Provided by: sanewall-doc_1.0.2+ds-2_all
NAME
sanewall-services - Sanewall service list
SERVICES
This Wikipedia list of ports[1] may be helpful if you need to define a new service.

AH - IPSec Authentication Header (AH)
    Example:        server AH accept
    Server Ports:   51/any
    Client Ports:   any
    Links:          Wikipedia[2]
    Notes:
        For more information see this Archive of the FreeS/WAN
        documentation[3] and RFC 2402[4].

all - Match all traffic
    Example:        server all accept
    Server Ports:   all
    Client Ports:   all
    Notes:
        Matches all traffic (all protocols, ports, etc.) while ensuring that
        the required kernel modules are loaded. This service may indirectly
        set up a set of other services, if they require kernel modules to be
        loaded. The following complex services are activated:
        - ftp - File Transfer Protocol
        - irc - Internet Relay Chat

amanda - Advanced Maryland Automatic Network Disk Archiver
    Server Ports:           udp/10080
    Client Ports:           default
    Netfilter Modules:      nf_conntrack_amanda (CONFIG_NF_CONNTRACK_AMANDA[5])
    Netfilter NAT Modules:  nf_nat_amanda (CONFIG_NF_NAT_AMANDA[6])
    Links:                  Homepage[7], Wikipedia[8]

any - Match all traffic (without modules or indirect)
    Example:        server any myname accept proto 47
    Server Ports:   all
    Client Ports:   all
    Notes:
        Matches all traffic (all protocols, ports, etc.), but does not care
        about kernel modules and does not activate any other service
        indirectly. In combination with the optional rule parameters
        (sanewall-rule-params(5)) this service can match unusual traffic
        (e.g. GRE - protocol 47).

anystateless - Match all traffic statelessly
    Example:        server anystateless myname accept proto 47
    Server Ports:   all
    Client Ports:   all
    Notes:
        Matches all traffic (all protocols, ports, etc.), but does not care
        about kernel modules and does not activate any other service
        indirectly. In combination with the optional rule parameters
        (sanewall-rule-params(5)) this service can match unusual traffic
        (e.g. GRE - protocol 47). This service is identical to "any" but
        does not care about the state of traffic.

apcupsd - APC UPS Daemon
    Example:        server apcupsd accept
    Server Ports:   tcp/6544
    Client Ports:   default
    Links:          Homepage[9], Wikipedia[10]
    Notes:
        This service must be defined as "server apcupsd accept" on all
        machines not directly connected to the UPS (i.e. slaves). Note that
        the port defined here is not the default port (6666) used if you
        download and compile APCUPSD, since the default conflicts with IRC
        and many distributions (like Debian) have changed this to 6544. You
        can define port 6544 in APCUPSD by changing the value of NETPORT in
        its configuration file, or overwrite this Sanewall service
        definition using the procedures described in the section called
        "ADDING SERVICES" of Sanewall configuration: sanewall.conf(5).

apcupsdnis - APC UPS Daemon Network Information Server
    Example:        server apcupsdnis accept
    Server Ports:   tcp/3551
    Client Ports:   default
    Links:          Homepage[9], Wikipedia[10]
    Notes:
        This service allows the remote WEB interfaces of APCUPSD[11] to
        connect and get information from the server directly connected to
        the UPS device.

aptproxy - Advanced Packaging Tool Proxy
    Example:        server aptproxy accept
    Server Ports:   tcp/9999
    Client Ports:   default
    Links:          Wikipedia[12]

asterisk - Asterisk PABX
    Example:        server asterisk accept
    Server Ports:   tcp/5038
    Client Ports:   default
    Links:          Homepage[13], Wikipedia[14]
    Notes:
        This service refers only to the manager interface of asterisk. You
        should normally enable sip - Session Initiation Protocol, h323 -
        H.323 VoIP, rtp - Real-time Transport Protocol, etc. at the firewall
        level, if you enable the corresponding channel drivers of asterisk.

cups - Common UNIX Printing System
    Example:        server cups accept
    Server Ports:   tcp/631 udp/631
    Client Ports:   any
    Links:          Homepage[15], Wikipedia[16]

custom - Custom definitions
    Example:        server custom myimap tcp/143 default accept
    Server Ports:   N/A
    Client Ports:   N/A
    Notes:
        The full syntax is:

            subcommand custom name svr-proto/ports cli-ports action params

        This service is used by Sanewall to allow you to create rules for
        services which do not have a definition. subcommand, action and
        params have their usual meanings. A name must be supplied along with
        server ports in the form proto/range and client ports, which take
        only a range. To define services with the built-in extension
        mechanism and avoid the need for custom services, see the section
        called "ADDING SERVICES" of Sanewall configuration: sanewall.conf(5).

cvspserver - Concurrent Versions System
    Example:        server cvspserver accept
    Server Ports:   tcp/2401
    Client Ports:   default
    Links:          Homepage[17], Wikipedia[18]

darkstat - Darkstat network traffic analyser
    Example:        server darkstat accept
    Server Ports:   tcp/666
    Client Ports:   default
    Links:          Homepage[19]

daytime - Daytime Protocol
    Example:        server daytime accept
    Server Ports:   tcp/13
    Client Ports:   default
    Links:          Wikipedia[20]

dcc - Distributed Checksum Clearinghouse
    Example:        server dcc accept
    Server Ports:   udp/6277
    Client Ports:   default
    Links:          Wikipedia[21]
    Notes:
        See also this DCC FAQ[22].

dcpp - Direct Connect++ P2P
    Example:        server dcpp accept
    Server Ports:   tcp/1412 udp/1412
    Client Ports:   default
    Links:          Homepage[23]

dhcp - Dynamic Host Configuration Protocol
    Example:        server dhcp accept
    Server Ports:   udp/67
    Client Ports:   68
    Links:          Wikipedia[24]
    Notes:
        The dhcp service is implemented as stateless rules. DHCP clients
        broadcast to the network (src 0.0.0.0 dst 255.255.255.255) to find a
        DHCP server. If the DHCP service were stateful, the iptables
        connection tracker would not match the packets and the reply would
        be denied.

        Note that this does not affect the security of either DHCP servers
        or clients, since only the specific ports are allowed (there is no
        random port at either the server or the client side).

        Note also that the "server dhcp accept" or "client dhcp accept"
        commands should be placed within interfaces that do not have src
        and/or dst defined (because of the initial broadcast). You can
        overcome this problem by placing the DHCP service on a separate
        interface, without a src or dst but with a policy return. Place this
        interface before the one that defines the rest of the services. For
        example:

            interface eth0 dhcp
                policy return
                server dhcp accept

            interface eth0 lan src "$mylan" dst "$myip"
                client all accept

dhcprelay - DHCP Relay
    Example:        server dhcprelay accept
    Server Ports:   udp/67
    Client Ports:   67
    Links:          Wikipedia[25]
    Notes:
        From RFC 1812 section 9.1.2:

            In many cases, BOOTP clients and their associated BOOTP
            server(s) do not reside on the same IP (sub)network. In such
            cases, a third-party agent is required to transfer BOOTP
            messages between clients and servers. Such an agent was
            originally referred to as a BOOTP forwarding agent. However, to
            avoid confusion with the IP forwarding function of a router, the
            name BOOTP relay agent has been adopted instead.

        For more information about DHCP Relay see section 9.1.2 of
        RFC 1812[26] and section 4 of RFC 1542[27].

dict - Dictionary Server Protocol
    Example:        server dict accept
    Server Ports:   tcp/2628
    Client Ports:   default
    Links:          Wikipedia[28]
    Notes:
        See RFC 2229[29].

distcc - Distributed CC
    Example:        server distcc accept
    Server Ports:   tcp/3632
    Client Ports:   default
    Links:          Homepage[30], Wikipedia[31]
    Notes:
        For distcc security, please check the distcc security design[32].

dns - Domain Name System
    Example:        server dns accept
    Server Ports:   udp/53 tcp/53
    Client Ports:   any
    Links:          Wikipedia[33]
    Notes:
        On very busy DNS servers you may see a few dropped DNS packets in
        your logs. This is normal. The iptables connection tracker will time
        out the session and lose unmatched DNS packets that arrive too late
        to be useful.

echo - Echo Protocol
    Example:        server echo accept
    Server Ports:   tcp/7
    Client Ports:   default
    Links:          Wikipedia[34]

emule - eMule (Donkey network client)
    Example:        client emule accept src 192.0.2.1
    Server Ports:   many
    Client Ports:   many
    Links:          Homepage[35]
    Notes:
        According to eMule Port Definitions[36], Sanewall defines:
        - Accept from any client port to the server at tcp/4661
        - Accept from any client port to the server at tcp/4662
        - Accept from any client port to the server at udp/4665
        - Accept from any client port to the server at udp/4672
        - Accept from any server port to the client at tcp/4662
        - Accept from any server port to the client at udp/4672
        Use the Sanewall client command (sanewall-client(5)) to match the
        eMule client. Please note that the eMule client is also an HTTP
        client.

eserver - eDonkey network server
    Example:        server eserver accept
    Server Ports:   tcp/4661 udp/4661 udp/4665
    Client Ports:   any
    Links:          Wikipedia[37]

ESP - IPSec Encapsulated Security Payload (ESP)
    Example:        server ESP accept
    Server Ports:   50/any
    Client Ports:   any
    Links:          Wikipedia[38]
    Notes:
        For more information see this Archive of the FreeS/WAN
        documentation[39] and RFC 2406[40].

finger - Finger Protocol
    Example:        server finger accept
    Server Ports:   tcp/79
    Client Ports:   default
    Links:          Wikipedia[41]

ftp - File Transfer Protocol
    Example:                server ftp accept
    Server Ports:           tcp/21
    Client Ports:           default
    Netfilter Modules:      nf_conntrack_ftp (CONFIG_NF_CONNTRACK_FTP[42])
    Netfilter NAT Modules:  nf_nat_ftp (CONFIG_NF_NAT_FTP[43])
    Links:                  Wikipedia[44]
    Notes:
        The FTP service matches both active and passive FTP connections.

gift - giFT Internet File Transfer
    Example:        server gift accept
    Server Ports:   tcp/4302 tcp/1214 tcp/2182 tcp/2472
    Client Ports:   any
    Links:          Homepage[45], Wikipedia[46]
    Notes:
        The gift Sanewall service supports:
        - Gnutella listening at tcp/4302
        - FastTrack listening at tcp/1214
        - OpenFT listening at tcp/2182 and tcp/2472
        The above ports are the defaults given for the corresponding giFT
        modules. To allow access to the user interface ports of giFT, use
        the giftui - giFT Internet File Transfer User Interface Sanewall
        service.

giftui - giFT Internet File Transfer User Interface
    Example:        server giftui accept
    Server Ports:   tcp/1213
    Client Ports:   default
    Links:          Homepage[45], Wikipedia[46]
    Notes:
        This service refers only to the user interface ports offered by
        giFT. To allow giFT to accept P2P requests, use the gift - giFT
        Internet File Transfer Sanewall service.

gkrellmd - GKrellM Daemon
    Example:        server gkrellmd accept
    Server Ports:   tcp/19150
    Client Ports:   default
    Links:          Homepage[47], Wikipedia[48]

GRE - Generic Routing Encapsulation
    Example:                server GRE accept
    Server Ports:           47/any
    Client Ports:           any
    Netfilter Modules:      nf_conntrack_proto_gre (CONFIG_NF_CT_PROTO_GRE[49])
    Netfilter NAT Modules:  nf_nat_proto_gre (CONFIG_NF_NAT_PROTO_GRE[50])
    Links:                  Wikipedia[51]
    Notes:
        Protocol No 47. For more information see RFC 2784[52].

h323 - H.323 VoIP
    Example:                server h323 accept
    Server Ports:           tcp/1720
    Client Ports:           default
    Netfilter Modules:      nf_conntrack_h323 (CONFIG_NF_CONNTRACK_H323[53])
    Netfilter NAT Modules:  nf_nat_h323 (CONFIG_NF_NAT_H323[54])
    Links:                  Wikipedia[55]

heartbeat - HeartBeat
    Example:        server heartbeat accept
    Server Ports:   udp/690:699
    Client Ports:   default
    Links:          Homepage[56]
    Notes:
        This Sanewall service has been designed in such a way that it will
        allow multiple heartbeat clusters on the same LAN.

http - Hypertext Transfer Protocol
    Example:        server http accept
    Server Ports:   tcp/80
    Client Ports:   default
    Links:          Wikipedia[57]

httpalt - HTTP alternate port
    Example:        server httpalt accept
    Server Ports:   tcp/8080
    Client Ports:   default
    Links:          Wikipedia[57]
    Notes:
        This port is commonly used by web servers, web proxies and caches
        where the standard http - Hypertext Transfer Protocol port is not
        available or cannot or should not be used.

https - Secure Hypertext Transfer Protocol
    Example:        server https accept
    Server Ports:   tcp/443
    Client Ports:   default
    Links:          Wikipedia[58]

hylafax - HylaFAX
    Example:        server hylafax accept
    Server Ports:   many
    Client Ports:   many
    Links:          Homepage[59], Wikipedia[60]
    Notes:
        This complex service allows incoming requests to server port
        tcp/4559 and outgoing from server port tcp/4558. The correct
        operation of this service has not been verified. USE THIS WITH CARE.
        A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from
        port tcp/4558).

iax - Inter-Asterisk eXchange
    Example:        server iax accept
    Server Ports:   udp/5036
    Client Ports:   default
    Links:          Homepage[13], Wikipedia[61]
    Notes:
        This service refers to IAX version 1. There is also iax2 -
        Inter-Asterisk eXchange v2.

iax2 - Inter-Asterisk eXchange v2
    Example:        server iax2 accept
    Server Ports:   udp/5469 udp/4569
    Client Ports:   default
    Links:          Homepage[13], Wikipedia[61]
    Notes:
        This service refers to IAX version 2. There is also iax -
        Inter-Asterisk eXchange.

icmp - Internet Control Message Protocol
    Example:        server icmp accept
    Server Ports:   icmp/any
    Client Ports:   any
    Links:          Wikipedia[62]

ICMP - Internet Control Message Protocol
    Alias:          See icmp - Internet Control Message Protocol

icp - Internet Cache Protocol
    Example:        server icp accept
    Server Ports:   udp/3130
    Client Ports:   3130
    Links:          Wikipedia[63]

ident - Identification Protocol
    Example:        server ident reject with tcp-reset
    Server Ports:   tcp/113
    Client Ports:   default
    Links:          Wikipedia[64]

imap - Internet Message Access Protocol
    Example:        server imap accept
    Server Ports:   tcp/143
    Client Ports:   default
    Links:          Wikipedia[65]

imaps - Secure Internet Message Access Protocol
    Example:        server imaps accept
    Server Ports:   tcp/993
    Client Ports:   default
    Links:          Wikipedia[65]

ipsecnatt - NAT traversal and IPsec
    Server Ports:   udp/4500
    Client Ports:   any
    Links:          Wikipedia[66]

irc - Internet Relay Chat
    Example:                server irc accept
    Server Ports:           tcp/6667
    Client Ports:           default
    Netfilter Modules:      nf_conntrack_irc (CONFIG_NF_CONNTRACK_IRC[67])
    Netfilter NAT Modules:  nf_nat_irc (CONFIG_NF_NAT_IRC[68])
    Links:                  Wikipedia[69]

isakmp - Internet Security Association and Key Management Protocol (IKE)
    Example:        server isakmp accept
    Server Ports:   udp/500
    Client Ports:   any
    Links:          Wikipedia[70]
    Notes:
        For more information see the Archive of the FreeS/WAN
        documentation[71].

jabber - Extensible Messaging and Presence Protocol
    Example:        server jabber accept
    Server Ports:   tcp/5222 tcp/5223
    Client Ports:   default
    Links:          Wikipedia[72]
    Notes:
        Allows clear and SSL client-to-server connections.

jabberd - Extensible Messaging and Presence Protocol (Server)
    Example:        server jabberd accept
    Server Ports:   tcp/5222 tcp/5223 tcp/5269
    Client Ports:   default
    Links:          Wikipedia[72]
    Notes:
        Allows clear and SSL client-to-server and server-to-server
        connections. Use this service for a jabberd server. In all other
        cases, use the jabber - Extensible Messaging and Presence Protocol
        service.

l2tp - Layer 2 Tunneling Protocol
    Server Ports:   udp/1701
    Client Ports:   any
    Links:          Wikipedia[73]

ldap - Lightweight Directory Access Protocol
    Example:        server ldap accept
    Server Ports:   tcp/389
    Client Ports:   default
    Links:          Wikipedia[74]

ldaps - Secure Lightweight Directory Access Protocol
    Example:        server ldaps accept
    Server Ports:   tcp/636
    Client Ports:   default
    Links:          Wikipedia[74]

lpd - Line Printer Daemon Protocol
    Example:        server lpd accept
    Server Ports:   tcp/515
    Client Ports:   any
    Links:          Wikipedia[75]
    Notes:
        LPD is documented in RFC 1179[76]. Since many operating systems
        incorrectly use non-default client ports for LPD access, this
        definition allows any client port to access the service (in
        addition to the RFC-defined 721 to 731 inclusive).

microsoft_ds - Direct Hosted (NETBIOS-less) SMB
    Example:        server microsoft_ds accept
    Server Ports:   tcp/445
    Client Ports:   default
    Notes:
        Direct Hosted (i.e. NETBIOS-less) SMB. This is another NETBIOS
        Session Service with minor differences from netbios_ssn - NETBIOS
        Session Service. It is supported only by Windows 2000 and Windows XP
        and it offers the advantage of being independent of WINS for name
        resolution. It seems that samba transparently supports this protocol
        on the netbios_ssn - NETBIOS Session Service ports, so that either
        direct hosted or traditional SMB can be served simultaneously.
        Please refer to the netbios_ssn - NETBIOS Session Service service
        for more information.

mms - Microsoft Media Server
    Example:                server mms accept
    Server Ports:           tcp/1755 udp/1755
    Client Ports:           default
    Netfilter Modules:      See here[77].
    Netfilter NAT Modules:  See here[77].
    Links:                  Wikipedia[78]
    Notes:
        Microsoft's proprietary network streaming protocol, used to
        transfer unicast data in Windows Media Services (previously called
        NetShow Services).

msn - Microsoft MSN Messenger Service
    Example:        server msn accept
    Server Ports:   tcp/1863 udp/1863
    Client Ports:   default

msnp - msnp
    Example:        server msnp accept
    Server Ports:   tcp/6891
    Client Ports:   default

ms_ds - Direct Hosted (NETBIOS-less) SMB
    Alias:          See microsoft_ds - Direct Hosted (NETBIOS-less) SMB

multicast - Multicast
    Example:        server multicast reject with proto-unreach
    Server Ports:   N/A
    Client Ports:   N/A
    Links:          Wikipedia[79]
    Notes:
        The multicast service matches all packets sent to 224.0.0.0/4 using
        IGMP or UDP.

mysql - MySQL
    Example:        server mysql accept
    Server Ports:   tcp/3306
    Client Ports:   default
    Links:          Homepage[80], Wikipedia[81]

netbackup - Veritas NetBackup service
    Example:        server netbackup accept
                    client netbackup accept
    Server Ports:   tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724
                    tcp/13782 tcp/13783
    Client Ports:   any
    Links:          Wikipedia[82]
    Notes:
        To use this service you must define it as both client and server in
        NetBackup clients and NetBackup servers.

netbios_dgm - NETBIOS Datagram Distribution Service
    Example:        server netbios_dgm accept
    Server Ports:   udp/138
    Client Ports:   any
    Links:          Wikipedia[83]
    Notes:
        See also the samba - Samba service. Keep in mind that this service
        broadcasts UDP packets (to the broadcast address of your LAN). If
        you place this service within an interface that has a dst
        parameter, remember to include the broadcast address of your LAN in
        the dst parameter too.

netbios_ns - NETBIOS Name Service
    Example:        server netbios_ns accept
    Server Ports:   udp/137
    Client Ports:   any
    Links:          Wikipedia[84]
    Notes:
        See also the samba - Samba service.

netbios_ssn - NETBIOS Session Service
    Example:        server netbios_ssn accept
    Server Ports:   tcp/139
    Client Ports:   default
    Links:          Wikipedia[85]
    Notes:
        See also the samba - Samba service.

        Please keep in mind that newer NETBIOS clients prefer to use port
        445 (microsoft_ds - Direct Hosted (NETBIOS-less) SMB) for the
        NETBIOS session service, and when this is not available they fall
        back to port 139 (netbios_ssn). Versions of samba above 3.x bind
        automatically to ports 139 and 445. If you have an older samba
        version and your policy on an interface or router is DROP, clients
        trying to access port 445 will have to time out before falling back
        to port 139. This timeout can be up to several minutes. To overcome
        this problem you can explicitly REJECT the microsoft_ds - Direct
        Hosted (NETBIOS-less) SMB service with a tcp-reset message:

            server microsoft_ds reject with tcp-reset

nfs - Network File System
    Example:        client nfs accept dst 192.0.2.1
    Server Ports:   many
    Client Ports:   N/A
    Links:          Wikipedia[86]
    Notes:
        The NFS service queries the RPC service on the NFS server host to
        find out the ports on which nfsd, mountd, lockd and rquotad are
        listening. Then, according to these ports, it sets up rules on all
        the supported protocols (as reported by RPC) so that the clients can
        reach the server. For this reason, the NFS service requires that:
        - the firewall is restarted if the NFS server is restarted
        - the NFS server must be specified on all nfs statements (only if
          it is not the localhost)
        Since NFS queries the remote RPC server, it must also be allowed to
        do so, by allowing the portmap - Open Network Computing Remote
        Procedure Call - Port Mapper service too. Take care that this is
        allowed by the running firewall when Sanewall tries to query the RPC
        server. So you might have to set up NFS in two steps: first add the
        portmap service and activate the firewall, then add the NFS service
        and restart the firewall. To avoid this you can set up your NFS
        server to listen on pre-defined ports, as documented in the NFS
        Howto[87]. If you do this then you will have to define the ports
        using the procedure described in the section called "ADDING
        SERVICES" of Sanewall configuration: sanewall.conf(5).

nis - Network Information Service
    Example:        client nis accept dst 192.0.2.1
    Server Ports:   many
    Client Ports:   N/A
    Links:          Wikipedia[88]
    Notes:
        The nis service queries the RPC service on the nis server host to
        find out the ports on which ypserv and yppasswdd are listening.
        Then, according to these ports, it sets up rules on all the
        supported protocols (as reported by RPC) so that the clients can
        reach the server. For this reason, the nis service requires that:
        - the firewall is restarted if the nis server is restarted
        - the nis server must be specified on all nis statements (only if
          it is not the localhost)
        Since nis queries the remote RPC server, it must also be allowed to
        do so, by allowing the portmap - Open Network Computing Remote
        Procedure Call - Port Mapper service too. Take care that this is
        allowed by the running firewall when Sanewall tries to query the RPC
        server. So you might have to set up nis in two steps: first add the
        portmap service and activate the firewall, then add the nis service
        and restart the firewall.

        This service was added to FireHOL by Carlos Rodrigues[89]. His
        comments regarding this implementation are:

            These rules work for client access only! Pushing changes to
            slave servers won't work if these rules are active somewhere
            between the master and its slaves, because it is impossible to
            predict the ports where yppush will be listening on each push.
            Pulling changes directly on the slaves will work, and could be
            improved performance-wise if these rules are modified to open
            fypxfrd. This wasn't done because it doesn't make that much
            sense since pushing changes on the master server is the most
            common, and recommended, way to replicate maps.

nntp - Network News Transfer Protocol
    Example:        server nntp accept
    Server Ports:   tcp/119
    Client Ports:   default
    Links:          Wikipedia[90]

nntps - Secure Network News Transfer Protocol
    Example:        server nntps accept
    Server Ports:   tcp/563
    Client Ports:   default
    Links:          Wikipedia[90]

nrpe - Nagios NRPE
    Server Ports:   tcp/5666
    Client Ports:   default
    Links:          Wikipedia[91]

ntp - Network Time Protocol
    Example:        server ntp accept
    Server Ports:   udp/123 tcp/123
    Client Ports:   any
    Links:          Wikipedia[92]

nut - Network UPS Tools
    Example:        server nut accept
    Server Ports:   tcp/3493 udp/3493
    Client Ports:   default
    Links:          Homepage[93]

nxserver - NoMachine NX Server
    Example:        server nxserver accept
    Server Ports:   tcp/5000:5200
    Client Ports:   default
    Links:          Wikipedia[94]
    Notes:
        Default ports used by NX server for connections without encryption.
        Note that nxserver also needs the ssh - Secure Shell Protocol
        service to be enabled. This information has been extracted from an
        external source: The TCP ports used by nxserver are
        4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT.
        DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf and
        the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200. For
        encrypted nxserver sessions, only ssh - Secure Shell Protocol is
        needed.

openvpn - OpenVPN
    Server Ports:   tcp/1194 udp/1194
    Client Ports:   default
    Links:          Homepage[95], Wikipedia[96]

oracle - Oracle Database
    Example:        server oracle accept
    Server Ports:   tcp/1521
    Client Ports:   default
    Links:          Wikipedia[97]

OSPF - Open Shortest Path First
    Example:        server OSPF accept
    Server Ports:   89/any
    Client Ports:   any
    Links:          Wikipedia[98]

ping - Ping (ICMP echo)
    Example:        server ping accept
    Server Ports:   N/A
    Client Ports:   N/A
    Links:          Wikipedia[99]
    Notes:
        This service matches requests of protocol ICMP and type
        echo-request (TYPE=8) and their replies of type echo-reply
        (TYPE=0). The ping service is stateful.
pop3 - Post Office Protocol
    Example:        server pop3 accept
    Server Ports:   tcp/110
    Client Ports:   default
    Links:          Wikipedia[100]

pop3s - Secure Post Office Protocol
    Example:        server pop3s accept
    Server Ports:   tcp/995
    Client Ports:   default
    Links:          Wikipedia[100]

portmap - Open Network Computing Remote Procedure Call - Port Mapper
    Example:        server portmap accept
    Server Ports:   udp/111 tcp/111
    Client Ports:   any
    Links:          Wikipedia[101]

postgres - PostgreSQL
    Example:        server postgres accept
    Server Ports:   tcp/5432
    Client Ports:   default
    Links:          Wikipedia[102]

pptp - Point-to-Point Tunneling Protocol
    Example:                server pptp accept
    Server Ports:           tcp/1723
    Client Ports:           default
    Netfilter Modules:      nf_conntrack_pptp (CONFIG_NF_CONNTRACK_PPTP[103]),
                            nf_conntrack_proto_gre (CONFIG_NF_CT_PROTO_GRE[49])
    Netfilter NAT Modules:  nf_nat_pptp (CONFIG_NF_NAT_PPTP[104]),
                            nf_nat_proto_gre (CONFIG_NF_NAT_PROTO_GRE[50])
    Links:                  Wikipedia[105]

privoxy - Privacy Proxy
    Example:        server privoxy accept
    Server Ports:   tcp/8118
    Client Ports:   default
    Links:          Homepage[106]

radius - Remote Authentication Dial In User Service (RADIUS)
    Example:        server radius accept
    Server Ports:   udp/1812 udp/1813
    Client Ports:   default
    Links:          Wikipedia[107]

radiusold - Remote Authentication Dial In User Service (RADIUS)
    Example:        server radiusold accept
    Server Ports:   udp/1645 udp/1646
    Client Ports:   default
    Links:          Wikipedia[107]

radiusoldproxy - Remote Authentication Dial In User Service (RADIUS)
    Example:        server radiusoldproxy accept
    Server Ports:   udp/1647
    Client Ports:   default
    Links:          Wikipedia[107]

radiusproxy - Remote Authentication Dial In User Service (RADIUS)
    Example:        server radiusproxy accept
    Server Ports:   udp/1814
    Client Ports:   default
    Links:          Wikipedia[107]

rdp - Remote Desktop Protocol
    Example:        server rdp accept
    Server Ports:   tcp/3389
    Client Ports:   default
    Links:          Wikipedia[108]
    Notes:
        Remote Desktop Protocol is also known as Terminal Services.

rndc - Remote Name Daemon Control
    Example:        server rndc accept
    Server Ports:   tcp/953
    Client Ports:   default
    Links:          Wikipedia[109]

rsync - rsync protocol
    Example:        server rsync accept
    Server Ports:   tcp/873 udp/873
    Client Ports:   default
    Links:          Homepage[110], Wikipedia[111]

rtp - Real-time Transport Protocol
    Example:        server rtp accept
    Server Ports:   udp/10000:20000
    Client Ports:   any
    Links:          Wikipedia[112]
    Notes:
        RTP ports are generally all the UDP ports. This definition narrows
        RTP ports down to UDP 10000 to 20000.

samba - Samba
    Example:        server samba accept
    Server Ports:   many
    Client Ports:   default
    Links:          Homepage[113], Wikipedia[114]
    Notes:
        The samba service automatically sets all the rules for netbios_ns -
        NETBIOS Name Service, netbios_dgm - NETBIOS Datagram Distribution
        Service, netbios_ssn - NETBIOS Session Service and microsoft_ds -
        Direct Hosted (NETBIOS-less) SMB. Please refer to the notes of the
        above services for more information.

        NETBIOS initiates based on the broadcast address of an interface
        (the request goes to the broadcast address) but the server responds
        from its own IP address. This makes the "server samba accept"
        statement drop the server reply, because of the way the iptables
        connection tracker works. This service definition includes a hack
        that allows a Linux samba server to respond correctly in such
        situations, by allowing new outgoing connections from the well
        known netbios_ns - NETBIOS Name Service port to the clients' high
        ports. However, for clients and routers this hack is not applied
        because it would open all unprivileged ports to the samba server.
        The only solution to overcome the problem in such cases (routers or
        clients) is to build a trust relationship between the samba servers
        and clients.
sane - SANE Scanner service
    Server Ports:           tcp/6566
    Client Ports:           default
    Netfilter Modules:      nf_conntrack_sane (CONFIG_NF_CONNTRACK_SANE[115])
    Netfilter NAT Modules:  N/A
    Links:                  Homepage[116]

sip - Session Initiation Protocol
    Example:                server sip accept
    Server Ports:           udp/5060
    Client Ports:           5060 default
    Netfilter Modules:      nf_conntrack_sip (CONFIG_NF_CONNTRACK_SIP[117])
    Netfilter NAT Modules:  nf_nat_sip (CONFIG_NF_NAT_SIP[118])
    Links:                  Wikipedia[119]
    Notes:
        SIP[120] is an IETF standard protocol (RFC 2543) for initiating
        interactive user sessions involving multimedia elements such as
        video, voice, chat, gaming, etc. SIP works in the application layer
        of the OSI communications model.

smtp - Simple Mail Transport Protocol
    Example:        server smtp accept
    Server Ports:   tcp/25
    Client Ports:   default
    Links:          Wikipedia[121]

smtps - Secure Simple Mail Transport Protocol
    Example:        server smtps accept
    Server Ports:   tcp/465
    Client Ports:   default
    Links:          Wikipedia[122]

snmp - Simple Network Management Protocol
    Example:        server snmp accept
    Server Ports:   udp/161
    Client Ports:   default
    Links:          Wikipedia[123]

snmptrap - SNMP Trap
    Example:        server snmptrap accept
    Server Ports:   udp/162
    Client Ports:   any
    Links:          Wikipedia[124]
    Notes:
        An SNMP trap is a notification from an agent to a manager.

socks - SOCKet Secure
    Example:        server socks accept
    Server Ports:   tcp/1080 udp/1080
    Client Ports:   default
    Links:          Wikipedia[125]
    Notes:
        See also RFC 1928[126].

squid - Squid Web Cache
    Example:        server squid accept
    Server Ports:   tcp/3128
    Client Ports:   default
    Links:          Homepage[127], Wikipedia[128]

ssh - Secure Shell Protocol
    Example:        server ssh accept
    Server Ports:   tcp/22
    Client Ports:   default
    Links:          Wikipedia[129]

stun - Session Traversal Utilities for NAT
    Example:        server stun accept
    Server Ports:   udp/3478 udp/3479
    Client Ports:   any
    Links:          Wikipedia[130]
    Notes:
        STUN[131] is a protocol for assisting devices behind a NAT firewall
        or router with their packet routing.

submission - SMTP over SSL/TLS submission
    Example:        server submission accept
    Server Ports:   tcp/587
    Client Ports:   default
    Links:          Wikipedia[121]
    Notes:
        Submission is essentially normal SMTP with an SSL/TLS negotiation.

sunrpc - Open Network Computing Remote Procedure Call - Port Mapper
    Alias:          See portmap - Open Network Computing Remote Procedure
                    Call - Port Mapper

swat - Samba Web Administration Tool
    Example:        server swat accept
    Server Ports:   tcp/901
    Client Ports:   default
    Links:          Homepage[132]

syslog - Syslog Remote Logging Protocol
    Example:        server syslog accept
    Server Ports:   udp/514
    Client Ports:   syslog default
    Links:          Wikipedia[133]

telnet - Telnet
    Example:        server telnet accept
    Server Ports:   tcp/23
    Client Ports:   default
    Links:          Wikipedia[134]

tftp - Trivial File Transfer Protocol
    Example:                server tftp accept
    Server Ports:           udp/69
    Client Ports:           default
    Netfilter Modules:      nf_conntrack_tftp (CONFIG_NF_CONNTRACK_TFTP[135])
    Netfilter NAT Modules:  nf_nat_tftp (CONFIG_NF_NAT_TFTP[136])
    Links:                  Wikipedia[137]

time - Time Protocol
    Example:        server time accept
    Server Ports:   tcp/37 udp/37
    Client Ports:   default
    Links:          Wikipedia[138]

timestamp - ICMP Timestamp
    Example:        server timestamp accept
    Server Ports:   N/A
    Client Ports:   N/A
    Links:          Wikipedia[139]
    Notes:
        This service matches requests of protocol ICMP and type
        timestamp-request (TYPE=13) and their replies of type
        timestamp-reply (TYPE=14). The timestamp service is stateful.

tomcat - HTTP alternate port
    Alias:          See httpalt - HTTP alternate port

upnp - Universal Plug and Play
    Example:        server upnp accept
    Server Ports:   udp/1900 tcp/2869
    Client Ports:   default
    Links:          Homepage[140], Wikipedia[141]
    Notes:
        For a Linux implementation see: Linux IGD[142].

uucp - Unix-to-Unix Copy
    Example:        server uucp accept
    Server Ports:   tcp/540
    Client Ports:   default
    Links:          Wikipedia[143]

vmware - vmware
    Example:        server vmware accept
    Server Ports:   tcp/902
    Client Ports:   default
    Notes:
        Used from VMWare 1 and up. See the VMWare KnowledgeBase[144].

vmwareauth - vmwareauth
    Example:        server vmwareauth accept
    Server Ports:   tcp/903
    Client Ports:   default
    Notes:
        Used from VMWare 1 and up. See the VMWare KnowledgeBase[144].

vmwareweb - vmwareweb
    Example:        server vmwareweb accept
    Server Ports:   tcp/8222 tcp/8333
    Client Ports:   default
    Notes:
        Used from VMWare 2 and up. See the VMWare Server 2.0 release
        notes[145] and the VMWare KnowledgeBase[144].

vnc - Virtual Network Computing
    Example:        server vnc accept
    Server Ports:   tcp/5900:5903
    Client Ports:   default
    Links:          Wikipedia[146]
    Notes:
        VNC is a graphical desktop sharing protocol.

webcache - HTTP alternate port
    Alias:          See httpalt - HTTP alternate port

webmin - Webmin Administration System
    Example:        server webmin accept
    Server Ports:   tcp/10000
    Client Ports:   default
    Links:          Homepage[147]

whois - WHOIS Protocol
    Example:        server whois accept
    Server Ports:   tcp/43
    Client Ports:   default
    Links:          Wikipedia[148]

xbox - Xbox Live
    Example:        client xbox accept
    Server Ports:   many
    Client Ports:   default
    Notes:
        Complex service definition for the Xbox Live service. See the
        program source for contributor details.

xdmcp - X Display Manager Control Protocol
    Example:        server xdmcp accept
    Server Ports:   udp/177
    Client Ports:   default
    Links:          Wikipedia[149]
    Notes:
        See Gnome Display Manager[150] for a discussion about XDMCP and
        firewalls (Gnome Display Manager is a replacement for XDM).
SEE ALSO
Sanewall program: sanewall(1)
Sanewall configuration: sanewall.conf(5)
AUTHOR
Sanewall Team
COPYRIGHT
Copyright © 2012, 2013 Phil Whineray <phil@sanewall.org>
NOTES
1. Wikipedia list of ports http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
2. Wikipedia http://en.wikipedia.org/wiki/IPsec#Authentication_Header
3. Archive of the FreeS/WAN documentation http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#AH.ipsec
4. RFC 2402 http://www.ietf.org/rfc/rfc2402.txt
5. CONFIG_NF_CONNTRACK_AMANDA http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_AMANDA.html
6. CONFIG_NF_NAT_AMANDA http://cateee.net/lkddb/web-lkddb/NF_NAT_AMANDA.html
7. Homepage http://www.amanda.org/
8. Wikipedia http://en.wikipedia.org/wiki/Advanced_Maryland_Automatic_Network_Disk_Archiver
9. Homepage http://www.apcupsd.com
10. Wikipedia http://en.wikipedia.org/wiki/Apcupsd
11. APCUPSD http://www.apcupsd.com/
12. Wikipedia http://en.wikipedia.org/wiki/Apt-proxy
13. Homepage http://www.asterisk.org
14. Wikipedia http://en.wikipedia.org/wiki/Asterisk_PBX
15. Homepage http://www.cups.org
16. Wikipedia http://en.wikipedia.org/wiki/Common_Unix_Printing_System
17. Homepage http://www.nongnu.org/cvs/
18. Wikipedia http://en.wikipedia.org/wiki/Concurrent_Versions_System
19. Homepage http://dmr.ath.cx/net/darkstat/
20. Wikipedia http://en.wikipedia.org/wiki/Daytime_Protocol
21. Wikipedia http://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse
22. DCC FAQ http://www.rhyolite.com/anti-spam/dcc/FAQ.html#firewall-ports
23. Homepage http://dcplusplus.sourceforge.net
24. Wikipedia http://en.wikipedia.org/wiki/Dhcp
25. Wikipedia http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying
26. RFC 1812 http://www.ietf.org/rfc/rfc1812.txt
27. RFC 1542 http://www.ietf.org/rfc/rfc1542.txt
28. Wikipedia http://en.wikipedia.org/wiki/DICT
29. RFC 2229 http://www.ietf.org/rfc/rfc2229.txt
30. Homepage http://distcc.samba.org/
31. Wikipedia http://en.wikipedia.org/wiki/Distcc
32. distcc security design http://distcc.googlecode.com/svn/trunk/doc/web/security.html
33. Wikipedia http://en.wikipedia.org/wiki/Domain_Name_System
34. Wikipedia http://en.wikipedia.org/wiki/Echo_Protocol
35. Homepage http://www.emule-project.com
36. eMule Port Definitions http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=122
37. Wikipedia http://en.wikipedia.org/wiki/Eserver
38. Wikipedia http://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload
39. Archive of the FreeS/WAN documentation http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#ESP.ipsec
40. RFC 2406 http://www.ietf.org/rfc/rfc2406.txt
41. Wikipedia http://en.wikipedia.org/wiki/Finger_protocol
42. CONFIG_NF_CONNTRACK_FTP http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_FTP.html
43. CONFIG_NF_NAT_FTP http://cateee.net/lkddb/web-lkddb/NF_NAT_FTP.html
44. Wikipedia http://en.wikipedia.org/wiki/Ftp
45. Homepage http://gift.sourceforge.net
46. Wikipedia http://en.wikipedia.org/wiki/GiFT
47. Homepage http://gkrellm.net/
48. Wikipedia http://en.wikipedia.org/wiki/Gkrellm
49. CONFIG_NF_CT_PROTO_GRE http://cateee.net/lkddb/web-lkddb/NF_CT_PROTO_GRE.html
50. CONFIG_NF_NAT_PROTO_GRE http://cateee.net/lkddb/web-lkddb/NF_NAT_PROTO_GRE.html
51. Wikipedia http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
52. RFC 2784 http://www.ietf.org/rfc/rfc2784.txt
53. CONFIG_NF_CONNTRACK_H323 http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_H323.html
54. CONFIG_NF_NAT_H323 http://cateee.net/lkddb/web-lkddb/NF_NAT_H323.html
55. Wikipedia http://en.wikipedia.org/wiki/H323
56. Homepage http://www.linux-ha.org/
57. Wikipedia http://en.wikipedia.org/wiki/Http
58. Wikipedia http://en.wikipedia.org/wiki/Https
59. Homepage http://www.hylafax.org
60. Wikipedia http://en.wikipedia.org/wiki/Hylafax
61. Wikipedia http://en.wikipedia.org/wiki/Iax
62. Wikipedia http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
63. Wikipedia http://en.wikipedia.org/wiki/Internet_Cache_Protocol
64. Wikipedia http://en.wikipedia.org/wiki/Ident_protocol
65. Wikipedia http://en.wikipedia.org/wiki/Imap
66. Wikipedia http://en.wikipedia.org/wiki/NAT_traversal#NAT_traversal_and_IPsec
67. CONFIG_NF_CONNTRACK_IRC http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_IRC.html
68. CONFIG_NF_NAT_IRC http://cateee.net/lkddb/web-lkddb/NF_NAT_IRC.html
69. Wikipedia http://en.wikipedia.org/wiki/Internet_Relay_Chat
70. Wikipedia http://en.wikipedia.org/wiki/ISAKMP
71. Archive of the FreeS/WAN documentation http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#IKE.ipsec
72. Wikipedia http://en.wikipedia.org/wiki/Jabber
73. Wikipedia http://en.wikipedia.org/wiki/L2tp
74. Wikipedia http://en.wikipedia.org/wiki/Ldap
75. Wikipedia http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol
76. RFC 1179 http://www.ietf.org/rfc/rfc1179.txt
77. here http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5
78. Wikipedia http://en.wikipedia.org/wiki/Microsoft_Media_Server
79. Wikipedia http://en.wikipedia.org/wiki/Multicast
80. Homepage http://www.mysql.com/
81. Wikipedia http://en.wikipedia.org/wiki/Mysql
82. Wikipedia http://en.wikipedia.org/wiki/Netbackup
83. Wikipedia http://en.wikipedia.org/wiki/Netbios#Datagram_distribution_service
84. Wikipedia http://en.wikipedia.org/wiki/Netbios#Name_service
85. Wikipedia http://en.wikipedia.org/wiki/Netbios#Session_service
86. Wikipedia http://en.wikipedia.org/wiki/Network_File_System_%28protocol%29
87. NFS Howto http://nfs.sourceforge.net/nfs-howto/ar01s06.html#nfs_firewalls
88. Wikipedia http://en.wikipedia.org/wiki/Network_Information_Service
89. Carlos Rodrigues https://sourceforge.net/tracker/?func=detail&atid=487695&aid=1050951&group_id=58425
90. Wikipedia http://en.wikipedia.org/wiki/Nntp
91. Wikipedia http://en.wikipedia.org/wiki/Nagios#NRPE
92. Wikipedia http://en.wikipedia.org/wiki/Network_Time_Protocol
93. Homepage http://networkupstools.org/
94. Wikipedia http://en.wikipedia.org/wiki/NX_Server
95. Homepage http://openvpn.net/
96. Wikipedia http://en.wikipedia.org/wiki/OpenVPN
97. Wikipedia http://en.wikipedia.org/wiki/Oracle_db
98. Wikipedia http://en.wikipedia.org/wiki/Ospf
99. Wikipedia http://en.wikipedia.org/wiki/Ping
100. Wikipedia http://en.wikipedia.org/wiki/Pop3
101. Wikipedia http://en.wikipedia.org/wiki/Portmap
102. Wikipedia http://en.wikipedia.org/wiki/Postgres
103. CONFIG_NF_CONNTRACK_PPTP http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_PPTP.html
104. CONFIG_NF_NAT_PPTP http://cateee.net/lkddb/web-lkddb/NF_NAT_PPTP.html
105. Wikipedia http://en.wikipedia.org/wiki/Pptp
106. Homepage http://www.privoxy.org/
107. Wikipedia http://en.wikipedia.org/wiki/RADIUS
108. Wikipedia http://en.wikipedia.org/wiki/Remote_Desktop_Protocol
109. Wikipedia http://en.wikipedia.org/wiki/Rndc
110. Homepage http://rsync.samba.org/
111. Wikipedia http://en.wikipedia.org/wiki/Rsync
112. Wikipedia http://en.wikipedia.org/wiki/Real-time_Transport_Protocol
113. Homepage http://www.samba.org/
114. Wikipedia http://en.wikipedia.org/wiki/Samba_(software)
115. CONFIG_NF_CONNTRACK_SANE http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_SANE.html
116. Homepage http://www.sane-project.org/
117. CONFIG_NF_CONNTRACK_SIP http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_SIP.html
118. CONFIG_NF_NAT_SIP http://cateee.net/lkddb/web-lkddb/NF_NAT_SIP.html
119. Wikipedia http://en.wikipedia.org/wiki/Session_Initiation_Protocol
120. SIP http://www.voip-info.org/wiki-SIP
121. Wikipedia http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
122. Wikipedia http://en.wikipedia.org/wiki/SMTPS
123. Wikipedia http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
124. Wikipedia http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap
125. Wikipedia http://en.wikipedia.org/wiki/SOCKS
126. RFC 1928 http://www.ietf.org/rfc/rfc1928.txt
127. Homepage http://www.squid-cache.org/
128. Wikipedia http://en.wikipedia.org/wiki/Squid_(software)
129. Wikipedia http://en.wikipedia.org/wiki/Secure_Shell
130. Wikipedia http://en.wikipedia.org/wiki/STUN
131. STUN http://www.voip-info.org/wiki-STUN
132. Homepage http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html
133. Wikipedia http://en.wikipedia.org/wiki/Syslog
134. Wikipedia http://en.wikipedia.org/wiki/Telnet
135. CONFIG_NF_CONNTRACK_TFTP http://cateee.net/lkddb/web-lkddb/NF_CONNTRACK_TFTP.html
136. CONFIG_NF_NAT_TFTP http://cateee.net/lkddb/web-lkddb/NF_NAT_TFTP.html
137. Wikipedia http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
138. Wikipedia http://en.wikipedia.org/wiki/Time_Protocol
139. Wikipedia http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Timestamp
140. Homepage http://upnp.sourceforge.net/
141. Wikipedia http://en.wikipedia.org/wiki/Universal_Plug_and_Play
142. Linux IGD http://linux-igd.sourceforge.net/
143. Wikipedia http://en.wikipedia.org/wiki/UUCP
144. VMWare KnowledgeBase http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382
145. VMWare Server 2.0 release notes http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html
146. Wikipedia http://en.wikipedia.org/wiki/Virtual_Network_Computing
147. Homepage http://www.webmin.com/
148. Wikipedia http://en.wikipedia.org/wiki/Whois
149. Wikipedia http://en.wikipedia.org/wiki/X_display_manager_(program_type)#X_Display_Manager_Control_Protocol
150. Gnome Display Manager http://www.jirka.org/gdm-documentation/x70.html