                     much sense since pushing changes on the master server is the most common, and  recommended,
                     way               to               replicate               maps.                [WIKI-nis]:
                     http://en.wikipedia.org/wiki/Network_Information_Service

   service: nntp
       Network News Transfer Protocol
              Example:

                       server nntp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/119

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Nntp)

   service: nntps
       Secure Network News Transfer Protocol
              Example:

                       server nntps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/563

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Nntp)

   service: nrpe
       Nagios NRPE
              Service Type:

              • simple

              Server Ports:

              • tcp/5666

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Nagios#NRPE)

   service: ntp
       Network Time Protocol
              Example:

                       server ntp accept

              Service Type:

              • simple

              Server Ports:

              • udp/123 tcp/123

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Network_Time_Protocol)

   service: nut
       Network UPS Tools
              Example:

                       server nut accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3493 udp/3493

              Client Ports:

              • default

              Links

              • Homepage (http://www.networkupstools.org/)

   service: nxserver
       NoMachine NX Server
              Example:

                       server nxserver accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5000:5200

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-nxserver]

              Notes

                     Default ports used by NX server for connections without encryption.

                     Note that nxserver also needs the ssh to be enabled.

                     This information has been extracted from this The TCP ports used by  nxserver  are  4000  +
                     DISPLAY_BASE  to  4000  + DISPLAY_BASE + DISPLAY_LIMIT.  DISPLAY_BASE and DISPLAY_LIMIT are
                     set in /usr/NX/etc/node.conf and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200.

                     For   encrypted   nxserver   sessions,    only    ssh    is    needed.     [WIKI-nxserver]:
                     http://en.wikipedia.org/wiki/NX_Server

   service: openvpn
       OpenVPN
              Service Type:

              • simple

              Server Ports:

              • tcp/1194 udp/1194

              Client Ports:

              • default

              Links

              • Homepage (http://openvpn.net/)

              • Wikipedia (http://en.wikipedia.org/wiki/OpenVPN)

   service: oracle
       Oracle Database
              Example:

                       server oracle accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1521

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Oracle_db)

   service: OSPF
       Open Shortest Path First
              Example:

                       server OSPF accept

              Service Type:

              • simple

              Server Ports:

              • 89/any

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Ospf)

   service: ping
       Ping (ICMP echo)
              Example:

                       server ping accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • [Wikipedia][WIKI-ping]

              Notes

                     This  services  matches  requests of protocol ICMP and type echo-request (TYPE=8) and their
                     replies of type echo-reply (TYPE=0).

                     The ping service is stateful.  [WIKI-ping]: http://en.wikipedia.org/wiki/Ping

   service: pop3
       Post Office Protocol
              Example:

                       server pop3 accept

              Service Type:

              • simple

              Server Ports:

              • tcp/110

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Pop3)

   service: pop3s
       Secure Post Office Protocol
              Example:

                       server pop3s accept

              Service Type:

              • simple

              Server Ports:

              • tcp/995

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Pop3)

   service: portmap
       Open Network Computing Remote Procedure Call - Port Mapper
              Example:

                       server portmap accept

              Service Type:

              • simple

              Server Ports:

              • udp/111 tcp/111

              Client Ports:

              • any

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Portmap)

   service: postgres
       PostgreSQL
              Example:

                       server postgres accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5432

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Postgres)

   service: pptp
       Point-to-Point Tunneling Protocol
              Example:

                       server pptp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1723

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_pptp             CONFIG_NF_CONNTRACK_PPTP             (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_PPTP.html)

              • nf_conntrack_proto_gre            CONFIG_NF_CT_PROTO_GRE           (http://cateee.net/lkddb/web-
                lkddb/NF_CT_PROTO_GRE.html)

              Netfilter NAT Modules

              • nf_nat_pptp CONFIG_NF_NAT_PPTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_PPTP.html)

              • nf_nat_proto_gre              CONFIG_NF_NAT_PROTO_GRE              (http://cateee.net/lkddb/web-
                lkddb/NF_NAT_PROTO_GRE.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Pptp)

   service: privoxy
       Privacy Proxy
              Example:

                       server privoxy accept

              Service Type:

              • simple

              Server Ports:

              • tcp/8118

              Client Ports:

              • default

              Links

              • Homepage (http://www.privoxy.org/)

   service: radius
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radius accept

              Service Type:

              • simple

              Server Ports:

              • udp/1812 udp/1813

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: radiusold
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radiusold accept

              Service Type:

              • simple

              Server Ports:

              • udp/1645 udp/1646

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: radiusoldproxy
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radiusoldproxy accept

              Service Type:

              • simple

              Server Ports:

              • udp/1647

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: radiusproxy
       Remote Authentication Dial In User Service (RADIUS)
              Example:

                       server radiusproxy accept

              Service Type:

              • simple

              Server Ports:

              • udp/1814

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

   service: rdp
       Remote Desktop Protocol
              Example:

                       server rdp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3389

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-rdp]

              Notes

                     Remote   Desktop   Protocol   is   also  known  also  as  Terminal  Services.   [WIKI-rdp]:
                     http://en.wikipedia.org/wiki/Remote_Desktop_Protocol

   service: rndc
       Remote Name Daemon Control
              Example:

                       server rndc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/953

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Rndc)

   service: rsync
       rsync protocol
              Example:

                       server rsync accept

              Service Type:

              • simple

              Server Ports:

              • tcp/873 udp/873

              Client Ports:

              • default

              Links

              • Homepage (http://rsync.samba.org/)

              • Wikipedia (http://en.wikipedia.org/wiki/Rsync)

   service: rtp
       Real-time Transport Protocol
              Example:

                       server rtp accept

              Service Type:

              • simple

              Server Ports:

              • udp/10000:20000

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-rtp]

              Notes

                     RTP ports are generally all the UDP ports.  This definition narrows down RTP ports  to  UDP
                     10000 to 20000.  [WIKI-rtp]: http://en.wikipedia.org/wiki/Real-time_Transport_Protocol

   service: samba
       Samba  Example:

                       server samba accept

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • default

              Links

              • [Homepage][HOME-samba]

              • [Wikipedia][WIKI-samba]

              Notes

                     The samba service automatically sets all the rules for netbios_ns, netbios_dgm, netbios_ssn
                     and microsoft_ds.

                     Please refer to the notes of the above services for more information.

                     NETBIOS initiates based on the broadcast address of an interface (request goes to broadcast
                     address)  but  the  server  responds from its own IP address.  This makes the "server samba
                     accept" statement drop the server reply, because of the way the iptables connection tracker
                     works.

                     This  service  definition  includes  a  hack,  that  allows a Linux samba server to respond
                     correctly in such situations, by allowing new outgoing  connections  from  the  well  known
                     netbios_ns port to the clients high ports.

                     However,  for  clients  and  routers  this  hack  is  not applied because it would open all
                     unprivileged ports to the samba server.  The only solution to overcome the problem in  such
                     cases  (routers  or clients) is to build a trust relationship between the samba servers and
                     clients.            [HOME-samba]:            http://www.samba.org/            [WIKI-samba]:
                     http://en.wikipedia.org/wiki/Samba_(software)

   service: sane
       SANE Scanner service
              Service Type:

              • simple

              Server Ports:

              • tcp/6566

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_sane             CONFIG_NF_CONNTRACK_SANE             (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_SANE.html)

              Netfilter NAT Modules

              • N/A

              Links

              • Homepage (http://www.sane-project.org/)

   service: sip
       Session Initiation Protocol
              Example:

                       server sip accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5060 udp/5060

              Client Ports:

              • 5060 default

              Netfilter Modules

              • nf_conntrack_sip              CONFIG_NF_CONNTRACK_SIP              (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_SIP.html)

              Netfilter NAT Modules

              • nf_nat_sip CONFIG_NF_NAT_SIP (http://cateee.net/lkddb/web-lkddb/NF_NAT_SIP.html)

              Links

              • [Wikipedia][WIKI-sip]

              Notes

                     SIP  (http://www.voip-info.org/wiki/view/SIP)  is  an IETF standard protocol (RFC 2543) for
                     initiating interactive user sessions involving multimedia elements such  as  video,  voice,
                     chat,  gaming,  etc.   SIP  works in the application layer of the OSI communications model.
                     [WIKI-sip]: http://en.wikipedia.org/wiki/Session_Initiation_Protocol

   service: smtp
       Simple Mail Transport Protocol
              Example:

                       server smtp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/25

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol)

   service: smtps
       Secure Simple Mail Transport Protocol
              Example:

                       server smtps accept

              Service Type:

              • simple

              Server Ports:

              • tcp/465

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/SMTPS)

   service: snmp
       Simple Network Management Protocol
              Example:

                       server snmp accept

              Service Type:

              • simple

              Server Ports:

              • udp/161

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol)

   service: snmptrap
       SNMP Trap
              Example:

                       server snmptrap accept

              Service Type:

              • simple

              Server Ports:

              • udp/162

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-snmptrap]

              Notes

                     An  SNMP  trap  is  a  notification  from  an  agent  to   a   manager.    [WIKI-snmptrap]:
                     http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap

   service: socks
       SOCKet Secure
              Example:

                       server socks accept

              Service Type:

              • simple

              Server Ports:

              • tcp/1080 udp/1080

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-socks]

              Notes

                     See     also     RFC     1928     (http://www.ietf.org/rfc/rfc1928.txt).      [WIKI-socks]:
                     http://en.wikipedia.org/wiki/SOCKS

   service: squid
       Squid Web Cache
              Example:

                       server squid accept

              Service Type:

              • simple

              Server Ports:

              • tcp/3128

              Client Ports:

              • default

              Links

              • Homepage (http://www.squid-cache.org/)

              • Wikipedia (http://en.wikipedia.org/wiki/Squid_(software))

   service: ssh
       Secure Shell Protocol
              Example:

                       server ssh accept

              Service Type:

              • simple

              Server Ports:

              • tcp/22

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Secure_Shell)

   service: stun
       Session Traversal Utilities for NAT
              Example:

                       server stun accept

              Service Type:

              • simple

              Server Ports:

              • udp/3478 udp/3479

              Client Ports:

              • any

              Links

              • [Wikipedia][WIKI-stun]

              Notes

                     STUN (http://www.voip-info.org/wiki/view/STUN) is a protocol for assisting devices behind a
                     NAT     firewall     or     router     with    their    packet    routing.     [WIKI-stun]:
                     http://en.wikipedia.org/wiki/STUN

   service: submission
       SMTP over SSL/TLS submission
              Example:

                       server submission accept

              Service Type:

              • simple

              Server Ports:

              • tcp/587

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-submission]

              Notes

                     Submission is essentially normal SMTP  with  an  SSL/TLS  negotiation.   [WIKI-submission]:
                     http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol

   service: sunrpc
       Open Network Computing Remote Procedure Call - Port Mapper
              Alias for portmap

   service: swat
       Samba Web Administration Tool
              Example:

                       server swat accept

              Service Type:

              • simple

              Server Ports:

              • tcp/901

              Client Ports:

              • default

              Links

              • Homepage (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html)

   service: syslog
       Syslog Remote Logging Protocol
              Example:

                       server syslog accept

              Service Type:

              • simple

              Server Ports:

              • udp/514

              Client Ports:

              • 514 default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Syslog)

   service: telnet
       Telnet Example:

                       server telnet accept

              Service Type:

              • simple

              Server Ports:

              • tcp/23

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Telnet)

   service: tftp
       Trivial File Transfer Protocol
              Example:

                       server tftp accept

              Service Type:

              • simple

              Server Ports:

              • udp/69

              Client Ports:

              • default

              Netfilter Modules

              • nf_conntrack_tftp             CONFIG_NF_CONNTRACK_TFTP             (http://cateee.net/lkddb/web-
                lkddb/NF_CONNTRACK_TFTP.html)

              Netfilter NAT Modules

              • nf_nat_tftp CONFIG_NF_NAT_TFTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_TFTP.html)

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol)

   service: time
       Time Protocol
              Example:

                       server time accept

              Service Type:

              • simple

              Server Ports:

              • tcp/37 udp/37

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Time_Protocol)

   service: timestamp
       ICMP Timestamp
              Example:

                       server timestamp accept

              Service Type:

              • complex

              Server Ports:

              • N/A

              Client Ports:

              • N/A

              Links

              • [Wikipedia][WIKI-timestamp]

              Notes

                     This services matches requests of protocol ICMP and type  timestamp-request  (TYPE=13)  and
                     their replies of type timestamp-reply (TYPE=14).

                     The         timestamp         service         is        stateful.         [WIKI-timestamp]:
                     http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Timestamp

   service: tomcat
       HTTP alternate port
              Alias for httpalt

   service: upnp
       Universal Plug and Play
              Example:

                       server upnp accept

              Service Type:

              • simple

              Server Ports:

              • udp/1900 tcp/2869

              Client Ports:

              • default

              Links

              • [Homepage][HOME-upnp]

              • [Wikipedia][WIKI-upnp]

              Notes

                     For  a   Linux   implementation   see:   Linux   IGD   (http://linux-igd.sourceforge.net/).
                     [HOME-upnp]:                    http://upnp.sourceforge.net/                   [WIKI-upnp]:
                     http://en.wikipedia.org/wiki/Universal_Plug_and_Play

   service: uucp
       Unix-to-Unix Copy
              Example:

                       server uucp accept

              Service Type:

              • simple

              Server Ports:

              • tcp/540

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/UUCP)

   service: vmware
       vmware Example:

                       server vmware accept

              Service Type:

              • simple

              Server Ports:

              • tcp/902

              Client Ports:

              • default

              Notes

                     Used    from     VMWare     1     and     up.      See     the     VMWare     KnowledgeBase
                     (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).

   service: vmwareauth
       vmwareauth
              Example:

                       server vmwareauth accept

              Service Type:

              • simple

              Server Ports:

              • tcp/903

              Client Ports:

              • default

              Notes

                     Used    from     VMWare     1     and     up.      See     the     VMWare     KnowledgeBase
                     (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).

   service: vmwareweb
       vmwareweb
              Example:

                       server vmwareweb accept

              Service Type:

              • simple

              Server Ports:

              • tcp/8222 tcp/8333

              Client Ports:

              • default

              Notes

                     Used   from   VMWare   2   and   up.     See    VMWare    Server    2.0    release    notes
                     (http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html)   and   the  VMWare
                     KnowledgeBase
                     (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).

   service: vnc
       Virtual Network Computing
              Example:

                       server vnc accept

              Service Type:

              • simple

              Server Ports:

              • tcp/5900:5903

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-vnc]

              Notes

                     VNC     is      a      graphical      desktop      sharing      protocol.       [WIKI-vnc]:
                     http://en.wikipedia.org/wiki/Virtual_Network_Computing

   service: webcache
       HTTP alternate port
              Alias for httpalt

   service: webmin
       Webmin Administration System
              Example:

                       server webmin accept

              Service Type:

              • simple

              Server Ports:

              • tcp/10000

              Client Ports:

              • default

              Links

              • Homepage (http://www.webmin.com/)

   service: whois
       WHOIS Protocol
              Example:

                       server whois accept

              Service Type:

              • simple

              Server Ports:

              • tcp/43

              Client Ports:

              • default

              Links

              • Wikipedia (http://en.wikipedia.org/wiki/Whois)

   service: xbox
       Xbox Live
              Example:

                       client xbox accept

              Service Type:

              • complex

              Server Ports:

              • many

              Client Ports:

              • default

              Notes

                     Definition for the Xbox live service.

                     See program source for contributor details.

   service: xdmcp
       X Display Manager Control Protocol
              Example:

                       server xdmcp accept

              Service Type:

              • simple

              Server Ports:

              • udp/177

              Client Ports:

              • default

              Links

              • [Wikipedia][WIKI-xdmcp]

              Notes

                     See   Gnome   Display   Manager   (http://www.jirka.org/gdm-documentation/x70.html)  for  a
                     discussion about XDMCP and firewalls (Gnome Display Manager  is  a  replacement  for  XDM).
                     [WIKI-xdmcp]:
                     http://en.wikipedia.org/wiki/X_display_manager_(program_type)#X_Display_Manager_Control_Protocol

AUTHORS

       FireHOL Team.