Below is the list of services supported by FireHOL. You can override any of them (including those marked as complex) with the procedures described in Adding Services.

If you have problems with a service because it is defined by port names instead of port numbers, you can find the required port numbers at http://www.graffiti.com/services.

Please report problems related to the use of port names. I will replace the faulty names with the corresponding numbers to eliminate the problem. All the services defined by name in FireHOL are known to resolve on Red Hat 7.x and 8 systems.
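The "port names versus port numbers" problem above is easy to check for before the firewall is loaded. The script below is an added example written for this page, not FireHOL's own code: it parses a table in /etc/services format and resolves FireHOL-style port specifications (tcp/imap, udp/6277, tcp/5000:5200, name ranges such as tcp/ftp:ssh, and raw protocols such as 51/any) to numeric form, reporting every spec whose name the host cannot resolve. The SERVICES excerpt and the list of specs are constructed for the example; on a real host pass the contents of /etc/services to build_service_table() and the port specs from your own service definitions. The function names are the example's own.

```python
"""Resolve FireHOL-style port specs against an /etc/services-format table.

Added example for the FireHOL services page, not FireHOL's own code.
SERVICES is a constructed excerpt; feed build_service_table() the real
/etc/services text on the host that will run the firewall."""

# Constructed excerpt in /etc/services format: name  port/proto  [aliases]  [# comment]
SERVICES = """
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp
smtp            25/tcp          mail
domain          53/tcp          # Domain Name Server
domain          53/udp
http            80/tcp          www
imap2           143/tcp         imap    # Interim Mail Access Proto v2
imap2           143/udp         imap
imaps           993/tcp
dict            2628/tcp        # Dictionary server
"""


def build_service_table(text):
    """Map (proto, name-or-alias) -> port number from /etc/services text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # not a service line
        name, portproto = fields[0], fields[1]
        port, proto = portproto.split("/", 1)
        for alias in [name] + fields[2:]:          # aliases resolve too
            table.setdefault((proto, alias), int(port))
    return table


def resolve_endpoint(table, proto, token):
    """Turn one port token (number or service name) into an int, or None."""
    if token.isdigit():
        return int(token)
    return table.get((proto, token))


def resolve_spec(table, spec):
    """Resolve 'proto/port[:port]' to numeric form; None if a name fails.

    Specs without tcp/udp ports (e.g. '51/any', 'icmp/any') carry no names
    and are returned unchanged."""
    proto, _, ports = spec.partition("/")
    if proto not in ("tcp", "udp"):
        return spec
    parts = ports.split(":")
    if len(parts) > 2:
        return None                               # malformed range
    nums = [resolve_endpoint(table, proto, p) for p in parts]
    if any(n is None for n in nums):
        return None
    return "%s/%s" % (proto, ":".join(str(n) for n in nums))


def check_specs(table, specs):
    """Return ({spec: numeric spec}, [unresolvable specs])."""
    resolved, failed = {}, []
    for spec in specs:
        numeric = resolve_spec(table, spec)
        if numeric is None:
            failed.append(spec)
        else:
            resolved[spec] = numeric
    return resolved, failed


if __name__ == "__main__":
    table = build_service_table(SERVICES)
    # Constructed mix of the spec kinds this page uses.
    specs = ["tcp/imap", "tcp/smtp", "udp/domain", "tcp/5000:5200",
             "tcp/ftp:ssh", "udp/6277", "51/any", "udp/nosuchname"]
    ok, bad = check_specs(table, specs)
    for spec in specs:
        print("%-16s -> %s" % (spec, ok.get(spec, "UNRESOLVED")))
```

Anything reported as UNRESOLVED is a definition that will fail on that host; replace the name with its number in the service definition (or in the local /etc/services) before loading the firewall.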


A
AH, all, amanda, any, anystateless, apcupsd, apcupsdnis, aptproxy, asterisk
C
cups, custom, cvspserver
D
darkstat, daytime, dcc, dcpp, dhcp, dhcprelay, dict, distcc, dns
E
echo, emule, eserver, ESP
F
finger, ftp
G
gift, giftui, gkrellmd, GRE
H
h323, heartbeat, http, https, hylafax
I
iax, iax2, icmp, ICMP, icp, ident, imap, imaps, ipsecnatt, irc, isakmp
J
jabber, jabberd
L
l2tp, ldap, ldaps, lpd
M
microsoft_ds, mms, ms_ds, msn, multicast, mysql
N
netbackup, netbios_dgm, netbios_ns, netbios_ssn, nfs, nis, nntp, nntps, ntp, nut, nxserver
O
oracle, OSPF
P
ping, pop3, pop3s, portmap, postgres, pptp, privoxy
R
radius, radiusold, radiusoldproxy, radiusproxy, rdp, rndc, rsync, rtp
S
samba, sane, sip, smtp, smtps, snmp, snmptrap, socks, squid, ssh, stun, submission, sunrpc, swat, syslog
T
telnet, tftp, time, timestamp
U
upnp, uucp
V
vmware, vmwareauth, vmwareweb, vnc
W
webcache, webmin, whois
X
xbox, xdmcp

Service, type and description:

AH (simple)
Server Ports: 51/any
Client Ports: any
Wikipedia: IPSec Authentication Header (AH)
Notes: For more information see the FreeS/WAN documentation and RFC 2402.
Example: server AH accept

all (complex)
Server Ports: all
Client Ports: all
Notes: Matches all traffic (all protocols, ports, etc.) while ensuring that the required kernel modules are loaded. This service may indirectly set up other services if the kernel modules it loads require them; currently it also activates ftp, irc and icmp.
Example: server all accept

amanda (simple)
Server Ports: udp/10080
Client Ports: default
Netfilter Modules: amanda (CONFIG_NF_CONNTRACK_AMANDA)
Netfilter NAT Modules: amanda (CONFIG_NF_NAT_AMANDA)
Official Site: Advanced Maryland Automatic Network Disk Archiver
Wikipedia: Advanced Maryland Automatic Network Disk Archiver
Example: server amanda accept

any (complex)
Server Ports: all
Client Ports: all
Notes: Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not activate any other service indirectly. In combination with the Optional Rule Parameters this service can match unusual traffic (e.g. GRE, protocol 47).
Example: server any myname accept proto 47

anystateless (complex)
Server Ports: all
Client Ports: all
Notes: Matches all traffic (all protocols, ports, etc.), but does not care about kernel modules and does not activate any other service indirectly. In combination with the Optional Rule Parameters this service can match unusual traffic (e.g. GRE, protocol 47).

This service is exactly the same as any, except that it does not care about the state of the traffic (no connection-tracking state is matched).
Example: server anystateless myname accept proto 47

apcupsd (simple)
Server Ports: tcp/6544
Client Ports: default
Official Site: APC UPS Daemon
Wikipedia: APC UPS Daemon
Notes: This service must be defined as server apcupsd accept on all machines not directly connected to the UPS (i.e. the slaves).

Note that the port defined here is not the default port (6666) used if you download and compile APCUPSD yourself; that default conflicts with IRC, and many distributions (like Debian) have changed it to 6544.

You can set port 6544 in APCUPSD by changing the value of NETPORT in its configuration file, or override this FireHOL service definition using the procedures described in Adding Services.
Example: server apcupsd accept

apcupsdnis (simple)
Server Ports: tcp/3551
Client Ports: default
Official Site: APC UPS Daemon
Wikipedia: APC UPS Daemon
Notes: APC UPS Network Information Server. This service allows the remote web interfaces of APCUPSD to connect to, and get information from, the server directly connected to the UPS device.
Example: server apcupsdnis accept

aptproxy (simple)
Server Ports: tcp/9999
Client Ports: default
Wikipedia: Advanced Packaging Tool
Example: server aptproxy accept

asterisk (simple)
Server Ports: tcp/5038
Client Ports: default
Official Site: asterisk
Wikipedia: asterisk
Notes: This service refers only to the manager interface of asterisk. You will normally also need to enable sip, h323, rtp, etc. at the firewall level if you enable the corresponding channel drivers of asterisk.
Example: server asterisk accept
cups (simple)
Server Ports: tcp/631, udp/631
Client Ports: any
Official Site: Common UNIX Printing System
Wikipedia: Common UNIX Printing System
Example: server cups accept

custom (complex)
Server Ports: defined in the command
Client Ports: defined in the command
Notes: This service is used by FireHOL to let you define services it does not currently support. For more about this service see the Adding Services section.
Example: server custom myimap tcp/143 default accept

cvspserver (simple)
Server Ports: tcp/2401
Client Ports: default
Official Site: Concurrent Versions System
Wikipedia: Concurrent Versions System
Example: server cvspserver accept

darkstat (simple)
Server Ports: tcp/666
Client Ports: default
Official Site: darkstat
Notes: Darkstat is a network traffic analyzer. It is basically a packet sniffer which runs as a background process on a cable/DSL router and gathers all sorts of useless but interesting statistics.
Example: server darkstat accept

daytime (simple)
Server Ports: tcp/13
Client Ports: default
Wikipedia: Daytime Protocol
Example: server daytime accept

dcc (simple)
Server Ports: udp/6277
Client Ports: default
Wikipedia: Distributed Checksum Clearinghouses
Notes: See http://www.rhyolite.com/anti-spam/dcc/FAQ.html#firewall-ports.
Example: server dcc accept

dcpp (simple)
Server Ports: tcp/1412, udp/1412
Client Ports: default
Official Site: Direct Connect++
Example: server dcpp accept

dhcp (simple)
Server Ports: udp/67
Client Ports: 68
Wikipedia: Dynamic Host Configuration Protocol
Notes: The DHCP service was changed in FireHOL v1.211 and is now implemented as stateless. This was done because DHCP clients broadcast on the network (src 0.0.0.0, dst 255.255.255.255) to find a DHCP server; if the DHCP service were stateful, the iptables connection tracker would not match these packets and the reply would be denied. Note that this change does not affect the security of either DHCP servers or clients, since only the specific ports are allowed (there is no random port at either the server or the client side).

Also keep in mind that the server dhcp accept or client dhcp accept commands should be placed within interfaces that do not have src and/or dst defined (because of the initial broadcast).

You can work around this by placing the DHCP service on a separate interface, without src or dst but with policy return, placed before the interface that defines the rest of the services. For example:

    interface eth0 dhcp
        policy return
        server dhcp accept

    interface eth0 lan src "$mylan" dst "$myip"
        ...
        client all accept

Example: server dhcp accept

dhcprelay (simple)
Server Ports: udp/67
Client Ports: 67
Notes: DHCP Relay.

From RFC 1812 section 9.1.2: "In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP (sub)network. In such cases, a third-party agent is required to transfer BOOTP messages between clients and servers. Such an agent was originally referred to as a BOOTP forwarding agent. However, to avoid confusion with the IP forwarding function of a router, the name BOOTP relay agent has been adopted instead."

For more information about DHCP Relay see section 9.1.2 of RFC 1812 and section 4 of RFC 1542.
Example: server dhcprelay accept

dict (simple)
Server Ports: tcp/2628
Client Ports: default
Wikipedia: Dictionary Server Protocol
Notes: See RFC 2229.
Example: server dict accept

distcc (simple)
Server Ports: tcp/3632
Client Ports: default
Official Site: distcc
Wikipedia: distcc
Notes: For distcc security, please check the distcc security design.
Example: server distcc accept

dns (simple)
Server Ports: udp/53, tcp/53
Client Ports: any
Wikipedia: Domain Name System
Notes: On very busy DNS servers you may see a few dropped DNS packets in your logs. This is normal: the iptables connection tracker times out the session and leaves unmatched any DNS packets that arrive too late to be useful.
Example: server dns accept

echo (simple)
Server Ports: tcp/7
Client Ports: default
Wikipedia: Echo Protocol
Example: server echo accept
emule (complex)
Server Ports: many
Client Ports: many
Official Site: eMule (Donkey network client)
Notes: FireHOL defines:
  • connections from any client port to the server at tcp/4661
  • connections from any client port to the server at tcp/4662
  • connections from any client port to the server at udp/4665
  • connections from any client port to the server at udp/4672
  • connections from any server port to the client at tcp/4662
  • connections from any server port to the client at udp/4672
Use the FireHOL client command to match the eMule client.

Please note that the eMule client is also an HTTP client.
Example: client emule accept src 1.1.1.1

eserver (simple)
Server Ports: tcp/4661, udp/4661, udp/4665
Client Ports: any
Wikipedia: eDonkey network server
Example: server eserver accept

ESP (simple)
Server Ports: 50/any
Client Ports: any
Notes: IPSec Encapsulated Security Payload (ESP). For more information see the FreeS/WAN documentation and RFC 2406.
Example: server ESP accept

finger (simple)
Server Ports: tcp/79
Client Ports: default
Wikipedia: Finger Protocol
Example: server finger accept

ftp (simple)
Server Ports: tcp/21
Client Ports: default
Netfilter Modules: ftp (CONFIG_NF_CONNTRACK_FTP)
Netfilter NAT Modules: ftp (CONFIG_NF_NAT_FTP)
Wikipedia: File Transfer Protocol
Notes: FireHOL uses the netfilter module to match both active and passive ftp connections.
Example: server ftp accept

gift (simple)
Server Ports: tcp/4302, tcp/1214, tcp/2182, tcp/2472
Client Ports: any
Official Site: giFT Internet File Transfer
Wikipedia: giFT Internet File Transfer
Notes: The gift FireHOL service supports:
  • Gnutella listening at tcp/4302
  • FastTrack listening at tcp/1214
  • OpenFT listening at tcp/2182 and tcp/2472
The above ports are the defaults of the corresponding giFT modules.

To allow access to the user interface ports of giFT, use the giftui FireHOL service.
Example: server gift accept

giftui (simple)
Server Ports: tcp/1213
Client Ports: default
Official Site: giFT Internet File Transfer
Wikipedia: giFT Internet File Transfer
Notes: This service refers only to the user interface ports offered by giFT. To allow giFT to accept P2P requests, use the gift FireHOL service.
Example: server giftui accept

gkrellmd (simple)
Server Ports: tcp/19150
Client Ports: default
Official Site: gkrellmd
Wikipedia: gkrellmd
Example: server gkrellmd accept

GRE (simple)
Server Ports: 47/any
Client Ports: any
Netfilter Modules: proto_gre (CONFIG_NF_CT_PROTO_GRE)
Netfilter NAT Modules: proto_gre (CONFIG_NF_NAT_PROTO_GRE)
Wikipedia: Generic Routing Encapsulation
Notes: This service matches just the protocol. For full VPN functionality additional services may be needed (such as pptp).
Example: server GRE accept
h323 (simple)
Server Ports: tcp/1720
Client Ports: default
Netfilter Modules: h323 (CONFIG_NF_CONNTRACK_H323)
Netfilter NAT Modules: h323 (CONFIG_NF_NAT_H323)
Wikipedia: h323
Example: server h323 accept

heartbeat (simple)
Server Ports: udp/690:699
Client Ports: default
Official Site: heartbeat
Notes: This FireHOL service has been designed in such a way that it allows multiple heartbeat clusters on the same LAN.
Example: server heartbeat accept

http (simple)
Server Ports: tcp/80
Client Ports: default
Wikipedia: Hypertext Transfer Protocol
Example: server http accept

https (simple)
Server Ports: tcp/443
Client Ports: default
Wikipedia: Secure Hypertext Transfer Protocol
Example: server https accept

hylafax (complex)
Server Ports: many
Client Ports: many
Official Site: hylafax
Wikipedia: hylafax
Notes: This complex service allows incoming requests to server port tcp/4559 and outgoing connections from server port tcp/4558.

The correct operation of this service has not been verified.

USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558). Any remote host can choose tcp/4558 as its source port, so on the client side this rule is not a meaningful restriction.
Example: server hylafax accept

iax (simple)
Server Ports: udp/5036
Client Ports: default
Official Site: Inter-Asterisk eXchange
Wikipedia: Inter-Asterisk eXchange
Notes: This service refers to IAX version 1. There is also the iax2 service.
Example: server iax accept

iax2 (simple)
Server Ports: udp/5469, udp/4569
Client Ports: default
Official Site: Inter-Asterisk eXchange
Wikipedia: Inter-Asterisk eXchange
Notes: This service refers to IAX version 2. There is also the iax service.
Example: server iax2 accept

icmp (simple)
Server Ports: icmp/any
Client Ports: any
Wikipedia: Internet Control Message Protocol
Example: server icmp accept

ICMP (simple)
Server Ports: icmp/any
Client Ports: any
Wikipedia: Internet Control Message Protocol
Example: server ICMP accept

icp (simple)
Server Ports: udp/3130
Client Ports: 3130
Wikipedia: Internet Cache Protocol
Example: server icp accept

ident (simple)
Server Ports: tcp/113
Client Ports: default
Wikipedia: ident
Example: server ident reject with tcp-reset

imap (simple)
Server Ports: tcp/143
Client Ports: default
Wikipedia: Internet Message Access Protocol
Example: server imap accept

imaps (simple)
Server Ports: tcp/993
Client Ports: default
Wikipedia: Secure Internet Message Access Protocol
Example: server imaps accept

ipsecnatt (simple)
Server Ports: udp/4500
Client Ports: any
Wikipedia: NAT traversal and IPsec
Example: server ipsecnatt accept

irc (simple)
Server Ports: tcp/6667
Client Ports: default
Netfilter Modules: irc (CONFIG_NF_CONNTRACK_IRC)
Netfilter NAT Modules: irc (CONFIG_NF_NAT_IRC)
Wikipedia: Internet Relay Chat
Example: server irc accept

isakmp (simple)
Server Ports: udp/500
Client Ports: any
Wikipedia: Internet Security Association and Key Management Protocol
Notes: IPSec key negotiation (IKE on UDP port 500). For more information see the FreeS/WAN documentation.
Example: server isakmp accept
jabber (simple)
Server Ports: tcp/5222, tcp/5223
Client Ports: default
Wikipedia: Extensible Messaging and Presence Protocol
Notes: Clear and SSL client-to-server connections.
Example: server jabber accept

jabberd (simple)
Server Ports: tcp/5222, tcp/5223, tcp/5269
Client Ports: default
Wikipedia: Extensible Messaging and Presence Protocol
Notes: Clear and SSL jabber client-to-server and server-to-server connections. Use this service for a jabberd server; in all other cases use the jabber service.
Example: server jabberd accept

l2tp (simple)
Server Ports: udp/1701
Client Ports: any
Wikipedia: Layer 2 Tunneling Protocol
Example: server l2tp accept

ldap (simple)
Server Ports: tcp/389
Client Ports: default
Wikipedia: Lightweight Directory Access Protocol
Example: server ldap accept

ldaps (simple)
Server Ports: tcp/636
Client Ports: default
Wikipedia: Lightweight Directory Access Protocol
Example: server ldaps accept

lpd (simple)
Server Ports: tcp/515
Client Ports: any
Wikipedia: Line Printer Daemon protocol
Notes: LPD is documented in RFC 1179. Since many operating systems incorrectly use non-default client ports for LPD access, this definition allows any client port to access the service (in addition to the RFC-defined range 721 to 731 inclusive).
Example: server lpd accept

microsoft_ds (simple)
Server Ports: tcp/445
Client Ports: default
Notes: Direct Hosted (i.e. NETBIOS-less) SMB.

This is another NETBIOS Session Service with minor differences from netbios_ssn. It is supported by Windows 2000 and later, and offers the advantage of being independent of WINS for name resolution.

Samba transparently supports this protocol alongside the netbios_ssn ports, so that direct hosted and traditional SMB can be served simultaneously.

Please refer to the netbios_ssn service for more information.
Example: server microsoft_ds accept

mms (simple)
Server Ports: tcp/1755, udp/1755
Client Ports: default
Netfilter Modules: mms (CONFIG_NF_CONNTRACK_MMS)
Netfilter NAT Modules: mms (CONFIG_NF_NAT_MMS)
Wikipedia: Microsoft Media Server
Notes: Microsoft's proprietary network streaming protocol, used to transfer unicast data in Windows Media Services (previously called NetShow Services). MMS can be transported over UDP or TCP; the default port is 1755 for both.
Example: server mms accept

ms_ds (simple)
Server Ports: tcp/445
Client Ports: default
Notes: Same as the microsoft_ds service (Direct Hosted, i.e. NETBIOS-less, SMB). Please refer to the microsoft_ds and netbios_ssn services for more information.
Example: server ms_ds accept

msn (simple)
Server Ports: tcp/6891
Client Ports: default
Notes: Microsoft MSN Messenger Service. For a discussion of what works and what does not, please take a look at this TechNet note.
Example: server msn accept

multicast (complex)
Server Ports: N/A
Client Ports: N/A
Wikipedia: multicast
Notes: The multicast service matches all packets sent to 224.0.0.0/4 using IGMP or UDP.
Example: server multicast reject with proto-unreach

mysql (simple)
Server Ports: tcp/3306
Client Ports: default
Official Site: mysql
Wikipedia: mysql
Example: server mysql accept

netbackup (simple)
Server Ports: tcp/13701, tcp/13711, tcp/13720, tcp/13721, tcp/13724, tcp/13782, tcp/13783
Client Ports: any
Wikipedia: netbackup
Notes: This is the Veritas NetBackup service. To use it you must define it as both client and server, on NetBackup clients as well as NetBackup servers.
Example:
    server netbackup accept
    client netbackup accept

netbios_dgm (simple)
Server Ports: udp/138
Client Ports: any
Wikipedia: NETBIOS Datagram Distribution Service
Notes: See also the samba service.

Keep in mind that this service broadcasts UDP packets (to the broadcast address of your LAN). If you place this service within an interface that has a dst parameter, remember to include the broadcast address of your LAN in that dst parameter too.
Example: server netbios_dgm accept

netbios_ns (simple)
Server Ports: udp/137
Client Ports: any
Wikipedia: NETBIOS Name Service
Notes: See also the samba service.
Example: server netbios_ns accept

netbios_ssn (simple)
Server Ports: tcp/139
Client Ports: default
Wikipedia: NETBIOS Session Service
Notes: See also the samba service.

Please keep in mind that newer NETBIOS clients prefer port 445 (microsoft_ds) for the NETBIOS session service, and fall back to port 139 (netbios_ssn) only when 445 is not available. Samba 3.x and later binds automatically to both ports 139 and 445.

If you have an older Samba version and your policy on an interface or router is DROP, clients trying to access port 445 will have to time out before falling back to port 139. This timeout can be up to several minutes.

To overcome this problem either explicitly REJECT the microsoft_ds service with a tcp-reset message (server microsoft_ds reject with tcp-reset), or redirect port 445 to port 139 using the following rule (put it on one line at the top of your FireHOL config):

    iptables -t nat -A PREROUTING -i eth0 -p tcp -s 1.1.1.1/24 --dport 445 -d 2.2.2.2 -j REDIRECT --to-port 139

or

    redirect to 139 inface eth0 src 1.1.1.1/24 proto tcp dst 2.2.2.2 dport 445

where:
  • eth0 is the network interface your NETBIOS server uses
  • 1.1.1.1/24 is the subnet matching all the client IP addresses
  • 2.2.2.2 is the IP of your Linux server on eth0 (or whatever you set in the first rule above)
Example: server netbios_ssn accept
nfs (complex)
Server Ports: many
Client Ports: 500:65535
Wikipedia: Network File System
Notes: The nfs service queries the RPC service on the NFS server host to find out the ports on which nfsd, mountd, lockd and rquotad are listening. Then, according to these ports, it sets up rules for all the protocols reported by RPC, so that clients can reach the server.

For this reason, the nfs service requires that:
  • the firewall is restarted if the NFS server is restarted
  • the NFS server is specified on all nfs statements (unless it is localhost)

Since nfs queries the remote RPC server, FireHOL itself must be allowed to do so, by also allowing the portmap service. Take care that the firewall running at the moment FireHOL queries the RPC server already allows this. You might therefore have to set up NFS in two steps: first add the portmap service and activate the firewall, then add the nfs service and restart the firewall.

To avoid this you can set up your NFS server to listen on pre-defined ports, as documented in http://nfs.sourceforge.net/nfs-howto/ar01s06.html#srv_security_nfsd_mountd. If you do this, define the ports using the procedure described in Adding Services.
Example: client nfs accept dst 1.2.3.4
nis (complex)
Server Ports: many
Client Ports: 500:65535
Wikipedia: Network Information Service
Notes: The nis service queries the RPC service on the nis server host to find out the ports on which ypserv and yppasswdd are listening. Then, according to these ports, it sets up rules for all the protocols reported by RPC, so that clients can reach the server.

For this reason, the nis service requires that:
  • the firewall is restarted if the nis server is restarted
  • the nis server is specified on all nis statements (unless it is localhost)

Since nis queries the remote RPC server, FireHOL itself must be allowed to do so, by also allowing the portmap service. Take care that the firewall running at the moment FireHOL queries the RPC server already allows this. You might therefore have to set up nis in two steps: first add the portmap service and activate the firewall, then add the nis service and restart the firewall.

This service was created by Carlos Rodrigues. His comments regarding this implementation are:

These rules work for client access only!

Pushing changes to slave servers won't work if these rules are active somewhere between the master and its slaves, because it is impossible to predict the ports where yppush will be listening on each push.

Pulling changes directly on the slaves will work, and could be improved performance-wise if these rules are modified to open ypxfrd. This wasn't done because it doesn't make that much sense, since pushing changes on the master server is the most common, and recommended, way to replicate maps.
Example: client nis accept dst 1.2.3.4
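Both the nfs and nis services above work by asking the portmapper which ports the RPC programs currently use, which is why the firewall has to be reloaded whenever those servers restart and why the portmapper must already be reachable when FireHOL runs. The script below is an added example written for this page, not FireHOL's own code: it reads the output of rpcinfo -p (RPCINFO_SAMPLE is a constructed sample of that format for a host running both nfs and nis; on a real host feed it the output of rpcinfo -p <server> instead), collects the (protocol, port) pairs for the programs each service needs, and emits one server custom line per pair, in the custom-service form this page documents (server custom <name> <server-ports> <client-ports> <action>). The program names are the ones rpcinfo prints (nfs, mountd, nlockmgr and rquotad for nfsd, mountd, lockd and rquotad; ypserv and yppasswdd for nis); the function and constant names are the example's own.

```python
"""Turn `rpcinfo -p` output into fixed FireHOL 'server custom' rules.

Added example for the FireHOL services page, not FireHOL's own code.
RPCINFO_SAMPLE is a constructed sample; on a real host use the output of
`rpcinfo -p <nfs-or-nis-server>`."""
import re
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output from a host running nfs and nis.
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32767  mountd
    100005    3   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100021    1   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100011    1   udp    875  rquotad
    100011    2   tcp    875  rquotad
    100004    2   udp    702  ypserv
    100004    2   tcp    705  ypserv
    100009    1   udp    712  yppasswdd
"""

# RPC program names as rpcinfo prints them, per FireHOL service on this page.
NFS_PROGRAMS = ("nfs", "mountd", "nlockmgr", "rquotad")   # nfsd, mountd, lockd, rquotad
NIS_PROGRAMS = ("ypserv", "yppasswdd")

# program  version  proto  port  name ; the header line does not match.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return {program_name: sorted [(proto, port), ...]} from rpcinfo -p output."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _prog, _vers, proto, port, name = m.groups()
            found[name].add((proto, int(port)))      # versions collapse to one port
    return {name: sorted(ports) for name, ports in found.items()}


def firehol_rules(listeners, programs, service, client_ports="500:65535", action="accept"):
    """Emit one 'server custom' line per (proto, port) used by the wanted programs.

    Programs not registered with the portmapper are returned separately so
    the operator notices instead of silently getting an incomplete rule set."""
    rules, missing = [], []
    for prog in programs:
        if prog not in listeners:
            missing.append(prog)
            continue
        for proto, port in listeners[prog]:
            rules.append("server custom %s_%s_%s_%d %s/%d %s %s"
                         % (service, prog, proto, port, proto, port, client_ports, action))
    return rules, missing


if __name__ == "__main__":
    listeners = parse_rpcinfo(RPCINFO_SAMPLE)
    for service, programs in (("nfs", NFS_PROGRAMS), ("nis", NIS_PROGRAMS)):
        rules, missing = firehol_rules(listeners, programs, service)
        print("\n".join(rules))
        if missing:
            print("# WARNING: %s programs not registered with the portmapper: %s"
                  % (service, ", ".join(missing)))
```

The generated lines are a snapshot: they stay correct only while the RPC programs keep those ports, which is exactly why the page recommends pinning nfsd and mountd to fixed ports on the server before freezing them in the firewall configuration. They also do not cover the portmapper itself; clients still need server portmap accept (or sunrpc) to reach it.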
nntp (simple)
Server Ports: tcp/119
Client Ports: default
Wikipedia: Network News Transfer Protocol
Example: server nntp accept

nntps (simple)
Server Ports: tcp/563
Client Ports: default
Wikipedia: Secure Network News Transfer Protocol
Example: server nntps accept

ntp (simple)
Server Ports: udp/123, tcp/123
Client Ports: any
Wikipedia: Network Time Protocol
Example: server ntp accept

nut (simple)
Server Ports: tcp/3493, udp/3493
Client Ports: default
Official Site: Network UPS Tools
Example: server nut accept

nxserver (simple)
Server Ports: tcp/5000:5200
Client Ports: default
Wikipedia: nxserver
Notes: Default ports used by NX server for connections without encryption. Note that nxserver also needs the ssh service to be enabled.

The TCP ports used by nxserver are 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT. DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf; the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200.

For encrypted nxserver sessions, only ssh is needed.
Example: server nxserver accept

oracle (simple)
Server Ports: tcp/1521
Client Ports: default
Wikipedia: Oracle Database
Example: server oracle accept

OSPF (simple)
Server Ports: 89/any
Client Ports: any
Example: server OSPF accept

ping (complex)
Server Ports: N/A
Client Ports: N/A
Wikipedia: ping
Notes: This service matches ICMP echo-request packets (type 8) and their echo-reply replies (type 0). The ping service is stateful.
Example: server ping accept

pop3 (simple)
Server Ports: tcp/110
Client Ports: default
Wikipedia: Post Office Protocol
Example: server pop3 accept

pop3s (simple)
Server Ports: tcp/995
Client Ports: default
Wikipedia: Secure Post Office Protocol
Example: server pop3s accept

portmap (simple)
Server Ports: udp/111, tcp/111
Client Ports: any
Wikipedia: Open Network Computing Remote Procedure Call - Port Mapper
Example: server portmap accept

postgres (simple)
Server Ports: tcp/5432
Client Ports: default
Wikipedia: PostgreSQL
Example: server postgres accept

pptp (simple)
Server Ports: tcp/1723
Client Ports: default
Netfilter Modules: pptp (CONFIG_NF_CONNTRACK_PPTP), proto_gre (CONFIG_NF_CT_PROTO_GRE)
Netfilter NAT Modules: pptp (CONFIG_NF_NAT_PPTP), proto_gre (CONFIG_NF_NAT_PROTO_GRE)
Wikipedia: Point-to-Point Tunneling Protocol
Example: server pptp accept

privoxy (simple)
Server Ports: tcp/8118
Client Ports: default
Official Site: privoxy
Example: server privoxy accept

radius (simple)
Server Ports: udp/1812, udp/1813
Client Ports: default
Wikipedia: Remote Authentication Dial In User Service (RADIUS)
Example: server radius accept

radiusold (simple)
Server Ports: udp/1645, udp/1646
Client Ports: default
Wikipedia: Remote Authentication Dial In User Service (RADIUS)
Example: server radiusold accept

radiusoldproxy (simple)
Server Ports: udp/1647
Client Ports: default
Wikipedia: Remote Authentication Dial In User Service (RADIUS)
Example: server radiusoldproxy accept

radiusproxy (simple)
Server Ports: udp/1814
Client Ports: default
Wikipedia: Remote Authentication Dial In User Service (RADIUS)
Example: server radiusproxy accept

rdp (simple)
Server Ports: tcp/3389
Client Ports: default
Wikipedia: Remote Desktop Protocol (also known as Terminal Services)
Example: server rdp accept

rndc (simple)
Server Ports: tcp/953
Client Ports: default
Wikipedia: Remote Name Daemon Control
Example: server rndc accept

rsync (simple)
Server Ports: tcp/873, udp/873
Client Ports: default
Official Site: rsync
Wikipedia: rsync
Example: server rsync accept

rtp (simple)
Server Ports: udp/10000:20000
Client Ports: any
Wikipedia: Real-time Transport Protocol
Notes: RTP can in general use any UDP port. This definition narrows RTP down to UDP ports 10000 to 20000.
Example: server rtp accept
samba (complex)
Server Ports: many
Client Ports: default
Notes: The samba service automatically sets all the rules for netbios_ns, netbios_dgm, netbios_ssn and microsoft_ds. Please refer to the notes of those services for more information.

NETBIOS name requests are sent to the broadcast address of an interface, but the server responds from its own IP address. Because of the way the iptables connection tracker works, this makes the server samba accept statement drop the server's reply.

This service definition includes a hack that allows a Linux samba server to respond correctly in such situations, by allowing new outgoing connections from the well-known netbios_ns port to the clients' high ports.

For clients and routers this hack is not applied, because it would open all unprivileged ports to the samba server. The only way to overcome the problem in those cases (routers or clients) is to build a trust relationship between the samba servers and clients.
Example: server samba accept

sane (simple)
Server Ports: tcp/6566
Client Ports: default
Netfilter Modules: sane (CONFIG_NF_CONNTRACK_SANE)
Netfilter NAT Modules: none
Example: server sane accept

sip (simple)
Server Ports: udp/5060
Client Ports: 5060, default
Netfilter Modules: sip (CONFIG_NF_CONNTRACK_SIP)
Netfilter NAT Modules: sip (CONFIG_NF_NAT_SIP)
Notes: SIP is the Session Initiation Protocol, an IETF standard protocol (RFC 2543, since superseded by RFC 3261) for initiating interactive user sessions involving multimedia elements such as video, voice, chat, gaming, etc. SIP works at the application layer of the OSI model.
Example: server sip accept

smtp (simple)
Server Ports: tcp/25
Client Ports: default
Example: server smtp accept

smtps (simple)
Server Ports: tcp/465
Client Ports: default
Example: server smtps accept

snmp (simple)
Server Ports: udp/161
Client Ports: default
Example: server snmp accept

snmptrap (simple)
Server Ports: udp/162
Client Ports: any
Example: server snmptrap accept

socks (simple)
Server Ports: tcp/1080, udp/1080
Client Ports: default
Example: server socks accept

squid (simple)
Server Ports: tcp/3128
Client Ports: default
Example: server squid accept

ssh (simple)
Server Ports: tcp/22
Client Ports: default
Example: server ssh accept

stun (simple)
Server Ports: udp/3478, udp/3479
Client Ports: any
Notes: STUN is a protocol that lets a device behind a NAT firewall or router discover the public address and port the NAT has mapped for it, so that peers outside can reach it.
Example: server stun accept

submission (simple)
Server Ports: tcp/587
Client Ports: default
Example: server submission accept

sunrpc (simple)
Server Ports: udp/111, tcp/111
Client Ports: any
Example: server sunrpc accept

swat (simple)
Server Ports: tcp/901
Client Ports: default
Example: server swat accept

syslog (simple)
Server Ports: udp/514
Client Ports: syslog, default
Example: server syslog accept

telnet (simple)
Server Ports: tcp/23
Client Ports: default
Example: server telnet accept

tftp (simple)
Server Ports: udp/69
Client Ports: default
Netfilter Modules: tftp (CONFIG_NF_CONNTRACK_TFTP)
Netfilter NAT Modules: tftp (CONFIG_NF_NAT_TFTP)
Example: server tftp accept

time (simple)
Server Ports: tcp/37, udp/37
Client Ports: default
Example: server time accept

timestamp (complex)
Server Ports: N/A
Client Ports: N/A
Notes: This service matches ICMP timestamp-request packets (type 13) and their timestamp-reply replies (type 14). The timestamp service is stateful.
Example: server timestamp accept

upnp (simple)
Server Ports: udp/1900, tcp/2869
Client Ports: default
Notes: UPnP is Universal Plug and Play. For a Linux implementation check Linux IGD.
Example: server upnp accept

uucp (simple)
Server Ports: tcp/540
Client Ports: default
Example: server uucp accept

vmware (simple)
Server Ports: tcp/902
Client Ports: default
Example: server vmware accept

vmwareauth (simple)
Server Ports: tcp/903
Client Ports: default
Example: server vmwareauth accept

vmwareweb (simple)
Server Ports: tcp/8222, tcp/8333
Client Ports: default
Example: server vmwareweb accept

vnc (simple)
Server Ports: tcp/5900:5903
Client Ports: default
Example: server vnc accept

webcache (simple)
Server Ports: tcp/8080
Client Ports: default
Example: server webcache accept

webmin (simple)
Server Ports: tcp/10000
Client Ports: default
Notes: Webmin is a web-based interface for system administration of Unix systems.
Example: server webmin accept

whois (simple)
Server Ports: tcp/43
Client Ports: default
Notes: See O'Reilly's Building Internet Firewalls book about whois and firewalls.
Example: server whois accept

xbox (simple)
Server Ports:
Client Ports:
Example: server xbox accept

xdmcp (simple)
Server Ports: udp/177
Client Ports: default
Notes: X Display Manager Control Protocol. See http://www.jirka.org/gdm-documentation/x70.html for a discussion of XDMCP and firewalls (it is about the Gnome Display Manager, a replacement for XDM).
Example: server xdmcp accept


$Id: services.html,v 1.68 2013/01/06 23:49:08 ktsaou Exp $

FireHOL, a firewall for humans...
© Copyright 2004 Costa Tsaousis <costa@tsaousis.gr>