
FIREWALL TCP/UDP PORTS


Which Protocols to Filter

The decision to filter certain protocols and fields depends on the network access policy, i.e., which systems should have Internet access and what type of access to permit. The following services are inherently vulnerable to abuse and are usually blocked at a firewall from entering or leaving the site:

  • tftp, port 69, trivial FTP (which may be used for booting diskless workstations, terminal servers and routers), can also be used to read any file on the system if set up incorrectly.
  • X Windows, Open Windows, ports 6000+ and port 2000, can leak information from X window displays, including all keystrokes.
  • RPC, port 111, Remote Procedure Call services including NIS and NFS, which can be used to steal system information such as passwords and to read and write files.
  • rlogin, rsh and rexec, ports 513, 514 and 512, are all services that, if improperly configured, can permit unauthorised access to accounts and commands.

Other services, whether inherently dangerous or not, are usually filtered and possibly restricted to only those systems that need them. These would include:

  • TELNET, port 23, often restricted to only certain systems.
  • FTP, ports 20 and 21, often restricted to only certain systems.
    See http://slacksite.com/other/ftp.html for a full explanation of Active and Passive FTP and their different port usage. Most firewalls have FTP proxies which cope with dynamically opening the appropriate ports for Active and Passive FTP, so you only need to actually open TCP port 21; the proxy dynamically opens the rest.
  • SMTP, port 25, often restricted to a central E-mail server.
  • POP3, port 110. Email clients retrieve mail by POP3 from port 110 on the mail server.
  • IDENT, port 113. The IDENT protocol is often used by POP mail, FTP and HTTP servers to identify incoming users. Most users consider the IDENT protocol a security violation, because it could allow an outsider to gain confidential knowledge of your secured network, but for speed it is probably worth enabling inbound from an email server on a DMZ to the internal network clients, to speed up POP access.
  • IMAP, port 143. Email clients retrieve mail by IMAP from port 143 on the mail server.
  • LDAP, port 389. Lightweight Directory Access Protocol uses port 389 on the directory server.
  • RIP, port 520, (routing information protocol) can be spoofed to redirect packet routing.
  • DNS, port 53, domain name service. Zone transfers contain names of hosts and information about hosts that could be helpful to attackers, and DNS could be spoofed.
  • UUCP, port 540, (UNIX-to-UNIX Copy) if improperly configured can be used for unauthorised access.
  • NNTP, port 119, (Network News Transfer Protocol) for accessing and reading network news.
  • GOPHER, http (for Mosaic), ports 70 and 80, information servers and client programs for gopher and WWW clients, should be restricted to an application gateway that contains proxy services.
  • PPTP Microsoft, port 1723 both directions, uses protocol 47 (the GRE protocol Version 2.0).
  • FILEMAKER IP, port 5003, both directions. Port published by Filemaker Pro Server.
  • REAL AUDIO, tcp port 7070, udp ports 6170-7170, Rather than just opening these ports a slightly safer configuration can be achieved by careful configuration of the TCP port connection. The TCP port 7070 is used by the client to initiate a conversation with an external RealServer, to authenticate the player to the server, and to pass control messages during playback (e.g., pausing or stopping the audio stream). Since you do not want incoming connection attempts on this port, you should configure the router's access control list to allow TCP connections on port 7070 to be initiated from the inside network exclusively. Incoming traffic, on the other hand, should only be allowed if it is part of an ongoing connection. This is assured by requiring incoming TCP packets to have the ACK bit set in the TCP header carried by every packet. The syntax for specifying that the ACK bit must be set varies with the kind of router you own, but for Cisco routers the flag "ESTABLISHED" can be put at the end of the line in an access rule to specify that an incoming packet must be part of an ongoing conversation.
  • TIMBUKTU PRO uses the following ports: UDP port 407 and TCP ports 1417 through 1420 must be open. Timbuktu Pro uses UDP port 407 for connection handshaking and then switches to the TCP ports for the Timbuktu services: Control (1417), Observe (1418), Send (1419) and Exchange (1420). Chat, Notify and Intercom use dynamic TCP ports.
  • ICQ Messaging must be able to communicate with the ICQ server. This is done via TCP port 5190 to login.icq.com (previously UDP 4000 to icq.mirabilis.com) and needs a bidirectional connection on this port number. ICQ client-to-client connection uses TCP in the port range 1024-65535. This means that the client needs an open listening port within that range, 1024 to 65535. Opening all these ports is obviously impractical. The ICQ client can be configured to work with a firewall or proxy server (see www.icq.com), but this generally results in reduced ICQ functionality. If you're using IP masquerading, i.e. NAT, as most firewalls do, you will need a SOCKS proxy server to implement ICQ connectivity for more than one internal user.
  • pcANYWHERE: the default ports for pcAnywhere are 5631 (TCP) and 5632 (UDP), but it can be configured to use another port by editing the registry; see www.symantec.com.
  • Windows 2000 Terminal Services: tcp port 3389 inbound and dynamic outbound ports.
  • MICROSOFT NETMEETING (H.323): tcp ports 522, 389, 1503, 1720 and 1731, plus two secondary dynamically negotiated udp ports in the range 1024-65535 for the H.323 streaming transmission of audio and video. For outgoing transmission of audio and video you only have to enable these ports outbound. Unfortunately, to allow incoming audio and video you need to open up the entire 1024-65536 range as well as tcp 1503, 1720 and 1731, due to the complexity of the H.323 protocol, which pre-dates the introduction of network address translation. Unless you have a firewall or proxy that specifically supports the H.323 protocol at the application level, and thus supports the virtual opening of dynamic incoming udp ports, you are stuck opening them all up. See Microsoft's Knowledge Base article "How to Establish NetMeeting Connections Through a Firewall", Q158623.
  • How to Block Instant Messaging: to fully block instant messaging you need a two-pronged approach of blocking both the IP addresses of the servers and the default ports used:
    AOL IM
    login.oscar.aol.com
    Default Port: 5190

    ICQ
    login.icq.com
    Default Port: 5190

    MSN Messenger
    207.46.104.20 gateway.messenger.hotmail.com
    64.4.13.171 http1.msgr.hotmail.com
    .. .. .. ..
    .. .. .. ..
    64.4.13.190 http20.msgr.hotmail.com
    .. .. .. ..
    Yahoo
    cs.yahoo.com
    Default Port: 5050

    Note that some messaging services, such as AOL, have a tendency to change their servers' IP addresses once or twice a year.
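As an added illustration (not code from the Linnet Solutions page), the following Python models the stateless filter decisions described above: the inherently vulnerable services (tftp, RPC, the r-services, X/Open Windows) blocked in both directions, and the RealAudio rule that lets TCP 7070 be initiated only from the inside network while inbound packets must carry the ACK bit (what the Cisco "ESTABLISHED" keyword checks). The Packet structure, the 6000-6063 X display range and the sample packets are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    direction: str    # "in" = Internet -> site, "out" = site -> Internet
    sport: int
    dport: int
    ack: bool = False  # TCP ACK flag; the SYN that opens a connection has it clear

# Services the page lists as inherently vulnerable: blocked in both directions.
BLOCKED_PORTS = {
    69: "tftp", 111: "RPC/NIS/NFS", 512: "rexec", 513: "rlogin", 514: "rsh",
    2000: "Open Windows",
}

def is_x_display(port: int) -> bool:
    # X Windows listens on 6000 + display number; the 64-display cap is an assumption.
    return 6000 <= port <= 6063

def realaudio_verdict(pkt: Packet):
    """RealAudio control channel (TCP 7070): may be initiated from inside only."""
    if pkt.proto != "tcp":
        return None
    if pkt.direction == "out" and pkt.dport == 7070:
        return "allow"                     # inside player -> external RealServer
    if pkt.direction == "in" and pkt.sport == 7070:
        # Server replies count as part of a conversation only with ACK set ("established").
        return "allow" if pkt.ack else "deny"
    if pkt.direction == "in" and pkt.dport == 7070:
        return "deny"                      # nobody outside may open 7070 inwards
    return None

def filter_packet(pkt: Packet) -> str:
    """Return "allow" or "deny" for one packet under the policy on this page."""
    if pkt.dport in BLOCKED_PORTS or is_x_display(pkt.dport):
        return "deny"
    verdict = realaudio_verdict(pkt)
    return verdict if verdict is not None else "allow"

# Constructed sample traffic: one packet per case discussed above.
SAMPLE = [
    Packet("udp", "in", 3001, 69),               # tftp request from outside
    Packet("tcp", "out", 40001, 7070),           # player opens a RealAudio session
    Packet("tcp", "in", 7070, 40001, ack=True),  # server's reply within that session
    Packet("tcp", "in", 7070, 40001),            # bare SYN claiming port 7070: refused
    Packet("tcp", "out", 40002, 80),             # ordinary web request
]

def verdicts(packets=SAMPLE):
    return [filter_packet(p) for p in packets]
```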

Certain protocols have problems with Network Address Translation (NAT); see RFC 3027 for more details.

Send mail to Andy Gray with any comments about this web site.
Last modified: 15 September 2005

www.linnetsol.co.uk © 2005 Linnet Solutions Ltd
All Rights Reserved