Provided by: sanewall-doc_1.0.2+ds-2_all 

NAME
sanewall-services - Sanewall service list
SERVICES
This Wikipedia list of ports[1] may be helpful if you need to define a new service.
AH - IPSec Authentication Header (AH)
Example
Configuration sample:
server AH accept
Server Ports
51/any
Client Ports
any
Links
Wikipedia[2]
Notes
For more information see this Archive of the FreeS/WAN documentation[3] and RFC 2402[4].
all - Match all traffic
Example
Configuration sample:
server all accept
Server Ports
all
Client Ports
all
Notes
Matches all traffic (all protocols, ports, etc.) while ensuring that the required kernel modules are
loaded.
This service may indirectly set up a set of other services if they require kernel modules to be
loaded. The following complex services are activated:
ftp - File Transfer Protocol
irc - Internet Relay Chat
amanda - Advanced Maryland Automatic Network Disk Archiver
Server Ports
udp/10080
Client Ports
default
Netfilter Modules
nf_conntrack_amanda (CONFIG_NF_CONNTRACK_AMANDA[5])
Netfilter NAT Modules
nf_nat_amanda (CONFIG_NF_NAT_AMANDA[6])
Links
Homepage[7], Wikipedia[8]
any - Match all traffic (without modules or indirect)
Example
Configuration sample:
server any myname accept proto 47
Server Ports
all
Client Ports
all
Notes
Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not
activate any other service indirectly. In combination with the optional rule parameters
(sanewall-rule-params(5)), this service can match unusual traffic (e.g. GRE - protocol 47).
anystateless - Match all traffic statelessly
Example
Configuration sample:
server anystateless myname accept proto 47
Server Ports
all
Client Ports
all
Notes
Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not
activate any other service indirectly. In combination with the optional rule parameters
(sanewall-rule-params(5)), this service can match unusual traffic (e.g. GRE - protocol 47).
This service is identical to "any" but does not care about the state of the traffic.
apcupsd - APC UPS Daemon
Example
Configuration sample:
server apcupsd accept
Server Ports
tcp/6544
Client Ports
default
Links
Homepage[9], Wikipedia[10]
Notes
This service must be defined as "server apcupsd accept" on all machines not directly connected to the
UPS (i.e. slaves).
Note that the port defined here is not the default port (6666) used if you download and compile
APCUPSD, since that default conflicts with IRC; many distributions (like Debian) have changed it
to 6544.
You can make APCUPSD use port 6544 by changing the value of NETPORT in its configuration file, or
override this Sanewall service definition using the procedures described in the section called
“ADDING SERVICES” of Sanewall configuration: sanewall.conf(5).
apcupsdnis - APC UPS Daemon Network Information Server
Example
Configuration sample:
server apcupsdnis accept
Server Ports
tcp/3551
Client Ports
default
Links
Homepage[9], Wikipedia[10]
Notes
This service allows the remote web interfaces of APCUPSD[11] to connect to, and get information from, the
server directly connected to the UPS device.
aptproxy - Advanced Packaging Tool Proxy
Example
Configuration sample:
server aptproxy accept
Server Ports
tcp/9999
Client Ports
default
Links
Wikipedia[12]
asterisk - Asterisk PABX
Example
Configuration sample:
server asterisk accept
Server Ports
tcp/5038
Client Ports
default
Links
Homepage[13], Wikipedia[14]
Notes
This service refers only to the manager interface of Asterisk. If you enable the corresponding channel
drivers of Asterisk, you should normally also enable sip - Session Initiation Protocol, h323 - H.323
VoIP, rtp - Real-time Transport Protocol, etc. at the firewall level.
cups - Common UNIX Printing System
Example
Configuration sample:
server cups accept
Server Ports
tcp/631 udp/631
Client Ports
any
Links
Homepage[15], Wikipedia[16]
custom - Custom definitions
Example
Configuration sample:
server custom myimap tcp/143 default accept
Server Ports
N/A
Client Ports
N/A
Notes
The full syntax is:
subcommand custom name svr-proto/ports cli-ports action params
This service is used by Sanewall to allow you to create rules for services which do not have a
definition.
subcommand, action and params have their usual meanings.
A name must be supplied along with server ports in the form proto/range and client ports, which take
only a range.
To define services with the built-in extension mechanism and avoid the need for custom services, see
the section called “ADDING SERVICES” of Sanewall configuration: sanewall.conf(5).
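The following is an added example, not sanewall's own parser: it checks a "custom" line against the syntax described above (subcommand custom name svr-proto/ports cli-ports action params) and reports what the rule actually opens, the check a reviewer wants before a hand-written service goes into production. It assumes only the "server" and "client" subcommands and the four actions listed in the code, and it assumes that a quoted, space-separated list such as "udp/1194 tcp/1194" is accepted as the server ports; the numeric-protocol form (47/any) follows the GRE and AH entries on this page.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Assumptions (not from the sanewall man page): recognised subcommands and actions.
SUBCOMMANDS = {"server", "client"}
ACTIONS = {"accept", "reject", "drop", "return"}
RANGE_RE = re.compile(r"^(?P<lo>\d{1,5})(?::(?P<hi>\d{1,5}))?$")
ANY = (None, None)  # the "any" port range


@dataclass(frozen=True)
class PortSpec:
    proto: str          # "tcp", "udp" or a numeric IP protocol such as "47"
    lo: Optional[int]   # lo=hi=None means "any"
    hi: Optional[int]


def parse_range(text: str) -> Tuple[Optional[int], Optional[int]]:
    """Parse 'any', 'N' or 'N:M' into (lo, hi); (None, None) means any port."""
    if text == "any":
        return ANY
    m = RANGE_RE.match(text)
    if not m:
        raise ValueError(f"bad port range {text!r}")
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return lo, hi


def parse_server_ports(text: str) -> List[PortSpec]:
    """Server ports are proto/range; several may be given inside one quoted word."""
    specs = []
    for item in text.split():
        proto, sep, rng = item.partition("/")
        if not sep:
            raise ValueError(f"server port {item!r} must be proto/range")
        if not (proto in ("tcp", "udp") or proto.isdigit()):
            raise ValueError(f"unknown protocol {proto!r}")
        specs.append(PortSpec(proto, *parse_range(rng)))
    return specs


@dataclass
class CustomRule:
    subcommand: str
    name: str
    server_ports: List[PortSpec]
    client_ports: Union[str, Tuple[Optional[int], Optional[int]]]  # "default" or a range
    action: str
    params: List[str]


def parse_custom(line: str) -> CustomRule:
    """Split one custom service line into its parts, validating each of them."""
    tokens = shlex.split(line)  # honours quotes around a multi-port list
    if len(tokens) < 6 or tokens[1] != "custom":
        raise ValueError("expected: subcommand custom name svr-proto/ports cli-ports action [params]")
    sub, _, name, svr, cli, action, *params = tokens
    if sub not in SUBCOMMANDS:
        raise ValueError(f"unknown subcommand {sub!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"service name {name!r} must be an identifier")
    client = "default" if cli == "default" else parse_range(cli)
    return CustomRule(sub, name, parse_server_ports(svr), client, action, params)


def review(rule: CustomRule) -> List[str]:
    """Flag over-broad definitions so a reviewer sees what a custom rule really opens."""
    findings = []
    for spec in rule.server_ports:
        if (spec.lo, spec.hi) == ANY and spec.proto in ("tcp", "udp"):
            findings.append(f"{rule.name}: opens every {spec.proto} port on the server side")
        elif spec.lo is not None and spec.hi - spec.lo >= 1000:
            findings.append(f"{rule.name}: wide server range {spec.proto}/{spec.lo}:{spec.hi}")
    if rule.client_ports == ANY:
        findings.append(f"{rule.name}: client ports 'any' also admits privileged source ports")
    return findings


if __name__ == "__main__":
    for line in ("server custom myimap tcp/143 default accept",
                 'server custom myvpn "udp/1194 tcp/1194" default accept',
                 "server custom wideopen tcp/any any accept"):
        rule = parse_custom(line)
        print(rule.name, [f"{s.proto}/{s.lo}:{s.hi}" for s in rule.server_ports], review(rule))
```

The review step is deliberately conservative: "client ports any" is legitimate for services such as dns or ntp, so it is reported as a finding to look at rather than rejected.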
cvspserver - Concurrent Versions System
Example
Configuration sample:
server cvspserver accept
Server Ports
tcp/2401
Client Ports
default
Links
Homepage[17], Wikipedia[18]
darkstat - Darkstat network traffic analyser
Example
Configuration sample:
server darkstat accept
Server Ports
tcp/666
Client Ports
default
Links
Homepage[19]
daytime - Daytime Protocol
Example
Configuration sample:
server daytime accept
Server Ports
tcp/13
Client Ports
default
Links
Wikipedia[20]
dcc - Distributed Checksum Clearinghouse
Example
Configuration sample:
server dcc accept
Server Ports
udp/6277
Client Ports
default
Links
Wikipedia[21]
Notes
See also this DCC FAQ[22].
dcpp - Direct Connect++ P2P
Example
Configuration sample:
server dcpp accept
Server Ports
tcp/1412 udp/1412
Client Ports
default
Links
Homepage[23]
dhcp - Dynamic Host Configuration Protocol
Example
Configuration sample:
server dhcp accept
Server Ports
udp/67
Client Ports
68
Links
Wikipedia[24]
Notes
The dhcp service is implemented as stateless rules.
DHCP clients broadcast to the network (src 0.0.0.0 dst 255.255.255.255) to find a DHCP server. If the
DHCP service were stateful, the iptables connection tracker would not match these packets and the
reply would be denied.
Note that this does not affect the security of either DHCP servers or clients, since only the
specific ports are allowed (there is no random port at either the server or the client side).
Note also that the "server dhcp accept" or "client dhcp accept" commands should be placed within
interfaces that do not have src and / or dst defined (because of the initial broadcast).
You can overcome this problem by placing the DHCP service on a separate interface, without a src or
dst but with a policy return. Place this interface before the one that defines the rest of the
services.
For example:
interface eth0 dhcp
policy return
server dhcp accept
interface eth0 lan src "$mylan" dst "$myip"
client all accept
dhcprelay - DHCP Relay
Example
Configuration sample:
server dhcprelay accept
Server Ports
udp/67
Client Ports
67
Links
Wikipedia[25]
Notes
From RFC 1812 section 9.1.2:
In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP
(sub)network. In such cases, a third-party agent is required to transfer BOOTP messages between
clients and servers. Such an agent was originally referred to as a BOOTP forwarding agent. However,
to avoid confusion with the IP forwarding function of a router, the name BOOTP relay agent has been
adopted instead.
For more information about DHCP Relay see section 9.1.2 of RFC 1812[26] and section 4 of RFC 1542[27].
dict - Dictionary Server Protocol
Example
Configuration sample:
server dict accept
Server Ports
tcp/2628
Client Ports
default
Links
Wikipedia[28]
Notes
See RFC 2229[29].
distcc - Distributed CC
Example
Configuration sample:
server distcc accept
Server Ports
tcp/3632
Client Ports
default
Links
Homepage[30], Wikipedia[31]
Notes
For distcc security, please check the distcc security design[32].
dns - Domain Name System
Example
Configuration sample:
server dns accept
Server Ports
udp/53 tcp/53
Client Ports
any
Links
Wikipedia[33]
Notes
On very busy DNS servers you may see a few dropped DNS packets in your logs. This is normal. The
iptables connection tracker will timeout the session and lose unmatched DNS packets that arrive too
late to be useful.
echo - Echo Protocol
Example
Configuration sample:
server echo accept
Server Ports
tcp/7
Client Ports
default
Links
Wikipedia[34]
emule - eMule (Donkey network client)
Example
Configuration sample:
client emule accept src 192.0.2.1
Server Ports
many
Client Ports
many
Links
Homepage[35]
Notes
According to eMule Port Definitions[36], Sanewall defines:
Accept from any client port to the server at tcp/4661
Accept from any client port to the server at tcp/4662
Accept from any client port to the server at udp/4665
Accept from any client port to the server at udp/4672
Accept from any server port to the client at tcp/4662
Accept from any server port to the client at udp/4672
Use the Sanewall client command (sanewall-client(5)) to match the eMule client.
Please note that the eMule client is an HTTP client also.
eserver - eDonkey network server
Example
Configuration sample:
server eserver accept
Server Ports
tcp/4661 udp/4661 udp/4665
Client Ports
any
Links
Wikipedia[37]
ESP - IPSec Encapsulated Security Payload (ESP)
Example
Configuration sample:
server ESP accept
Server Ports
50/any
Client Ports
any
Links
Wikipedia[38]
Notes
For more information see this Archive of the FreeS/WAN documentation[39] and RFC 2406[40].
finger - Finger Protocol
Example
Configuration sample:
server finger accept
Server Ports
tcp/79
Client Ports
default
Links
Wikipedia[41]
ftp - File Transfer Protocol
Example
Configuration sample:
server ftp accept
Server Ports
tcp/21
Client Ports
default
Netfilter Modules
nf_conntrack_ftp (CONFIG_NF_CONNTRACK_FTP[42])
Netfilter NAT Modules
nf_nat_ftp (CONFIG_NF_NAT_FTP[43])
Links
Wikipedia[44]
Notes
The FTP service matches both active and passive FTP connections.
gift - giFT Internet File Transfer
Example
Configuration sample:
server gift accept
Server Ports
tcp/4302 tcp/1214 tcp/2182 tcp/2472
Client Ports
any
Links
Homepage[45], Wikipedia[46]
Notes
The gift Sanewall service supports:
Gnutella listening at tcp/4302
FastTrack listening at tcp/1214
OpenFT listening at tcp/2182 and tcp/2472
The above ports are the defaults given for the corresponding giFT modules.
To allow access to the user interface ports of giFT, use the giftui - giFT Internet File Transfer
User Interface Sanewall service.
giftui - giFT Internet File Transfer User Interface
Example
Configuration sample:
server giftui accept
Server Ports
tcp/1213
Client Ports
default
Links
Homepage[45], Wikipedia[46]
Notes
This service refers only to the user interface ports offered by giFT. To allow giFT to accept P2P
requests, use the gift - giFT Internet File Transfer Sanewall service.
gkrellmd - GKrellM Daemon
Example
Configuration sample:
server gkrellmd accept
Server Ports
tcp/19150
Client Ports
default
Links
Homepage[47], Wikipedia[48]
GRE - Generic Routing Encapsulation
Example
Configuration sample:
server GRE accept
Server Ports
47/any
Client Ports
any
Netfilter Modules
nf_conntrack_proto_gre (CONFIG_NF_CT_PROTO_GRE[49])
Netfilter NAT Modules
nf_nat_proto_gre (CONFIG_NF_NAT_PROTO_GRE[50])
Links
Wikipedia[51]
Notes
Protocol number 47.
For more information see RFC 2784[52].
h323 - H.323 VoIP
Example
Configuration sample:
server h323 accept
Server Ports
tcp/1720
Client Ports
default
Netfilter Modules
nf_conntrack_h323 (CONFIG_NF_CONNTRACK_H323[53])
Netfilter NAT Modules
nf_nat_h323 (CONFIG_NF_NAT_H323[54])
Links
Wikipedia[55]
heartbeat - HeartBeat
Example
Configuration sample:
server heartbeat accept
Server Ports
udp/690:699
Client Ports
default
Links
Homepage[56]
Notes
This Sanewall service has been designed in such a way that it will allow multiple heartbeat clusters on
the same LAN.
http - Hypertext Transfer Protocol
Example
Configuration sample:
server http accept
Server Ports
tcp/80
Client Ports
default
Links
Wikipedia[57]
httpalt - HTTP alternate port
Example
Configuration sample:
server httpalt accept
Server Ports
tcp/8080
Client Ports
default
Links
Wikipedia[57]
Notes
This port is commonly used by web servers, web proxies and caches where the standard http - Hypertext
Transfer Protocol port is not available or cannot or should not be used.
https - Secure Hypertext Transfer Protocol
Example
Configuration sample:
server https accept
Server Ports
tcp/443
Client Ports
default
Links
Wikipedia[58]
hylafax - HylaFAX
Example
Configuration sample:
server hylafax accept
Server Ports
many
Client Ports
many
Links
Homepage[59], Wikipedia[60]
Notes
This complex service allows incoming requests to server port tcp/4559 and outgoing connections from
server port tcp/4558.
The correct operation of this service has not been verified.
USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from port
tcp/4558).
iax - Inter-Asterisk eXchange
Example
Configuration sample:
server iax accept
Server Ports
udp/5036
Client Ports
default
Links
Homepage[13], Wikipedia[61]
Notes
This service refers to IAX version 1. There is also iax2 - Inter-Asterisk eXchange v2.
iax2 - Inter-Asterisk eXchange v2
Example
Configuration sample:
server iax2 accept
Server Ports
udp/5469 udp/4569
Client Ports
default
Links
Homepage[13], Wikipedia[61]
Notes
This service refers to IAX version 2. There is also iax - Inter-Asterisk eXchange.
icmp - Internet Control Message Protocol
Example
Configuration sample:
server icmp accept
Server Ports
icmp/any
Client Ports
any
Links
Wikipedia[62]
ICMP - Internet Control Message Protocol
Alias
See icmp - Internet Control Message Protocol
icp - Internet Cache Protocol
Example
Configuration sample:
server icp accept
Server Ports
udp/3130
Client Ports
3130
Links
Wikipedia[63]
ident - Identification Protocol
Example
Configuration sample:
server ident reject with tcp-reset
Server Ports
tcp/113
Client Ports
default
Links
Wikipedia[64]
imap - Internet Message Access Protocol
Example
Configuration sample:
server imap accept
Server Ports
tcp/143
Client Ports
default
Links
Wikipedia[65]
imaps - Secure Internet Message Access Protocol
Example
Configuration sample:
server imaps accept
Server Ports
tcp/993
Client Ports
default
Links
Wikipedia[65]
ipsecnatt - NAT traversal and IPsec
Server Ports
udp/4500
Client Ports
any
Links
Wikipedia[66]
irc - Internet Relay Chat
Example
Configuration sample:
server irc accept
Server Ports
tcp/6667
Client Ports
default
Netfilter Modules
nf_conntrack_irc (CONFIG_NF_CONNTRACK_IRC[67])
Netfilter NAT Modules
nf_nat_irc (CONFIG_NF_NAT_IRC[68])
Links
Wikipedia[69]
isakmp - Internet Security Association and Key Management Protocol (IKE)
Example
Configuration sample:
server isakmp accept
Server Ports
udp/500
Client Ports
any
Links
Wikipedia[70]
Notes
For more information see the Archive of the FreeS/WAN documentation[71].
jabber - Extensible Messaging and Presence Protocol
Example
Configuration sample:
server jabber accept
Server Ports
tcp/5222 tcp/5223
Client Ports
default
Links
Wikipedia[72]
Notes
Allows clear and SSL client-to-server connections.
jabberd - Extensible Messaging and Presence Protocol (Server)
Example
Configuration sample:
server jabberd accept
Server Ports
tcp/5222 tcp/5223 tcp/5269
Client Ports
default
Links
Wikipedia[72]
Notes
Allows clear and SSL client-to-server and server-to-server connections.
Use this service for a jabberd server. In all other cases, use the jabber - Extensible Messaging and
Presence Protocol service.
l2tp - Layer 2 Tunneling Protocol
Server Ports
udp/1701
Client Ports
any
Links
Wikipedia[73]
ldap - Lightweight Directory Access Protocol
Example
Configuration sample:
server ldap accept
Server Ports
tcp/389
Client Ports
default
Links
Wikipedia[74]
ldaps - Secure Lightweight Directory Access Protocol
Example
Configuration sample:
server ldaps accept
Server Ports
tcp/636
Client Ports
default
Links
Wikipedia[74]
lpd - Line Printer Daemon Protocol
Example
Configuration sample:
server lpd accept
Server Ports
tcp/515
Client Ports
any
Links
Wikipedia[75]
Notes
LPD is documented in RFC 1179[76].
Since many operating systems incorrectly use the non-default client ports for LPD access, this
definition allows any client port to access the service (in addition to the RFC defined 721 to 731
inclusive).
microsoft_ds - Direct Hosted (NETBIOS-less) SMB
Example
Configuration sample:
server microsoft_ds accept
Server Ports
tcp/445
Client Ports
default
Notes
Direct Hosted (i.e. NETBIOS-less SMB)
This is another NETBIOS Session Service with minor differences from netbios_ssn - NETBIOS Session
Service. It is supported only by Windows 2000 and Windows XP and it offers the advantage of being
independent of WINS for name resolution.
Samba appears to support this protocol transparently on the netbios_ssn - NETBIOS Session Service
ports, so that either direct hosted or traditional SMB can be served simultaneously.
Please refer to the netbios_ssn - NETBIOS Session Service service for more information.
mms - Microsoft Media Server
Example
Configuration sample:
server mms accept
Server Ports
tcp/1755 udp/1755
Client Ports
default
Netfilter Modules
See here[77].
Netfilter NAT Modules
See here[77].
Links
Wikipedia[78]
Notes
Microsoft's proprietary network streaming protocol used to transfer unicast data in Windows Media
Services (previously called NetShow Services).
msn - Microsoft MSN Messenger Service
Example
Configuration sample:
server msn accept
Server Ports
tcp/1863 udp/1863
Client Ports
default
msnp - msnp
Example
Configuration sample:
server msnp accept
Server Ports
tcp/6891
Client Ports
default
ms_ds - Direct Hosted (NETBIOS-less) SMB
Alias
See microsoft_ds - Direct Hosted (NETBIOS-less) SMB
multicast - Multicast
Example
Configuration sample:
server multicast reject with proto-unreach
Server Ports
N/A
Client Ports
N/A
Links
Wikipedia[79]
Notes
The multicast service matches all packets sent to 224.0.0.0/4 using IGMP or UDP.
mysql - MySQL
Example
Configuration sample:
server mysql accept
Server Ports
tcp/3306
Client Ports
default
Links
Homepage[80], Wikipedia[81]
netbackup - Veritas NetBackup service
Example
Configuration sample:
server netbackup accept
client netbackup accept
Server Ports
tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724 tcp/13782 tcp/13783
Client Ports
any
Links
Wikipedia[82]
Notes
To use this service you must define it as both client and server in NetBackup clients and NetBackup
servers.
netbios_dgm - NETBIOS Datagram Distribution Service
Example
Configuration sample:
server netbios_dgm accept
Server Ports
udp/138
Client Ports
any
Links
Wikipedia[83]
Notes
See also the samba - Samba service.
Keep in mind that this service broadcasts (to the broadcast address of your LAN) UDP packets. If you
place this service within an interface that has a dst parameter, remember to include (in the dst
parameter) the broadcast address of your LAN too.
netbios_ns - NETBIOS Name Service
Example
Configuration sample:
server netbios_ns accept
Server Ports
udp/137
Client Ports
any
Links
Wikipedia[84]
Notes
See also the samba - Samba service.
netbios_ssn - NETBIOS Session Service
Example
Configuration sample:
server netbios_ssn accept
Server Ports
tcp/139
Client Ports
default
Links
Wikipedia[85]
Notes
See also the samba - Samba service.
Please keep in mind that newer NETBIOS clients prefer to use port 445 (microsoft_ds - Direct Hosted
(NETBIOS-less) SMB) for the NETBIOS session service, and when this is not available they fall back to
port 139 (netbios_ssn). Versions of samba above 3.x bind automatically to ports 139 and 445.
If you have an older samba version and your policy on an interface or router is DROP, clients trying
to access port 445 will have to time out before falling back to port 139. This timeout can be up to
several minutes.
To overcome this problem you can explicitly REJECT the microsoft_ds - Direct Hosted (NETBIOS-less)
SMB service with a tcp-reset message:
server microsoft_ds reject with tcp-reset
nfs - Network File System
Example
Configuration sample:
client nfs accept dst 192.0.2.1
Server Ports
many
Client Ports
N/A
Links
Wikipedia[86]
Notes
The NFS service queries the RPC service on the NFS server host to find out the ports on which nfsd,
mountd, lockd and rquotad are listening. Then, according to these ports, it sets up rules on all the
supported protocols (as reported by RPC) so that the clients are able to reach the server.
For this reason, the NFS service requires that:
the firewall is restarted if the NFS server is restarted
the NFS server must be specified on all nfs statements (only if it is not the localhost)
Since NFS queries the remote RPC server, it must also be allowed to do so, by allowing the
portmap - Open Network Computing Remote Procedure Call - Port Mapper service too. Take care that this
is allowed by the running firewall when Sanewall tries to query the RPC server. So you might have to
set up NFS in two steps: first add the portmap service and activate the firewall, then add the NFS
service and restart the firewall.
To avoid this you can set up your NFS server to listen on pre-defined ports, as documented in the NFS
Howto[87]. If you do this then you will have to define the ports using the procedure described in
the section called “ADDING SERVICES” of Sanewall configuration: sanewall.conf(5).
nis - Network Information Service
Example
Configuration sample:
client nis accept dst 192.0.2.1
Server Ports
many
Client Ports
N/A
Links
Wikipedia[88]
Notes
The nis service queries the RPC service on the nis server host to find out the ports on which ypserv
and yppasswdd are listening. Then, according to these ports, it sets up rules on all the supported
protocols (as reported by RPC) so that the clients are able to reach the server.
For this reason, the nis service requires that:
the firewall is restarted if the nis server is restarted
the nis server must be specified on all nis statements (only if it is not the localhost)
Since nis queries the remote RPC server, it must also be allowed to do so, by allowing the
portmap - Open Network Computing Remote Procedure Call - Port Mapper service too. Take care that this
is allowed by the running firewall when Sanewall tries to query the RPC server. So you might have to
set up nis in two steps: first add the portmap service and activate the firewall, then add the nis
service and restart the firewall.
This service was added to FireHOL by Carlos Rodrigues[89]. His comments regarding this
implementation, are:
These rules work for client access only!
Pushing changes to slave servers won't work if these rules are active somewhere between the master
and its slaves, because it is impossible to predict the ports where yppush will be listening on each
push.
Pulling changes directly on the slaves will work, and could be improved performance-wise if these
rules are modified to open fypxfrd. This wasn't done because it doesn't make that much sense since
pushing changes on the master server is the most common, and recommended, way to replicate maps.
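The nfs and nis notes above both describe the same mechanism: ask the port mapper where the RPC daemons listen, then open exactly those ports. The following added example (not sanewall's own code) shows that discovery step over a constructed "rpcinfo -p" listing and turns the result into fixed "custom" definitions, which is one way to pin the rules once the server has been configured to use pre-defined ports. It assumes that rpcinfo reports nfsd as "nfs" and lockd as "nlockmgr", and that a quoted, space-separated list is accepted as the server ports of a custom service; the sample listing and its port numbers are constructed, not captured from a real host.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample of "rpcinfo -p" output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   udp  40857  mountd
    100005    3   tcp  40857  mountd
    100021    4   tcp  39265  nlockmgr
    100021    4   udp  37108  nlockmgr
    100011    1   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100004    2   udp    826  ypserv
    100004    2   tcp    829  ypserv
    100009    1   udp    827  yppasswdd
"""

# rpcinfo service names for the daemons named in the nfs and nis notes
# (assumption: nfsd is listed as "nfs" and lockd as "nlockmgr").
NFS_SERVICES = {"nfs", "mountd", "nlockmgr", "rquotad"}
NIS_SERVICES = {"ypserv", "yppasswdd"}

Listeners = Dict[Tuple[str, int], Set[str]]


def parse_rpcinfo(text: str) -> Listeners:
    """Map (proto, port) -> RPC service names registered there."""
    listeners: Listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or blank line
        prog, _vers, proto, port = fields[:4]
        name = fields[4] if len(fields) > 4 else prog  # unnamed programs keep their number
        listeners.setdefault((proto, int(port)), set()).add(name)
    return listeners


def rpc_ports(listeners: Listeners, wanted: Set[str]) -> List[Tuple[str, int]]:
    """Sorted (proto, port) pairs on which any of the wanted services listen."""
    return sorted(key for key, names in listeners.items() if names & wanted)


def missing_services(listeners: Listeners, wanted: Set[str]) -> Set[str]:
    """Daemons not registered with the port mapper at the time of the query.
    A rule set built now would silently lack them, which is why the notes say
    to restart the firewall whenever the NFS or NIS server is restarted."""
    registered = set().union(*listeners.values()) if listeners else set()
    return wanted - registered


def custom_rule(name: str, ports: List[Tuple[str, int]], action: str = "accept") -> str:
    """Emit a sanewall custom definition for the discovered ports. Client ports are
    'any' rather than 'default' because NFS clients and mountd's 'secure' export
    option traditionally use privileged (below 1024) source ports."""
    spec = " ".join(f"{proto}/{port}" for proto, port in ports)
    return f'server custom {name} "{spec}" any {action}'


if __name__ == "__main__":
    found = parse_rpcinfo(SAMPLE_RPCINFO)
    for label, wanted in (("nfs_fixed", NFS_SERVICES), ("nis_fixed", NIS_SERVICES)):
        print(custom_rule(label, rpc_ports(found, wanted)))
        gone = missing_services(found, wanted)
        if gone:
            print("# not registered with the port mapper:", ", ".join(sorted(gone)))
```

Note that the port mapper itself (tcp/111 and udp/111) is deliberately left out of the generated line; it is covered by the portmap service, which must already be allowed for the query to succeed.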
nntp - Network News Transfer Protocol
Example
Configuration sample:
server nntp accept
Server Ports
tcp/119
Client Ports
default
Links
Wikipedia[90]
nntps - Secure Network News Transfer Protocol
Example
Configuration sample:
server nntps accept
Server Ports
tcp/563
Client Ports
default
Links
Wikipedia[90]
nrpe - Nagios NRPE
Server Ports
tcp/5666
Client Ports
default
Links
Wikipedia[91]
ntp - Network Time Protocol
Example
Configuration sample:
server ntp accept
Server Ports
udp/123 tcp/123
Client Ports
any
Links
Wikipedia[92]
nut - Network UPS Tools
Example
Configuration sample:
server nut accept
Server Ports
tcp/3493 udp/3493
Client Ports
default
Links
Homepage[93]
nxserver - NoMachine NX Server
Example
Configuration sample:
server nxserver accept
Server Ports
tcp/5000:5200
Client Ports
default
Links
Wikipedia[94]
Notes
Default ports used by NX server for connections without encryption.
Note that nxserver also needs the ssh - Secure Shell Protocol service to be enabled.
This information has been extracted from the nxserver documentation: the TCP ports used by nxserver
are 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT. DISPLAY_BASE and DISPLAY_LIMIT are set
in /usr/NX/etc/node.conf and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200, which gives the
tcp/5000:5200 range listed above.
For encrypted nxserver sessions, only ssh - Secure Shell Protocol is needed.
openvpn - OpenVPN
Server Ports
tcp/1194 udp/1194
Client Ports
default
Links
Homepage[95], Wikipedia[96]
oracle - Oracle Database
Example
Configuration sample:
server oracle accept
Server Ports
tcp/1521
Client Ports
default
Links
Wikipedia[97]
OSPF - Open Shortest Path First
Example
Configuration sample:
server OSPF accept
Server Ports
89/any
Client Ports
any
Links
Wikipedia[98]
ping - Ping (ICMP echo)
Example
Configuration sample:
server ping accept
Server Ports
N/A
Client Ports
N/A
Links
Wikipedia[99]
Notes
This service matches requests of protocol ICMP and type echo-request (TYPE=8) and their replies of
type echo-reply (TYPE=0).
The ping service is stateful.
pop3 - Post Office Protocol
Example
Configuration sample:
server pop3 accept
Server Ports
tcp/110
Client Ports
default
Links
Wikipedia[100]
pop3s - Secure Post Office Protocol
Example
Configuration sample:
server pop3s accept
Server Ports
tcp/995
Client Ports
default
Links
Wikipedia[100]
portmap - Open Network Computing Remote Procedure Call - Port Mapper
Example
Configuration sample:
server portmap accept
Server Ports
udp/111 tcp/111
Client Ports
any
Links
Wikipedia[101]
postgres - PostgreSQL
Example
Configuration sample:
server postgres accept
Server Ports
tcp/5432
Client Ports
default
Links
Wikipedia[102]
pptp - Point-to-Point Tunneling Protocol
Example
Configuration sample:
server pptp accept
Server Ports
tcp/1723
Client Ports
default
Netfilter Modules
nf_conntrack_pptp (CONFIG_NF_CONNTRACK_PPTP[103]), nf_conntrack_proto_gre
(CONFIG_NF_CT_PROTO_GRE[49])
Netfilter NAT Modules
nf_nat_pptp (CONFIG_NF_NAT_PPTP[104]), nf_nat_proto_gre (CONFIG_NF_NAT_PROTO_GRE[50])
Links
Wikipedia[105]
privoxy - Privacy Proxy
Example
Configuration sample:
server privoxy accept
Server Ports
tcp/8118
Client Ports
default
Links
Homepage[106]
radius - Remote Authentication Dial In User Service (RADIUS)
Example
Configuration sample:
server radius accept
Server Ports
udp/1812 udp/1813
Client Ports
default
Links
Wikipedia[107]
radiusold - Remote Authentication Dial In User Service (RADIUS)
Example
Configuration sample:
server radiusold accept
Server Ports
udp/1645 udp/1646
Client Ports
default
Links
Wikipedia[107]
radiusoldproxy - Remote Authentication Dial In User Service (RADIUS)
Example
Configuration sample:
server radiusoldproxy accept
Server Ports
udp/1647
Client Ports
default
Links
Wikipedia[107]
radiusproxy - Remote Authentication Dial In User Service (RADIUS)
Example
Configuration sample:
server radiusproxy accept
Server Ports
udp/1814
Client Ports
default
Links
Wikipedia[107]
rdp - Remote Desktop Protocol
Example
Configuration sample:
server rdp accept
Server Ports
tcp/3389
Client Ports
default
Links
Wikipedia[108]
Notes
Remote Desktop Protocol is also known as Terminal Services.
rndc - Remote Name Daemon Control
Example
Configuration sample:
server rndc accept
Server Ports
tcp/953
Client Ports
default
Links
Wikipedia[109]
rsync - rsync protocol
Example
Configuration sample:
server rsync accept
Server Ports
tcp/873 udp/873
Client Ports
default
Links
Homepage[110], Wikipedia[111]
rtp - Real-time Transport Protocol
Example
Configuration sample:
server rtp accept
Server Ports
udp/10000:20000
Client Ports
any
Links
Wikipedia[112]
Notes
RTP ports are generally all the UDP ports. This definition narrows down RTP ports to UDP 10000 to
20000.
samba - Samba
Example
Configuration sample:
server samba accept
Server Ports
many
Client Ports
default
Links
Homepage[113], Wikipedia[114]
Notes
The samba service automatically sets all the rules for netbios_ns - NETBIOS Name Service, netbios_dgm
- NETBIOS Datagram Distribution Service, netbios_ssn - NETBIOS Session Service and microsoft_ds -
Direct Hosted (NETBIOS-less) SMB.
Please refer to the notes of the above services for more information.
NETBIOS name resolution starts with a request sent to the broadcast address of an interface, but the
server responds from its own IP address. This makes the "server samba accept" statement drop
the server reply, because of the way the iptables connection tracker works.
This service definition includes a hack that allows a Linux samba server to respond correctly in
such situations, by allowing new outgoing connections from the well-known netbios_ns - NETBIOS Name
Service port to the clients' high ports.
However, for clients and routers this hack is not applied, because it would open all unprivileged
ports to the samba server. The only solution to overcome the problem in such cases (routers or
clients) is to build a trust relationship between the samba servers and clients.
sane - SANE Scanner service
Server Ports
tcp/6566
Client Ports
default
Netfilter Modules
nf_conntrack_sane (CONFIG_NF_CONNTRACK_SANE[115])
Netfilter NAT Modules
N/A
Links
Homepage[116]
sip - Session Initiation Protocol
Example
Configuration sample:
server sip accept
Server Ports
udp/5060
Client Ports
5060 default
Netfilter Modules
nf_conntrack_sip (CONFIG_NF_CONNTRACK_SIP[117])
Netfilter NAT Modules
nf_nat_sip (CONFIG_NF_NAT_SIP[118])
Links
Wikipedia[119]
Notes
SIP[120] is an IETF standard protocol (RFC 2543) for initiating interactive user sessions involving
multimedia elements such as video, voice, chat, gaming, etc. SIP works in the application layer of
the OSI communications model.
smtp - Simple Mail Transport Protocol
Example
Configuration sample:
server smtp accept
Server Ports
tcp/25
Client Ports
default
Links
Wikipedia[121]
smtps - Secure Simple Mail Transport Protocol
Example
Configuration sample:
server smtps accept
Server Ports
tcp/465
Client Ports
default
Links
Wikipedia[122]
snmp - Simple Network Management Protocol
Example
Configuration sample:
server snmp accept
Server Ports
udp/161
Client Ports
default
Links
Wikipedia[123]
snmptrap - SNMP Trap
Example
Configuration sample:
server snmptrap accept
Server Ports
udp/162
Client Ports
any
Links
Wikipedia[124]
Notes
An SNMP trap is a notification from an agent to a manager.
socks - SOCKet Secure
Example
Configuration sample:
server socks accept
Server Ports
tcp/1080 udp/1080
Client Ports
default
Links
Wikipedia[125]
Notes
See also RFC 1928[126].
squid - Squid Web Cache
Example
Configuration sample:
server squid accept
Server Ports
tcp/3128
Client Ports
default
Links
Homepage[127], Wikipedia[128]
ssh - Secure Shell Protocol
Example
Configuration sample:
server ssh accept
Server Ports
tcp/22
Client Ports
default
Links
Wikipedia[129]
stun - Session Traversal Utilities for NAT
Example
Configuration sample:
server stun accept
Server Ports
udp/3478 udp/3479
Client Ports
any
Links
Wikipedia[130]
Notes
STUN[131] is a protocol for assisting devices behind a NAT firewall or router with their packet
routing.
submission - SMTP over SSL/TLS submission
Example
Configuration sample:
server submission accept
Server Ports
tcp/587
Client Ports
default
Links
Wikipedia[121]
Notes
Submission is essentially normal SMTP with an SSL/TLS negotiation.
sunrpc - Open Network Computing Remote Procedure Call - Port Mapper
Alias
See portmap - Open Network Computing Remote Procedure Call - Port Mapper
swat - Samba Web Administration Tool
Example
Configuration sample:
server swat accept
Server Ports
tcp/901
Client Ports
default
Links
Homepage[132]
syslog - Syslog Remote Logging Protocol
Example
Configuration sample:
server syslog accept
Server Ports
udp/514
Client Ports
syslog default
Links
Wikipedia[133]
telnet - Telnet
Example
Configuration sample:
server telnet accept
Server Ports
tcp/23
Client Ports
default
Links
Wikipedia[134]
tftp - Trivial File Transfer Protocol
Example
Configuration sample:
server tftp accept
Server Ports
udp/69
Client Ports
default
Netfilter Modules
nf_conntrack_tftp (CONFIG_NF_CONNTRACK_TFTP[135])
Netfilter NAT Modules
nf_nat_tftp (CONFIG_NF_NAT_TFTP[136])
Links
Wikipedia[137]
time - Time Protocol
Example
Configuration sample:
server time accept
Server Ports
tcp/37 udp/37
Client Ports
default
Links
Wikipedia[138]
timestamp - ICMP Timestamp
Example
Configuration sample:
server timestamp accept
Server Ports
N/A
Client Ports
N/A
Links
Wikipedia[139]
Notes
This service matches requests of protocol ICMP and type timestamp-request (TYPE=13) and their
replies of type timestamp-reply (TYPE=14).
The timestamp service is stateful.
tomcat - HTTP alternate port
Alias
See httpalt - HTTP alternate port
upnp - Universal Plug and Play
Example
Configuration sample:
server upnp accept
Server Ports
udp/1900 tcp/2869
Client Ports
default
Links
Homepage[140], Wikipedia[141]
Notes
For a Linux implementation see: Linux IGD[142].
uucp - Unix-to-Unix Copy
Example
Configuration sample:
server uucp accept
Server Ports
tcp/540
Client Ports
default
Links
Wikipedia[143]
vmware - vmware
Example
Configuration sample:
server vmware accept
Server Ports
tcp/902
Client Ports
default
Notes
Used from VMWare 1 and up. See the VMWare KnowledgeBase[144].
vmwareauth - vmwareauth
Example
Configuration sample:
server vmwareauth accept
Server Ports
tcp/903
Client Ports
default
Notes
Used from VMWare 1 and up. See the VMWare KnowledgeBase[144].
vmwareweb - vmwareweb
Example
Configuration sample:
server vmwareweb accept
Server Ports
tcp/8222 tcp/8333
Client Ports
default
Notes
Used from VMWare 2 and up. See VMWare Server 2.0 release notes[145] and the VMWare
KnowledgeBase[144].
vnc - Virtual Network Computing
Example
Configuration sample:
server vnc accept
Server Ports
tcp/5900:5903
Client Ports
default
Links
Wikipedia[146]
Notes
VNC is a graphical desktop sharing protocol.
webcache - HTTP alternate port
Alias
See httpalt - HTTP alternate port
webmin - Webmin Administration System
Example
Configuration sample:
server webmin accept
Server Ports
tcp/10000
Client Ports
default
Links
Homepage[147]
whois - WHOIS Protocol
Example
Configuration sample:
server whois accept
Server Ports
tcp/43
Client Ports
default
Links
Wikipedia[148]
xbox - Xbox Live
Example
Configuration sample:
client xbox accept
Server Ports
many
Client Ports
default
Notes
Complex service definition for the Xbox live service.
See program source for contributor details.
xdmcp - X Display Manager Control Protocol
Example
Configuration sample:
server xdmcp accept
Server Ports
udp/177
Client Ports
default
Links
Wikipedia[149]
Notes
See Gnome Display Manager[150] for a discussion about XDMCP and firewalls (Gnome Display Manager is a
replacement for XDM).
SEE ALSO
Sanewall program: sanewall(1)
Sanewall configuration: sanewall.conf(5)
AUTHOR
Sanewall Team
COPYRIGHT
Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>
NOTES
1. Wikipedia list of ports
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
2. Wikipedia
http://en.wikipedia.org/wiki/IPsec#Authentication_Header
3. Archive of the FreeS/WAN documentation
http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#AH.ipsec
4. RFC 2402
http://www.ietf.org/rfc/rfc2402.txt
5. CONFIG_NF_CONNTRACK_AMANDA
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_AMANDA.html
6. CONFIG_NF_NAT_AMANDA
http://cateee.net/lkddb/web-lkddb/NF_NAT_AMANDA.html
7. Homepage
http://www.amanda.org/
8. Wikipedia
http://en.wikipedia.org/wiki/Advanced_Maryland_Automatic_Network_Disk_Archiver
9. Homepage
http://www.apcupsd.com
10. Wikipedia
http://en.wikipedia.org/wiki/Apcupsd
11. APCUPSD
http://www.apcupsd.com/
12. Wikipedia
http://en.wikipedia.org/wiki/Apt-proxy
13. Homepage
http://www.asterisk.org
14. Wikipedia
http://en.wikipedia.org/wiki/Asterisk_PBX
15. Homepage
http://www.cups.org
16. Wikipedia
http://en.wikipedia.org/wiki/Common_Unix_Printing_System
17. Homepage
http://www.nongnu.org/cvs/
18. Wikipedia
http://en.wikipedia.org/wiki/Concurrent_Versions_System
19. Homepage
http://dmr.ath.cx/net/darkstat/
20. Wikipedia
http://en.wikipedia.org/wiki/Daytime_Protocol
21. Wikipedia
http://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse
22. DCC FAQ
http://www.rhyolite.com/anti-spam/dcc/FAQ.html#firewall-ports
23. Homepage
http://dcplusplus.sourceforge.net
24. Wikipedia
http://en.wikipedia.org/wiki/Dhcp
25. Wikipedia
http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying
26. RFC 1812
http://www.ietf.org/rfc/rfc1812.txt
27. RFC 1542
http://www.ietf.org/rfc/rfc1542.txt
28. Wikipedia
http://en.wikipedia.org/wiki/DICT
29. RFC 2229
http://www.ietf.org/rfc/rfc2229.txt
30. Homepage
http://distcc.samba.org/
31. Wikipedia
http://en.wikipedia.org/wiki/Distcc
32. distcc security design
http://distcc.googlecode.com/svn/trunk/doc/web/security.html
33. Wikipedia
http://en.wikipedia.org/wiki/Domain_Name_System
34. Wikipedia
http://en.wikipedia.org/wiki/Echo_Protocol
35. Homepage
http://www.emule-project.com
36. eMule Port Definitions
http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=122
37. Wikipedia
http://en.wikipedia.org/wiki/Eserver
38. Wikipedia
http://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload
39. Archive of the FreeS/WAN documentation
http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#ESP.ipsec
40. RFC 2406
http://www.ietf.org/rfc/rfc2406.txt
41. Wikipedia
http://en.wikipedia.org/wiki/Finger_protocol
42. CONFIG_NF_CONNTRACK_FTP
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_FTP.html
43. CONFIG_NF_NAT_FTP
http://cateee.net/lkddb/web-lkddb/NF_NAT_FTP.html
44. Wikipedia
http://en.wikipedia.org/wiki/Ftp
45. Homepage
http://gift.sourceforge.net
46. Wikipedia
http://en.wikipedia.org/wiki/GiFT
47. Homepage
http://gkrellm.net/
48. Wikipedia
http://en.wikipedia.org/wiki/Gkrellm
49. CONFIG_NF_CT_PROTO_GRE
http://cateee.net/lkddb/web-lkddb/NF_CT_PROTO_GRE.html
50. CONFIG_NF_NAT_PROTO_GRE
http://cateee.net/lkddb/web-lkddb/NF_NAT_PROTO_GRE.html
51. Wikipedia
http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
52. RFC 2784
http://www.ietf.org/rfc/rfc2784.txt
53. CONFIG_NF_CONNTRACK_H323
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_H323.html
54. CONFIG_NF_NAT_H323
http://cateee.net/lkddb/web-lkddb/NF_NAT_H323.html
55. Wikipedia
http://en.wikipedia.org/wiki/H323
56. Homepage
http://www.linux-ha.org/
57. Wikipedia
http://en.wikipedia.org/wiki/Http
58. Wikipedia
http://en.wikipedia.org/wiki/Https
59. Homepage
http://www.hylafax.org
60. Wikipedia
http://en.wikipedia.org/wiki/Hylafax
61. Wikipedia
http://en.wikipedia.org/wiki/Iax
62. Wikipedia
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
63. Wikipedia
http://en.wikipedia.org/wiki/Internet_Cache_Protocol
64. Wikipedia
http://en.wikipedia.org/wiki/Ident_protocol
65. Wikipedia
http://en.wikipedia.org/wiki/Imap
66. Wikipedia
http://en.wikipedia.org/wiki/NAT_traversal#NAT_traversal_and_IPsec
67. CONFIG_NF_CONNTRACK_IRC
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_IRC.html
68. CONFIG_NF_NAT_IRC
http://cateee.net/lkddb/web-lkddb/NF_NAT_IRC.html
69. Wikipedia
http://en.wikipedia.org/wiki/Internet_Relay_Chat
70. Wikipedia
http://en.wikipedia.org/wiki/ISAKMP
71. Archive of the FreeS/WAN documentation
http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#IKE.ipsec
72. Wikipedia
http://en.wikipedia.org/wiki/Jabber
73. Wikipedia
http://en.wikipedia.org/wiki/L2tp
74. Wikipedia
http://en.wikipedia.org/wiki/Ldap
75. Wikipedia
http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol
76. RFC 1179
http://www.ietf.org/rfc/rfc1179.txt
77. here
http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5
78. Wikipedia
http://en.wikipedia.org/wiki/Microsoft_Media_Server
79. Wikipedia
http://en.wikipedia.org/wiki/Multicast
80. Homepage
http://www.mysql.com/
81. Wikipedia
http://en.wikipedia.org/wiki/Mysql
82. Wikipedia
http://en.wikipedia.org/wiki/Netbackup
83. Wikipedia
http://en.wikipedia.org/wiki/Netbios#Datagram_distribution_service
84. Wikipedia
http://en.wikipedia.org/wiki/Netbios#Name_service
85. Wikipedia
http://en.wikipedia.org/wiki/Netbios#Session_service
86. Wikipedia
http://en.wikipedia.org/wiki/Network_File_System_%28protocol%29
87. NFS Howto
http://nfs.sourceforge.net/nfs-howto/ar01s06.html#nfs_firewalls
88. Wikipedia
http://en.wikipedia.org/wiki/Network_Information_Service
89. Carlos Rodrigues
https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425
90. Wikipedia
http://en.wikipedia.org/wiki/Nntp
91. Wikipedia
http://en.wikipedia.org/wiki/Nagios#NRPE
92. Wikipedia
http://en.wikipedia.org/wiki/Network_Time_Protocol
93. Homepage
http://networkupstools.org/
94. Wikipedia
http://en.wikipedia.org/wiki/NX_Server
95. Homepage
http://openvpn.net/
96. Wikipedia
http://en.wikipedia.org/wiki/OpenVPN
97. Wikipedia
http://en.wikipedia.org/wiki/Oracle_db
98. Wikipedia
http://en.wikipedia.org/wiki/Ospf
99. Wikipedia
http://en.wikipedia.org/wiki/Ping
100. Wikipedia
http://en.wikipedia.org/wiki/Pop3
101. Wikipedia
http://en.wikipedia.org/wiki/Portmap
102. Wikipedia
http://en.wikipedia.org/wiki/Postgres
103. CONFIG_NF_CONNTRACK_PPTP
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_PPTP.html
104. CONFIG_NF_NAT_PPTP
http://cateee.net/lkddb/web-lkddb/NF_NAT_PPTP.html
105. Wikipedia
http://en.wikipedia.org/wiki/Pptp
106. Homepage
http://www.privoxy.org/
107. Wikipedia
http://en.wikipedia.org/wiki/RADIUS
108. Wikipedia
http://en.wikipedia.org/wiki/Remote_Desktop_Protocol
109. Wikipedia
http://en.wikipedia.org/wiki/Rndc
110. Homepage
http://rsync.samba.org/
111. Wikipedia
http://en.wikipedia.org/wiki/Rsync
112. Wikipedia
http://en.wikipedia.org/wiki/Real-time_Transport_Protocol
113. Homepage
http://www.samba.org/
114. Wikipedia
http://en.wikipedia.org/wiki/Samba_(software)
115. CONFIG_NF_CONNTRACK_SANE
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_SANE.html
116. Homepage
http://www.sane-project.org/
117. CONFIG_NF_CONNTRACK_SIP
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_SIP.html
118. CONFIG_NF_NAT_SIP
http://cateee.net/lkddb/web-lkddb/NF_NAT_SIP.html
119. Wikipedia
http://en.wikipedia.org/wiki/Session_Initiation_Protocol
120. SIP
http://www.voip-info.org/wiki-SIP
121. Wikipedia
http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
122. Wikipedia
http://en.wikipedia.org/wiki/SMTPS
123. Wikipedia
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
124. Wikipedia
http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap
125. Wikipedia
http://en.wikipedia.org/wiki/SOCKS
126. RFC 1928
http://www.ietf.org/rfc/rfc1928.txt
127. Homepage
http://www.squid-cache.org/
128. Wikipedia
http://en.wikipedia.org/wiki/Squid_(software)
129. Wikipedia
http://en.wikipedia.org/wiki/Secure_Shell
130. Wikipedia
http://en.wikipedia.org/wiki/STUN
131. STUN
http://www.voip-info.org/wiki-STUN
132. Homepage
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html
133. Wikipedia
http://en.wikipedia.org/wiki/Syslog
134. Wikipedia
http://en.wikipedia.org/wiki/Telnet
135. CONFIG_NF_CONNTRACK_TFTP
http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_TFTP.html
136. CONFIG_NF_NAT_TFTP
http://cateee.net/lkddb/web-lkddb/NF_NAT_TFTP.html
137. Wikipedia
http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
138. Wikipedia
http://en.wikipedia.org/wiki/Time_Protocol
139. Wikipedia
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Timestamp
140. Homepage
http://upnp.sourceforge.net/
141. Wikipedia
http://en.wikipedia.org/wiki/Universal_Plug_and_Play
142. Linux IGD
http://linux-igd.sourceforge.net/
143. Wikipedia
http://en.wikipedia.org/wiki/UUCP
144. VMWare KnowledgeBase
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382
145. VMWare Server 2.0 release notes
http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html
146. Wikipedia
http://en.wikipedia.org/wiki/Virtual_Network_Computing
147. Homepage
http://www.webmin.com/
148. Wikipedia
http://en.wikipedia.org/wiki/Whois
149. Wikipedia
http://en.wikipedia.org/wiki/X_display_manager_(program_type)#X_Display_Manager_Control_Protocol
150. Gnome Display Manager
http://www.jirka.org/gdm-documentation/x70.html
Sanewall 1.0.2 Built 01 Jun 2013 SERVICES LIST: SANEW(5)