Provided by: firehol-doc_2.0.3+ds-1_all 
NAME
firehol-services - FireHOL services list
SYNOPSIS
AH all amanda any anystateless apcupsd apcupsdnis aptproxy asterisk
cups custom cvspserver
darkstat daytime dcc dcpp dhcp dhcprelay dhcpv6 dict distcc dns
echo emule eserver ESP
finger ftp
gift giftui gkrellmd GRE
h323 heartbeat http httpalt https hylafax
iax iax2 ICMP icmp ICMPV6 icmpv6 icp ident imap imaps ipsecnatt ipv6error ipv6neigh ipv6router irc isakmp
jabber jabberd
l2tp ldap ldaps lpd
microsoft_ds mms msn msnp ms_ds multicast mysql
netbackup netbios_dgm netbios_ns netbios_ssn nfs nis nntp nntps nrpe ntp nut nxserver
openvpn oracle OSPF
ping pop3 pop3s portmap postgres pptp privoxy
radius radiusold radiusoldproxy radiusproxy rdp rndc rsync rtp
samba sane sip smtp smtps snmp snmptrap socks squid ssh stun submission sunrpc swat syslog
telnet tftp time timestamp tomcat
upnp uucp
vmware vmwareauth vmwareweb vnc
webcache webmin whois
xbox xdmcp
DESCRIPTION
service: AH
IPSec Authentication Header (AH)
Example:
server AH accept
Service Type:
• simple
Server Ports:
• 51/any
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/IPsec#Authentication_Header)
Notes
> For more information see this
> [Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#AH.ipsec)
> and [RFC 2402](http://www.ietf.org/rfc/rfc2402.txt).
service: all
Match all traffic
Example:
server all accept
Service Type:
• complex
Server Ports:
• all
Client Ports:
• all
Notes
Matches all traffic (all protocols, ports, etc) while ensuring that required kernel modules
are loaded.
This service may indirectly setup a set of other services, if they require kernel modules
to be loaded. The following complex services are activated:
ftp irc
service: amanda
Advanced Maryland Automatic Network Disk Archiver
Service Type:
• simple
Server Ports:
• udp/10080
Client Ports:
• default
Netfilter Modules
• nf_conntrack_amanda CONFIG_NF_CONNTRACK_AMANDA (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_AMANDA.html)
Netfilter NAT Modules
• nf_nat_amanda CONFIG_NF_NAT_AMANDA (http://cateee.net/lkddb/web-lkddb/NF_NAT_AMANDA.html)
Links
• Homepage (http://www.amanda.org/)
• Wikipedia (http://en.wikipedia.org/wiki/Advanced_Maryland_Automatic_Network_Disk_Archiver)
service: any
Match all traffic (without modules or indirect)
Example:
server any *myname* accept proto 47
Service Type:
• complex
Server Ports:
• all
Client Ports:
• all
Notes
Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and
does not activate any other service indirectly. In combination with the firehol-params(5)
this service can match unusual traffic (e.g. GRE - protocol 47).
Note that you have to supply your own name in addition to "any".
service: anystateless
Match all traffic statelessly
Example:
server anystateless *myname* accept proto 47
Service Type:
• complex
Server Ports:
• all
Client Ports:
• all
Notes
Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and
does not activate any other service indirectly. In combination with the firehol-params(5)
this service can match unusual traffic (e.g. GRE - protocol 47).
This service is identical to "any" but does not care about the state of traffic.
Note that you have to supply your own name in addition to "anystateless".
service: apcupsd
APC UPS Daemon
Example:
server apcupsd accept
Service Type:
• simple
Server Ports:
• tcp/6544
Client Ports:
• default
Links
• Homepage (http://www.apcupsd.com)
• Wikipedia (http://en.wikipedia.org/wiki/Apcupsd)
Notes
> This service must be defined as "server apcupsd accept" on
> all machines not directly connected to the UPS (i.e. slaves).
>
> Note that the port defined here is not the default port (6666)
> used if you download and compile APCUPSD, since the default
> conflicts with IRC and many distributions (like Debian) have
> changed this to 6544.
>
> You can define port 6544 in APCUPSD, by changing the value
> of NETPORT in its configuration file, or overwrite this
> FireHOL service definition using the procedures described
> in [Adding Services](#adding-services)
> in [firehol.conf(5)](#firehol.conf5).
service: apcupsdnis
APC UPS Daemon Network Information Server
Example:
server apcupsdnis accept
Service Type:
• simple
Server Ports:
• tcp/3551
Client Ports:
• default
Links
• Homepage (http://www.apcupsd.com)
• Wikipedia (http://en.wikipedia.org/wiki/Apcupsd)
Notes
> This service allows the remote WEB interfaces of
> [APCUPSD](http://www.apcupsd.com/), to connect
> and get information from the server directly connected to
> the UPS device.
service: aptproxy
Advanced Packaging Tool Proxy
Example:
server aptproxy accept
Service Type:
• simple
Server Ports:
• tcp/9999
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Apt-proxy)
service: asterisk
Asterisk PABX
Example:
server asterisk accept
Service Type:
• simple
Server Ports:
• tcp/5038
Client Ports:
• default
Links
• Homepage (http://www.asterisk.org)
• Wikipedia (http://en.wikipedia.org/wiki/Asterisk_PBX)
Notes
> This service refers only to the manager interface of asterisk.
> You should normally enable
> [sip][keyword-service-sip],
> [h323][keyword-service-h323],
> [rtp][keyword-service-rtp], etc. at the
> firewall level, if you enable the relative channel drivers
> of asterisk.
service: cups
Common UNIX Printing System
Example:
server cups accept
Service Type:
• simple
Server Ports:
• tcp/631 udp/631
Client Ports:
• any
Links
• Homepage (http://www.cups.org)
• Wikipedia (http://en.wikipedia.org/wiki/Common_Unix_Printing_System)
service: custom
Custom definitions
Example:
server custom myimap tcp/143 default accept
Service Type:
• custom
Server Ports:
• N/A
Client Ports:
• N/A
Notes
The full syntax is:
subcommand custom name svr-proto/ports cli-ports action params
This service is used by FireHOL to allow you create rules for services which do not have a
definition.
subcommand, action and params have their usual meanings.
A name must be supplied along with server ports in the form proto/range and client ports
which takes only a range.
To define services with the built-in extension mechanism to avoid the need for custom
services, see Adding Services in firehol.conf(5).
service: cvspserver
Concurrent Versions System
Example:
server cvspserver accept
Service Type:
• simple
Server Ports:
• tcp/2401
Client Ports:
• default
Links
• Homepage (http://www.nongnu.org/cvs/)
• Wikipedia (http://en.wikipedia.org/wiki/Concurrent_Versions_System)
service: darkstat
Darkstat network traffic analyser
Example:
server darkstat accept
Service Type:
• simple
Server Ports:
• tcp/666
Client Ports:
• default
Links
• Homepage (http://unix4lyfe.org/darkstat/)
service: daytime
Daytime Protocol
Example:
server daytime accept
Service Type:
• simple
Server Ports:
• tcp/13
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Daytime_Protocol)
service: dcc
Distributed Checksum Clearinghouse
Example:
server dcc accept
Service Type:
• simple
Server Ports:
• udp/6277
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse)
Notes
> See also this
> [DCC FAQ](http://www.rhyolite.com/dcc/FAQ.html#firewall-ports).
service: dcpp
Direct Connect++ P2P
Example:
server dcpp accept
Service Type:
• simple
Server Ports:
• tcp/1412 udp/1412
Client Ports:
• default
Links
• Homepage (http://dcplusplus.sourceforge.net)
service: dhcp
Dynamic Host Configuration Protocol
Example:
server dhcp accept
Service Type:
• complex
Server Ports:
• udp/67
Client Ports:
• 68
Links
• Wikipedia (http://en.wikipedia.org/wiki/Dhcp)
Notes
> The dhcp service is implemented as stateless rules.
>
> DHCP clients broadcast to the network (src 0.0.0.0
> dst 255.255.255.255) to find a DHCP server. If the DHCP
> service was stateful the iptables connection tracker would
> not match the packets and deny to send the reply.
>
> Note that this change does not affect the security of either
> DHCP servers or clients, since only the specific ports are
> allowed (there is no random port at either the server or the
> client side).
>
> Note also that the "server dhcp accept" or "client dhcp accept"
> commands should placed within interfaces that do not
> have src and / or dst defined (because of the initial
> broadcast).
>
> You can overcome this problem by placing the DHCP service on
> a separate interface, without a src or dst but with a policy
> return. Place this interface before the one that defines the
> rest of the services.
>
> For example:
>
> `interface eth0 dhcp`
>
> ` policy return`
>
> ` server dhcp accept`
>
>
> `interface eth0 lan src "$mylan" dst "$myip"`
>
> ` client all accept`
>
> For example:
> interface eth0 dhcp
> policy return
> server dhcp accept
> interface eth0 lan src "$mylan" dst "$myip"
> client all accept
>
> This service implicitly sets its client or server to ipv4 mode.
service: dhcprelay
DHCP Relay
Example:
server dhcprelay accept
Service Type:
• simple
Server Ports:
• udp/67
Client Ports:
• 67
Links
• Wikipedia (http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying)
Notes
> From RFC 1812 section 9.1.2:
>
> In many cases, BOOTP clients and their associated BOOTP
> server(s) do not reside on the same IP (sub)network. In
> such cases, a third-party agent is required to transfer
> BOOTP messages between clients and servers. Such an agent
> was originally referred to as a BOOTP forwarding agent.
> However, to avoid confusion with the IP forwarding function
> of a router, the name BOOTP relay agent has been adopted
> instead.
>
> For more information about DHCP Relay see section 9.1.2 of
> [RFC 1812](http://www.ietf.org/rfc/rfc1812.txt)
> and section 4 of
> [RFC 1542](http://www.ietf.org/rfc/rfc1542.txt)
service: dhcpv6
Dynamic Host Configuration Protocol for IPv6
Example:
server dhcp accept
client dhcp accept
Service Type:
• complex
Server Ports:
• udp/547
Client Ports:
• udp/546
Links
• Wikipedia (https://en.wikipedia.org/wiki/DHCPv6)
Notes
> The dhcp service is implemented as stateless rules.
> It cannot be stateful as the connection tracker will not
> match a unicast reply to a broadcast request. Further,
> if you wish to add src/dst rule parameters, you must
> account for both the broadcast and link-local network prefixes.
>
> Clients broadcast from a link-local address to the
> multicast address ff02::1:2 on UDP port 547 to find a
> server. The server sends a unicast reply back to the
> client which listens on UDP port 546.
>
> For a FireHOL interface, creating a client will allow
> sending to port 547 and receiving on port 546. Creating
> a server allows sending to port 546 and receiving on port 547.
>
> Unlike DHCP for IPv4, the source ports to be used are not
> defined in DHCPv6 - see section 5.2 of
> [RFC3315](http://www.ietf.org/rfc/rfc3315.txt).
> Some servers are known to make use of this to send from
> arbitrary ports, so FireHOL does not assume a source port.
>
> This service implicitly sets its client or server to ipv6 mode.
service: dict
Dictionary Server Protocol
Example:
server dict accept
Service Type:
• simple
Server Ports:
• tcp/2628
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/DICT)
Notes
> See
> [RFC2229](http://www.ietf.org/rfc/rfc2229.txt).
service: distcc
Distributed CC
Example:
server distcc accept
Service Type:
• simple
Server Ports:
• tcp/3632
Client Ports:
• default
Links
• Homepage (http://distcc.samba.org/)
• Wikipedia (http://en.wikipedia.org/wiki/Distcc)
Notes
> For distcc security, please check the
> [distcc security design](http://distcc.googlecode.com/svn/trunk/doc/web/security.html).
service: dns
Domain Name System
Example:
server dns accept
Service Type:
• simple
Server Ports:
• udp/53 tcp/53
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Domain_Name_System)
Notes
> On very busy DNS servers you may see a few dropped DNS
> packets in your logs. This is normal. The iptables
> connection tracker will timeout the session and lose
> unmatched DNS packets that arrive too late to be useful.
service: echo
Echo Protocol
Example:
server echo accept
Service Type:
• simple
Server Ports:
• tcp/7
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Echo_Protocol)
service: emule
eMule (Donkey network client)
Example:
client emule accept src 192.0.2.1
Service Type:
• complex
Server Ports:
• many
Client Ports:
• many
Links
• Homepage (http://www.emule-project.com)
Notes
> According to
> [eMule Port Definitions](http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=122),
> FireHOL defines:
>
> * Accept from any client port to the server at tcp/4661
> * Accept from any client port to the server at tcp/4662
> * Accept from any client port to the server at udp/4665
> * Accept from any client port to the server at udp/4672
> * Accept from any server port to the client at tcp/4662
> * Accept from any server port to the client at udp/4672
>
> Use the FireHOL [firehol-client(5)][keyword-firehol-client]
> command to match the eMule client.
>
> Please note that the eMule client is an HTTP client also.
service: eserver
eDonkey network server
Example:
server eserver accept
Service Type:
• simple
Server Ports:
• tcp/4661 udp/4661 udp/4665
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Eserver)
service: ESP
IPSec Encapsulated Security Payload (ESP)
Example:
server ESP accept
Service Type:
• simple
Server Ports:
• 50/any
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload)
Notes
> For more information see this
> [Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#ESP.ipsec)
> [RFC 2406](http://www.ietf.org/rfc/rfc2406.txt).
service: finger
Finger Protocol
Example:
server finger accept
Service Type:
• simple
Server Ports:
• tcp/79
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Finger_protocol)
service: ftp
File Transfer Protocol
Example:
server ftp accept
Service Type:
• simple
Server Ports:
• tcp/21
Client Ports:
• default
Netfilter Modules
• nf_conntrack_ftp CONFIG_NF_CONNTRACK_FTP (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_FTP.html)
Netfilter NAT Modules
• nf_nat_ftp CONFIG_NF_NAT_FTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_FTP.html)
Links
• Wikipedia (http://en.wikipedia.org/wiki/Ftp)
Notes
> The FTP service matches both active and passive FTP
> connections.
service: gift
giFT Internet File Transfer
Example:
server gift accept
Service Type:
• simple
Server Ports:
• tcp/4302 tcp/1214 tcp/2182 tcp/2472
Client Ports:
• any
Links
• Homepage (http://gift.sourceforge.net)
• Wikipedia (http://en.wikipedia.org/wiki/GiFT)
Notes
> The gift FireHOL service supports:
>
> * Gnutella listening at tcp/4302
> * FastTrack listening at tcp/1214
> * OpenFT listening at tcp/2182 and tcp/2472
>
> The above ports are the defaults given for the corresponding
> giFT modules.
>
> To allow access to the user interface ports of giFT, use
> the [giftui][keyword-service-giftui].
service: giftui
giFT Internet File Transfer User Interface
Example:
server giftui accept
Service Type:
• simple
Server Ports:
• tcp/1213
Client Ports:
• default
Links
• Homepage (http://gift.sourceforge.net)
• Wikipedia (http://en.wikipedia.org/wiki/GiFT)
Notes
> This service refers only to the user interface ports offered
> by giFT. To allow gift accept P2P requests, use the
> [gift][keyword-service-gift].
service: gkrellmd
GKrellM Daemon
Example:
server gkrellmd accept
Service Type:
• simple
Server Ports:
• tcp/19150
Client Ports:
• default
Links
• Homepage (http://gkrellm.net/)
• Wikipedia (http://en.wikipedia.org/wiki/Gkrellm)
service: GRE
Generic Routing Encapsulation
Example:
server GRE accept
Service Type:
• simple
Server Ports:
• 47/any
Client Ports:
• any
Netfilter Modules
• nf_conntrack_proto_gre CONFIG_NF_CT_PROTO_GRE (http://cateee.net/lkddb/web-
lkddb/NF_CT_PROTO_GRE.html)
Netfilter NAT Modules
• nf_nat_proto_gre CONFIG_NF_NAT_PROTO_GRE (http://cateee.net/lkddb/web-
lkddb/NF_NAT_PROTO_GRE.html)
Links
• Wikipedia (http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation)
Notes
> Protocol No 47.
>
> For more information see RFC [RFC 2784](http://www.ietf.org/rfc/rfc2784.txt).
service: h323
H.323 VoIP
Example:
server h323 accept
Service Type:
• simple
Server Ports:
• tcp/1720
Client Ports:
• default
Netfilter Modules
• nf_conntrack_h323 CONFIG_NF_CONNTRACK_H323 (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_H323.html)
Netfilter NAT Modules
• nf_nat_h323 CONFIG_NF_NAT_H323 (http://cateee.net/lkddb/web-lkddb/NF_NAT_H323.html)
Links
• Wikipedia (http://en.wikipedia.org/wiki/H323)
service: heartbeat
HeartBeat
Example:
server heartbeat accept
Service Type:
• simple
Server Ports:
• udp/690:699
Client Ports:
• default
Links
• Homepage (http://www.linux-ha.org/)
Notes
> This FireHOL service has been designed such a way that it
> will allow multiple heartbeat clusters on the same LAN.
service: http
Hypertext Transfer Protocol
Example:
server http accept
Service Type:
• simple
Server Ports:
• tcp/80
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Http)
service: httpalt
HTTP alternate port
Example:
server httpalt accept
Service Type:
• simple
Server Ports:
• tcp/8080
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Http)
Notes
> This port is commonly used by web servers, web proxies
> and caches where the standard [http][keyword-service-http]
> port is not available or can or should not be used.
service: https
Secure Hypertext Transfer Protocol
Example:
server https accept
Service Type:
• simple
Server Ports:
• tcp/443
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Https)
service: hylafax
HylaFAX
Example:
server hylafax accept
Service Type:
• complex
Server Ports:
• many
Client Ports:
• many
Links
• Homepage (http://www.hylafax.org)
• Wikipedia (http://en.wikipedia.org/wiki/Hylafax)
Notes
> This service allows incoming requests to server port
> tcp/4559 and outgoing from server port tcp/4558.
>
> The correct operation of this service has not been verified.
>
> USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP
> UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558).
service: iax
Inter-Asterisk eXchange
Example:
server iax accept
Service Type:
• simple
Server Ports:
• udp/5036
Client Ports:
• default
Links
• Homepage (http://www.asterisk.org)
• Wikipedia (http://en.wikipedia.org/wiki/Iax)
Notes
> This service refers to IAX version 1.
> There is also [iax2][keyword-service-iax2].
service: iax2
Inter-Asterisk eXchange v2
Example:
server iax2 accept
Service Type:
• simple
Server Ports:
• udp/5469 udp/4569
Client Ports:
• default
Links
• Homepage (http://www.asterisk.org)
• Wikipedia (http://en.wikipedia.org/wiki/Iax)
Notes
> This service refers to IAX version 2.
> There is also [iax][keyword-service-iax].
service: ICMP
Internet Control Message Protocol
Example:
server ICMP accept
Service Type:
• simple
Server Ports:
• icmp/any
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol)
service: icmp
Internet Control Message Protocol
Alias for ICMP
service: ICMPV6
Internet Control Message Protocol v6
Example:
server ICMPV6 accept
Service Type:
• simple
Server Ports:
• icmpv6/any
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/ICMPv6)
service: icmpv6
Internet Control Message Protocol v6
Alias for ICMPV6
service: icp
Internet Cache Protocol
Example:
server icp accept
Service Type:
• simple
Server Ports:
• udp/3130
Client Ports:
• 3130
Links
• Wikipedia (http://en.wikipedia.org/wiki/Internet_Cache_Protocol)
service: ident
Identification Protocol
Example:
server ident reject with tcp-reset
Service Type:
• simple
Server Ports:
• tcp/113
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Ident_protocol)
service: imap
Internet Message Access Protocol
Example:
server imap accept
Service Type:
• simple
Server Ports:
• tcp/143
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Imap)
service: imaps
Secure Internet Message Access Protocol
Example:
server imaps accept
Service Type:
• simple
Server Ports:
• tcp/993
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Imap)
service: ipsecnatt
NAT traversal and IPsec
Service Type:
• simple
Server Ports:
• udp/4500
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/NAT_traversal#NAT_traversal_and_IPsec)
service: ipv6error
ICMPv6 Error Handling
Example:
server ipv6error accept
Service Type:
• complex
Server Ports:
• N/A
Client Ports:
• N/A
Notes
Not all icmpv6 error types should be treated equally inbound and outbound.
The ipv6error rule wraps all of them in the following way: * allow incoming messages only
for existing sessions * allow outgoing messages always
The following ICMPv6 messages are handled:
• destination-unreachable
• packet-too-big
• ttl-zero-during-transit
• ttl-zero-during-reassembly
• unknown-header-type
• unknown-option
Interfaces should always have this set:
server ipv6error accept
In a router with inface being internal and outface being external the following will meet
the recommendations of RFC 4890 (http://tools.ietf.org/html/rfc4890):
server ipv6error accept
Do not use: client ipv6error accept unless you are controlling traffic on a router
interface where outface is the internal destination.
This service implicitly sets its client or server to ipv6 mode.
service: ipv6neigh
IPv6 Neighbour discovery
Example:
client ipv6neigh accept
server ipv6neigh accept
Service Type:
• complex
Server Ports:
• N/A
Client Ports:
• N/A
Links
• Wikipedia (https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol)
Notes
> IPv6 uses the Neighbour Discovery Protocol to do automatic
> configuration of routes and to replace ARP. To allow this
> functionality the network neighbour and router
> solicitation/advertisement messages should be enabled on
> each interface.
>
> These rules are stateless since advertisement can happen
> automatically as well as on solicitation.
>
> Neighbour discovery (incoming) should always be enabled:
>
> `server ipv6neigh accept`
>
> Neighbour advertisement (outgoing) should always be enabled:
>
> `client ipv6neigh accept`
>
> The rules should not be used to pass packets across a
> firewall (e.g. in a router definition) unless the firewall
> is for a bridge.
>
> This service implicitly sets its client or server to ipv6 mode.
service: ipv6router
IPv6 Router discovery
Example:
client ipv6router accept
Service Type:
• complex
Server Ports:
• N/A
Client Ports:
• N/A
Links
• Wikipedia (https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol)
Notes
> IPv6 uses the Neighbour Discovery Protocol to do automatic
> configuration of routes and to replace ARP. To allow this
> functionality the network neighbour and router
> solicitation/advertisement messages should be enabled on
> each interface.
>
> These rules are stateless since advertisement can happen
> automatically as well as on solicitation.
>
> Router discovery (incoming) should always be enabled:
>
> `client ipv6router accept`
>
> Router advertisement (outgoing) should be enabled on
> a host that routes:
>
> `server ipv6router accept`
>
> The rules should not be used to pass packets across a
> firewall (e.g. in a router definition) unless the firewall
> is for a bridge.
>
> This service implicitly sets its client or server to ipv6 mode.
service: irc
Internet Relay Chat
Example:
server irc accept
Service Type:
• simple
Server Ports:
• tcp/6667
Client Ports:
• default
Netfilter Modules
• nf_conntrack_irc CONFIG_NF_CONNTRACK_IRC (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_IRC.html)
Netfilter NAT Modules
• nf_nat_irc CONFIG_NF_NAT_IRC (http://cateee.net/lkddb/web-lkddb/NF_NAT_IRC.html)
Links
• Wikipedia (http://en.wikipedia.org/wiki/Internet_Relay_Chat)
service: isakmp
Internet Security Association and Key Management Protocol (IKE)
Example:
server isakmp accept
Service Type:
• simple
Server Ports:
• udp/500
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/ISAKMP)
Notes
> For more information see the
> [Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#IKE.ipsec)
service: jabber
Extensible Messaging and Presence Protocol
Example:
server jabber accept
Service Type:
• simple
Server Ports:
• tcp/5222 tcp/5223
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Jabber)
Notes
> Allows clear and SSL client-to-server connections.
service: jabberd
Extensible Messaging and Presence Protocol (Server)
Example:
server jabberd accept
Service Type:
• simple
Server Ports:
• tcp/5222 tcp/5223 tcp/5269
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Jabber)
Notes
> Allows clear and SSL client-to-server and server-to-server
> connections.
>
> Use this service for a jabberd server. In all other cases,
> use the [jabber][keyword-service-jabber].
service: l2tp
Layer 2 Tunneling Protocol
Service Type:
• simple
Server Ports:
• udp/1701
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/L2tp)
service: ldap
Lightweight Directory Access Protocol
Example:
server ldap accept
Service Type:
• simple
Server Ports:
• tcp/389
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Ldap)
service: ldaps
Secure Lightweight Directory Access Protocol
Example:
server ldaps accept
Service Type:
• simple
Server Ports:
• tcp/636
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Ldap)
service: lpd
Line Printer Daemon Protocol
Example:
server lpd accept
Service Type:
• simple
Server Ports:
• tcp/515
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol)
Notes
> LPD is documented in
> [RFC 1179](http://www.ietf.org/rfc/rfc1179.txt).
>
> Since many operating systems incorrectly use the non-default
> client ports for LPD access, this definition allows any
> client port to access the service (in addition to
> the RFC defined 721 to 731 inclusive).
service: microsoft_ds
Direct Hosted (NETBIOS-less) SMB
Example:
server microsoft_ds accept
Service Type:
• simple
Server Ports:
• tcp/445
Client Ports:
• default
Notes
Direct Hosted (i.e. NETBIOS-less SMB)
This is another NETBIOS Session Service with minor differences with netbios_ssn. It is
supported only by Windows 2000 and Windows XP and it offers the advantage of being
independent of WINS for name resolution.
It seems that samba supports transparently this protocol on the netbios_ssn ports, so that
either direct hosted or traditional SMB can be served simultaneously.
Please refer to the netbios_ssn for more information.
service: mms
Microsoft Media Server
Example:
server mms accept
Service Type:
• simple
Server Ports:
• tcp/1755 udp/1755
Client Ports:
• default
Netfilter Modules
• See here (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).
Netfilter NAT Modules
• See here (http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).
Links
• Wikipedia (http://en.wikipedia.org/wiki/Microsoft_Media_Server)
Notes
> Microsoft's proprietary network streaming protocol used
> to transfer unicast data in Windows Media Services
> (previously called NetShow Services).
service: msn
Microsoft MSN Messenger Service
Example:
server msn accept
Service Type:
• simple
Server Ports:
• tcp/1863 udp/1863
Client Ports:
• default
service: msnp
msnp Example:
server msnp accept
Service Type:
• simple
Server Ports:
• tcp/6891
Client Ports:
• default
service: ms_ds
Direct Hosted (NETBIOS-less) SMB
Alias for microsoft_ds
service: multicast
Multicast
Example:
server multicast reject with proto-unreach
Service Type:
• complex
Server Ports:
• N/A
Client Ports:
• N/A
Links
• Wikipedia (http://en.wikipedia.org/wiki/Multicast)
Notes
> The multicast service matches all packets sent to
> the $MULTICAST_IPS addresses using IGMP or UDP.
> For IPv4 that means 224.0.0.0/4 and for IPv6 FF00::/16.
service: mysql
MySQL Example:
server mysql accept
Service Type:
• simple
Server Ports:
• tcp/3306
Client Ports:
• default
Links
• Homepage (http://www.mysql.com/)
• Wikipedia (http://en.wikipedia.org/wiki/Mysql)
service: netbackup
Veritas NetBackup service
Example:
server netbackup accept
client netbackup accept
Service Type:
• simple
Server Ports:
• tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724 tcp/13782 tcp/13783
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Netbackup)
Notes
> To use this service you must define it as both client and
> server in NetBackup clients and NetBackup servers.
service: netbios_dgm
NETBIOS Datagram Distribution Service
Example:
server netbios_dgm accept
Service Type:
• simple
Server Ports:
• udp/138
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Netbios#Datagram_distribution_service)
Notes
> See also the [samba][keyword-service-samba].
>
> Keep in mind that this service broadcasts (to the broadcast
> address of your LAN) UDP packets. If you place this service
> within an interface that has a dst parameter, remember to
> include (in the dst parameter) the broadcast address of your
> LAN too.
service: netbios_ns
NETBIOS Name Service
Example:
server netbios_ns accept
Service Type:
• simple
Server Ports:
• udp/137
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Netbios#Name_service)
Notes
> See also the [samba][keyword-service-samba].
service: netbios_ssn
NETBIOS Session Service
Example:
server netbios_ssn accept
Service Type:
• simple
Server Ports:
• tcp/139
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Netbios#Session_service)
Notes
> See also the [samba][keyword-service-samba].
>
> Please keep in mind that newer NETBIOS clients prefer to use
> port 445 ([microsoft_ds][keyword-service-microsoft_ds]) for the
> NETBIOS session service, and when this is not available they
> fall back to port 139 (netbios_ssn). Versions of samba above
> 3.x bind automatically to ports 139 and 445.
>
> If you have an older samba version and your policy on an
> interface or router is DROP, clients trying to access port
> 445 will have to timeout before falling back to port 139.
> This timeout can be up to several minutes.
>
> To overcome this problem you can explicitly REJECT the
> [microsoft_ds][keyword-service-microsoft_ds] with a
> tcp-reset message:
>
> server microsoft_ds reject with tcp-reset
service: nfs
Network File System
Example:
client nfs accept dst 192.0.2.1
Service Type:
• complex
Server Ports:
• many
Client Ports:
• N/A
Links
• Wikipedia (http://en.wikipedia.org/wiki/Network_File_System_%28protocol%29)
Notes
> The NFS service queries the RPC service on the NFS server
> host to find out the ports nfsd, mountd, lockd and rquotad
> are listening. Then, according to these ports it sets up
> rules on all the supported protocols (as reported by RPC)
> in order the clients to be able to reach the server.
>
> For this reason, the NFS service requires that:
>
> * the firewall is restarted if the NFS server is restarted
> * the NFS server must be specified on all nfs statements (only if it is not the localhost)
>
> Since NFS queries the remote RPC server, it is required to
> also be allowed to do so, by allowing the
> [portmap][keyword-service-portmap] too. Take care that
> this is allowed by the running firewall when FireHOL tries
> to query the RPC server. So you might have to setup NFS in
> two steps: First add the portmap service and activate the
> firewall, then add the NFS service and restart the firewall.
>
> To avoid this you can setup your NFS server to listen on
> pre-defined ports, as documented in
> [NFS Howto][NFS Howto].
> If you do this then you will have to define the the ports
> using the procedure described
> in [Adding Services](#adding-services)
> in [firehol.conf(5)](#firehol.conf5).
>
> [NFS Howto]: http://nfs.sourceforge.net/nfs-howto/ar01s06.html#nfs_firewalls
service: nis
Network Information Service
Example:
client nis accept dst 192.0.2.1
Service Type:
• complex
Server Ports:
• many
Client Ports:
• N/A
Links
• Wikipedia (http://en.wikipedia.org/wiki/Network_Information_Service)
Notes
> The nis service queries the RPC service on the nis server
> host to find out the ports ypserv and yppasswdd are listening.
> Then, according to these ports it sets up rules on all the
> supported protocols (as reported by RPC) in order the clients
> to be able to reach the server.
>
> For this reason, the nis service requires that:
>
> * the firewall is restarted if the nis server is restarted
> * the nis server must be specified on all nis statements (only if it is not the localhost)
>
> Since nis queries the remote RPC server, it is required to
> also be allowed to do so, by allowing the
> [portmap][keyword-service-portmap] too. Take care that
> this is allowed by the running firewall when FireHOL tries
> to query the RPC server. So you might have to setup nis in
> two steps: First add the portmap service and activate the
> firewall, then add the nis service and restart the firewall.
>
> This service was added to FireHOL by
> [Carlos Rodrigues](http://sourceforge.net/p/firehol/feature-requests/20).
> His comments regarding this implementation, are:
>
> These rules work for client access only!
>
> Pushing changes to slave servers won't work if these rules
> are active somewhere between the master and its slaves,
> because it is impossible to predict the ports where yppush
> will be listening on each push.
>
> Pulling changes directly on the slaves will work, and could
> be improved performance-wise if these rules are modified to
> open fypxfrd. This wasn't done because it doesn't make that
> much sense since pushing changes on the master server is
> the most common, and recommended, way to replicate maps.
service: nntp
Network News Transfer Protocol
Example:
server nntp accept
Service Type:
• simple
Server Ports:
• tcp/119
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Nntp)
service: nntps
Secure Network News Transfer Protocol
Example:
server nntps accept
Service Type:
• simple
Server Ports:
• tcp/563
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Nntp)
service: nrpe
Nagios NRPE
Service Type:
• simple
Server Ports:
• tcp/5666
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Nagios#NRPE)
service: ntp
Network Time Protocol
Example:
server ntp accept
Service Type:
• simple
Server Ports:
• udp/123 tcp/123
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Network_Time_Protocol)
service: nut
Network UPS Tools
Example:
server nut accept
Service Type:
• simple
Server Ports:
• tcp/3493 udp/3493
Client Ports:
• default
Links
• Homepage (http://www.networkupstools.org/)
service: nxserver
NoMachine NX Server
Example:
server nxserver accept
Service Type:
• simple
Server Ports:
• tcp/5000:5200
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/NX_Server)
Notes
> Default ports used by NX server for connections without
> encryption.
>
> Note that nxserver also needs the [ssh][keyword-service-ssh]
> to be enabled.
>
> This information has been extracted from this
> The TCP ports used by nxserver are
> 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT.
> DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf
> and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200.
>
> For encrypted nxserver sessions, only
> [ssh][keyword-service-ssh] is needed.
service: openvpn
OpenVPN
Service Type:
• simple
Server Ports:
• tcp/1194 udp/1194
Client Ports:
• default
Links
• Homepage (http://openvpn.net/)
• Wikipedia (http://en.wikipedia.org/wiki/OpenVPN)
service: oracle
Oracle Database
Example:
server oracle accept
Service Type:
• simple
Server Ports:
• tcp/1521
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Oracle_db)
service: OSPF
Open Shortest Path First
Example:
server OSPF accept
Service Type:
• simple
Server Ports:
• 89/any
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Ospf)
service: ping
Ping (ICMP echo)
Example:
server ping accept
Service Type:
• complex
Server Ports:
• N/A
Client Ports:
• N/A
Links
• Wikipedia (http://en.wikipedia.org/wiki/Ping)
Notes
> This services matches requests of protocol ICMP and type
> echo-request (TYPE=8) and their replies of type echo-reply
> (TYPE=0).
>
> The ping service is stateful.
service: pop3
Post Office Protocol
Example:
server pop3 accept
Service Type:
• simple
Server Ports:
• tcp/110
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Pop3)
service: pop3s
Secure Post Office Protocol
Example:
server pop3s accept
Service Type:
• simple
Server Ports:
• tcp/995
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Pop3)
service: portmap
Open Network Computing Remote Procedure Call - Port Mapper
Example:
server portmap accept
Service Type:
• simple
Server Ports:
• udp/111 tcp/111
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Portmap)
service: postgres
PostgreSQL
Example:
server postgres accept
Service Type:
• simple
Server Ports:
• tcp/5432
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Postgres)
service: pptp
Point-to-Point Tunneling Protocol
Example:
server pptp accept
Service Type:
• simple
Server Ports:
• tcp/1723
Client Ports:
• default
Netfilter Modules
• nf_conntrack_pptp CONFIG_NF_CONNTRACK_PPTP (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_PPTP.html)
• nf_conntrack_proto_gre CONFIG_NF_CT_PROTO_GRE (http://cateee.net/lkddb/web-
lkddb/NF_CT_PROTO_GRE.html)
Netfilter NAT Modules
• nf_nat_pptp CONFIG_NF_NAT_PPTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_PPTP.html)
• nf_nat_proto_gre CONFIG_NF_NAT_PROTO_GRE (http://cateee.net/lkddb/web-
lkddb/NF_NAT_PROTO_GRE.html)
Links
• Wikipedia (http://en.wikipedia.org/wiki/Pptp)
service: privoxy
Privacy Proxy
Example:
server privoxy accept
Service Type:
• simple
Server Ports:
• tcp/8118
Client Ports:
• default
Links
• Homepage (http://www.privoxy.org/)
service: radius
Remote Authentication Dial In User Service (RADIUS)
Example:
server radius accept
Service Type:
• simple
Server Ports:
• udp/1812 udp/1813
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/RADIUS)
service: radiusold
Remote Authentication Dial In User Service (RADIUS)
Example:
server radiusold accept
Service Type:
• simple
Server Ports:
• udp/1645 udp/1646
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/RADIUS)
service: radiusoldproxy
Remote Authentication Dial In User Service (RADIUS)
Example:
server radiusoldproxy accept
Service Type:
• simple
Server Ports:
• udp/1647
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/RADIUS)
service: radiusproxy
Remote Authentication Dial In User Service (RADIUS)
Example:
server radiusproxy accept
Service Type:
• simple
Server Ports:
• udp/1814
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/RADIUS)
service: rdp
Remote Desktop Protocol
Example:
server rdp accept
Service Type:
• simple
Server Ports:
• tcp/3389
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Remote_Desktop_Protocol)
Notes
> Remote Desktop Protocol is also known also as
> Terminal Services.
service: rndc
Remote Name Daemon Control
Example:
server rndc accept
Service Type:
• simple
Server Ports:
• tcp/953
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Rndc)
service: rsync
rsync protocol
Example:
server rsync accept
Service Type:
• simple
Server Ports:
• tcp/873 udp/873
Client Ports:
• default
Links
• Homepage (http://rsync.samba.org/)
• Wikipedia (http://en.wikipedia.org/wiki/Rsync)
service: rtp
Real-time Transport Protocol
Example:
server rtp accept
Service Type:
• simple
Server Ports:
• udp/10000:20000
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Real-time_Transport_Protocol)
Notes
> RTP ports are generally all the UDP ports.
> This definition narrows down RTP ports to UDP 10000 to 20000.
service: samba
Samba Example:
server samba accept
Service Type:
• complex
Server Ports:
• many
Client Ports:
• default
Links
• Homepage (http://www.samba.org/)
• Wikipedia (http://en.wikipedia.org/wiki/Samba_(software))
Notes
> The samba service automatically sets all the rules for
> [netbios_ns][keyword-service-netbios_ns],
> [netbios_dgm][keyword-service-netbios_dgm],
> [netbios_ssn][keyword-service-netbios_ssn] and
> [microsoft_ds][keyword-service-microsoft_ds].
>
> Please refer to the notes of the above services for more
> information.
>
> NETBIOS initiates based on the broadcast address of an
> interface (request goes to broadcast address) but the server
> responds from its own IP address. This makes the
> "server samba accept" statement drop the server reply,
> because of the way the iptables connection tracker works.
>
> This service definition includes a hack, that allows a
> Linux samba server to respond correctly in such situations,
> by allowing new outgoing connections from the well known
> [netbios_ns][keyword-service-netbios_ns] port to the clients
> high ports.
>
> However, for clients and routers this hack is not applied
> because it would open all unprivileged ports to the samba
> server. The only solution to overcome the problem in such
> cases (routers or clients) is to build a trust relationship
> between the samba servers and clients.
service: sane
SANE Scanner service
Service Type:
• simple
Server Ports:
• tcp/6566
Client Ports:
• default
Netfilter Modules
• nf_conntrack_sane CONFIG_NF_CONNTRACK_SANE (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_SANE.html)
Netfilter NAT Modules
• N/A
Links
• Homepage (http://www.sane-project.org/)
service: sip
Session Initiation Protocol
Example:
server sip accept
Service Type:
• simple
Server Ports:
• udp/5060
Client Ports:
• 5060 default
Netfilter Modules
• nf_conntrack_sip CONFIG_NF_CONNTRACK_SIP (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_SIP.html)
Netfilter NAT Modules
• nf_nat_sip CONFIG_NF_NAT_SIP (http://cateee.net/lkddb/web-lkddb/NF_NAT_SIP.html)
Links
• Wikipedia (http://en.wikipedia.org/wiki/Session_Initiation_Protocol)
Notes
> [SIP](http://www.voip-info.org/wiki/view/SIP) is an IETF
> standard protocol (RFC 2543) for initiating interactive user
> sessions involving multimedia elements such as video, voice,
> chat, gaming, etc. SIP works in the application layer of
> the OSI communications model.
service: smtp
Simple Mail Transport Protocol
Example:
server smtp accept
Service Type:
• simple
Server Ports:
• tcp/25
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol)
service: smtps
Secure Simple Mail Transport Protocol
Example:
server smtps accept
Service Type:
• simple
Server Ports:
• tcp/465
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/SMTPS)
service: snmp
Simple Network Management Protocol
Example:
server snmp accept
Service Type:
• simple
Server Ports:
• udp/161
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol)
service: snmptrap
SNMP Trap
Example:
server snmptrap accept
Service Type:
• simple
Server Ports:
• udp/162
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap)
Notes
> An SNMP trap is a notification from an agent to a manager.
service: socks
SOCKet Secure
Example:
server socks accept
Service Type:
• simple
Server Ports:
• tcp/1080 udp/1080
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/SOCKS)
Notes
> See also [RFC 1928](http://www.ietf.org/rfc/rfc1928.txt).
service: squid
Squid Web Cache
Example:
server squid accept
Service Type:
• simple
Server Ports:
• tcp/3128
Client Ports:
• default
Links
• Homepage (http://www.squid-cache.org/)
• Wikipedia (http://en.wikipedia.org/wiki/Squid_(software))
service: ssh
Secure Shell Protocol
Example:
server ssh accept
Service Type:
• simple
Server Ports:
• tcp/22
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Secure_Shell)
service: stun
Session Traversal Utilities for NAT
Example:
server stun accept
Service Type:
• simple
Server Ports:
• udp/3478 udp/3479
Client Ports:
• any
Links
• Wikipedia (http://en.wikipedia.org/wiki/STUN)
Notes
> [STUN](http://www.voip-info.org/wiki/view/STUN)
> is a protocol for assisting devices behind a NAT firewall or
> router with their packet routing.
service: submission
SMTP over SSL/TLS submission
Example:
server submission accept
Service Type:
• simple
Server Ports:
• tcp/587
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol)
Notes
> Submission is essentially normal SMTP with an SSL/TLS
> negotiation.
service: sunrpc
Open Network Computing Remote Procedure Call - Port Mapper
Alias for portmap
service: swat
Samba Web Administration Tool
Example:
server swat accept
Service Type:
• simple
Server Ports:
• tcp/901
Client Ports:
• default
Links
• Homepage (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html)
service: syslog
Syslog Remote Logging Protocol
Example:
server syslog accept
Service Type:
• simple
Server Ports:
• udp/514
Client Ports:
• syslog default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Syslog)
service: telnet
Telnet Example:
server telnet accept
Service Type:
• simple
Server Ports:
• tcp/23
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Telnet)
service: tftp
Trivial File Transfer Protocol
Example:
server tftp accept
Service Type:
• simple
Server Ports:
• udp/69
Client Ports:
• default
Netfilter Modules
• nf_conntrack_tftp CONFIG_NF_CONNTRACK_TFTP (http://cateee.net/lkddb/web-
lkddb/NF_CONNTRACK_TFTP.html)
Netfilter NAT Modules
• nf_nat_tftp CONFIG_NF_NAT_TFTP (http://cateee.net/lkddb/web-lkddb/NF_NAT_TFTP.html)
Links
• Wikipedia (http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol)
service: time
Time Protocol
Example:
server time accept
Service Type:
• simple
Server Ports:
• tcp/37 udp/37
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Time_Protocol)
service: timestamp
ICMP Timestamp
Example:
server timestamp accept
Service Type:
• complex
Server Ports:
• N/A
Client Ports:
• N/A
Links
• Wikipedia (http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Timestamp)
Notes
> This services matches requests of protocol ICMP and type
> timestamp-request (TYPE=13) and their replies of type
> timestamp-reply (TYPE=14).
>
> The timestamp service is stateful.
service: tomcat
HTTP alternate port
Alias for httpalt
service: upnp
Universal Plug and Play
Example:
server upnp accept
Service Type:
• simple
Server Ports:
• udp/1900 tcp/2869
Client Ports:
• default
Links
• Homepage (http://upnp.sourceforge.net/)
• Wikipedia (http://en.wikipedia.org/wiki/Universal_Plug_and_Play)
Notes
> For a Linux implementation see:
> [Linux IGD](http://linux-igd.sourceforge.net/).
service: uucp
Unix-to-Unix Copy
Example:
server uucp accept
Service Type:
• simple
Server Ports:
• tcp/540
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/UUCP)
service: vmware
vmware Example:
server vmware accept
Service Type:
• simple
Server Ports:
• tcp/902
Client Ports:
• default
Notes
Used from VMWare 1 and up. See the VMWare KnowledgeBase
(http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).
service: vmwareauth
vmwareauth
Example:
server vmwareauth accept
Service Type:
• simple
Server Ports:
• tcp/903
Client Ports:
• default
Notes
Used from VMWare 1 and up. See the VMWare KnowledgeBase
(http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).
service: vmwareweb
vmwareweb
Example:
server vmwareweb accept
Service Type:
• simple
Server Ports:
• tcp/8222 tcp/8333
Client Ports:
• default
Notes
Used from VMWare 2 and up. See VMWare Server 2.0 release notes
(http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html) and the VMWare
KnowledgeBase
(http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).
service: vnc
Virtual Network Computing
Example:
server vnc accept
Service Type:
• simple
Server Ports:
• tcp/5900:5903
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Virtual_Network_Computing)
Notes
> VNC is a graphical desktop sharing protocol.
service: webcache
HTTP alternate port
Alias for httpalt
service: webmin
Webmin Administration System
Example:
server webmin accept
Service Type:
• simple
Server Ports:
• tcp/10000
Client Ports:
• default
Links
• Homepage (http://www.webmin.com/)
service: whois
WHOIS Protocol
Example:
server whois accept
Service Type:
• simple
Server Ports:
• tcp/43
Client Ports:
• default
Links
• Wikipedia (http://en.wikipedia.org/wiki/Whois)
service: xbox
Xbox Live
Example:
client xbox accept
Service Type:
• complex
Server Ports:
• many
Client Ports:
• default
Notes
Definition for the Xbox live service.
See program source for contributor details.
service: xdmcp
X Display Manager Control Protocol
Example:
server xdmcp accept
Service Type:
• simple
Server Ports:
• udp/177
Client Ports:
• default
Links
• Wikipedia
(http://en.wikipedia.org/wiki/X_display_manager_(program_type)#X_Display_Manager_Control_Protocol)
Notes
> See [Gnome Display Manager](http://www.jirka.org/gdm-documentation/x70.html)
> for a discussion about XDMCP and firewalls (Gnome Display
> Manager is a replacement for XDM).
AUTHORS
FireHOL Team.
FireHOL Reference Built 06 May 2015 firehol-services(5)