Copyright © 2001-2002, 2004 Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.
2004-10-01
Abstract
In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate.
Table of Contents
Beginning with Shorewall 2.0.0, the Shorewall distribution
contains a library of user-defined actions that allow for easily
allowing or blocking a particular application. Check your
/usr/share/shorewall/actions.std
file for a list of
the actions in your distribution. If you find what you need, you simply
use the action in a rule. For example, to allow DNS queries from the
dmz zone to the net zone:
#ACTION SOURCE DESTINATION AllowDNS dmz net
In the rules that are shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT (see FAQ 30) or you may want DROP or REJECT if you are trying to block the application.
Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 21
You would code your rule as follows:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) DNAT net dmz:192.168.1.4 tcp 21
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 53 ACCEPT <source> <destination> tcp 53
Note that if you are setting up a DNS server that supports recursive resolution, the server is the <destination> for resolution requests (from clients) and is also the <source> of recursive resolution requests (usually to other servers in the 'net' zone). So for example, if you have a public DNS server in your DMZ that supports recursive resolution for local clients then you would need:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT all dmz udp 53 ACCEPT all dmz tcp 53 ACCEPT dmz net udp 53 ACCEPT dmz net tcp 53
Recursive Resolution means that if the server itself can't resolve the name presented to it, the server will attempt to resolve the name with the help of other servers.
In contrast to how the rest of this article is organized, for emule I will give you the rules necessary to run emule on a single machine in your loc network (since that's what 99.99% of you want to do). Assume that:
The internal machine running emule has IP address 192.168.1.4.
You use Masquerading or SNAT for the local network.
The zones are named as they are in the two- and three-interface QuickStart guides).
Your loc->net policy is ACCEPT
/etc/shorewall/rules:
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) DNAT net loc:192.168.1.4 tcp 4662 DNAT net loc:192.168.1.4 udp 4672 DNAT net loc:192.168.1.4 tcp 4711
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 21
Look here for much more information.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 143 #Unsecure IMAP ACCEPT <source> <destination> tcp 993 #Secure IMAP
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> 50 ACCEPT <source> <destination> 51 ACCEPT <source> <destination> udp 500 ACCEPT <destination> <source> 50 ACCEPT <destination> <source> 51 ACCEPT <destination> <source> udp 500
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d tcp 111 ACCEPT <z1>:<list of client IPs> <z2>:a.b.c.d udp
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 123
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 5632 ACCEPT <source> <destination> tcp 5631
TCP Port 110 (Secure Pop3 is TCP Port 995)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 110 #Unsecure Pop3 ACCEPT <source> <destination> tcp 995 #Secure Pop3
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> 47 ACCEPT <source> <destination> tcp 1723
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 137,139,445 ACCEPT <source> <destination> udp 137:139 ACCEPT <destination> <source> tcp 137,139,445 ACCEPT <destination> <source> udp 137:139
Also, see this page.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 25 #Insecure SMTP ACCEPT <source> <destination> tcp 465 #SMTP over SSL (TLS)
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 161:162 ACCEPT <source> <destination> tcp 161
You must have TFTP connection tracking support in your kernel. If
modularized, the modules are ip_conntrack_tftp (and ip_nat_tftp if any form of NAT is involved) These
modules may be loaded using entries in
/etc/shorewall/modules
. The ip_conntrack_tftp module must be loaded first. Note
that the /etc/shorewall/modules
file released with
recent Shorewall versions contains entries for these modules.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 69
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> udp 33434:33443 #Good for 10 hops ACCEPT <source> <destination> icmp 8
UDP traceroute uses ports 33434 through 33434+<max number of hops>-1. Note that for the firewall to respond with a TTL expired ICMP reply, you will need to allow ICMP 11 outbound from the firewall. The standard Shorewall sample configurations all set this up for you automatically since those sample configurations enable all ICMP packet types originating on the firewall itself.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT fw net icmp ACCEPT fw loc icmp ACCEPT fw ...
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 119
TCP Port 119
Vncviewer to Vncserver -- TCP port 5900 + <display number>.
Vncviewer to Vncserver -- TCP port 5900 + <display number>.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 5901 #Display Number 1 ACCEPT <source> <destination> tcp 5902 #Display Number 2 ...
Vncserver to Vncviewer in listen mode -- TCP port 5500.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 5500
The standard Shorewall loc->net ACCEPT policy is all that is required for Vonage™ IP phone service to work, provided that you have loaded the tftp helper modules (add the following entries to /etc/shorewall/modules if they are not there already):
loadmodule ip_conntrack_tftp loadmodule ip_nat_tftp
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <source> <destination> tcp 80 #Insecure HTTP ACCEPT <source> <destination> tcp 443 #Secure HTTP
Assume that the Choser and/or X Server are running at <chooser> and the Display Manager/X applications are running at <apps>.
#ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT <chooser> <apps> udp 177 #XDMCP ACCEPT <apps> <chooser> tcp 6000:6009 #X Displays 0-9
Didn't find what you are looking for -- have you looked in your own /etc/services file?
Still looking? Try http://www.networkice.com/advice/Exploits/Ports
Revision History | ||
---|---|---|
Revision 1.15 | 2005-05-02 | TE |
Added Emule | ||
Revision 1.14 | 2004-10-01 | TE |
Add rsync. | ||
Revision 1.13 | 2004-09-21 | TE |
Add note about ICMP type 11 to Traceroute. | ||
Revision 1.12 | 2004-09-09 | TE |
Add note about Vonage™. | ||
Revision 1.11 | 2004-05-28 | TE |
Corrected directory for actions.std and enhanced the DNS section. | ||
Revision 1.10 | 2004-05-09 | TE |
Added TFTP. | ||
Revision 1.9 | 2004-04-24 | TE |
Revised ICQ/AIM. | ||
Revision 1.8 | 2004-04-23 | TE |
Added SNMP. | ||
Revision 1.7 | 2004-02-18 | TE |
Make NFS work for everyone. | ||
Revision 1.6 | 2004-02-14 | TE |
Add PCAnywhere. | ||
Revision 1.5 | 2004-02-05 | TE |
Added information about VNC viewers in listen mode. | ||
Revision 1.4 | 2004-01-26 | TE |
Correct ICQ. | ||
Revision 1.3 | 2004-01-04 | TE |
Alphabetize | ||
Revision 1.2 | 2004-01-03 | TE |
Add rules file entries. | ||
Revision 1.1 | 2002-07-30 | TE |
Initial version converted to Docbook XML |