firehol-services man page

firehol-services — FireHOL services list

Synopsis

AH all amanda any anystateless apcupsd apcupsdnis aptproxy asterisk

cups custom cvspserver

darkstat daytime dcc dcpp dhcp dhcprelay dhcpv6 dict distcc dns

echo emule eserver ESP

finger ftp

gift giftui gkrellmd GRE

h323 heartbeat http httpalt https hylafax

iax iax2 ICMP icmp ICMPV6 icmpv6 icp ident imap imaps ipsecnatt ipv6error ipv6neigh ipv6router irc isakmp

jabber jabberd

l2tp ldap ldaps lpd

microsoft_ds mms msn msnp ms_ds multicast mysql

netbackup netbios_dgm netbios_ns netbios_ssn nfs nis nntp nntps nrpe ntp nut nxserver

openvpn oracle OSPF

ping pop3 pop3s portmap postgres pptp privoxy

radius radiusold radiusoldproxy radiusproxy rdp rndc rsync rtp

samba sane sip smtp smtps snmp snmptrap socks squid ssh stun submission sunrpc swat syslog

telnet tftp time timestamp tomcat

upnp uucp

vmware vmwareauth vmwareweb vnc

webcache webmin whois

xbox xdmcp

Description

service: AH

IPSec Authentication Header (AH)

Example:

server AH accept

Service Type:

·
simple

Server Ports:

·
51/any

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/IPsec#Auth…)

Notes

For more information see this Archive of the FreeS/WAN documentation (http://web.archive.org/web/201009181341…) and RFC 2402 (http://www.ietf.org/rfc/rfc2402.txt).

service: all

Match all traffic

Example:

server all accept

Service Type:

·
complex

Server Ports:

·
all

Client Ports:

·
all

Notes

Matches all traffic (all protocols, ports, etc) while ensuring that required kernel modules are loaded.

This service may indirectly set up a set of other services, if they require kernel modules to be loaded. The following complex services are activated:

ftp irc

service: amanda

Advanced Maryland Automatic Network Disk Archiver

Service Type:

·
simple

Server Ports:

·
udp/10080

Client Ports:

·
default

Netfilter Modules

·
nf_conntrack_amanda CONFIG_NF_CONNTRACK_AMANDA (http://cateee.net/lkddb/web-lkddb/NF_CO…)

Netfilter NAT Modules

·
nf_nat_amanda CONFIG_NF_NAT_AMANDA (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Homepage (http://www.amanda.org/)
·
Wikipedia (http://en.wikipedia.org/wiki/Advanced_M…)

service: any

Match all traffic (without modules or indirect)

Example:

server any *myname* accept proto 47

Service Type:

·
complex

Server Ports:

·
all

Client Ports:

·
all

Notes

Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and does not activate any other service indirectly. In combination with the parameters of firehol-params(5) this service can match unusual traffic (e.g. GRE - protocol 47).

Note that you have to supply your own name in addition to "any".

service: anystateless

Match all traffic statelessly

Example:

server anystateless *myname* accept proto 47

Service Type:

·
complex

Server Ports:

·
all

Client Ports:

·
all

Notes

Matches all traffic (all protocols, ports, etc), but does not care about kernel modules and does not activate any other service indirectly. In combination with the parameters of firehol-params(5) this service can match unusual traffic (e.g. GRE - protocol 47).

This service is identical to "any" but does not care about the state of traffic.

Note that you have to supply your own name in addition to "anystateless".

service: apcupsd

APC UPS Daemon

Example:

server apcupsd accept

Service Type:

·
simple

Server Ports:

·
tcp/6544

Client Ports:

·
default

Links

·
Homepage (http://www.apcupsd.com)
·
Wikipedia (http://en.wikipedia.org/wiki/Apcupsd)

Notes

This service must be defined as "server apcupsd accept" on all machines not directly connected to the UPS (i.e. slaves).

Note that the port defined here is not the default port (6666) used if you download and compile APCUPSD, since the default conflicts with IRC and many distributions (like Debian) have changed this to 6544.

You can define port 6544 in APCUPSD, by changing the value of NETPORT in its configuration file, or overwrite this FireHOL service definition using the procedures described in Adding Services in firehol.conf(5).

service: apcupsdnis

APC UPS Daemon Network Information Server

Example:

server apcupsdnis accept

Service Type:

·
simple

Server Ports:

·
tcp/3551

Client Ports:

·
default

Links

·
Homepage (http://www.apcupsd.com)
·
Wikipedia (http://en.wikipedia.org/wiki/Apcupsd)

Notes

This service allows the remote WEB interfaces of APCUPSD (http://www.apcupsd.com/) to connect and get information from the server directly connected to the UPS device.

service: aptproxy

Advanced Packaging Tool Proxy

Example:

server aptproxy accept

Service Type:

·
simple

Server Ports:

·
tcp/9999

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Apt-proxy)

service: asterisk

Asterisk PABX

Example:

server asterisk accept

Service Type:

·
simple

Server Ports:

·
tcp/5038

Client Ports:

·
default

Links

·
Homepage (http://www.asterisk.org)
·
Wikipedia (http://en.wikipedia.org/wiki/Asterisk_P…)

Notes

This service refers only to the manager interface of asterisk. You should normally enable sip, h323, rtp, etc. at the firewall level, if you enable the corresponding channel drivers of asterisk.

service: cups

Common UNIX Printing System

Example:

server cups accept

Service Type:

·
simple

Server Ports:

·
tcp/631 udp/631

Client Ports:

·
any

Links

·
Homepage (http://www.cups.org)
·
Wikipedia (http://en.wikipedia.org/wiki/Common_Uni…)

service: custom

Custom definitions

Example:

server custom myimap tcp/143 default accept

Service Type:

·
custom

Server Ports:

·
N/A

Client Ports:

·
N/A

Notes

The full syntax is:

subcommand custom name svr-proto/ports cli-ports action params

This service is used by FireHOL to allow you to create rules for services which do not have a definition.

subcommand, action and params have their usual meanings.

A name must be supplied along with server ports in the form proto/range and client ports which takes only a range.

To define services with the built-in extension mechanism to avoid the need for custom services, see Adding Services in firehol.conf(5).
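The syntax above is easy to get wrong in a long firehol.conf, and a permissive custom rule (a whole port range, or "any" client ports) is a common way to open more than intended. The following is an added example, not part of this man page or of FireHOL's own parser: a small Python parser and linter for "custom" lines. The subcommand and action vocabularies it accepts are limited to the keywords used in this page and firehol.conf(5) (server, client, route; accept, reject, drop, return, tarpit), and the linter's thresholds are arbitrary choices for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added illustration: parser and linter for FireHOL "custom" service lines of the form
#   subcommand custom name svr-proto/ports cli-ports action [params...]
# This is not FireHOL's own parser; the vocabularies below are assumptions drawn from
# the keywords this man page and firehol.conf(5) use.

SUBCOMMANDS = {"server", "client", "route"}
ACTIONS = {"accept", "reject", "drop", "return", "tarpit"}
NAMED_PROTOS = {"tcp", "udp", "icmp", "icmpv6"}

PortRange = Optional[Tuple[int, int]]   # None stands for "any"


@dataclass
class CustomService:
    subcommand: str
    name: str
    proto: str                 # "tcp", "udp", ... or an IP protocol number such as "47"
    server_ports: PortRange    # parsed from svr-proto/ports
    client_ports_spec: str     # "default", "any" or the raw range text
    client_ports: PortRange    # parsed range; None for "any"/"default"
    action: str
    params: List[str] = field(default_factory=list)


def parse_port_range(spec: str) -> PortRange:
    """Parse 'N', 'N:M' or 'any' into an inclusive (low, high) tuple within 1..65535."""
    if spec == "any":
        return None
    m = re.fullmatch(r"(\d+)(?::(\d+))?", spec)
    if not m:
        raise ValueError(f"bad port range {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {spec!r} is out of bounds or reversed")
    return low, high


def parse_proto(spec: str) -> str:
    """Accept a protocol name or an IP protocol number (e.g. 47 for GRE, 51 for AH)."""
    if spec in NAMED_PROTOS:
        return spec
    if spec.isdigit() and 0 <= int(spec) <= 255:
        return spec
    raise ValueError(f"unknown protocol {spec!r}")


def parse_custom(line: str) -> CustomService:
    """Parse one line: subcommand custom name svr-proto/ports cli-ports action [params]."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[1] != "custom":
        raise ValueError("expected: subcommand custom name svr-proto/ports cli-ports action [params]")
    subcommand, _, name, svr, cli, action, *params = tokens
    if subcommand not in SUBCOMMANDS:
        raise ValueError(f"unknown subcommand {subcommand!r}")
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError(f"service name {name!r} must be alphanumeric/underscore")
    if "/" not in svr:
        raise ValueError("server ports must be written as proto/ports")
    proto, ports = svr.split("/", 1)
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    client_ports = None if cli in ("default", "any") else parse_port_range(cli)
    return CustomService(subcommand, name, parse_proto(proto), parse_port_range(ports),
                         cli, client_ports, action, params)


def check_custom(line: str) -> Optional[str]:
    """Return None when the line parses, otherwise the error message (usable in CI)."""
    try:
        parse_custom(line)
        return None
    except ValueError as exc:
        return str(exc)


def lint_custom(svc: CustomService, wide_range: int = 1000) -> List[str]:
    """Flag definitions that are broader than a single service usually needs."""
    warnings = []
    if svc.server_ports is None:
        warnings.append("server ports 'any': matches every port of the protocol")
    else:
        span = svc.server_ports[1] - svc.server_ports[0] + 1
        if span > wide_range:
            warnings.append(f"server range spans {span} ports")
    if svc.client_ports_spec == "any":
        warnings.append("client ports 'any': privileged source ports (1-1023) are allowed too")
    return warnings


if __name__ == "__main__":
    for text in ("server custom myimap tcp/143 default accept",
                 "server custom mygre 47/any any accept"):
        svc = parse_custom(text)
        print(svc.name, svc.proto, svc.server_ports, lint_custom(svc))
```

The linter is deliberately conservative: it only reports what the line itself says, so a wide rule inside an interface that already restricts src and dst still gets flagged and the reader decides.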

service: cvspserver

Concurrent Versions System

Example:

server cvspserver accept

Service Type:

·
simple

Server Ports:

·
tcp/2401

Client Ports:

·
default

Links

·
Homepage (http://www.nongnu.org/cvs/)
·
Wikipedia (http://en.wikipedia.org/wiki/Concurrent…)

service: darkstat

Darkstat network traffic analyser

Example:

server darkstat accept

Service Type:

·
simple

Server Ports:

·
tcp/666

Client Ports:

·
default

Links

·
Homepage (http://unix4lyfe.org/darkstat/)

service: daytime

Daytime Protocol

Example:

server daytime accept

Service Type:

·
simple

Server Ports:

·
tcp/13

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Daytime_Pr…)

service: dcc

Distributed Checksum Clearinghouse

Example:

server dcc accept

Service Type:

·
simple

Server Ports:

·
udp/6277

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Distribute…)

Notes

See also this DCC FAQ (http://www.rhyolite.com/dcc/FAQ.html#fi…).

service: dcpp

Direct Connect++ P2P

Example:

server dcpp accept

Service Type:

·
simple

Server Ports:

·
tcp/1412 udp/1412

Client Ports:

·
default

Links

·
Homepage (http://dcplusplus.sourceforge.net)

service: dhcp

Dynamic Host Configuration Protocol

Example:

server dhcp accept

Service Type:

·
complex

Server Ports:

·
udp/67

Client Ports:

·
68

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Dhcp)

Notes

The dhcp service is implemented as stateless rules.

DHCP clients broadcast to the network (src 0.0.0.0 dst 255.255.255.255) to find a DHCP server. If the DHCP service were stateful, the iptables connection tracker would not match the reply packets to that broadcast and the reply would be denied.

Note that this change does not affect the security of either DHCP servers or clients, since only the specific ports are allowed (there is no random port at either the server or the client side).

Note also that the "server dhcp accept" or "client dhcp accept" commands should be placed within interfaces that do not have src and/or dst defined (because of the initial broadcast).

You can overcome this problem by placing the DHCP service on a separate interface, without a src or dst but with a policy return. Place this interface before the one that defines the rest of the services.

For example:

interface eth0 dhcp

policy return

server dhcp accept

interface eth0 lan src "$mylan" dst "$myip"

client all accept


This service implicitly sets its client or server to ipv4 mode.

service: dhcprelay

DHCP Relay

Example:

server dhcprelay accept

Service Type:

·
simple

Server Ports:

·
udp/67

Client Ports:

·
67

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Dynamic_Ho…)

Notes

From RFC 1812 section 9.1.2:

In many cases, BOOTP clients and their associated BOOTP server(s) do not reside on the same IP (sub)network. In such cases, a third-party agent is required to transfer BOOTP messages between clients and servers. Such an agent was originally referred to as a BOOTP forwarding agent. However, to avoid confusion with the IP forwarding function of a router, the name BOOTP relay agent has been adopted instead.

For more information about DHCP Relay see section 9.1.2 of RFC 1812 (http://www.ietf.org/rfc/rfc1812.txt) and section 4 of RFC 1542 (http://www.ietf.org/rfc/rfc1542.txt)

service: dhcpv6

Dynamic Host Configuration Protocol for IPv6

Example:

server dhcpv6 accept
client dhcpv6 accept

Service Type:

·
complex

Server Ports:

·
udp/547

Client Ports:

·
udp/546

Links

·
Wikipedia (https://en.wikipedia.org/wiki/DHCPv6)

Notes

The dhcpv6 service is implemented as stateless rules. It cannot be stateful as the connection tracker will not match a unicast reply to a broadcast request. Further, if you wish to add src/dst rule parameters, you must account for both the broadcast and link-local network prefixes.

Clients broadcast from a link-local address to the multicast address ff02::1:2 on UDP port 547 to find a server. The server sends a unicast reply back to the client which listens on UDP port 546.

For a FireHOL interface, creating a client will allow sending to port 547 and receiving on port 546. Creating a server allows sending to port 546 and receiving on port 547.

Unlike DHCP for IPv4, the source ports to be used are not defined in DHCPv6 - see section 5.2 of RFC3315 (http://www.ietf.org/rfc/rfc3315.txt). Some servers are known to make use of this to send from arbitrary ports, so FireHOL does not assume a source port.

This service implicitly sets its client or server to ipv6 mode.
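Both the dhcp and the dhcpv6 notes above rest on the same point: a tracker that pairs a reply with its request by flow tuple cannot pair a broadcast (or multicast) request with the reply that comes back, so the rules must be stateless, and they stay safe only because they name fixed ports. The following is an added example and not part of this man page or of FireHOL: a deliberately simplified model of such a tracker, run over constructed DHCPv4 and DHCPv6 exchanges and over an ordinary unicast exchange for contrast. It is not nf_conntrack and ignores the special cases a real tracker implements; the addresses and the DHCPv6 server source port are made up.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Added illustration of why the dhcp and dhcpv6 services are stateless. Simplified
# model of a connection tracker; not nf_conntrack. All addresses are constructed.

FlowKey = Tuple[str, int, str, int]   # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self) -> FlowKey:
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> FlowKey:
        return (self.dst, self.dport, self.src, self.sport)


class SimpleTracker:
    """Records the tuple of each NEW packet and calls a later packet ESTABLISHED
    only when its tuple, or the exact reverse of it, has been seen before."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, bool] = {}

    def state(self, pkt: Packet) -> str:
        if pkt.key() in self.flows or pkt.reverse_key() in self.flows:
            return "ESTABLISHED"
        self.flows[pkt.key()] = True
        return "NEW"


def stateful_reply_allowed(request: Packet, reply: Packet) -> bool:
    """Stateful client rule: request leaves as NEW; the reply is accepted only if
    the tracker classifies it as ESTABLISHED."""
    tracker = SimpleTracker()
    tracker.state(request)
    return tracker.state(reply) == "ESTABLISHED"


def stateless_dhcp_reply_allowed(reply: Packet) -> bool:
    """Stateless IPv4 DHCP client rule: only udp sport 67 -> dport 68 is matched.
    No random port is involved on either side, which is why the page says the
    stateless rule costs nothing in security."""
    return reply.sport == 67 and reply.dport == 68


def stateless_dhcpv6_reply_allowed(reply: Packet) -> bool:
    """Stateless DHCPv6 client rule: the reply must arrive on udp/546; the source
    port is left open because RFC 3315 does not fix it."""
    return reply.dport == 546


def unicast_exchange() -> Dict[str, bool]:
    # Ordinary DNS query and answer: the reply tuple is the exact reverse, so the
    # stateful tracker pairs them as expected.
    request = Packet("192.0.2.10", 40000, "192.0.2.1", 53)
    reply = Packet("192.0.2.1", 53, "192.0.2.10", 40000)
    return {"stateful": stateful_reply_allowed(request, reply)}


def dhcpv4_exchange() -> Dict[str, bool]:
    # DISCOVER from 0.0.0.0:68 to 255.255.255.255:67; OFFER comes back from the
    # server's real address to the broadcast address, not to 0.0.0.0.
    request = Packet("0.0.0.0", 68, "255.255.255.255", 67)
    reply = Packet("192.0.2.1", 67, "255.255.255.255", 68)
    return {"stateful": stateful_reply_allowed(request, reply),
            "stateless": stateless_dhcp_reply_allowed(reply)}


def dhcpv6_exchange() -> Dict[str, bool]:
    # SOLICIT from a link-local address to ff02::1:2 port 547; the server answers
    # unicast to the client's port 546 from an arbitrary (constructed) source port.
    request = Packet("fe80::1", 546, "ff02::1:2", 547)
    reply = Packet("fe80::2", 49152, "fe80::1", 546)
    return {"stateful": stateful_reply_allowed(request, reply),
            "stateless": stateless_dhcpv6_reply_allowed(reply)}


if __name__ == "__main__":
    print("unicast:", unicast_exchange())
    print("DHCPv4: ", dhcpv4_exchange())
    print("DHCPv6: ", dhcpv6_exchange())
```

Running it shows the unicast case tracked normally and both DHCP replies classified as NEW, i.e. dropped by a stateful rule and accepted only by the port-specific stateless one.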

service: dict

Dictionary Server Protocol

Example:

server dict accept

Service Type:

·
simple

Server Ports:

·
tcp/2628

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/DICT)

Notes

See RFC2229 (http://www.ietf.org/rfc/rfc2229.txt).

service: distcc

Distributed CC

Example:

server distcc accept

Service Type:

·
simple

Server Ports:

·
tcp/3632

Client Ports:

·
default

Links

·
Homepage (http://distcc.samba.org/)
·
Wikipedia (http://en.wikipedia.org/wiki/Distcc)

Notes

For distcc security, please check the distcc security design (http://distcc.googlecode.com/svn/trunk/…).

service: dns

Domain Name System

Example:

server dns accept

Service Type:

·
simple

Server Ports:

·
udp/53 tcp/53

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Domain_Nam…)

Notes

On very busy DNS servers you may see a few dropped DNS packets in your logs. This is normal. The iptables connection tracker will timeout the session and lose unmatched DNS packets that arrive too late to be useful.

service: echo

Echo Protocol

Example:

server echo accept

Service Type:

·
simple

Server Ports:

·
tcp/7

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Echo_Proto…)

service: emule

eMule (Donkey network client)

Example:

client emule accept src 192.0.2.1

Service Type:

·
complex

Server Ports:

·
many

Client Ports:

·
many

Links

·
Homepage (http://www.emule-project.com)

Notes

According to eMule Port Definitions (http://www.emule-project.net/home/perl/…), FireHOL defines:

·
Accept from any client port to the server at tcp/4661
·
Accept from any client port to the server at tcp/4662
·
Accept from any client port to the server at udp/4665
·
Accept from any client port to the server at udp/4672
·
Accept from any server port to the client at tcp/4662
·
Accept from any server port to the client at udp/4672

Use the FireHOL firehol-client(5) command to match the eMule client.

Please note that the eMule client is an HTTP client also.

service: eserver

eDonkey network server

Example:

server eserver accept

Service Type:

·
simple

Server Ports:

·
tcp/4661 udp/4661 udp/4665

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Eserver)

service: ESP

IPSec Encapsulated Security Payload (ESP)

Example:

server ESP accept

Service Type:

·
simple

Server Ports:

·
50/any

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/IPsec#Enca…)

Notes

For more information see this Archive of the FreeS/WAN documentation (http://web.archive.org/web/201009181341…) and RFC 2406 (http://www.ietf.org/rfc/rfc2406.txt).

service: finger

Finger Protocol

Example:

server finger accept

Service Type:

·
simple

Server Ports:

·
tcp/79

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Finger_pro…)

service: ftp

File Transfer Protocol

Example:

server ftp accept

Service Type:

·
simple

Server Ports:

·
tcp/21

Client Ports:

·
default

Netfilter Modules

·
nf_conntrack_ftp CONFIG_NF_CONNTRACK_FTP (http://cateee.net/lkddb/web-lkddb/NF_CO…)

Netfilter NAT Modules

·
nf_nat_ftp CONFIG_NF_NAT_FTP (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Ftp)

Notes

The FTP service matches both active and passive FTP connections.

service: gift

giFT Internet File Transfer

Example:

server gift accept

Service Type:

·
simple

Server Ports:

·
tcp/4302 tcp/1214 tcp/2182 tcp/2472

Client Ports:

·
any

Links

·
Homepage (http://gift.sourceforge.net)
·
Wikipedia (http://en.wikipedia.org/wiki/GiFT)

Notes

The gift FireHOL service supports:

·
Gnutella listening at tcp/4302
·
FastTrack listening at tcp/1214
·
OpenFT listening at tcp/2182 and tcp/2472

The above ports are the defaults given for the corresponding giFT modules.

To allow access to the user interface ports of giFT, use the giftui service.

service: giftui

giFT Internet File Transfer User Interface

Example:

server giftui accept

Service Type:

·
simple

Server Ports:

·
tcp/1213

Client Ports:

·
default

Links

·
Homepage (http://gift.sourceforge.net)
·
Wikipedia (http://en.wikipedia.org/wiki/GiFT)

Notes

This service refers only to the user interface ports offered by giFT. To allow giFT to accept P2P requests, use the gift service.

service: gkrellmd

GKrellM Daemon

Example:

server gkrellmd accept

Service Type:

·
simple

Server Ports:

·
tcp/19150

Client Ports:

·
default

Links

·
Homepage (http://gkrellm.net/)
·
Wikipedia (http://en.wikipedia.org/wiki/Gkrellm)

service: GRE

Generic Routing Encapsulation

Example:

server GRE accept

Service Type:

·
simple

Server Ports:

·
47/any

Client Ports:

·
any

Netfilter Modules

·
nf_conntrack_proto_gre CONFIG_NF_CT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_CT…)

Netfilter NAT Modules

·
nf_nat_proto_gre CONFIG_NF_NAT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Generic_Ro…)

Notes

Protocol No 47.

For more information see RFC 2784 (http://www.ietf.org/rfc/rfc2784.txt).

service: h323

H.323 VoIP

Example:

server h323 accept

Service Type:

·
simple

Server Ports:

·
tcp/1720

Client Ports:

·
default

Netfilter Modules

·
nf_conntrack_h323 CONFIG_NF_CONNTRACK_H323 (http://cateee.net/lkddb/web-lkddb/NF_CO…)

Netfilter NAT Modules

·
nf_nat_h323 CONFIG_NF_NAT_H323 (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Wikipedia (http://en.wikipedia.org/wiki/H323)

service: heartbeat

HeartBeat

Example:

server heartbeat accept

Service Type:

·
simple

Server Ports:

·
udp/690:699

Client Ports:

·
default

Links

·
Homepage (http://www.linux-ha.org/)

Notes

This FireHOL service has been designed in such a way that it will allow multiple heartbeat clusters on the same LAN.

service: http

Hypertext Transfer Protocol

Example:

server http accept

Service Type:

·
simple

Server Ports:

·
tcp/80

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Http)

service: httpalt

HTTP alternate port

Example:

server httpalt accept

Service Type:

·
simple

Server Ports:

·
tcp/8080

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Http)

Notes

This port is commonly used by web servers, web proxies and caches where the standard http port is not available or cannot or should not be used.

service: https

Secure Hypertext Transfer Protocol

Example:

server https accept

Service Type:

·
simple

Server Ports:

·
tcp/443

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Https)

service: hylafax

HylaFAX

Example:

server hylafax accept

Service Type:

·
complex

Server Ports:

·
many

Client Ports:

·
many

Links

·
Homepage (http://www.hylafax.org)
·
Wikipedia (http://en.wikipedia.org/wiki/Hylafax)

Notes

This service allows incoming requests to server port tcp/4559 and outgoing from server port tcp/4558.

The correct operation of this service has not been verified.

USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558).

service: iax

Inter-Asterisk eXchange

Example:

server iax accept

Service Type:

·
simple

Server Ports:

·
udp/5036

Client Ports:

·
default

Links

·
Homepage (http://www.asterisk.org)
·
Wikipedia (http://en.wikipedia.org/wiki/Iax)

Notes

This service refers to IAX version 1. There is also iax2.

service: iax2

Inter-Asterisk eXchange v2

Example:

server iax2 accept

Service Type:

·
simple

Server Ports:

·
udp/5469 udp/4569

Client Ports:

·
default

Links

·
Homepage (http://www.asterisk.org)
·
Wikipedia (http://en.wikipedia.org/wiki/Iax)

Notes

This service refers to IAX version 2. There is also iax.

service: ICMP

Internet Control Message Protocol

Example:

server ICMP accept

Service Type:

·
simple

Server Ports:

·
icmp/any

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Internet_C…)

service: icmp

Internet Control Message Protocol
Alias for ICMP

service: ICMPV6

Internet Control Message Protocol v6

Example:

server ICMPV6 accept

Service Type:

·
simple

Server Ports:

·
icmpv6/any

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/ICMPv6)

service: icmpv6

Internet Control Message Protocol v6
Alias for ICMPV6

service: icp

Internet Cache Protocol

Example:

server icp accept

Service Type:

·
simple

Server Ports:

·
udp/3130

Client Ports:

·
3130

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Internet_C…)

service: ident

Identification Protocol

Example:

server ident reject with tcp-reset

Service Type:

·
simple

Server Ports:

·
tcp/113

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Ident_prot…)

service: imap

Internet Message Access Protocol

Example:

server imap accept

Service Type:

·
simple

Server Ports:

·
tcp/143

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Imap)

service: imaps

Secure Internet Message Access Protocol

Example:

server imaps accept

Service Type:

·
simple

Server Ports:

·
tcp/993

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Imap)

service: ipsecnatt

NAT traversal and IPsec

Service Type:

·
simple

Server Ports:

·
udp/4500

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/NAT_traver…)

service: ipv6error

ICMPv6 Error Handling

Example:

server ipv6error accept

Service Type:

·
complex

Server Ports:

·
N/A

Client Ports:

·
N/A

Notes

Not all icmpv6 error types should be treated equally inbound and outbound.

The ipv6error rule wraps all of them in the following way:

·
allow incoming messages only for existing sessions
·
allow outgoing messages always

The following ICMPv6 messages are handled:

·
destination-unreachable
·
packet-too-big
·
ttl-zero-during-transit
·
ttl-zero-during-reassembly
·
unknown-header-type
·
unknown-option

Interfaces should always have this set:

server ipv6error accept

In a router with inface being internal and outface being external the following will meet the recommendations of RFC 4890 (http://tools.ietf.org/html/rfc4890):

server ipv6error accept

Do not use "client ipv6error accept" unless you are controlling traffic on a router interface where outface is the internal destination.

This service implicitly sets its client or server to ipv6 mode.

service: ipv6neigh

IPv6 Neighbour discovery

Example:

client ipv6neigh accept
server ipv6neigh accept

Service Type:

·
complex

Server Ports:

·
N/A

Client Ports:

·
N/A

Links

·
Wikipedia (https://en.wikipedia.org/wiki/Neighbor_…)

Notes

IPv6 uses the Neighbour Discovery Protocol to do automatic configuration of routes and to replace ARP. To allow this functionality the network neighbour and router solicitation/advertisement messages should be enabled on each interface.

These rules are stateless since advertisement can happen automatically as well as on solicitation.

Neighbour discovery (incoming) should always be enabled:

server ipv6neigh accept

Neighbour advertisement (outgoing) should always be enabled:

client ipv6neigh accept

The rules should not be used to pass packets across a firewall (e.g. in a router definition) unless the firewall is for a bridge.

This service implicitly sets its client or server to ipv6 mode.

service: ipv6router

IPv6 Router discovery

Example:

client ipv6router accept

Service Type:

·
complex

Server Ports:

·
N/A

Client Ports:

·
N/A

Links

·
Wikipedia (https://en.wikipedia.org/wiki/Neighbor_…)

Notes

IPv6 uses the Neighbour Discovery Protocol to do automatic configuration of routes and to replace ARP. To allow this functionality the network neighbour and router solicitation/advertisement messages should be enabled on each interface.

These rules are stateless since advertisement can happen automatically as well as on solicitation.

Router discovery (incoming) should always be enabled:

client ipv6router accept

Router advertisement (outgoing) should be enabled on a host that routes:

server ipv6router accept

The rules should not be used to pass packets across a firewall (e.g. in a router definition) unless the firewall is for a bridge.

This service implicitly sets its client or server to ipv6 mode.

service: irc

Internet Relay Chat

Example:

server irc accept

Service Type:

·
simple

Server Ports:

·
tcp/6667

Client Ports:

·
default

Netfilter Modules

·
nf_conntrack_irc CONFIG_NF_CONNTRACK_IRC (http://cateee.net/lkddb/web-lkddb/NF_CO…)

Netfilter NAT Modules

·
nf_nat_irc CONFIG_NF_NAT_IRC (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Internet_R…)

service: isakmp

Internet Security Association and Key Management Protocol (IKE)

Example:

server isakmp accept

Service Type:

·
simple

Server Ports:

·
udp/500

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/ISAKMP)

Notes

For more information see the Archive of the FreeS/WAN documentation (http://web.archive.org/web/201009181341…)

service: jabber

Extensible Messaging and Presence Protocol

Example:

server jabber accept

Service Type:

·
simple

Server Ports:

·
tcp/5222 tcp/5223

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Jabber)

Notes

Allows clear-text and SSL client-to-server connections.

service: jabberd

Extensible Messaging and Presence Protocol (Server)

Example:

server jabberd accept

Service Type:

·
simple

Server Ports:

·
tcp/5222 tcp/5223 tcp/5269

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Jabber)

Notes

Allows clear-text and SSL client-to-server and server-to-server connections.

Use this service for a jabberd server. In all other cases, use the jabber service.

service: l2tp

Layer 2 Tunneling Protocol

Service Type:

·
simple

Server Ports:

·
udp/1701

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/L2tp)

service: ldap

Lightweight Directory Access Protocol

Example:

server ldap accept

Service Type:

·
simple

Server Ports:

·
tcp/389

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Ldap)

service: ldaps

Secure Lightweight Directory Access Protocol

Example:

server ldaps accept

Service Type:

·
simple

Server Ports:

·
tcp/636

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Ldap)

service: lpd

Line Printer Daemon Protocol

Example:

server lpd accept

Service Type:

·
simple

Server Ports:

·
tcp/515

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Line_Print…)

Notes

LPD is documented in RFC 1179 (http://www.ietf.org/rfc/rfc1179.txt).

Since many operating systems incorrectly use the non-default client ports for LPD access, this definition allows any client port to access the service (in addition to the RFC defined 721 to 731 inclusive).

service: microsoft_ds

Direct Hosted (NETBIOS-less) SMB

Example:

server microsoft_ds accept

Service Type:

·
simple

Server Ports:

·
tcp/445

Client Ports:

·
default

Notes

Direct Hosted (i.e. NETBIOS-less SMB)

This is another NETBIOS Session Service with minor differences from netbios_ssn. It is supported only by Windows 2000 and Windows XP and it offers the advantage of being independent of WINS for name resolution.

It seems that samba transparently supports this protocol on the netbios_ssn ports, so that either direct hosted or traditional SMB can be served simultaneously.

Please refer to the netbios_ssn service for more information.

service: mms

Microsoft Media Server

Example:

server mms accept

Service Type:

·
simple

Server Ports:

·
tcp/1755 udp/1755

Client Ports:

·
default

Netfilter Modules

·
See here (http://www.netfilter.org/documentation/…).

Netfilter NAT Modules

·
See here (http://www.netfilter.org/documentation/…).

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Microsoft_…)

Notes

Microsoft's proprietary network streaming protocol used to transfer unicast data in Windows Media Services (previously called NetShow Services).

service: msn

Microsoft MSN Messenger Service

Example:

server msn accept

Service Type:

·
simple

Server Ports:

·
tcp/1863 udp/1863

Client Ports:

·
default

service: msnp

msnp

Example:

server msnp accept

Service Type:

·
simple

Server Ports:

·
tcp/6891

Client Ports:

·
default

service: ms_ds

Direct Hosted (NETBIOS-less) SMB
Alias for microsoft_ds

service: multicast

Multicast

Example:

server multicast reject with proto-unreach

Service Type:

·
complex

Server Ports:

·
N/A

Client Ports:

·
N/A

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Multicast)

Notes

The multicast service matches all packets sent to the $MULTICAST_IPS addresses using IGMP or UDP. For IPv4 that means 224.0.0.0/4 and for IPv6 FF00::/16.

service: mysql

MySQL

Example:

server mysql accept

Service Type:

·
simple

Server Ports:

·
tcp/3306

Client Ports:

·
default

Links

·
Homepage (http://www.mysql.com/)
·
Wikipedia (http://en.wikipedia.org/wiki/Mysql)

service: netbackup

Veritas NetBackup service

Example:

server netbackup accept
client netbackup accept

Service Type:

·
simple

Server Ports:

·
tcp/13701 tcp/13711 tcp/13720 tcp/13721 tcp/13724 tcp/13782 tcp/13783

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Netbackup)

Notes

To use this service you must define it as both client and server in NetBackup clients and NetBackup servers.

service: netbios_dgm

NETBIOS Datagram Distribution Service

Example:

server netbios_dgm accept

Service Type:

·
simple

Server Ports:

·
udp/138

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Netbios#Da…)

Notes

See also the samba service.

Keep in mind that this service broadcasts (to the broadcast address of your LAN) UDP packets. If you place this service within an interface that has a dst parameter, remember to include (in the dst parameter) the broadcast address of your LAN too.

service: netbios_ns

NETBIOS Name Service

Example:

server netbios_ns accept

Service Type:

·
simple

Server Ports:

·
udp/137

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Netbios#Na…)

Notes

See also the samba service.

service: netbios_ssn

NETBIOS Session Service

Example:

server netbios_ssn accept

Service Type:

·
simple

Server Ports:

·
tcp/139

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Netbios#Se…)

Notes

See also the samba service.

Please keep in mind that newer NETBIOS clients prefer to use port 445 (microsoft_ds) for the NETBIOS session service, and when this is not available they fall back to port 139 (netbios_ssn). Versions of samba above 3.x bind automatically to ports 139 and 445.

If you have an older samba version and your policy on an interface or router is DROP, clients trying to access port 445 will have to timeout before falling back to port 139. This timeout can be up to several minutes.

To overcome this problem you can explicitly REJECT the microsoft_ds service with a tcp-reset message:

server microsoft_ds reject with tcp-reset

service: nfs

Network File System

Example:

client nfs accept dst 192.0.2.1

Service Type:

·
complex

Server Ports:

·
many

Client Ports:

·
N/A

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Network_Fi…)

Notes

The NFS service queries the RPC service on the NFS server host to find out the ports nfsd, mountd, lockd and rquotad are listening on. Then, according to these ports, it sets up rules on all the supported protocols (as reported by RPC) so that clients can reach the server.

For this reason, the NFS service requires that:

·
the firewall is restarted if the NFS server is restarted
·
the NFS server must be specified on all nfs statements (only if it is not the localhost)

Since NFS queries the remote RPC server, it is required to also be allowed to do so, by allowing the portmap service too. Take care that this is allowed by the running firewall when FireHOL tries to query the RPC server. So you might have to set up NFS in two steps: first add the portmap service and activate the firewall, then add the NFS service and restart the firewall.

To avoid this you can set up your NFS server to listen on pre-defined ports, as documented in [NFS Howto][NFS Howto]. If you do this then you will have to define the ports using the procedure described in Adding Services in firehol.conf(5).

[NFS Howto]: http://nfs.sourceforge.net/nfs-howto/ar…

service: nis

Network Information Service

Example:

client nis accept dst 192.0.2.1

Service Type:

·
complex

Server Ports:

·
many

Client Ports:

·
N/A

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Network_In…)

Notes

The nis service queries the RPC service on the nis server host to find out the ports ypserv and yppasswdd are listening on. Then, according to these ports, it sets up rules on all the supported protocols (as reported by RPC) so that clients can reach the server.

For this reason, the nis service requires that:

·
the firewall is restarted if the nis server is restarted
·
the nis server must be specified on all nis statements (only if it is not the localhost)

Since nis queries the remote RPC server, it is required to also be allowed to do so, by allowing the portmap service too. Take care that this is allowed by the running firewall when FireHOL tries to query the RPC server. So you might have to set up nis in two steps: first add the portmap service and activate the firewall, then add the nis service and restart the firewall.

This service was added to FireHOL by Carlos Rodrigues (http://sourceforge.net/p/firehol/featur…). His comments regarding this implementation are:

These rules work for client access only!

Pushing changes to slave servers won't work if these rules are active somewhere between the master and its slaves, because it is impossible to predict the ports where yppush will be listening on each push.

Pulling changes directly on the slaves will work, and could be improved performance-wise if these rules are modified to open fypxfrd. This wasn't done because it doesn't make that much sense since pushing changes on the master server is the most common, and recommended, way to replicate maps.
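Both the nfs and nis notes above describe the same mechanism: ask the server's port mapper where the RPC programs are listening, then build rules from the answer. The following is an added illustration written for this page, not FireHOL's own implementation. It assumes the port mapper is queried with `rpcinfo -p <server>` (the query the notes say the running firewall must permit) and parses a constructed sample of that output, so it runs offline. The port numbers for mountd, nlockmgr and ypserv in the sample are invented; on a real host they are assigned dynamically unless the daemons are pinned to fixed ports, which is exactly why the notes require a firewall restart after the server restarts.

```python
"""Added example: turn `rpcinfo -p` output into the port list a firewall
rule needs for an RPC-based service such as nfs or nis.

Illustrative code for this page, not FireHOL's implementation. It assumes
the server answers an `rpcinfo -p <server>` style query and parses a
constructed sample of that output so it runs offline.
"""
from collections import defaultdict

# Constructed sample of `rpcinfo -p` output. The mountd/nlockmgr/ypserv
# ports are invented: on a real host they are assigned dynamically unless
# the daemons are pinned to fixed ports.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  37215  mountd
    100005    3   tcp  41379  mountd
    100021    1   udp  36837  nlockmgr
    100021    4   tcp  42675  nlockmgr
    100011    1   udp    875  rquotad
    100011    2   tcp    875  rquotad
    100024    1   udp  43895  status
    100004    2   udp    722  ypserv
    100004    2   tcp    724  ypserv
"""

# RPC program names the two complex services look up, as named in the
# notes above. lockd registers with the port mapper as "nlockmgr".
SERVICE_PROGRAMS = {
    "nfs": ("nfs", "mountd", "nlockmgr", "rquotad"),
    "nis": ("ypserv", "yppasswdd"),
}


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into (service_name, proto, port) tuples.

    The header line and anything that is not a five-field registration
    row with a numeric program id and port are skipped.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        _program, _version, proto, port, name = fields
        if proto not in ("tcp", "udp") or not port.isdigit():
            continue
        entries.append((name, proto, int(port)))
    return entries


def ports_for(service, rpcinfo_text):
    """Return {proto: sorted ports} for every program `service` depends on."""
    wanted = SERVICE_PROGRAMS[service]
    found = defaultdict(set)
    for name, proto, port in parse_rpcinfo(rpcinfo_text):
        if name in wanted:
            found[proto].add(port)
    return {proto: sorted(ports) for proto, ports in sorted(found.items())}


def firehol_port_tokens(service, rpcinfo_text):
    """Render the result as proto/port tokens in this man page's notation."""
    return [f"{proto}/{port}"
            for proto, ports in ports_for(service, rpcinfo_text).items()
            for port in ports]


def missing_programs(service, rpcinfo_text):
    """Programs the service expects but the port mapper did not report.

    A non-empty result means the generated rules would be incomplete: the
    daemon is not running, or the portmap query itself was blocked, which
    is the two-step setup problem the notes warn about.
    """
    seen = {name for name, _proto, _port in parse_rpcinfo(rpcinfo_text)}
    return sorted(p for p in SERVICE_PROGRAMS[service] if p not in seen)


if __name__ == "__main__":
    for svc in SERVICE_PROGRAMS:
        print(svc, firehol_port_tokens(svc, SAMPLE_RPCINFO),
              "missing:", missing_programs(svc, SAMPLE_RPCINFO))
```

Running it against the sample yields the nfs ports on both protocols, the nis ports for ypserv only, and reports yppasswdd as missing for nis, which is the condition a defender should check for before trusting a rule set generated this way: a rule set built while the query was blocked, or while a daemon was down, silently omits ports.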

service: nntp

Network News Transfer Protocol

Example:

server nntp accept

Service Type:

·
simple

Server Ports:

·
tcp/119

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Nntp)

service: nntps

Secure Network News Transfer Protocol

Example:

server nntps accept

Service Type:

·
simple

Server Ports:

·
tcp/563

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Nntp)

service: nrpe

Nagios NRPE

Service Type:

·
simple

Server Ports:

·
tcp/5666

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Nagios#NRPE)

service: ntp

Network Time Protocol

Example:

server ntp accept

Service Type:

·
simple

Server Ports:

·
udp/123 tcp/123

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Network_Ti…)

service: nut

Network UPS Tools

Example:

server nut accept

Service Type:

·
simple

Server Ports:

·
tcp/3493 udp/3493

Client Ports:

·
default

Links

·
Homepage (http://www.networkupstools.org/)

service: nxserver

NoMachine NX Server

Example:

server nxserver accept

Service Type:

·
simple

Server Ports:

·
tcp/5000:5200

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/NX_Server)

Notes

Default ports used by NX server for connections without encryption.

Note that nxserver also needs the ssh service to be enabled.

This information has been extracted from this The TCP ports used by nxserver are 4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT. DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200.

For encrypted nxserver sessions, only ssh is needed.

service: openvpn

OpenVPN

Service Type:

·
simple

Server Ports:

·
tcp/1194 udp/1194

Client Ports:

·
default

Links

·
Homepage (http://openvpn.net/)
·
Wikipedia (http://en.wikipedia.org/wiki/OpenVPN)

service: oracle

Oracle Database

Example:

server oracle accept

Service Type:

·
simple

Server Ports:

·
tcp/1521

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Oracle_db)

service: OSPF

Open Shortest Path First

Example:

server OSPF accept

Service Type:

·
simple

Server Ports:

·
89/any

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Ospf)

service: ping

Ping (ICMP echo)

Example:

server ping accept

Service Type:

·
complex

Server Ports:

·
N/A

Client Ports:

·
N/A

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Ping)

Notes

This service matches requests of protocol ICMP and type echo-request (TYPE=8) and their replies of type echo-reply (TYPE=0).

The ping service is stateful.

service: pop3

Post Office Protocol

Example:

server pop3 accept

Service Type:

·
simple

Server Ports:

·
tcp/110

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Pop3)

service: pop3s

Secure Post Office Protocol

Example:

server pop3s accept

Service Type:

·
simple

Server Ports:

·
tcp/995

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Pop3)

service: portmap

Open Network Computing Remote Procedure Call - Port Mapper

Example:

server portmap accept

Service Type:

·
simple

Server Ports:

·
udp/111 tcp/111

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Portmap)

service: postgres

PostgreSQL

Example:

server postgres accept

Service Type:

·
simple

Server Ports:

·
tcp/5432

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Postgres)

service: pptp

Point-to-Point Tunneling Protocol

Example:

server pptp accept

Service Type:

·
simple

Server Ports:

·
tcp/1723

Client Ports:

·
default

Netfilter Modules

·
nf_conntrack_pptp CONFIG_NF_CONNTRACK_PPTP (http://cateee.net/lkddb/web-lkddb/NF_CO…)
·
nf_conntrack_proto_gre CONFIG_NF_CT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_CT…)

Netfilter NAT Modules

·
nf_nat_pptp CONFIG_NF_NAT_PPTP (http://cateee.net/lkddb/web-lkddb/NF_NA…)
·
nf_nat_proto_gre CONFIG_NF_NAT_PROTO_GRE (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Pptp)

service: privoxy

Privacy Proxy

Example:

server privoxy accept

Service Type:

·
simple

Server Ports:

·
tcp/8118

Client Ports:

·
default

Links

·
Homepage (http://www.privoxy.org/)

service: radius

Remote Authentication Dial In User Service (RADIUS)

Example:

server radius accept

Service Type:

·
simple

Server Ports:

·
udp/1812 udp/1813

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

service: radiusold

Remote Authentication Dial In User Service (RADIUS)

Example:

server radiusold accept

Service Type:

·
simple

Server Ports:

·
udp/1645 udp/1646

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

service: radiusoldproxy

Remote Authentication Dial In User Service (RADIUS)

Example:

server radiusoldproxy accept

Service Type:

·
simple

Server Ports:

·
udp/1647

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

service: radiusproxy

Remote Authentication Dial In User Service (RADIUS)

Example:

server radiusproxy accept

Service Type:

·
simple

Server Ports:

·
udp/1814

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/RADIUS)

service: rdp

Remote Desktop Protocol

Example:

server rdp accept

Service Type:

·
simple

Server Ports:

·
tcp/3389

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Remote_Des…)

Notes

Remote Desktop Protocol is also known as Terminal Services.

service: rndc

Remote Name Daemon Control

Example:

server rndc accept

Service Type:

·
simple

Server Ports:

·
tcp/953

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Rndc)

service: rsync

rsync protocol

Example:

server rsync accept

Service Type:

·
simple

Server Ports:

·
tcp/873 udp/873

Client Ports:

·
default

Links

·
Homepage (http://rsync.samba.org/)
·
Wikipedia (http://en.wikipedia.org/wiki/Rsync)

service: rtp

Real-time Transport Protocol

Example:

server rtp accept

Service Type:

·
simple

Server Ports:

·
udp/10000:20000

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Real-time_…)

Notes

RTP can in general use any UDP port. This definition narrows the RTP ports down to UDP 10000 to 20000.

service: samba

Samba

Example:

server samba accept

Service Type:

·
complex

Server Ports:

·
many

Client Ports:

·
default

Links

·
Homepage (http://www.samba.org/)
·
Wikipedia (http://en.wikipedia.org/wiki/Samba_(sof…)

Notes

The samba service automatically sets all the rules for netbios_ns, netbios_dgm, netbios_ssn and microsoft_ds.

Please refer to the notes of the above services for more information.

NETBIOS name requests are sent to the broadcast address of an interface, but the server responds from its own IP address. Because of the way the iptables connection tracker works, the reply does not match the tracked request, so a plain "server samba accept" statement drops the server reply.

This service definition includes a hack that allows a Linux samba server to respond correctly in such situations, by allowing new outgoing connections from the well-known netbios_ns port to the clients' high ports.

However, for clients and routers this hack is not applied, because it would open all unprivileged ports to the samba server. The only way to overcome the problem in such cases (routers or clients) is to build a trust relationship between the samba servers and clients.

service: sane

SANE Scanner service

Service Type:

·
simple

Server Ports:

·
tcp/6566

Client Ports:

·
default

Netfilter Modules

·
nf_conntrack_sane CONFIG_NF_CONNTRACK_SANE (http://cateee.net/lkddb/web-lkddb/NF_CO…)

Netfilter NAT Modules

·
N/A

Links

·
Homepage (http://www.sane-project.org/)

service: sip

Session Initiation Protocol

Example:

server sip accept

Service Type:

·
simple

Server Ports:

·
udp/5060

Client Ports:

·
5060 default

Netfilter Modules

·
nf_conntrack_sip CONFIG_NF_CONNTRACK_SIP (http://cateee.net/lkddb/web-lkddb/NF_CO…)

Netfilter NAT Modules

·
nf_nat_sip CONFIG_NF_NAT_SIP (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Session_In…)

Notes

SIP (http://www.voip-info.org/wiki/view/SIP) is an IETF standard protocol (RFC 2543) for initiating interactive user sessions involving multimedia elements such as video, voice, chat, gaming, etc. SIP works in the application layer of the OSI communications model.

service: smtp

Simple Mail Transport Protocol

Example:

server smtp accept

Service Type:

·
simple

Server Ports:

·
tcp/25

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Simple_Mai…)

service: smtps

Secure Simple Mail Transport Protocol

Example:

server smtps accept

Service Type:

·
simple

Server Ports:

·
tcp/465

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/SMTPS)

service: snmp

Simple Network Management Protocol

Example:

server snmp accept

Service Type:

·
simple

Server Ports:

·
udp/161

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Simple_Net…)

service: snmptrap

SNMP Trap

Example:

server snmptrap accept

Service Type:

·
simple

Server Ports:

·
udp/162

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Simple_Net…)

Notes

An SNMP trap is a notification from an agent to a manager.

service: socks

SOCKet Secure

Example:

server socks accept

Service Type:

·
simple

Server Ports:

·
tcp/1080 udp/1080

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/SOCKS)

Notes

See also RFC 1928 (http://www.ietf.org/rfc/rfc1928.txt).

service: squid

Squid Web Cache

Example:

server squid accept

Service Type:

·
simple

Server Ports:

·
tcp/3128

Client Ports:

·
default

Links

·
Homepage (http://www.squid-cache.org/)
·
Wikipedia (http://en.wikipedia.org/wiki/Squid_(sof…)

service: ssh

Secure Shell Protocol

Example:

server ssh accept

Service Type:

·
simple

Server Ports:

·
tcp/22

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Secure_She…)

service: stun

Session Traversal Utilities for NAT

Example:

server stun accept

Service Type:

·
simple

Server Ports:

·
udp/3478 udp/3479

Client Ports:

·
any

Links

·
Wikipedia (http://en.wikipedia.org/wiki/STUN)

Notes

STUN (http://www.voip-info.org/wiki/view/STUN) is a protocol for assisting devices behind a NAT firewall or router with their packet routing.

service: submission

SMTP over SSL/TLS submission

Example:

server submission accept

Service Type:

·
simple

Server Ports:

·
tcp/587

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Simple_Mai…)

Notes

Submission is essentially normal SMTP with an SSL/TLS negotiation.

service: sunrpc

Open Network Computing Remote Procedure Call - Port Mapper
Alias for portmap

service: swat

Samba Web Administration Tool

Example:

server swat accept

Service Type:

·
simple

Server Ports:

·
tcp/901

Client Ports:

·
default

Links

·
Homepage (http://www.samba.org/samba/docs/man/Sam…)

service: syslog

Syslog Remote Logging Protocol

Example:

server syslog accept

Service Type:

·
simple

Server Ports:

·
udp/514

Client Ports:

·
syslog default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Syslog)

service: telnet

Telnet

Example:

server telnet accept

Service Type:

·
simple

Server Ports:

·
tcp/23

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Telnet)

service: tftp

Trivial File Transfer Protocol

Example:

server tftp accept

Service Type:

·
simple

Server Ports:

·
udp/69

Client Ports:

·
default

Netfilter Modules

·
nf_conntrack_tftp CONFIG_NF_CONNTRACK_TFTP (http://cateee.net/lkddb/web-lkddb/NF_CO…)

Netfilter NAT Modules

·
nf_nat_tftp CONFIG_NF_NAT_TFTP (http://cateee.net/lkddb/web-lkddb/NF_NA…)

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Trivial_Fi…)

service: time

Time Protocol

Example:

server time accept

Service Type:

·
simple

Server Ports:

·
tcp/37 udp/37

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Time_Proto…)

service: timestamp

ICMP Timestamp

Example:

server timestamp accept

Service Type:

·
complex

Server Ports:

·
N/A

Client Ports:

·
N/A

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Internet_C…)

Notes

This service matches requests of protocol ICMP and type timestamp-request (TYPE=13) and their replies of type timestamp-reply (TYPE=14).

The timestamp service is stateful.

service: tomcat

HTTP alternate port
Alias for httpalt

service: upnp

Universal Plug and Play

Example:

server upnp accept

Service Type:

·
simple

Server Ports:

·
udp/1900 tcp/2869

Client Ports:

·
default

Links

·
Homepage (http://upnp.sourceforge.net/)
·
Wikipedia (http://en.wikipedia.org/wiki/Universal_…)

Notes

For a Linux implementation see: Linux IGD (http://linux-igd.sourceforge.net/).

service: uucp

Unix-to-Unix Copy

Example:

server uucp accept

Service Type:

·
simple

Server Ports:

·
tcp/540

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/UUCP)

service: vmware

vmware

Example:

server vmware accept

Service Type:

·
simple

Server Ports:

·
tcp/902

Client Ports:

·
default

Notes

Used from VMWare 1 and up. See the VMWare KnowledgeBase (http://kb.vmware.com/selfservice/micros…).

service: vmwareauth

vmwareauth

Example:

server vmwareauth accept

Service Type:

·
simple

Server Ports:

·
tcp/903

Client Ports:

·
default

Notes

Used from VMWare 1 and up. See the VMWare KnowledgeBase (http://kb.vmware.com/selfservice/micros…).

service: vmwareweb

vmwareweb

Example:

server vmwareweb accept

Service Type:

·
simple

Server Ports:

·
tcp/8222 tcp/8333

Client Ports:

·
default

Notes

Used from VMWare 2 and up. See VMWare Server 2.0 release notes (http://www.vmware.com/support/server2/d…) and the VMWare KnowledgeBase (http://kb.vmware.com/selfservice/micros…).

service: vnc

Virtual Network Computing

Example:

server vnc accept

Service Type:

·
simple

Server Ports:

·
tcp/5900:5903

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Virtual_Ne…)

Notes

VNC is a graphical desktop sharing protocol.

service: webcache

HTTP alternate port
Alias for httpalt

service: webmin

Webmin Administration System

Example:

server webmin accept

Service Type:

·
simple

Server Ports:

·
tcp/10000

Client Ports:

·
default

Links

·
Homepage (http://www.webmin.com/)

service: whois

WHOIS Protocol

Example:

server whois accept

Service Type:

·
simple

Server Ports:

·
tcp/43

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/Whois)

service: xbox

Xbox Live

Example:

client xbox accept

Service Type:

·
complex

Server Ports:

·
many

Client Ports:

·
default

Notes

Definition for the Xbox live service.

See program source for contributor details.

service: xdmcp

X Display Manager Control Protocol

Example:

server xdmcp accept

Service Type:

·
simple

Server Ports:

·
udp/177

Client Ports:

·
default

Links

·
Wikipedia (http://en.wikipedia.org/wiki/X_display_…#X_Display_Manager_Control_Protocol)

Notes

See Gnome Display Manager (http://www.jirka.org/gdm-documentation/…) for a discussion about XDMCP and firewalls (Gnome Display Manager is a replacement for XDM).

Authors

FireHOL Team.

Referenced By

firehol-client(5), firehol-conf(5), firehol-server(5).

Built 15 Feb 2015 FireHOL Reference 2.0.1