sad/firehol
1
0
Fork 0
mirror of https://github.com/firehol/firehol.git synced 2024-06-29 18:32:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
master
firehol/doc/services-db.data
Dimitris Apostolou 8e3735fc2a
Fix typos
2022-02-06 10:48:52 +02:00

1364 lines
38 KiB
Plaintext
Raw Permalink Blame History

#
# This service information database is combined with information extracted
# from the FireHOL script to create the services documentation.
#
# Where information is present in this file it will override the information
# extracted from the script (which is useful for e.g. complex protocols).
#
# All services in the script should at the minimum be listed with a NAME
# entry.
#
# The format is:
# SERVICE <name>
# \tNAME <value>
# \tALIAS <alternative-name>
# \tWIKI <wikipedia-link>
# \tCPORT <client-ports>
# \tSPORT <server-ports>
# \tMOD <netfilter-module>
# \tMODNAT <netfilter-nat-module>
# \tEXAMPLE
# \t\tmultiline
# \t\tstrings
# \tNOTES
# \t\tmultiline
# \t\tstrings
#
# CPORT and SPORT may be slightly confusing... SPORT is the destination port
# when defining the server-side of a service.
#
SERVICE AH
NAME IPSec Authentication Header (AH)
WIKI http://en.wikipedia.org/wiki/IPsec#Authentication_Header
EXAMPLE
server AH accept
NOTES
For more information see this
[Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#AH.ipsec)
and [RFC 2402](http://www.ietf.org/rfc/rfc2402.txt).
SERVICE ESP
NAME IPSec Encapsulated Security Payload (ESP)
EXAMPLE
server ESP accept
WIKI http://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload
NOTES
For more information see this
[Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#ESP.ipsec)
[RFC 2406](http://www.ietf.org/rfc/rfc2406.txt).
SERVICE GRE
NAME Generic Routing Encapsulation
WIKI http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
EXAMPLE
server GRE accept
NOTES
Protocol No 47.
-
For more information see RFC [RFC 2784](http://www.ietf.org/rfc/rfc2784.txt).
SERVICE OSPF
NAME Open Shortest Path First
WIKI http://en.wikipedia.org/wiki/Ospf
EXAMPLE
server OSPF accept
SERVICE all
NAME Match all traffic
CPORT all
SPORT all
EXAMPLE
server all accept
NOTES
Matches all traffic (all protocols, ports, etc.). Note that
to provide "connections in one direction with replies"
semantics, the kernel connection tracker is still used:
this will therefore still not match packets if they are
not understood as part of a connection (e.g. some
ICMPv6 packets, requests and replies taking different routes,
complex protocols with no helper loaded).
-
This service may indirectly setup a set of other services,
if they require kernel modules to be loaded.
SERVICE amanda
NAME Advanced Maryland Automatic Network Disk Archiver
HOME http://www.amanda.org/
WIKI http://en.wikipedia.org/wiki/Advanced_Maryland_Automatic_Network_Disk_Archiver
SERVICE any
NAME Match all traffic (without modules or indirect)
CPORT all
SPORT all
EXAMPLE
server any *myname* accept proto 47
NOTES
Matches all traffic (all protocols, ports, etc), but does
not care about kernel modules and does not activate any
other service indirectly. In combination with the
[firehol-params(5)](#firehol-params5)
this service can match unusual traffic (e.g. GRE - protocol 47).
-
Note that you have to supply your own name in addition to
"any".
SERVICE anystateless
NAME Match all traffic statelessly
CPORT all
SPORT all
EXAMPLE
server anystateless *myname* accept proto 47
NOTES
Matches all traffic (all protocols, ports, etc), but does
not care about kernel modules and does not activate any other
service indirectly. In combination with the
[firehol-params(5)](#firehol-params5)
this service can match unusual traffic (e.g. GRE - protocol 47).
-
This service is identical to "any" but does not care about
the state of traffic.
-
Note that you have to supply your own name in addition to
"anystateless".
SERVICE apcupsd
NAME APC UPS Daemon
HOME http://www.apcupsd.com
WIKI http://en.wikipedia.org/wiki/Apcupsd
EXAMPLE
server apcupsd accept
NOTES
This service must be defined as "server apcupsd accept" on
all machines not directly connected to the UPS (i.e. slaves).
-
Note that the port defined here is not the default port (6666)
used if you download and compile APCUPSD, since the default
conflicts with IRC and many distributions (like Debian) have
changed this to 6544.
-
You can define port 6544 in APCUPSD, by changing the value
of NETPORT in its configuration file, or overwrite this
FireHOL service definition using the procedures described
in [Adding Services](#adding-services)
in [firehol.conf(5)](#firehol.conf5).
SERVICE apcupsdnis
NAME APC UPS Daemon Network Information Server
HOME http://www.apcupsd.com
WIKI http://en.wikipedia.org/wiki/Apcupsd
EXAMPLE
server apcupsdnis accept
NOTES
This service allows the remote WEB interfaces of
[APCUPSD](http://www.apcupsd.com/), to connect
and get information from the server directly connected to
the UPS device.
SERVICE aptproxy
NAME Advanced Packaging Tool Proxy
WIKI http://en.wikipedia.org/wiki/Apt-proxy
EXAMPLE
server aptproxy accept
SERVICE asterisk
NAME Asterisk PABX
HOME http://www.asterisk.org
WIKI http://en.wikipedia.org/wiki/Asterisk_PBX
EXAMPLE
server asterisk accept
NOTES
This service refers only to the manager interface of asterisk.
You should normally enable
[sip][keyword-service-sip],
[h323][keyword-service-h323],
[rtp][keyword-service-rtp], etc. at the
firewall level, if you enable the relative channel drivers
of asterisk.
SERVICE cups
NAME Common UNIX Printing System
HOME http://www.cups.org
WIKI http://en.wikipedia.org/wiki/Common_Unix_Printing_System
EXAMPLE
server cups accept
SERVICE custom
NAME Custom definitions
EXAMPLE
server custom myimap tcp/143 default accept
NOTES
The full syntax is:
-
*subcommand* `custom` *name* *svr-proto/ports* *cli-ports* *action* *params*
-
This service is used by FireHOL to allow you create rules
for services which do not have a definition.
-
`subcommand`, *action* and *params* have their usual meanings.
-
A *name* must be supplied along with server
ports in the form *proto/range*
and client ports which takes only a
*range*.
-
To define services with the built-in extension mechanism
to avoid the need for `custom` services,
see [Adding Services](#adding-services)
in [firehol.conf(5)](#firehol.conf5).
SERVICE cvspserver
NAME Concurrent Versions System
HOME http://www.nongnu.org/cvs/
WIKI http://en.wikipedia.org/wiki/Concurrent_Versions_System
EXAMPLE
server cvspserver accept
SERVICE darkstat
NAME Darkstat network traffic analyser
HOME https://unix4lyfe.org/darkstat/
EXAMPLE
server darkstat accept
SERVICE daytime
NAME Daytime Protocol
WIKI http://en.wikipedia.org/wiki/Daytime_Protocol
EXAMPLE
server daytime accept
SERVICE dcc
NAME Distributed Checksum Clearinghouse
EXAMPLE
server dcc accept
WIKI http://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse
NOTES
See also this
[DCC FAQ](http://www.rhyolite.com/dcc/FAQ.html#firewall-ports).
SERVICE dcpp
NAME Direct Connect++ P2P
HOME http://dcplusplus.sourceforge.net
EXAMPLE
server dcpp accept
SERVICE dhcp
NAME Dynamic Host Configuration Protocol
WIKI http://en.wikipedia.org/wiki/Dhcp
CPORT 68
SPORT udp/67
EXAMPLE
server dhcp accept
NOTES
The dhcp service is implemented as stateless rules.
-
DHCP clients broadcast to the network (src 0.0.0.0
dst 255.255.255.255) to find a DHCP server. If the DHCP
service was stateful the iptables connection tracker would
not match the packets and deny to send the reply.
-
Note that this change does not affect the security of either
DHCP servers or clients, since only the specific ports are
allowed (there is no random port at either the server or the
client side).
-
Note also that the "server dhcp accept" or "client dhcp accept"
commands should placed within interfaces that do not
have src and / or dst defined (because of the initial
broadcast).
-
You can overcome this problem by placing the DHCP service on
a separate interface, without a src or dst but with a policy
return. Place this interface before the one that defines the
rest of the services.
-
For example:
-
`interface eth0 dhcp`
-
` policy return`
-
` server dhcp accept`
-
-
`interface eth0 lan src "$mylan" dst "$myip"`
-
` client all accept`
-
For example:
interface eth0 dhcp
policy return
server dhcp accept
interface eth0 lan src "$mylan" dst "$myip"
client all accept
-
This service implicitly sets its client or server to ipv4 mode.
SERVICE dhcprelay
NAME DHCP Relay
EXAMPLE
server dhcprelay accept
WIKI http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol#DHCP_relaying
NOTES
From RFC 1812 section 9.1.2:
-
In many cases, BOOTP clients and their associated BOOTP
server(s) do not reside on the same IP (sub)network. In
such cases, a third-party agent is required to transfer
BOOTP messages between clients and servers. Such an agent
was originally referred to as a BOOTP forwarding agent.
However, to avoid confusion with the IP forwarding function
of a router, the name BOOTP relay agent has been adopted
instead.
-
For more information about DHCP Relay see section 9.1.2 of
[RFC 1812](http://www.ietf.org/rfc/rfc1812.txt)
and section 4 of
[RFC 1542](http://www.ietf.org/rfc/rfc1542.txt)
SERVICE dhcpv6
NAME Dynamic Host Configuration Protocol for IPv6
WIKI https://en.wikipedia.org/wiki/DHCPv6
CPORT udp/546
SPORT udp/547
EXAMPLE
server dhcpv6 accept
client dhcpv6 accept
NOTES
The dhcp service is implemented as stateless rules.
It cannot be stateful as the connection tracker will not
match a unicast reply to a broadcast request. Further,
if you wish to add src/dst rule parameters, you must
account for both the broadcast and link-local network prefixes.
-
Clients broadcast from a link-local address to the
multicast address ff02::1:2 on UDP port 547 to find a
server. The server sends a unicast reply back to the
client which listens on UDP port 546.
-
For a FireHOL interface, creating a client will allow
sending to port 547 and receiving on port 546. Creating
a server allows sending to port 546 and receiving on port 547.
-
Unlike DHCP for IPv4, the source ports to be used are not
defined in DHCPv6 - see section 5.2 of
[RFC3315](http://www.ietf.org/rfc/rfc3315.txt).
Some servers are known to make use of this to send from
arbitrary ports, so FireHOL does not assume a source port.
-
This service implicitly sets its client or server to ipv6 mode.
SERVICE dict
NAME Dictionary Server Protocol
WIKI http://en.wikipedia.org/wiki/DICT
EXAMPLE
server dict accept
NOTES
See
[RFC2229](http://www.ietf.org/rfc/rfc2229.txt).
SERVICE distcc
NAME Distributed CC
HOME https://code.google.com/p/distcc/
WIKI http://en.wikipedia.org/wiki/Distcc
EXAMPLE
server distcc accept
NOTES
For distcc security, please check the
[distcc security design](http://distcc.googlecode.com/svn/trunk/doc/web/security.html).
SERVICE dns
NAME Domain Name System
WIKI http://en.wikipedia.org/wiki/Domain_Name_System
EXAMPLE
server dns accept
NOTES
On very busy DNS servers you may see a few dropped DNS
packets in your logs. This is normal. The iptables
connection tracker will timeout the session and lose
unmatched DNS packets that arrive too late to be useful.
SERVICE echo
NAME Echo Protocol
WIKI http://en.wikipedia.org/wiki/Echo_Protocol
EXAMPLE
server echo accept
SERVICE emule
NAME eMule (Donkey network client)
HOME http://www.emule-project.com
CPORT many
SPORT many
EXAMPLE
client emule accept src 192.0.2.1
NOTES
According to
[eMule Port Definitions](http://www.emule-project.net/home/perl/help.cgi?l=1&rm=show_topic&topic_id=122),
FireHOL defines:
-
* Accept from any client port to the server at tcp/4661
* Accept from any client port to the server at tcp/4662
* Accept from any client port to the server at udp/4665
* Accept from any client port to the server at udp/4672
* Accept from any server port to the client at tcp/4662
* Accept from any server port to the client at udp/4672
-
Use the FireHOL [firehol-client(5)][keyword-firehol-client]
command to match the eMule client.
-
Please note that the eMule client is an HTTP client also.
SERVICE eserver
NAME eDonkey network server
WIKI http://en.wikipedia.org/wiki/Eserver
EXAMPLE
server eserver accept
SERVICE finger
NAME Finger Protocol
WIKI http://en.wikipedia.org/wiki/Finger_protocol
EXAMPLE
server finger accept
SERVICE ftp
NAME File Transfer Protocol
WIKI http://en.wikipedia.org/wiki/Ftp
EXAMPLE
server ftp accept
NOTES
The FTP service matches both active and passive FTP
connections.
SERVICE gift
NAME giFT Internet File Transfer
HOME http://gift.sourceforge.net
WIKI http://en.wikipedia.org/wiki/GiFT
EXAMPLE
server gift accept
NOTES
The gift FireHOL service supports:
-
* Gnutella listening at tcp/4302
* FastTrack listening at tcp/1214
* OpenFT listening at tcp/2182 and tcp/2472
-
The above ports are the defaults given for the corresponding
giFT modules.
-
To allow access to the user interface ports of giFT, use
the [giftui][keyword-service-giftui].
SERVICE giftui
NAME giFT Internet File Transfer User Interface
HOME http://gift.sourceforge.net
WIKI http://en.wikipedia.org/wiki/GiFT
EXAMPLE
server giftui accept
NOTES
This service refers only to the user interface ports offered
by giFT. To allow gift accept P2P requests, use the
[gift][keyword-service-gift].
SERVICE gkrellmd
NAME GKrellM Daemon
HOME http://gkrellm.net/
WIKI http://en.wikipedia.org/wiki/Gkrellm
EXAMPLE
server gkrellmd accept
SERVICE h323
NAME H.323 VoIP
WIKI http://en.wikipedia.org/wiki/H323
EXAMPLE
server h323 accept
SERVICE heartbeat
NAME HeartBeat
HOME http://www.linux-ha.org/
EXAMPLE
server heartbeat accept
NOTES
This FireHOL service has been designed such a way that it
will allow multiple heartbeat clusters on the same LAN.
SERVICE http
NAME Hypertext Transfer Protocol
WIKI http://en.wikipedia.org/wiki/Http
EXAMPLE
server http accept
SERVICE httpalt
WIKI http://en.wikipedia.org/wiki/Http
ALIAS webcache
ALIAS tomcat
NAME HTTP alternate port
EXAMPLE
server httpalt accept
NOTES
This port is commonly used by web servers, web proxies
and caches where the standard [http][keyword-service-http]
port is not available or can or should not be used.
SERVICE https
NAME Secure Hypertext Transfer Protocol
WIKI http://en.wikipedia.org/wiki/Https
EXAMPLE
server https accept
SERVICE hylafax
NAME HylaFAX
HOME http://www.hylafax.org/
WIKI http://en.wikipedia.org/wiki/Hylafax
CPORT many
SPORT many
EXAMPLE
server hylafax accept
NOTES
This service allows incoming requests to server port
tcp/4559 and outgoing from server port tcp/4558.
-
The correct operation of this service has not been verified.
-
USE THIS WITH CARE. A HYLAFAX CLIENT MAY OPEN ALL TCP
UNPRIVILEGED PORTS TO ANYONE (from port tcp/4558).
SERVICE iax
NAME Inter-Asterisk eXchange
HOME http://www.asterisk.org
WIKI http://en.wikipedia.org/wiki/Iax
EXAMPLE
server iax accept
NOTES
This service refers to IAX version 1.
There is also [iax2][keyword-service-iax2].
SERVICE iax2
NAME Inter-Asterisk eXchange v2
HOME http://www.asterisk.org
WIKI http://en.wikipedia.org/wiki/Iax
EXAMPLE
server iax2 accept
NOTES
This service refers to IAX version 2.
There is also [iax][keyword-service-iax].
SERVICE ICMP
ALIAS icmp
NAME Internet Control Message Protocol
WIKI http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
EXAMPLE
server ICMP accept
SERVICE ICMPV6
ALIAS icmpv6
NAME Internet Control Message Protocol v6
WIKI http://en.wikipedia.org/wiki/ICMPv6
EXAMPLE
server ICMPV6 accept
SERVICE icp
NAME Internet Cache Protocol
WIKI http://en.wikipedia.org/wiki/Internet_Cache_Protocol
EXAMPLE
server icp accept
SERVICE ident
NAME Identification Protocol
WIKI http://en.wikipedia.org/wiki/Ident_protocol
EXAMPLE
server ident reject with tcp-reset
SERVICE imap
NAME Internet Message Access Protocol
WIKI http://en.wikipedia.org/wiki/Imap
EXAMPLE
server imap accept
SERVICE imaps
NAME Secure Internet Message Access Protocol
WIKI http://en.wikipedia.org/wiki/Imap
EXAMPLE
server imaps accept
SERVICE ipsecnatt
NAME NAT traversal and IPsec
WIKI http://en.wikipedia.org/wiki/NAT_traversal#IPsec_traversal_across_NAT
SERVICE ipv6error
NAME ICMPv6 Error Handling
EXAMPLE
server ipv6error accept
NOTES
This service is not needed from 3.0.0. It will do nothing
but issue a warning from 3.1.0; it will be removed in 4.0.0.
-
The linux connection tracker ensures that ICMPv6 errors
are marked as RELATED. Since 3.0.0, these are automatically
accepted by FireHOL, making a separate command redundant.
SERVICE ipv6neigh
NAME IPv6 Neighbour discovery
WIKI https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
EXAMPLE
client ipv6neigh accept
server ipv6neigh accept
NOTES
IPv6 uses the Neighbour Discovery Protocol to do automatic
configuration of routes and to replace ARP. To allow this
functionality the network neighbour and router
solicitation/advertisement messages should be enabled on
each interface.
-
These rules are stateless since advertisement can happen
automatically as well as on solicitation.
-
Neighbour discovery (incoming) should always be enabled:
-
`server ipv6neigh accept`
-
Neighbour advertisement (outgoing) should always be enabled:
-
`client ipv6neigh accept`
-
The rules should not be used to pass packets across a
firewall (e.g. in a router definition) unless the firewall
is for a bridge.
-
This service implicitly sets its client or server to ipv6 mode.
SERVICE ipv6router
NAME IPv6 Router discovery
WIKI https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
EXAMPLE
client ipv6router accept
NOTES
IPv6 uses the Neighbour Discovery Protocol to do automatic
configuration of routes and to replace ARP. To allow this
functionality the network neighbour and router
solicitation/advertisement messages should be enabled on
each interface.
-
These rules are stateless since advertisement can happen
automatically as well as on solicitation.
-
Router discovery (incoming) should always be enabled:
-
`client ipv6router accept`
-
Router advertisement (outgoing) should be enabled on
a host that routes:
-
`server ipv6router accept`
-
The rules should not be used to pass packets across a
firewall (e.g. in a router definition) unless the firewall
is for a bridge.
-
This service implicitly sets its client or server to ipv6 mode.
SERVICE ipv6mld
NAME IPv6 Multicast Listener Discovery for IPv6
WIKI https://en.wikipedia.org/wiki/Multicast_Listener_Discovery
EXAMPLE
client ipv6mld accept
NOTES
IPv6 uses Multicast Listener Discovery to discover multicast
listeners and what they are listening for.
-
In practice all IPv6 nodes are multicast listeners since
multicast is used in the neighbour discovery protocol which
replaces ARP in IPv4.
-
These rules are stateless since reports can happen
automatically as well as on query.
-
Unless multicast snooping is disabled across the network, MLD
should be enabled for any clients:
-
`client ipv6mld accept`
-
MLD should also be enabled as a server on any hosts acting as a
router:
-
`server ipv6mld accept`
-
The rules should generally not be used to pass packets across a
firewall (e.g. in a router definition) unless the firewall
is for a bridge.
-
This service implicitly sets its client or server to ipv6 mode.
SERVICE irc
NAME Internet Relay Chat
WIKI http://en.wikipedia.org/wiki/Internet_Relay_Chat
EXAMPLE
server irc accept
SERVICE isakmp
NAME Internet Security Association and Key Management Protocol (IKE)
WIKI http://en.wikipedia.org/wiki/ISAKMP
EXAMPLE
server isakmp accept
NOTES
For more information see the
[Archive of the FreeS/WAN documentation](http://web.archive.org/web/20100918134143/http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/ipsec.html#IKE.ipsec)
SERVICE jabber
NAME Extensible Messaging and Presence Protocol
WIKI http://en.wikipedia.org/wiki/Jabber
EXAMPLE
server jabber accept
NOTES
Allows clear and SSL client-to-server connections.
SERVICE jabberd
NAME Extensible Messaging and Presence Protocol (Server)
WIKI http://en.wikipedia.org/wiki/Jabber
EXAMPLE
server jabberd accept
NOTES
Allows clear and SSL client-to-server and server-to-server
connections.
-
Use this service for a jabberd server. In all other cases,
use the [jabber][keyword-service-jabber].
SERVICE l2tp
NAME Layer 2 Tunneling Protocol
WIKI http://en.wikipedia.org/wiki/L2tp
SERVICE ldap
NAME Lightweight Directory Access Protocol
WIKI http://en.wikipedia.org/wiki/Ldap
EXAMPLE
server ldap accept
SERVICE ldaps
NAME Secure Lightweight Directory Access Protocol
WIKI http://en.wikipedia.org/wiki/Ldap
EXAMPLE
server ldaps accept
SERVICE lpd
NAME Line Printer Daemon Protocol
WIKI http://en.wikipedia.org/wiki/Line_Printer_Daemon_protocol
EXAMPLE
server lpd accept
NOTES
LPD is documented in
[RFC 1179](http://www.ietf.org/rfc/rfc1179.txt).
-
Since many operating systems incorrectly use the non-default
client ports for LPD access, this definition allows any
client port to access the service (in addition to
the RFC defined 721 to 731 inclusive).
SERVICE microsoft_ds
NAME Direct Hosted (NETBIOS-less) SMB
ALIAS ms_ds
EXAMPLE
server microsoft_ds accept
NOTES
Direct Hosted (i.e. NETBIOS-less SMB)
-
This is another NETBIOS Session Service with minor
differences with [netbios_ssn][keyword-service-netbios_ssn].
It is supported only by Windows 2000 and Windows XP and
it offers the advantage of being independent of WINS for
name resolution.
-
It seems that samba supports transparently this protocol
on the [netbios_ssn][keyword-service-netbios_ssn] ports, so
that either direct hosted or traditional SMB can be served
simultaneously.
-
Please refer to the [netbios_ssn][keyword-service-netbios_ssn]
for more information.
SERVICE mms
NAME Microsoft Media Server
WIKI http://en.wikipedia.org/wiki/Microsoft_Media_Server
MOD See [here](http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).
MODNAT See [here](http://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-5.html#ss5.5).
EXAMPLE
server mms accept
NOTES
Microsoft's proprietary network streaming protocol used
to transfer unicast data in Windows Media Services
(previously called NetShow Services).
SERVICE msn
NAME Microsoft MSN Messenger Service
EXAMPLE
server msn accept
NOTES
SERVICE msnp
NAME msnp
EXAMPLE
server msnp accept
SERVICE multicast
NAME Multicast
WIKI http://en.wikipedia.org/wiki/Multicast
CPORT N/A
SPORT N/A
EXAMPLE
server multicast reject with proto-unreach
NOTES
The multicast service matches all packets sent to
the $MULTICAST_IPS addresses using IGMP or UDP.
For IPv4 that means 224.0.0.0/4 and for IPv6 FF00::/16.
SERVICE mysql
NAME MySQL
HOME http://www.mysql.com/
WIKI http://en.wikipedia.org/wiki/Mysql
EXAMPLE
server mysql accept
SERVICE netbackup
NAME Veritas NetBackup service
WIKI http://en.wikipedia.org/wiki/Netbackup
EXAMPLE
server netbackup accept
client netbackup accept
NOTES
To use this service you must define it as both client and
server in NetBackup clients and NetBackup servers.
SERVICE netbios_dgm
NAME NETBIOS Datagram Distribution Service
WIKI http://en.wikipedia.org/wiki/Netbios#Datagram_distribution_service
EXAMPLE
server netbios_dgm accept
NOTES
See also the [samba][keyword-service-samba].
-
Keep in mind that this service broadcasts (to the broadcast
address of your LAN) UDP packets. If you place this service
within an interface that has a dst parameter, remember to
include (in the dst parameter) the broadcast address of your
LAN too.
SERVICE netbios_ns
NAME NETBIOS Name Service
WIKI http://en.wikipedia.org/wiki/Netbios#Name_service
EXAMPLE
server netbios_ns accept
NOTES
See also the [samba][keyword-service-samba].
SERVICE netbios_ssn
NAME NETBIOS Session Service
WIKI http://en.wikipedia.org/wiki/Netbios#Session_service
EXAMPLE
server netbios_ssn accept
NOTES
See also the [samba][keyword-service-samba].
-
Please keep in mind that newer NETBIOS clients prefer to use
port 445 ([microsoft_ds][keyword-service-microsoft_ds]) for the
NETBIOS session service, and when this is not available they
fall back to port 139 (netbios_ssn). Versions of samba above
3.x bind automatically to ports 139 and 445.
-
If you have an older samba version and your policy on an
interface or router is DROP, clients trying to access port
445 will have to timeout before falling back to port 139.
This timeout can be up to several minutes.
-
To overcome this problem you can explicitly REJECT the
[microsoft_ds][keyword-service-microsoft_ds] with a
tcp-reset message:
-
server microsoft_ds reject with tcp-reset
SERVICE nfs
NAME Network File System
WIKI http://en.wikipedia.org/wiki/Network_File_System_%28protocol%29
SPORT many
EXAMPLE
client nfs accept dst 192.0.2.1
NOTES
The NFS service queries the RPC service on the NFS server
host to find out the ports nfsd, mountd, lockd and rquotad
are listening. Then, according to these ports it sets up
rules on all the supported protocols (as reported by RPC)
in order the clients to be able to reach the server.
-
For this reason, the NFS service requires that:
-
* the firewall is restarted if the NFS server is restarted
* the NFS server must be specified on all nfs statements (only if it is not the localhost)
-
Since NFS queries the remote RPC server, it is required to
also be allowed to do so, by allowing the
[portmap][keyword-service-portmap] too. Take care that
this is allowed by the running firewall when FireHOL tries
to query the RPC server. So you might have to setup NFS in
two steps: First add the portmap service and activate the
firewall, then add the NFS service and restart the firewall.
-
To avoid this you can setup your NFS server to listen on
pre-defined ports, as documented in
[NFS Howto][NFS Howto].
If you do this then you will have to define the the ports
using the procedure described
in [Adding Services](#adding-services)
in [firehol.conf(5)](#firehol.conf5).
-
[NFS Howto]: http://nfs.sourceforge.net/nfs-howto/ar01s06.html#nfs_firewalls
SERVICE nis
NAME Network Information Service
WIKI http://en.wikipedia.org/wiki/Network_Information_Service
SPORT many
EXAMPLE
client nis accept dst 192.0.2.1
NOTES
The nis service queries the RPC service on the nis server
host to find out the ports ypserv and yppasswdd are listening.
Then, according to these ports it sets up rules on all the
supported protocols (as reported by RPC) in order the clients
to be able to reach the server.
-
For this reason, the nis service requires that:
-
* the firewall is restarted if the nis server is restarted
* the nis server must be specified on all nis statements (only if it is not the localhost)
-
Since nis queries the remote RPC server, it is required to
also be allowed to do so, by allowing the
[portmap][keyword-service-portmap] too. Take care that
this is allowed by the running firewall when FireHOL tries
to query the RPC server. So you might have to setup nis in
two steps: First add the portmap service and activate the
firewall, then add the nis service and restart the firewall.
-
This service was added to FireHOL by
[Carlos Rodrigues](http://sourceforge.net/p/firehol/feature-requests/20/).
His comments regarding this implementation, are:
-
These rules work for client access only!
-
Pushing changes to slave servers won't work if these rules
are active somewhere between the master and its slaves,
because it is impossible to predict the ports where yppush
will be listening on each push.
-
Pulling changes directly on the slaves will work, and could
be improved performance-wise if these rules are modified to
open fypxfrd. This wasn't done because it doesn't make that
much sense since pushing changes on the master server is
the most common, and recommended, way to replicate maps.
SERVICE nntp
NAME Network News Transfer Protocol
WIKI http://en.wikipedia.org/wiki/Nntp
EXAMPLE
server nntp accept
SERVICE nntps
NAME Secure Network News Transfer Protocol
WIKI http://en.wikipedia.org/wiki/Nntp
EXAMPLE
server nntps accept
SERVICE nrpe
NAME Nagios NRPE
WIKI http://en.wikipedia.org/wiki/Nagios#NRPE
SERVICE ntp
NAME Network Time Protocol
WIKI http://en.wikipedia.org/wiki/Network_Time_Protocol
EXAMPLE
server ntp accept
SERVICE nut
NAME Network UPS Tools
HOME http://www.networkupstools.org/
EXAMPLE
server nut accept
SERVICE nxserver
NAME NoMachine NX Server
WIKI http://en.wikipedia.org/wiki/NX_Server
EXAMPLE
server nxserver accept
NOTES
Default ports used by NX server for connections without
encryption.
-
Note that nxserver also needs the [ssh][keyword-service-ssh]
to be enabled.
-
This information has been extracted from this
The TCP ports used by nxserver are
4000 + DISPLAY_BASE to 4000 + DISPLAY_BASE + DISPLAY_LIMIT.
DISPLAY_BASE and DISPLAY_LIMIT are set in /usr/NX/etc/node.conf
and the defaults are DISPLAY_BASE=1000 and DISPLAY_LIMIT=200.
-
For encrypted nxserver sessions, only
[ssh][keyword-service-ssh] is needed.
SERVICE openvpn
NAME OpenVPN
HOME http://openvpn.net/
WIKI http://en.wikipedia.org/wiki/OpenVPN
SERVICE oracle
NAME Oracle Database
WIKI http://en.wikipedia.org/wiki/Oracle_db
EXAMPLE
server oracle accept
SERVICE ping
NAME Ping (ICMP echo)
WIKI http://en.wikipedia.org/wiki/Ping
CPORT N/A
SPORT N/A
EXAMPLE
server ping accept
NOTES
This services matches requests of protocol ICMP and type
echo-request (TYPE=8) and their replies of type echo-reply
(TYPE=0).
-
The ping service is stateful.
SERVICE pop3
NAME Post Office Protocol
WIKI http://en.wikipedia.org/wiki/Pop3
EXAMPLE
server pop3 accept
SERVICE pop3s
NAME Secure Post Office Protocol
WIKI http://en.wikipedia.org/wiki/Pop3
EXAMPLE
server pop3s accept
SERVICE portmap
ALIAS sunrpc
NAME Open Network Computing Remote Procedure Call - Port Mapper
WIKI http://en.wikipedia.org/wiki/Portmap
EXAMPLE
server portmap accept
SERVICE postgres
NAME PostgreSQL
WIKI http://en.wikipedia.org/wiki/Postgres
EXAMPLE
server postgres accept
SERVICE pptp
NAME Point-to-Point Tunneling Protocol
WIKI http://en.wikipedia.org/wiki/Pptp
EXAMPLE
server pptp accept
SERVICE privoxy
NAME Privacy Proxy
HOME http://www.privoxy.org/
EXAMPLE
server privoxy accept
SERVICE radius
NAME Remote Authentication Dial In User Service (RADIUS)
WIKI http://en.wikipedia.org/wiki/RADIUS
EXAMPLE
server radius accept
SERVICE radiusold
NAME Remote Authentication Dial In User Service (RADIUS)
WIKI http://en.wikipedia.org/wiki/RADIUS
EXAMPLE
server radiusold accept
SERVICE radiusoldproxy
NAME Remote Authentication Dial In User Service (RADIUS)
WIKI http://en.wikipedia.org/wiki/RADIUS
EXAMPLE
server radiusoldproxy accept
SERVICE radiusproxy
NAME Remote Authentication Dial In User Service (RADIUS)
WIKI http://en.wikipedia.org/wiki/RADIUS
EXAMPLE
server radiusproxy accept
SERVICE rdp
NAME Remote Desktop Protocol
WIKI http://en.wikipedia.org/wiki/Remote_Desktop_Protocol
EXAMPLE
server rdp accept
NOTES
Remote Desktop Protocol is also known also as
Terminal Services.
SERVICE rndc
NAME Remote Name Daemon Control
WIKI http://en.wikipedia.org/wiki/Rndc
EXAMPLE
server rndc accept
SERVICE rsync
NAME rsync protocol
HOME http://rsync.samba.org/
WIKI http://en.wikipedia.org/wiki/Rsync
EXAMPLE
server rsync accept
SERVICE rtp
NAME Real-time Transport Protocol
WIKI http://en.wikipedia.org/wiki/Real-time_Transport_Protocol
EXAMPLE
server rtp accept
NOTES
RTP ports are generally all the UDP ports.
This definition narrows down RTP ports to UDP 10000 to 20000.
SERVICE samba
NAME Samba
CPORT default
SPORT many
HOME http://www.samba.org/
WIKI http://en.wikipedia.org/wiki/Samba_(software)
EXAMPLE
server samba accept
NOTES
The samba service automatically sets all the rules for
[netbios_ns][keyword-service-netbios_ns],
[netbios_dgm][keyword-service-netbios_dgm],
[netbios_ssn][keyword-service-netbios_ssn] and
[microsoft_ds][keyword-service-microsoft_ds].
-
Please refer to the notes of the above services for more
information.
-
NETBIOS initiates based on the broadcast address of an
interface (request goes to broadcast address) but the server
responds from its own IP address. This makes the
"server samba accept" statement drop the server reply,
because of the way the iptables connection tracker works.
-
This service definition includes a hack, that allows a
Linux samba server to respond correctly in such situations,
by allowing new outgoing connections from the well known
[netbios_ns][keyword-service-netbios_ns] port to the clients
high ports.
-
However, for clients and routers this hack is not applied
because it would open all unprivileged ports to the samba
server. The only solution to overcome the problem in such
cases (routers or clients) is to build a trust relationship
between the samba servers and clients.
SERVICE sane
NAME SANE Scanner service
HOME http://www.sane-project.org/
MODNAT N/A
SERVICE sip
NAME Session Initiation Protocol
EXAMPLE
server sip accept
WIKI http://en.wikipedia.org/wiki/Session_Initiation_Protocol
NOTES
[SIP](http://www.voip-info.org/wiki/view/SIP) is an IETF
standard protocol (RFC 2543) for initiating interactive user
sessions involving multimedia elements such as video, voice,
chat, gaming, etc. SIP works in the application layer of
the OSI communications model.
SERVICE smtp
NAME Simple Mail Transport Protocol
WIKI http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
EXAMPLE
server smtp accept
SERVICE smtps
NAME Secure Simple Mail Transport Protocol
WIKI http://en.wikipedia.org/wiki/SMTPS
EXAMPLE
server smtps accept
SERVICE snmp
NAME Simple Network Management Protocol
WIKI http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol
EXAMPLE
server snmp accept
SERVICE snmptrap
NAME SNMP Trap
WIKI http://en.wikipedia.org/wiki/Simple_Network_Management_Protocol#Trap
EXAMPLE
server snmptrap accept
NOTES
An SNMP trap is a notification from an agent to a manager.
SERVICE socks
NAME SOCKet Secure
WIKI http://en.wikipedia.org/wiki/SOCKS
EXAMPLE
server socks accept
NOTES
See also [RFC 1928](http://www.ietf.org/rfc/rfc1928.txt).
SERVICE squid
NAME Squid Web Cache
HOME http://www.squid-cache.org/
WIKI http://en.wikipedia.org/wiki/Squid_(software)
EXAMPLE
server squid accept
SERVICE ssh
NAME Secure Shell Protocol
WIKI http://en.wikipedia.org/wiki/Secure_Shell
EXAMPLE
server ssh accept
SERVICE stun
NAME Session Traversal Utilities for NAT
WIKI http://en.wikipedia.org/wiki/STUN
EXAMPLE
server stun accept
NOTES
[STUN](http://www.voip-info.org/wiki/view/STUN)
is a protocol for assisting devices behind a NAT firewall or
router with their packet routing.
SERVICE submission
NAME SMTP over SSL/TLS submission
WIKI http://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol
EXAMPLE
server submission accept
NOTES
Submission is essentially normal SMTP with an SSL/TLS
negotiation.
SERVICE swat
NAME Samba Web Administration Tool
HOME http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/SWAT.html
EXAMPLE
server swat accept
SERVICE syslog
NAME Syslog Remote Logging Protocol
WIKI http://en.wikipedia.org/wiki/Syslog
EXAMPLE
server syslog accept
SERVICE telnet
NAME Telnet
WIKI http://en.wikipedia.org/wiki/Telnet
EXAMPLE
server telnet accept
SERVICE tftp
NAME Trivial File Transfer Protocol
WIKI http://en.wikipedia.org/wiki/Trivial_File_Transfer_Protocol
EXAMPLE
server tftp accept
SERVICE time
NAME Time Protocol
WIKI http://en.wikipedia.org/wiki/Time_Protocol
EXAMPLE
server time accept
SERVICE timestamp
NAME ICMP Timestamp
CPORT N/A
SPORT N/A
WIKI http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Timestamp
EXAMPLE
server timestamp accept
NOTES
This services matches requests of protocol ICMP and type
timestamp-request (TYPE=13) and their replies of type
timestamp-reply (TYPE=14).
-
The timestamp service is stateful.
SERVICE upnp
NAME Universal Plug and Play
EXAMPLE
server upnp accept
HOME http://upnp.sourceforge.net/
WIKI http://en.wikipedia.org/wiki/Universal_Plug_and_Play
NOTES
For a Linux implementation see:
[Linux IGD](http://linux-igd.sourceforge.net/).
SERVICE uucp
NAME Unix-to-Unix Copy
WIKI http://en.wikipedia.org/wiki/UUCP
EXAMPLE
server uucp accept
SERVICE vmware
NAME vmware
EXAMPLE
server vmware accept
NOTES
Used from VMWare 1 and up. See the
[VMWare KnowledgeBase](http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).
SERVICE vmwareauth
NAME vmwareauth
EXAMPLE
server vmwareauth accept
NOTES
Used from VMWare 1 and up. See the
[VMWare KnowledgeBase](http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).
SERVICE vmwareweb
NAME vmwareweb
EXAMPLE
server vmwareweb accept
NOTES
Used from VMWare 2 and up. See
[VMWare Server 2.0 release notes](http://www.vmware.com/support/server2/doc/releasenotes_vmserver2.html)
and the
[VMWare KnowledgeBase](http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012382).
SERVICE vnc
NAME Virtual Network Computing
WIKI http://en.wikipedia.org/wiki/Virtual_Network_Computing
EXAMPLE
server vnc accept
NOTES
VNC is a graphical desktop sharing protocol.
SERVICE webmin
NAME Webmin Administration System
HOME http://www.webmin.com/
EXAMPLE
server webmin accept
SERVICE whois
NAME WHOIS Protocol
WIKI http://en.wikipedia.org/wiki/Whois
EXAMPLE
server whois accept
SERVICE xbox
CPORT default
SPORT many
NAME Xbox Live
EXAMPLE
client xbox accept
NOTES
Definition for the Xbox live service.
-
See program source for contributor details.
SERVICE xdmcp
NAME X Display Manager Control Protocol
EXAMPLE
server xdmcp accept
WIKI http://en.wikipedia.org/wiki/X_display_manager_(program_type)#X_Display_Manager_Control_Protocol
NOTES
See [Gnome Display Manager](http://www.jirka.org/gdm-documentation/x70.html)
for a discussion about XDMCP and firewalls (Gnome Display
Manager is a replacement for XDM).
Reference in New Issue View Git Blame Copy Permalink