Service | Type | Description
AH | simple
all | complex
    Server Ports: all
    Client Ports: all
    Notes: Matches all traffic (all protocols, ports, etc.) while ensuring that the required kernel modules are loaded. This service may indirectly set up a set of other services, if they are required by the kernel modules that get loaded. Currently it also activates ftp, irc and icmp.
    Example: server all accept
amanda | simple
any | complex
    Server Ports: all
    Client Ports: all
    Notes: Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not activate any other service indirectly. In combination with the Optional Rule Parameters this service can match unusual traffic (e.g. GRE, protocol 47).
    Example: server any myname accept proto 47
anystateless | complex
    Server Ports: all
    Client Ports: all
    Notes: Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not activate any other service indirectly. In combination with the Optional Rule Parameters this service can match unusual traffic (e.g. GRE, protocol 47). This service is otherwise exactly the same as the any service, but does not care about the state of the traffic.
    Example: server anystateless myname accept proto 47
apcupsd | simple
    Server Ports: tcp/6544
    Client Ports: default
    Official Site: APC UPS Daemon Home
    Wikipedia: APC UPS Daemon in Wikipedia
    Notes: This service must be defined as server apcupsd accept on all machines not directly connected to the UPS (i.e. slaves). Note that the port defined here is not the default port (6666) used if you download and compile APCUPSD, since that default conflicts with IRC and many distributions (like Debian) have changed it to 6544. You can set port 6544 in APCUPSD by changing the value of NETPORT in its configuration file, or override this FireHOL service definition using the procedures described in Adding Services.
    Example: server apcupsd accept
apcupsdnis | simple
    Server Ports: tcp/3551
    Client Ports: default
    Official Site: APC UPS Daemon Home
    Wikipedia: APC UPS Daemon in Wikipedia
    Notes: APC UPS Network Information Server. This service allows the remote web interfaces of APCUPSD to connect to, and get information from, the server directly connected to the UPS device.
    Example: server apcupsdnis accept
aptproxy | simple
asterisk | simple
    Server Ports: tcp/5038
    Client Ports: default
    Official Site: asterisk Home
    Wikipedia: asterisk in Wikipedia
    Notes: This service refers only to the manager interface of asterisk. You will normally also need to enable sip, h323, rtp, etc. at the firewall level if you enable the corresponding channel drivers of asterisk.
    Example: server asterisk accept
cups | simple
custom | complex
    Server Ports: defined in the command
    Client Ports: defined in the command
    Notes: This service is used by FireHOL to let you define services it does not currently support. To find out more about this service, please check the Adding Services section.
    Example: server custom myimap tcp/143 default accept
cvspserver | simple
darkstat | simple
    Server Ports: tcp/666
    Client Ports: default
    Official Site: darkstat Home
    Notes: Darkstat is a network traffic analyzer. It is basically a packet sniffer which runs as a background process on a cable/DSL router and gathers all sorts of useless but interesting statistics.
    Example: server darkstat accept
daytime | simple
dcc | simple
dcpp | simple
    Server Ports: tcp/1412, udp/1412
    Client Ports: default
    Official Site: Direct Connect++ Home
    Example: server dcpp accept
dhcp | simple
    Server Ports: udp/67
    Client Ports: 68
    Wikipedia: Dynamic Host Configuration Protocol in Wikipedia
    Notes: The DHCP service was changed in v1.211 of FireHOL and is now implemented as stateless. This was done because DHCP clients broadcast to the network (src 0.0.0.0 dst 255.255.255.255) to find a DHCP server. If the DHCP service were stateful, the iptables connection tracker would not match the packets and the reply would not be sent. Note that this change does not affect the security of either DHCP servers or clients, since only the specific ports are allowed (there is no random port at either the server or the client side). Also keep in mind that the server dhcp accept or client dhcp accept commands should be placed within interfaces that do not have src and / or dst defined (because of the initial broadcast). You can overcome this problem by placing the DHCP service on a separate interface, without an src or dst but with a policy return. Place this interface before the one that defines the rest of the services. For example:
        interface eth0 dhcp
            policy return
            server dhcp accept
        interface eth0 lan src "$mylan" dst "$myip"
            ...
            client all accept
    Example: server dhcp accept
dhcprelay | simple
    Server Ports: udp/67
    Client Ports: 67
    Notes: DHCP Relay. From RFC 1812 section 9.1.2: "In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP (sub)network. In such cases, a third-party agent is required to transfer BOOTP messages between clients and servers. Such an agent was originally referred to as a BOOTP forwarding agent. However, to avoid confusion with the IP forwarding function of a router, the name BOOTP relay agent has been adopted instead." For more information about DHCP Relay see section 9.1.2 of RFC 1812 and section 4 of RFC 1542.
    Example: server dhcprelay accept
dict | simple
distcc | simple
dns | simple
    Server Ports: udp/53, tcp/53
    Client Ports: any
    Wikipedia: Domain Name System in Wikipedia
    Notes: On very busy DNS servers you may see a few dropped DNS packets in your logs. This is normal. The iptables connection tracker times out the session and leaves unmatched those DNS packets that arrive too late to be of any use.
    Example: server dns accept
echo | simple
emule | complex
    Server Ports: many
    Client Ports: many
    Official Site: eMule (Donkey network client) Home
    Notes: FireHOL defines:
        - Connection from any client port to the server at tcp/4661
        - Connection from any client port to the server at tcp/4662
        - Connection from any client port to the server at udp/4665
        - Connection from any client port to the server at udp/4672
        - Connection from any server port to the client at tcp/4662
        - Connection from any server port to the client at udp/4672
    Use the FireHOL client command to match the eMule client. Please note that the eMule client is also an HTTP client.
    Example: client emule accept src 1.1.1.1
eserver | simple
ESP | simple
    Server Ports: 50/any
    Client Ports: any
    Notes: IPsec Encapsulating Security Payload (ESP). For more information see the FreeS/WAN documentation and RFC 2406.
    Example: server ESP accept
finger | simple
ftp | simple
gift | simple
    Server Ports: tcp/4302, tcp/1214, tcp/2182, tcp/2472
    Client Ports: any
    Official Site: giFT Internet File Transfer Home
    Wikipedia: giFT Internet File Transfer in Wikipedia
    Notes: The gift FireHOL service supports:
        - Gnutella listening at tcp/4302
        - FastTrack listening at tcp/1214
        - OpenFT listening at tcp/2182 and tcp/2472
    The above ports are the defaults for the corresponding giFT modules. To allow access to the user interface ports of giFT, use the giftui FireHOL service.
    Example: server gift accept
giftui | simple
gkrellmd | simple
GRE | simple
h323 | simple
heartbeat | simple
    Server Ports: udp/690:699
    Client Ports: default
    Official Site: heartbeat Home
    Notes: This FireHOL service has been designed in such a way that it allows multiple heartbeat clusters on the same LAN.
    Example: server heartbeat accept
http | simple
https | simple
hylafax | complex
    Server Ports: many
    Client Ports: many
    Official Site: hylafax Home
    Wikipedia: hylafax in Wikipedia
    Notes: This complex service allows incoming requests to server port tcp/4559 and outgoing connections from server port tcp/4558. The correct operation of this service has not been verified. USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558).
    Example: server hylafax accept
iax | simple
iax2 | simple
icmp | simple
ICMP | simple
icp | simple
ident | simple
    Server Ports: tcp/113
    Client Ports: default
    Wikipedia: ident in Wikipedia
    Example: server ident reject with tcp-reset
imap | simple
imaps | simple
ipsecnatt | simple
irc | simple
isakmp | simple
jabber | simple
jabberd | simple
    Server Ports: tcp/5222, tcp/5223, tcp/5269
    Client Ports: default
    Wikipedia: Extensible Messaging and Presence Protocol in Wikipedia
    Notes: Clear and SSL jabber client-to-server and server-to-server connections. Use this service for a jabberd server. In all other cases, use the jabber service.
    Example: server jabberd accept
l2tp | simple
ldap | simple
ldaps | simple
lpd | simple
    Server Ports: tcp/515
    Client Ports: any
    Wikipedia: Line Printer Daemon protocol in Wikipedia
    Notes: LPD is documented in RFC 1179. Since many operating systems incorrectly use non-default client ports for LPD access, this definition allows any client port to access the service (in addition to the RFC-defined range 721 to 731 inclusive).
    Example: server lpd accept
microsoft_ds | simple
    Server Ports: tcp/445
    Client Ports: default
    Notes: Direct Hosted (i.e. NETBIOS-less) SMB. This is another NETBIOS Session Service with minor differences from netbios_ssn. It is supported only by Windows 2000 and Windows XP and offers the advantage of being independent of WINS for name resolution. It seems that samba transparently supports this protocol on the netbios_ssn ports, so that either direct hosted or traditional SMB can be served simultaneously. Please refer to the netbios_ssn service for more information.
    Example: server microsoft_ds accept
mms | simple
    Server Ports: tcp/1755, udp/1755
    Client Ports: default
    Netfilter Modules: mms (CONFIG_NF_CONNTRACK_MMS)
    Netfilter NAT Modules: mms (CONFIG_NF_NAT_MMS)
    Wikipedia: Microsoft Media Server in Wikipedia
    Notes: Microsoft's proprietary network streaming protocol, used to transfer unicast data in Windows Media Services (previously called NetShow Services). MMS can be transported via UDP or TCP. The MMS default port is UDP/TCP 1755.
    Example: server mms accept
ms_ds | simple
    Server Ports: tcp/445
    Client Ports: default
    Notes: Direct Hosted (i.e. NETBIOS-less) SMB. This is another NETBIOS Session Service with minor differences from netbios_ssn. It is supported only by Windows 2000 and Windows XP and offers the advantage of being independent of WINS for name resolution. It seems that samba transparently supports this protocol on the netbios_ssn ports, so that either direct hosted or traditional SMB can be served simultaneously. Please refer to the netbios_ssn service for more information.
    Example: server ms_ds accept
msn | simple
    Server Ports: tcp/6891
    Client Ports: default
    Notes: Microsoft MSN Messenger Service. For a discussion about what works and what does not, please take a look at this technet note.
    Example: server msn accept
multicast | complex
    Server Ports: N/A
    Client Ports: N/A
    Wikipedia: multicast in Wikipedia
    Notes: The multicast service matches all packets sent to 224.0.0.0/4 using IGMP or UDP.
    Example: server multicast reject with proto-unreach
mysql | simple
netbackup | simple
    Server Ports: tcp/13701, tcp/13711, tcp/13720, tcp/13721, tcp/13724, tcp/13782, tcp/13783
    Client Ports: any
    Wikipedia: netbackup in Wikipedia
    Notes: This is the Veritas NetBackup service. To use this service you must define it as both client and server on NetBackup clients and NetBackup servers.
    Example:
        server netbackup accept
        client netbackup accept
netbios_dgm | simple
    Server Ports: udp/138
    Client Ports: any
    Wikipedia: NETBIOS Datagram Distribution Service in Wikipedia
    Notes: See also the samba service. Keep in mind that this service broadcasts UDP packets (to the broadcast address of your LAN). If you place this service within an interface that has a dst parameter, remember to include the broadcast address of your LAN in the dst parameter too.
    Example: server netbios_dgm accept
netbios_ns | simple
netbios_ssn | simple
    Server Ports: tcp/139
    Client Ports: default
    Wikipedia: NETBIOS Session Service in Wikipedia
    Notes: See also the samba service. Please keep in mind that newer NETBIOS clients prefer to use port 445 (microsoft_ds) for the NETBIOS session service, and when this is not available they fall back to port 139 (netbios_ssn). Versions of samba above 3.x bind automatically to ports 139 and 445. If you have an older samba version and your policy on an interface or router is DROP, clients trying to access port 445 will have to time out before falling back to port 139. This timeout can be up to several minutes. To overcome this problem, either explicitly REJECT the microsoft_ds service with a tcp-reset message (server microsoft_ds reject with tcp-reset), or redirect port 445 to port 139 using the following rule (put it all on one line at the top of your FireHOL config):
        iptables -t nat -A PREROUTING -i eth0 -p tcp -s 1.1.1.1/24 --dport 445 -d 2.2.2.2 -j REDIRECT --to-port 139
    or
        redirect to 139 inface eth0 src 1.1.1.1/24 proto tcp dst 2.2.2.2 dport 445
    where:
        - eth0 is the network interface your NETBIOS server uses
        - 1.1.1.1/24 is the subnet matching all the client IP addresses
        - 2.2.2.2 is the IP of your linux server on eth0 (or whatever you set in the first rule above)
    Example: server netbios_ssn accept
nfs | complex
    Server Ports: many
    Client Ports: 500:65535
    Wikipedia: Network File System in Wikipedia
    Notes: The NFS service queries the RPC service on the NFS server host to find out the ports that nfsd, mountd, lockd and rquotad are listening on. Then, according to these ports, it sets up rules on all the supported protocols (as reported by RPC) so that the clients can reach the server. For this reason, the NFS service requires that:
        - the firewall is restarted if the NFS server is restarted
        - the NFS server is specified on all nfs statements (only if it is not the localhost)
    Since NFS queries the remote RPC server, it must also be allowed to do so, by allowing the portmap service too. Take care that this is allowed by the running firewall at the moment FireHOL tries to query the RPC server. So you might have to set up NFS in two steps: first add the portmap service and activate the firewall, then add the NFS service and restart the firewall. To avoid this you can set up your NFS server to listen on pre-defined ports, as is well documented in http://nfs.sourceforge.net/nfs-howto/ar01s06.html#srv_security_nfsd_mountd. If you do this then you will have to define the ports using the procedure described in Adding Services.
    Example: client nfs accept dst 1.2.3.4
nis | complex
    Server Ports: many
    Client Ports: 500:65535
    Wikipedia: Network Information Service in Wikipedia
    Notes: The nis service queries the RPC service on the nis server host to find out the ports that ypserv and yppasswdd are listening on. Then, according to these ports, it sets up rules on all the supported protocols (as reported by RPC) so that the clients can reach the server. For this reason, the nis service requires that:
        - the firewall is restarted if the nis server is restarted
        - the nis server is specified on all nis statements (only if it is not the localhost)
    Since nis queries the remote RPC server, it must also be allowed to do so, by allowing the portmap service too. Take care that this is allowed by the running firewall at the moment FireHOL tries to query the RPC server. So you might have to set up nis in two steps: first add the portmap service and activate the firewall, then add the nis service and restart the firewall. This service was created by Carlos Rodrigues. His comments regarding this implementation are: "These rules work for client access only! Pushing changes to slave servers won't work if these rules are active somewhere between the master and its slaves, because it is impossible to predict the ports where yppush will be listening on each push. Pulling changes directly on the slaves will work, and could be improved performance-wise if these rules are modified to open ypxfrd. This wasn't done because it doesn't make that much sense, since pushing changes on the master server is the most common, and recommended, way to replicate maps."
    Example: client nis accept dst 1.2.3.4
nntp | simple
nntps | simple
ntp | simple
nut | simple
    Server Ports: tcp/3493, udp/3493
    Client Ports: default
    Official Site: Network UPS Tools Home
    Example: server nut accept
nxserver | simple
    Server Ports: tcp/5000:5200
    Client Ports: default
    Wikipedia: nxserver in Wikipedia
    Notes: Default ports used by NX server for connections without encryption. Note that nxserver also needs the ssh service to be enabled. The TCP ports used by nxserver are 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT. DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200. For encrypted nxserver sessions, only ssh is needed.
    Example: server nxserver accept
oracle | simple
OSPF | simple
    Server Ports: 89/any
    Client Ports: any
    Example: server OSPF accept
ping | complex
    Server Ports: N/A
    Client Ports: N/A
    Wikipedia: ping in Wikipedia
    Notes: This service matches requests of protocol ICMP and type echo-request (TYPE=8) and their replies of type echo-reply (TYPE=0). The ping service is stateful.
    Example: server ping accept
pop3 | simple
pop3s | simple
portmap | simple
postgres | simple
pptp | simple
privoxy | simple
    Server Ports: tcp/8118
    Client Ports: default
    Official Site: privoxy Home
    Example: server privoxy accept
radius | simple
radiusold | simple
radiusoldproxy | simple
radiusproxy | simple
rdp | simple
rndc | simple
rsync | simple
rtp | simple
    Server Ports: udp/10000:20000
    Client Ports: any
    Wikipedia: Real-time Transport Protocol in Wikipedia
    Notes: RTP ports can in general be any UDP ports. This definition narrows RTP down to UDP ports 10000 to 20000.
    Example: server rtp accept
samba | complex
    Server Ports: many
    Client Ports: default
    Notes: The samba service automatically sets all the rules for netbios_ns, netbios_dgm, netbios_ssn and microsoft_ds. Please refer to the notes of those services for more information. NETBIOS initiates based on the broadcast address of an interface (the request goes to the broadcast address), but the server responds from its own IP address. This makes the server samba accept statement drop the server reply, because of the way the iptables connection tracker works. This service definition includes a hack that allows a linux samba server to respond correctly in such situations, by allowing new outgoing connections from the well-known netbios_ns port to the clients' high ports. However, for clients and routers this hack is not applied, because it would open all unprivileged ports to the samba server. The only solution to overcome the problem in such cases (routers or clients) is to build a trust relationship between the samba servers and clients.
    Example: server samba accept
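The following FireHOL configuration is an added example, not taken from the FireHOL documentation: it combines the placement rules from the dhcp, netbios_dgm and samba notes above into one LAN host that acts as both the DHCP server and the samba server. The interface name eth0 and the addresses assigned to mylan, myip and mybcast are assumed values.

```firehol
# Added example (not from the FireHOL documentation). Assumed values:
# interface eth0 and the constructed LAN addresses below.
mylan="192.168.1.0/24"     # the LAN subnet
myip="192.168.1.10"        # this host's address on eth0
mybcast="192.168.1.255"    # the LAN broadcast address

# 1. DHCP goes first, in its own interface definition with no src/dst,
#    because clients send from 0.0.0.0 to 255.255.255.255 and a src/dst
#    filter would never match that broadcast. "policy return" hands all
#    other traffic to the next interface definition for the same NIC.
interface eth0 dhcp
    policy return
    server dhcp accept

# 2. Everything else on eth0, restricted to the LAN. dst lists the
#    broadcast address as well as our own IP; without it the netbios_dgm
#    datagrams that clients send to the broadcast address are dropped.
interface eth0 lan src "$mylan" dst "$myip $mybcast"
    policy drop
    # samba expands to netbios_ns, netbios_dgm, netbios_ssn and microsoft_ds
    server samba accept
    server ssh accept
    # answer ident lookups immediately instead of letting them time out
    server ident reject with tcp-reset
    client all accept
```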
sane | simple
    Server Ports: tcp/6566
    Client Ports: default
    Netfilter Modules: sane (CONFIG_NF_CONNTRACK_SANE)
    Example: server sane accept
sip | simple
    Server Ports: udp/5060
    Client Ports: 5060, default
    Netfilter Modules: sip (CONFIG_NF_CONNTRACK_SIP)
    Netfilter NAT Modules: sip (CONFIG_NF_NAT_SIP)
    Notes: SIP is the Session Initiation Protocol, an IETF standard protocol (RFC 2543) for initiating interactive user sessions involving multimedia elements such as video, voice, chat, gaming, etc. SIP works in the application layer of the OSI communications model.
    Example: server sip accept
smtp | simple
    Server Ports: tcp/25
    Client Ports: default
    Example: server smtp accept
smtps | simple
    Server Ports: tcp/465
    Client Ports: default
    Example: server smtps accept
snmp | simple
    Server Ports: udp/161
    Client Ports: default
    Example: server snmp accept
snmptrap | simple
    Server Ports: udp/162
    Client Ports: any
    Example: server snmptrap accept
socks | simple
    Server Ports: tcp/1080, udp/1080
    Client Ports: default
    Example: server socks accept
squid | simple
    Server Ports: tcp/3128
    Client Ports: default
    Example: server squid accept
ssh | simple
    Server Ports: tcp/22
    Client Ports: default
    Example: server ssh accept
stun | simple
    Server Ports: udp/3478, udp/3479
    Client Ports: any
    Notes: STUN is a protocol for assisting devices behind a NAT firewall or router with their packet routing.
    Example: server stun accept
submission | simple
    Server Ports: tcp/587
    Client Ports: default
    Example: server submission accept
sunrpc | simple
    Server Ports: udp/111, tcp/111
    Client Ports: any
    Example: server sunrpc accept
swat | simple
    Server Ports: tcp/901
    Client Ports: default
    Example: server swat accept
syslog | simple
    Server Ports: udp/514
    Client Ports: syslog, default
    Example: server syslog accept
telnet | simple
    Server Ports: tcp/23
    Client Ports: default
    Example: server telnet accept
tftp | simple
time | simple
    Server Ports: tcp/37, udp/37
    Client Ports: default
    Example: server time accept
timestamp | complex
    Server Ports: N/A
    Client Ports: N/A
    Notes: This service matches requests of protocol ICMP and type timestamp-request (TYPE=13) and their replies of type timestamp-reply (TYPE=14). The timestamp service is stateful.
    Example: server timestamp accept
upnp | simple
    Server Ports: udp/1900, tcp/2869
    Client Ports: default
    Notes: UPnP is Universal Plug and Play. For a linux implementation check: Linux IGD.
    Example: server upnp accept
uucp | simple
    Server Ports: tcp/540
    Client Ports: default
    Example: server uucp accept
vmware | simple
    Server Ports: tcp/902
    Client Ports: default
    Example: server vmware accept
vmwareauth | simple
    Server Ports: tcp/903
    Client Ports: default
    Example: server vmwareauth accept
vmwareweb | simple
    Server Ports: tcp/8222, tcp/8333
    Client Ports: default
    Example: server vmwareweb accept
vnc | simple
    Server Ports: tcp/5900:5903
    Client Ports: default
    Example: server vnc accept
webcache | simple
    Server Ports: tcp/8080
    Client Ports: default
    Example: server webcache accept
webmin | simple
    Server Ports: tcp/10000
    Client Ports: default
    Notes: Webmin is a web-based interface for system administration for Unix.
    Example: server webmin accept
whois | simple
xbox | simple
    Example: server xbox accept
xdmcp | simple
    Server Ports: udp/177
    Client Ports: default
    Notes: X Display Manager Control Protocol. See http://www.jirka.org/gdm-documentation/x70.html for a discussion about XDMCP and firewalls (this is about the Gnome Display Manager, a replacement for XDM).
    Example: server xdmcp accept