
        NAME

        firehol-services - FireHOL services list

        SYNOPSIS

        AH all amanda any anystateless apcupsd apcupsdnis aptproxy asterisk

        cups custom cvspserver

        darkstat daytime dcc dcpp dhcp dhcprelay dhcpv6 dict distcc dns

        echo emule eserver ESP

        finger ftp

        gift giftui gkrellmd GRE

        h323 heartbeat http httpalt https hylafax

        iax iax2 ICMP icmp ICMPV6 icmpv6 icp ident imap imaps ipsecnatt ipv6error ipv6mld ipv6neigh ipv6router irc isakmp

        jabber jabberd

        l2tp ldap ldaps lpd

        microsoft_ds mms msn msnp ms_ds multicast mysql

        netbackup netbios_dgm netbios_ns netbios_ssn nfs nis nntp nntps nrpe ntp nut nxserver

        openvpn oracle OSPF

        ping pop3 pop3s portmap postgres pptp privoxy

        radius radiusold radiusoldproxy radiusproxy rdp rndc rsync rtp

        samba sane sip smtp smtps snmp snmptrap socks squid ssh stun submission sunrpc swat syslog

        telnet tftp time timestamp tomcat

        upnp uucp

        vmware vmwareauth vmwareweb vnc

        webcache webmin whois

        xbox xdmcp

        DESCRIPTION

        service: AH

        IPSec Authentication Header (AH)

        Example:

        server AH accept

        Service Type:

        • simple

        Server Ports:

        • 51/any

        Client Ports:

        • any

        Links

        Notes

        For more information see this Archive of the FreeS/WAN documentation and RFC 2402.

        service: all

        Match all traffic

        Example:

        server all accept

        Service Type:

        • simple

        Server Ports:

        • all

        Client Ports:

        • all

        Netfilter Modules

        Netfilter NAT Modules

        Notes

        Matches all traffic (all protocols, ports, etc.). Note that to provide "connections in one direction with replies" semantics, the kernel connection tracker is still used: this will therefore still not match packets if they are not understood as part of a connection (e.g. some ICMPv6 packets, requests and replies taking different routes, complex protocols with no helper loaded).

        This service may indirectly setup a set of other services, if they require kernel modules to be loaded. The following complex services are activated:

        service: amanda

        Advanced Maryland Automatic Network Disk Archiver

        Service Type:

        • simple

        Server Ports:

        • udp/10080

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        service: any

        Match all traffic (without modules or indirect)

        Example:

        server any *myname* accept proto 47

        Service Type:

        • simple

        Server Ports:

        • all

        Client Ports:

        • all

        Notes

        Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and does not activate any other service indirectly. In combination with the firehol-params(5) this service can match unusual traffic (e.g. GRE - protocol 47).

        Note that you have to supply your own name in addition to "any".

        service: anystateless

        Match all traffic statelessly

        Example:

        server anystateless *myname* accept proto 47

        Service Type:

        • complex

        Server Ports:

        • all

        Client Ports:

        • all

        Notes

        Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and does not activate any other service indirectly. In combination with the firehol-params(5) this service can match unusual traffic (e.g. GRE - protocol 47).

        This service is identical to "any" but does not care about the state of traffic.

        Note that you have to supply your own name in addition to "anystateless".

        service: apcupsd

        APC UPS Daemon

        Example:

        server apcupsd accept

        Service Type:

        • simple

        Server Ports:

        • tcp/6544

        Client Ports:

        • default

        Links

        Notes

        This service must be defined as "server apcupsd accept" on all machines not directly connected to the UPS (i.e. slaves).

        Note that the port defined here is not the default port (6666) used if you download and compile APCUPSD, since the default conflicts with IRC and many distributions (like Debian) have changed this to 6544.

        You can define port 6544 in APCUPSD by changing the value of NETPORT in its configuration file, or override this FireHOL service definition using the procedures described in Adding Services in firehol.conf(5).

        service: apcupsdnis

        APC UPS Daemon Network Information Server

        Example:

        server apcupsdnis accept

        Service Type:

        • simple

        Server Ports:

        • tcp/3551

        Client Ports:

        • default

        Links

        Notes

        This service allows the remote web interfaces of APCUPSD to connect and get information from the server directly connected to the UPS device.

        service: aptproxy

        Advanced Packaging Tool Proxy

        Example:

        server aptproxy accept

        Service Type:

        • simple

        Server Ports:

        • tcp/9999

        Client Ports:

        • default

        Links

        service: asterisk

        Asterisk PABX

        Example:

        server asterisk accept

        Service Type:

        • simple

        Server Ports:

        • tcp/5038

        Client Ports:

        • default

        Links

        Notes

        This service refers only to the manager interface of asterisk. You should normally enable sip, h323, rtp, etc. at the firewall level if you enable the corresponding channel drivers in asterisk.

        service: cups

        Common UNIX Printing System

        Example:

        server cups accept

        Service Type:

        • simple

        Server Ports:

        • tcp/631 udp/631

        Client Ports:

        • any

        Links

        service: custom

        Custom definitions

        Example:

        server custom myimap tcp/143 default accept

        Service Type:

        • custom

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Notes

        The full syntax is:

        subcommand custom name svr-proto/ports cli-ports action params

        This service is used by FireHOL to allow you to create rules for services which do not have a definition.

        subcommand, action and params have their usual meanings.

        A name must be supplied along with server ports in the form proto/range and client ports which takes only a range.

        To define services with the built-in extension mechanism to avoid the need for custom services, see Adding Services in firehol.conf(5).
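The custom syntax above is easy to get subtly wrong (a proto/ prefix on the client ports, a reversed range). The following checker, added here as an example and not part of FireHOL, parses a custom line into its fields and rejects malformed ones; the sets of protocols, actions and client-port keywords it accepts are assumptions, not taken from the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple, Union

# Assumed (not from the page): protocols, actions and subcommands a custom line may use.
PROTOS = {"tcp", "udp", "sctp", "udplite"}
ACTIONS = {"accept", "reject", "drop", "return", "tarpit"}
SUBCOMMANDS = {"server", "client"}
# Client-port keywords FireHOL understands besides an explicit range.
CLIENT_KEYWORDS = {"default", "any", "all"}

PORT_RANGE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")
PortRange = Tuple[int, int]


@dataclass
class CustomService:
    subcommand: str
    name: str
    proto: str
    server_ports: PortRange
    client_ports: Union[str, PortRange]
    action: str
    params: List[str] = field(default_factory=list)


def parse_port_range(text: str) -> PortRange:
    """Parse 'N' or 'N:M' into an inclusive (low, high) tuple, validating bounds."""
    m = PORT_RANGE.match(text)
    if not m:
        raise ValueError(f"bad port range {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of bounds or reversed: {text!r}")
    return low, high


def parse_custom(line: str) -> CustomService:
    """Parse 'subcommand custom name svr-proto/ports cli-ports action [params...]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[1] != "custom":
        raise ValueError("expected: subcommand custom name svr-proto/ports cli-ports action [params]")
    subcommand, _, name, svr, cli, action, *params = tokens
    if subcommand not in SUBCOMMANDS:
        raise ValueError(f"unknown subcommand {subcommand!r}")
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError(f"service name {name!r} is not a plain identifier")
    # Server ports must be written as proto/range.
    proto, sep, ports = svr.partition("/")
    if not sep or proto not in PROTOS:
        raise ValueError(f"server ports must be proto/range, got {svr!r}")
    server_ports = parse_port_range(ports)
    # Client ports take only a range (no proto/ prefix) or one of the keywords.
    if "/" in cli:
        raise ValueError(f"client ports take a bare range, not {cli!r}")
    client_ports = cli if cli in CLIENT_KEYWORDS else parse_port_range(cli)
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return CustomService(subcommand, name, proto, server_ports, client_ports, action, params)


def is_valid_custom(line: str) -> bool:
    """True when the line parses cleanly; handy for linting a firehol.conf before loading it."""
    try:
        parse_custom(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_custom("server custom myimap tcp/143 default accept"))
```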

        service: cvspserver

        Concurrent Versions System

        Example:

        server cvspserver accept

        Service Type:

        • simple

        Server Ports:

        • tcp/2401

        Client Ports:

        • default

        Links

        service: darkstat

        Darkstat network traffic analyser

        Example:

        server darkstat accept

        Service Type:

        • simple

        Server Ports:

        • tcp/666

        Client Ports:

        • default

        Links

        service: daytime

        Daytime Protocol

        Example:

        server daytime accept

        Service Type:

        • simple

        Server Ports:

        • tcp/13

        Client Ports:

        • default

        Links

        service: dcc

        Distributed Checksum Clearinghouse

        Example:

        server dcc accept

        Service Type:

        • simple

        Server Ports:

        • udp/6277

        Client Ports:

        • default

        Links

        Notes

        See also this DCC FAQ.

        service: dcpp

        Direct Connect++ P2P

        Example:

        server dcpp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/1412 udp/1412

        Client Ports:

        • default

        Links

        service: dhcp

        Dynamic Host Configuration Protocol

        Example:

        server dhcp accept

        Service Type:

        • complex

        Server Ports:

        • udp/67

        Client Ports:

        • 68

        Links

        Notes

        The dhcp service is implemented as stateless rules.

        DHCP clients broadcast to the network (src 0.0.0.0 dst 255.255.255.255) to find a DHCP server. If the DHCP service were stateful, the iptables connection tracker would not match these packets and the reply would be denied.

        Note that this change does not affect the security of either DHCP servers or clients, since only the specific ports are allowed (there is no random port at either the server or the client side).

        Note also that the "server dhcp accept" or "client dhcp accept" commands should be placed within interfaces that do not have src and / or dst defined (because of the initial broadcast).

        You can overcome this problem by placing the DHCP service on a separate interface, without a src or dst but with a policy return. Place this interface before the one that defines the rest of the services.

        For example:

        interface eth0 dhcp
            policy return
            server dhcp accept

        interface eth0 lan src "$mylan" dst "$myip"
            client all accept

        This service implicitly sets its client or server to ipv4 mode.

        service: dhcprelay

        DHCP Relay

        Example:

        server dhcprelay accept

        Service Type:

        • simple

        Server Ports:

        • udp/67

        Client Ports:

        • 67

        Links

        Notes

        From RFC 1812 section 9.1.2:

        In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP (sub)network. In such cases, a third-party agent is required to transfer BOOTP messages between clients and servers. Such an agent was originally referred to as a BOOTP forwarding agent. However, to avoid confusion with the IP forwarding function of a router, the name BOOTP relay agent has been adopted instead.

        For more information about DHCP Relay see section 9.1.2 of RFC 1812 and section 4 of RFC 1542.

        service: dhcpv6

        Dynamic Host Configuration Protocol for IPv6

        Example:

        server dhcpv6 accept
          client dhcpv6 accept

        Service Type:

        • complex

        Server Ports:

        • udp/547

        Client Ports:

        • udp/546

        Links

        Notes

        The dhcpv6 service is implemented as stateless rules. It cannot be stateful as the connection tracker will not match a unicast reply to a multicast request. Further, if you wish to add src/dst rule parameters, you must account for both the multicast and link-local network prefixes.

        Clients broadcast from a link-local address to the multicast address ff02::1:2 on UDP port 547 to find a server. The server sends a unicast reply back to the client which listens on UDP port 546.

        For a FireHOL interface, creating a client will allow sending to port 547 and receiving on port 546. Creating a server allows sending to port 546 and receiving on port 547.

        Unlike DHCP for IPv4, the source ports to be used are not defined in DHCPv6 - see section 5.2 of RFC 3315. Some servers are known to make use of this to send from arbitrary ports, so FireHOL does not assume a source port.

        This service implicitly sets its client or server to ipv6 mode.

        service: dict

        Dictionary Server Protocol

        Example:

        server dict accept

        Service Type:

        • simple

        Server Ports:

        • tcp/2628

        Client Ports:

        • default

        Links

        Notes

        See RFC 2229.

        service: distcc

        Distributed CC

        Example:

        server distcc accept

        Service Type:

        • simple

        Server Ports:

        • tcp/3632

        Client Ports:

        • default

        Links

        Notes

        For distcc security, please check the distcc security design.

        service: dns

        Domain Name System

        Example:

        server dns accept

        Service Type:

        • simple

        Server Ports:

        • udp/53 tcp/53

        Client Ports:

        • any

        Links

        Notes

        On very busy DNS servers you may see a few dropped DNS packets in your logs. This is normal. The iptables connection tracker will timeout the session and lose unmatched DNS packets that arrive too late to be useful.

        service: echo

        Echo Protocol

        Example:

        server echo accept

        Service Type:

        • simple

        Server Ports:

        • tcp/7

        Client Ports:

        • default

        Links

        service: emule

        eMule (Donkey network client)

        Example:

        client emule accept src 192.0.2.1

        Service Type:

        • complex

        Server Ports:

        • many

        Client Ports:

        • many

        Links

        Notes

        According to eMule Port Definitions, FireHOL defines:

        • Accept from any client port to the server at tcp/4661
        • Accept from any client port to the server at tcp/4662
        • Accept from any client port to the server at udp/4665
        • Accept from any client port to the server at udp/4672
        • Accept from any server port to the client at tcp/4662
        • Accept from any server port to the client at udp/4672

        Use the FireHOL firehol-client(5) command to match the eMule client.

        Please note that the eMule client is an HTTP client also.

        service: eserver

        eDonkey network server

        Example:

        server eserver accept

        Service Type:

        • simple

        Server Ports:

        • tcp/4661 udp/4661 udp/4665

        Client Ports:

        • any

        Links

        service: ESP

        IPSec Encapsulated Security Payload (ESP)

        Example:

        server ESP accept

        Service Type:

        • simple

        Server Ports:

        • 50/any

        Client Ports:

        • any

        Links

        Notes

        For more information see this Archive of the FreeS/WAN documentation and RFC 2406.

        service: finger

        Finger Protocol

        Example:

        server finger accept

        Service Type:

        • simple

        Server Ports:

        • tcp/79

        Client Ports:

        • default

        Links

        service: ftp

        File Transfer Protocol

        Example:

        server ftp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/21

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        Notes

        The FTP service matches both active and passive FTP connections.

        service: gift

        giFT Internet File Transfer

        Example:

        server gift accept

        Service Type:

        • simple

        Server Ports:

        • tcp/4302 tcp/1214 tcp/2182 tcp/2472

        Client Ports:

        • any

        Links

        Notes

        The gift FireHOL service supports:

        • Gnutella listening at tcp/4302
        • FastTrack listening at tcp/1214
        • OpenFT listening at tcp/2182 and tcp/2472

        The above ports are the defaults given for the corresponding giFT modules.

        To allow access to the user interface ports of giFT, use the giftui service.

        service: giftui

        giFT Internet File Transfer User Interface

        Example:

        server giftui accept

        Service Type:

        • simple

        Server Ports:

        • tcp/1213

        Client Ports:

        • default

        Links

        Notes

        This service refers only to the user interface ports offered by giFT. To allow giFT to accept P2P requests, use the gift service.

        service: gkrellmd

        GKrellM Daemon

        Example:

        server gkrellmd accept

        Service Type:

        • simple

        Server Ports:

        • tcp/19150

        Client Ports:

        • default

        Links

        service: GRE

        Generic Routing Encapsulation

        Example:

        server GRE accept

        Service Type:

        • simple

        Server Ports:

        • 47/any

        Client Ports:

        • any

        Netfilter Modules

        Netfilter NAT Modules

        Links

        Notes

        Protocol No 47.

        For more information see RFC 2784.

        service: h323

        H.323 VoIP

        Example:

        server h323 accept

        Service Type:

        • simple

        Server Ports:

        • udp/1720 tcp/1720

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        service: heartbeat

        HeartBeat

        Example:

        server heartbeat accept

        Service Type:

        • simple

        Server Ports:

        • udp/690:699

        Client Ports:

        • default

        Links

        Notes

        This FireHOL service has been designed in such a way that it will allow multiple heartbeat clusters on the same LAN.

        service: http

        Hypertext Transfer Protocol

        Example:

        server http accept

        Service Type:

        • simple

        Server Ports:

        • tcp/80

        Client Ports:

        • default

        Links

        service: httpalt

        HTTP alternate port

        Example:

        server httpalt accept

        Service Type:

        • simple

        Server Ports:

        • tcp/8080

        Client Ports:

        • default

        Links

        Notes

        This port is commonly used by web servers, web proxies and caches where the standard http port is not available or cannot or should not be used.

        service: https

        Secure Hypertext Transfer Protocol

        Example:

        server https accept

        Service Type:

        • simple

        Server Ports:

        • tcp/443

        Client Ports:

        • default

        Links

        service: hylafax

        HylaFAX

        Example:

        server hylafax accept

        Service Type:

        • complex

        Server Ports:

        • many

        Client Ports:

        • many

        Links

        Notes

        This service allows incoming requests to server port tcp/4559 and outgoing from server port tcp/4558.

        The correct operation of this service has not been verified.

        USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558).

        service: iax

        Inter-Asterisk eXchange

        Example:

        server iax accept

        Service Type:

        • simple

        Server Ports:

        • udp/5036

        Client Ports:

        • default

        Links

        Notes

        This service refers to IAX version 1. There is also iax2.

        service: iax2

        Inter-Asterisk eXchange v2

        Example:

        server iax2 accept

        Service Type:

        • simple

        Server Ports:

        • udp/5469 udp/4569

        Client Ports:

        • default

        Links

        Notes

        This service refers to IAX version 2. There is also iax.

        service: ICMP

        Internet Control Message Protocol

        Example:

        server ICMP accept

        Service Type:

        • simple

        Server Ports:

        • icmp/any

        Client Ports:

        • any

        Links

        service: icmp

        Internet Control Message Protocol
        Alias for ICMP

        service: ICMPV6

        Internet Control Message Protocol v6

        Example:

        server ICMPV6 accept

        Service Type:

        • simple

        Server Ports:

        • icmpv6/any

        Client Ports:

        • any

        Links

        service: icmpv6

        Internet Control Message Protocol v6
        Alias for ICMPV6

        service: icp

        Internet Cache Protocol

        Example:

        server icp accept

        Service Type:

        • simple

        Server Ports:

        • udp/3130

        Client Ports:

        • 3130

        Links

        service: ident

        Identification Protocol

        Example:

        server ident reject with tcp-reset

        Service Type:

        • simple

        Server Ports:

        • tcp/113

        Client Ports:

        • default

        Links

        service: imap

        Internet Message Access Protocol

        Example:

        server imap accept

        Service Type:

        • simple

        Server Ports:

        • tcp/143

        Client Ports:

        • default

        Links

        service: imaps

        Secure Internet Message Access Protocol

        Example:

        server imaps accept

        Service Type:

        • simple

        Server Ports:

        • tcp/993

        Client Ports:

        • default

        Links

        service: ipsecnatt

        NAT traversal and IPsec

        Service Type:

        • simple

        Server Ports:

        • udp/4500

        Client Ports:

        • any

        Links

        service: ipv6error

        ICMPv6 Error Handling

        Example:

        server ipv6error accept

        Service Type:

        • complex

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Notes

        This service is not needed from 3.0.0. It will do nothing but issue a warning from 3.1.0; it will be removed in 4.0.0.

        The linux connection tracker ensures that ICMPv6 errors are marked as RELATED. Since 3.0.0, these are automatically accepted by FireHOL, making a separate command redundant.

        service: ipv6mld

        IPv6 Multicast Listener Discovery for IPv6

        Example:

        client ipv6mld accept

        Service Type:

        • complex

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Links

        Notes

        IPv6 uses Multicast Listener Discovery to discover multicast listeners and what they are listening for.

        In practice all IPv6 nodes are multicast listeners since multicast is used in the neighbour discovery protocol which replaces ARP in IPv4.

        These rules are stateless since reports can happen automatically as well as on query.

        Unless multicast snooping is disabled across the network, MLD should be enabled for any clients:

        client ipv6mld accept

        MLD should also be enabled as a server on any hosts acting as a router:

        server ipv6mld accept

        The rules should generally not be used to pass packets across a firewall (e.g. in a router definition) unless the firewall is for a bridge.

        This service implicitly sets its client or server to ipv6 mode.

        service: ipv6neigh

        IPv6 Neighbour discovery

        Example:

        client ipv6neigh accept
          server ipv6neigh accept

        Service Type:

        • complex

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Links

        Notes

        IPv6 uses the Neighbour Discovery Protocol to do automatic configuration of routes and to replace ARP. To allow this functionality the network neighbour and router solicitation/advertisement messages should be enabled on each interface.

        These rules are stateless since advertisement can happen automatically as well as on solicitation.

        Neighbour discovery (incoming) should always be enabled:

        server ipv6neigh accept

        Neighbour advertisement (outgoing) should always be enabled:

        client ipv6neigh accept

        The rules should not be used to pass packets across a firewall (e.g. in a router definition) unless the firewall is for a bridge.

        This service implicitly sets its client or server to ipv6 mode.

        service: ipv6router

        IPv6 Router discovery

        Example:

        client ipv6router accept

        Service Type:

        • complex

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Links

        Notes

        IPv6 uses the Neighbour Discovery Protocol to do automatic configuration of routes and to replace ARP. To allow this functionality the network neighbour and router solicitation/advertisement messages should be enabled on each interface.

        These rules are stateless since advertisement can happen automatically as well as on solicitation.

        Router discovery (incoming) should always be enabled:

        client ipv6router accept

        Router advertisement (outgoing) should be enabled on a host that routes:

        server ipv6router accept

        The rules should not be used to pass packets across a firewall (e.g. in a router definition) unless the firewall is for a bridge.

        This service implicitly sets its client or server to ipv6 mode.

        service: irc

        Internet Relay Chat

        Example:

        server irc accept

        Service Type:

        • simple

        Server Ports:

        • tcp/6667

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        service: isakmp

        Internet Security Association and Key Management Protocol (IKE)

        Example:

        server isakmp accept

        Service Type:

        • simple

        Server Ports:

        • udp/500

        Client Ports:

        • any

        Links

        Notes

        For more information see the Archive of the FreeS/WAN documentation.

        service: jabber

        Extensible Messaging and Presence Protocol

        Example:

        server jabber accept

        Service Type:

        • simple

        Server Ports:

        • tcp/5222 tcp/5223

        Client Ports:

        • default

        Links

        Notes

        Allows clear and SSL client-to-server connections.

        service: jabberd

        Extensible Messaging and Presence Protocol (Server)

        Example:

        server jabberd accept

        Service Type:

        • simple

        Server Ports:

        • tcp/5222 tcp/5223 tcp/5269

        Client Ports:

        • default

        Links

        Notes

        Allows clear and SSL client-to-server and server-to-server connections.

        Use this service for a jabberd server. In all other cases, use the jabber service.

        service: l2tp

        Layer 2 Tunneling Protocol

        Service Type:

        • simple

        Server Ports:

        • udp/1701

        Client Ports:

        • any

        Links

        service: ldap

        Lightweight Directory Access Protocol

        Example:

        server ldap accept

        Service Type:

        • simple

        Server Ports:

        • tcp/389

        Client Ports:

        • default

        Links

        service: ldaps

        Secure Lightweight Directory Access Protocol

        Example:

        server ldaps accept

        Service Type:

        • simple

        Server Ports:

        • tcp/636

        Client Ports:

        • default

        Links

        service: lpd

        Line Printer Daemon Protocol

        Example:

        server lpd accept

        Service Type:

        • simple

        Server Ports:

        • tcp/515

        Client Ports:

        • any

        Links

        Notes

        LPD is documented in RFC 1179.

        Since many operating systems incorrectly use the non-default client ports for LPD access, this definition allows any client port to access the service (in addition to the RFC defined 721 to 731 inclusive).

        service: microsoft_ds

        Direct Hosted (NETBIOS-less) SMB

        Example:

        server microsoft_ds accept

        Service Type:

        • simple

        Server Ports:

        • tcp/445

        Client Ports:

        • default

        Notes

        Direct Hosted (i.e. NETBIOS-less SMB)

        This is another NETBIOS Session Service with minor differences from netbios_ssn. It is supported only by Windows 2000 and Windows XP and it offers the advantage of being independent of WINS for name resolution.

        It seems that samba transparently supports this protocol on the netbios_ssn ports, so that either direct hosted or traditional SMB can be served simultaneously.

        Please refer to the netbios_ssn service for more information.

        service: mms

        Microsoft Media Server

        Example:

        server mms accept

        Service Type:

        • simple

        Server Ports:

        • tcp/1755 udp/1755

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        Notes

        Microsoft's proprietary network streaming protocol used to transfer unicast data in Windows Media Services (previously called NetShow Services).

        service: msn

        Microsoft MSN Messenger Service

        Example:

        server msn accept

        Service Type:

        • simple

        Server Ports:

        • tcp/1863 udp/1863

        Client Ports:

        • default

        service: msnp

        msnp

        Example:

        server msnp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/6891

        Client Ports:

        • default

        service: ms_ds

        Direct Hosted (NETBIOS-less) SMB
        Alias for microsoft_ds

        service: multicast

        Multicast

        Example:

        server multicast reject with proto-unreach

        Service Type:

        • complex

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Links

        Notes

        The multicast service matches all packets sent to the $MULTICAST_IPS addresses using IGMP or UDP. For IPv4 that means 224.0.0.0/4 and for IPv6 FF00::/16.

        service: mysql

        MySQL

        Example:

        server mysql accept

        Service Type:

        • simple

        Server Ports:

        • tcp/3306

        Client Ports:

        • default

        Links

        service: netbackup

        Veritas NetBackup service

        Example:

        server netbackup accept
          client netbackup accept

        Service Type:

        • simple

        Server Ports:

        • tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724 tcp/13782 tcp/13783

        Client Ports:

        • any

        Links

        Notes

        To use this service you must define it as both client and server in NetBackup clients and NetBackup servers.

        service: netbios_dgm

        NETBIOS Datagram Distribution Service

        Example:

        server netbios_dgm accept

        Service Type:

        • simple

        Server Ports:

        • udp/138

        Client Ports:

        • any

        Links

        Notes

        See also the samba service.

        Keep in mind that this service broadcasts (to the broadcast address of your LAN) UDP packets. If you place this service within an interface that has a dst parameter, remember to include (in the dst parameter) the broadcast address of your LAN too.

        service: netbios_ns

        NETBIOS Name Service

        Example:

        server netbios_ns accept

        Service Type:

        • simple

        Server Ports:

        • udp/137

        Client Ports:

        • any

        Links

        Notes

See also the samba service.

        service: netbios_ssn

        NETBIOS Session Service

        Example:

        server netbios_ssn accept

        Service Type:

        • simple

        Server Ports:

        • tcp/139

        Client Ports:

        • default

        Links

        Notes

See also the samba service.

        Please keep in mind that newer NETBIOS clients prefer to use port 445 (microsoft_ds) for the NETBIOS session service, and when this is not available they fall back to port 139 (netbios_ssn). Versions of samba above 3.x bind automatically to ports 139 and 445.

If you have an older samba version and your policy on an interface or router is DROP, clients trying to access port 445 will have to time out before falling back to port 139. This timeout can be up to several minutes.

To overcome this problem you can explicitly REJECT the microsoft_ds service with a tcp-reset message, so clients fall back immediately:

        server microsoft_ds reject with tcp-reset

        service: nfs

        Network File System

        Example:

        client nfs accept dst 192.0.2.1

        Service Type:

        • complex

        Server Ports:

        • many

        Client Ports:

        • N/A

        Links

        Notes

The NFS service queries the RPC service on the NFS server host to find out the ports on which nfsd, mountd, lockd and rquotad are listening. It then sets up rules for these ports on all the protocols RPC reports, so that clients can reach the server.

        For this reason, the NFS service requires that:

        • the firewall is restarted if the NFS server is restarted
        • the NFS server must be specified on all nfs statements (only if it is not the localhost)

Since the NFS service queries the remote RPC server, FireHOL itself must be allowed to do so, which means the portmap service must be allowed too. Take care that the running firewall allows this at the moment FireHOL tries to query the RPC server. You might therefore have to set up NFS in two steps: first add the portmap service and activate the firewall, then add the NFS service and restart the firewall.

To avoid this you can set up your NFS server to listen on pre-defined ports, as documented in the NFS Howto. If you do this, you will have to define the ports using the procedure described in Adding Services in firehol.conf(5).

        service: nis

        Network Information Service

        Example:

        client nis accept dst 192.0.2.1

        Service Type:

        • complex

        Server Ports:

        • many

        Client Ports:

        • N/A

        Links

        Notes

The nis service queries the RPC service on the nis server host to find out the ports on which ypserv and yppasswdd are listening. It then sets up rules for these ports on all the protocols RPC reports, so that clients can reach the server.

        For this reason, the nis service requires that:

        • the firewall is restarted if the nis server is restarted
        • the nis server must be specified on all nis statements (only if it is not the localhost)

Since the nis service queries the remote RPC server, FireHOL itself must be allowed to do so, which means the portmap service must be allowed too. Take care that the running firewall allows this at the moment FireHOL tries to query the RPC server. You might therefore have to set up nis in two steps: first add the portmap service and activate the firewall, then add the nis service and restart the firewall.

This service was added to FireHOL by Carlos Rodrigues. His comments regarding this implementation are:

        These rules work for client access only!

        Pushing changes to slave servers won't work if these rules are active somewhere between the master and its slaves, because it is impossible to predict the ports where yppush will be listening on each push.

Pulling changes directly on the slaves will work, and could be improved performance-wise if these rules are modified to open ypxfrd. This wasn't done because it doesn't make that much sense since pushing changes on the master server is the most common, and recommended, way to replicate maps.
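The RPC lookup that both the nfs and nis notes above describe, as an added shell example that is not code from FireHOL or this manual: it parses rpcinfo -p output (a constructed sample, embedded below) and turns the ports it finds into the static service definition that the Adding Services section of firehol.conf(5) asks for when the server has been pinned to fixed ports. The service names nfs_static and nis_static are invented, and it refuses to emit an empty port list, which is what an RPC query blocked by the running firewall produces.

```shell
#!/bin/sh
# Added example, not code from FireHOL or this manual. It imitates what the
# nfs and nis services do at firewall start (look up the RPC port map, then
# write one rule per reported protocol/port) but emits a static definition
# in the server_NAME_ports / client_NAME_ports form of firehol.conf(5)
# "Adding Services". Service names nfs_static and nis_static are invented.

# Constructed "rpcinfo -p SERVER" output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32767  mountd
    100005    3   tcp  32767  mountd
    100021    1   udp  32769  nlockmgr
    100021    4   tcp  32803  nlockmgr
    100011    1   udp    875  rquotad
    100011    2   tcp    875  rquotad
    100004    2   udp    858  ypserv
    100004    2   tcp    861  ypserv
    100009    1   udp    952  yppasswdd'

# Well-known ONC RPC program numbers of the daemons the manual names.
NFS_PROGS="100003 100005 100021 100011"   # nfsd, mountd, lockd (nlockmgr), rquotad
NIS_PROGS="100004 100009"                 # ypserv, yppasswdd

# rpc_ports_for PROGNUM...: read rpcinfo -p text on stdin and print each
# distinct proto/port the given programs are registered on, one per line,
# so every protocol the port mapper reports (tcp and udp) is covered.
rpc_ports_for() {
    cond=""
    for prog in "$@"; do
        cond="${cond:+$cond || }\$1 == $prog"
    done
    awk "$cond { print \$3 \"/\" \$4 }" | sort -u
}

# emit_firehol_service NAME PROGNUM...: print the two firehol.conf lines for
# a static service called NAME. Fails instead of emitting an empty port list
# when the port map reports nothing, which is what you get while the running
# firewall does not yet allow portmap to the server.
emit_firehol_service() {
    name="$1"; shift
    ports="$(rpc_ports_for "$@" | tr '\n' ' ' | sed 's/ $//')"
    if [ -z "$ports" ]; then
        echo "no RPC registrations found for programs: $*" >&2
        return 1
    fi
    printf 'server_%s_ports="%s"\nclient_%s_ports="default"\n' \
        "$name" "$ports" "$name"
}

# Stand-alone run on the sample; against a live server replace the printf
# with "rpcinfo -p SERVER |". Word splitting of $NFS_PROGS is intended.
printf '%s\n' "$SAMPLE_RPCINFO" | emit_firehol_service nfs_static $NFS_PROGS
printf '%s\n' "$SAMPLE_RPCINFO" | emit_firehol_service nis_static $NIS_PROGS
```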

        service: nntp

        Network News Transfer Protocol

        Example:

        server nntp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/119

        Client Ports:

        • default

        Links

        service: nntps

        Secure Network News Transfer Protocol

        Example:

        server nntps accept

        Service Type:

        • simple

        Server Ports:

        • tcp/563

        Client Ports:

        • default

        Links

        service: nrpe

        Nagios NRPE

        Service Type:

        • simple

        Server Ports:

        • tcp/5666

        Client Ports:

        • default

        Links

        service: ntp

        Network Time Protocol

        Example:

        server ntp accept

        Service Type:

        • simple

        Server Ports:

        • udp/123 tcp/123

        Client Ports:

        • any

        Links

        service: nut

        Network UPS Tools

        Example:

        server nut accept

        Service Type:

        • simple

        Server Ports:

        • tcp/3493 udp/3493

        Client Ports:

        • default

        Links

        service: nxserver

        NoMachine NX Server

        Example:

        server nxserver accept

        Service Type:

        • simple

        Server Ports:

        • tcp/5000:5200

        Client Ports:

        • default

        Links

        Notes

        Default ports used by NX server for connections without encryption.

Note that nxserver also needs the ssh service to be enabled.

This information has been extracted from the NX server documentation: the TCP ports used by nxserver are 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT. DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200.

        For encrypted nxserver sessions, only ssh is needed.

        service: openvpn

        OpenVPN

        Service Type:

        • simple

        Server Ports:

        • tcp/1194 udp/1194

        Client Ports:

        • default

        Links

        service: oracle

        Oracle Database

        Example:

        server oracle accept

        Service Type:

        • simple

        Server Ports:

        • tcp/1521

        Client Ports:

        • default

        Links

        service: OSPF

        Open Shortest Path First

        Example:

        server OSPF accept

        Service Type:

        • simple

        Server Ports:

        • 89/any

        Client Ports:

        • any

        Links

        service: ping

        Ping (ICMP echo)

        Example:

        server ping accept

        Service Type:

        • complex

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Links

        Notes

This service matches requests of protocol ICMP and type echo-request (TYPE=8) and their replies of type echo-reply (TYPE=0).

        The ping service is stateful.

        service: pop3

        Post Office Protocol

        Example:

        server pop3 accept

        Service Type:

        • simple

        Server Ports:

        • tcp/110

        Client Ports:

        • default

        Links

        service: pop3s

        Secure Post Office Protocol

        Example:

        server pop3s accept

        Service Type:

        • simple

        Server Ports:

        • tcp/995

        Client Ports:

        • default

        Links

        service: portmap

        Open Network Computing Remote Procedure Call - Port Mapper

        Example:

        server portmap accept

        Service Type:

        • simple

        Server Ports:

        • udp/111 tcp/111

        Client Ports:

        • any

        Links

        service: postgres

        PostgreSQL

        Example:

        server postgres accept

        Service Type:

        • simple

        Server Ports:

        • tcp/5432

        Client Ports:

        • default

        Links

        service: pptp

        Point-to-Point Tunneling Protocol

        Example:

        server pptp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/1723

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        service: privoxy

        Privacy Proxy

        Example:

        server privoxy accept

        Service Type:

        • simple

        Server Ports:

        • tcp/8118

        Client Ports:

        • default

        Links

        service: radius

        Remote Authentication Dial In User Service (RADIUS)

        Example:

        server radius accept

        Service Type:

        • simple

        Server Ports:

        • udp/1812 udp/1813

        Client Ports:

        • default

        Links

        service: radiusold

        Remote Authentication Dial In User Service (RADIUS)

        Example:

        server radiusold accept

        Service Type:

        • simple

        Server Ports:

        • udp/1645 udp/1646

        Client Ports:

        • default

        Links

        service: radiusoldproxy

        Remote Authentication Dial In User Service (RADIUS)

        Example:

        server radiusoldproxy accept

        Service Type:

        • simple

        Server Ports:

        • udp/1647

        Client Ports:

        • default

        Links

        service: radiusproxy

        Remote Authentication Dial In User Service (RADIUS)

        Example:

        server radiusproxy accept

        Service Type:

        • simple

        Server Ports:

        • udp/1814

        Client Ports:

        • default

        Links

        service: rdp

        Remote Desktop Protocol

        Example:

        server rdp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/3389

        Client Ports:

        • default

        Links

        Notes

Remote Desktop Protocol is also known as Terminal Services.

        service: rndc

        Remote Name Daemon Control

        Example:

        server rndc accept

        Service Type:

        • simple

        Server Ports:

        • tcp/953

        Client Ports:

        • default

        Links

        service: rsync

        rsync protocol

        Example:

        server rsync accept

        Service Type:

        • simple

        Server Ports:

        • tcp/873 udp/873

        Client Ports:

        • default

        Links

        service: rtp

        Real-time Transport Protocol

        Example:

        server rtp accept

        Service Type:

        • simple

        Server Ports:

        • udp/10000:20000

        Client Ports:

        • any

        Links

        Notes

RTP may in general use any UDP port. This definition narrows RTP down to UDP ports 10000 to 20000.

        service: samba

        Samba

        Example:

        server samba accept

        Service Type:

        • complex

        Server Ports:

        • many

        Client Ports:

        • default

        Links

        Notes

        The samba service automatically sets all the rules for netbios_ns, netbios_dgm, netbios_ssn and microsoft_ds.

        Please refer to the notes of the above services for more information.

NETBIOS initiates a session by sending the request to the broadcast address of an interface, but the server responds from its own IP address. This makes the "server samba accept" statement drop the server reply, because of the way the iptables connection tracker works.

This service definition includes a hack that allows a Linux samba server to respond correctly in such situations, by allowing new outgoing connections from the well-known netbios_ns port to the clients' high ports.

However, for clients and routers this hack is not applied, because it would open all unprivileged ports to the samba server. The only solution to overcome the problem in such cases (routers or clients) is to build a trust relationship between the samba servers and clients.

        service: sane

        SANE Scanner service

        Service Type:

        • simple

        Server Ports:

        • tcp/6566

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        • N/A

        Links

        service: sip

        Session Initiation Protocol

        Example:

        server sip accept

        Service Type:

        • simple

        Server Ports:

        • tcp/5060 udp/5060

        Client Ports:

        • 5060 default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        Notes

        SIP is an IETF standard protocol (RFC 2543) for initiating interactive user sessions involving multimedia elements such as video, voice, chat, gaming, etc. SIP works in the application layer of the OSI communications model.

        service: smtp

        Simple Mail Transport Protocol

        Example:

        server smtp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/25

        Client Ports:

        • default

        Links

        service: smtps

        Secure Simple Mail Transport Protocol

        Example:

        server smtps accept

        Service Type:

        • simple

        Server Ports:

        • tcp/465

        Client Ports:

        • default

        Links

        service: snmp

        Simple Network Management Protocol

        Example:

        server snmp accept

        Service Type:

        • simple

        Server Ports:

        • udp/161

        Client Ports:

        • default

        Links

        service: snmptrap

        SNMP Trap

        Example:

        server snmptrap accept

        Service Type:

        • simple

        Server Ports:

        • udp/162

        Client Ports:

        • any

        Links

        Notes

        An SNMP trap is a notification from an agent to a manager.

        service: socks

        SOCKet Secure

        Example:

        server socks accept

        Service Type:

        • simple

        Server Ports:

        • tcp/1080 udp/1080

        Client Ports:

        • default

        Links

        Notes

        See also RFC 1928.

        service: squid

        Squid Web Cache

        Example:

        server squid accept

        Service Type:

        • simple

        Server Ports:

        • tcp/3128

        Client Ports:

        • default

        Links

        service: ssh

        Secure Shell Protocol

        Example:

        server ssh accept

        Service Type:

        • simple

        Server Ports:

        • tcp/22

        Client Ports:

        • default

        Links

        service: stun

        Session Traversal Utilities for NAT

        Example:

        server stun accept

        Service Type:

        • simple

        Server Ports:

        • udp/3478 udp/3479

        Client Ports:

        • any

        Links

        Notes

        STUN is a protocol for assisting devices behind a NAT firewall or router with their packet routing.

        service: submission

        SMTP over SSL/TLS submission

        Example:

        server submission accept

        Service Type:

        • simple

        Server Ports:

        • tcp/587

        Client Ports:

        • default

        Links

        Notes

        Submission is essentially normal SMTP with an SSL/TLS negotiation.

        service: sunrpc

        Open Network Computing Remote Procedure Call - Port Mapper
        Alias for portmap

        service: swat

        Samba Web Administration Tool

        Example:

        server swat accept

        Service Type:

        • simple

        Server Ports:

        • tcp/901

        Client Ports:

        • default

        Links

        service: syslog

        Syslog Remote Logging Protocol

        Example:

        server syslog accept

        Service Type:

        • simple

        Server Ports:

        • udp/514

        Client Ports:

        • 514 default

        Links

        service: telnet

        Telnet

        Example:

        server telnet accept

        Service Type:

        • simple

        Server Ports:

        • tcp/23

        Client Ports:

        • default

        Links

        service: tftp

        Trivial File Transfer Protocol

        Example:

        server tftp accept

        Service Type:

        • simple

        Server Ports:

        • udp/69

        Client Ports:

        • default

        Netfilter Modules

        Netfilter NAT Modules

        Links

        service: time

        Time Protocol

        Example:

        server time accept

        Service Type:

        • simple

        Server Ports:

        • tcp/37 udp/37

        Client Ports:

        • default

        Links

        service: timestamp

        ICMP Timestamp

        Example:

        server timestamp accept

        Service Type:

        • complex

        Server Ports:

        • N/A

        Client Ports:

        • N/A

        Links

        Notes

This service matches requests of protocol ICMP and type timestamp-request (TYPE=13) and their replies of type timestamp-reply (TYPE=14).

        The timestamp service is stateful.

        service: tomcat

        HTTP alternate port
        Alias for httpalt

        service: upnp

        Universal Plug and Play

        Example:

        server upnp accept

        Service Type:

        • simple

        Server Ports:

        • udp/1900 tcp/2869

        Client Ports:

        • default

        Links

        Notes

        For a Linux implementation see: Linux IGD.

        service: uucp

        Unix-to-Unix Copy

        Example:

        server uucp accept

        Service Type:

        • simple

        Server Ports:

        • tcp/540

        Client Ports:

        • default

        Links

        service: vmware

        vmware

        Example:

        server vmware accept

        Service Type:

        • simple

        Server Ports:

        • tcp/902

        Client Ports:

        • default

        Notes

        Used from VMWare 1 and up. See the VMWare KnowledgeBase.

        service: vmwareauth

        vmwareauth

        Example:

        server vmwareauth accept

        Service Type:

        • simple

        Server Ports:

        • tcp/903

        Client Ports:

        • default

        Notes

        Used from VMWare 1 and up. See the VMWare KnowledgeBase.

        service: vmwareweb

        vmwareweb

        Example:

        server vmwareweb accept

        Service Type:

        • simple

        Server Ports:

        • tcp/8222 tcp/8333

        Client Ports:

        • default

        Notes

        Used from VMWare 2 and up. See VMWare Server 2.0 release notes and the VMWare KnowledgeBase.

        service: vnc

        Virtual Network Computing

        Example:

        server vnc accept

        Service Type:

        • simple

        Server Ports:

        • tcp/5900:5903

        Client Ports:

        • default

        Links

        Notes

        VNC is a graphical desktop sharing protocol.

        service: webcache

        HTTP alternate port
        Alias for httpalt

        service: webmin

        Webmin Administration System

        Example:

        server webmin accept

        Service Type:

        • simple

        Server Ports:

        • tcp/10000

        Client Ports:

        • default

        Links

        service: whois

        WHOIS Protocol

        Example:

        server whois accept

        Service Type:

        • simple

        Server Ports:

        • tcp/43

        Client Ports:

        • default

        Links

        service: xbox

        Xbox Live

        Example:

        client xbox accept

        Service Type:

        • complex

        Server Ports:

        • many

        Client Ports:

        • default

        Notes

        Definition for the Xbox live service.

        See program source for contributor details.

        service: xdmcp

        X Display Manager Control Protocol

        Example:

        server xdmcp accept

        Service Type:

        • simple

        Server Ports:

        • udp/177

        Client Ports:

        • default

        Links

        Notes

        See Gnome Display Manager for a discussion about XDMCP and firewalls (Gnome Display Manager is a replacement for XDM).
