 | Appendix G |
| Appendix G |
Table G-1 lists the IP protocols that are commonly used on the Internet. For completeness, it also lists many protocols that are no longer used and are only of historic interest.
You can use this table to help you decide which protocols you do and do not wish to support on your UNIX computers. You can also use this table to help you decide which protocols to pass or block with a screening router, as described in Chapter 21, Firewalls. For example, at most sites you will wish to block protocols such as tftp, sunrpc, printer, rlogin and rexec. Most site administrators will probably wish to allow protocols such as ftp, smtp, domain, and nntp. Other protocols can be problematical.
The "Suggested Firewall Handling" column gives a sample firewall policy that should be sufficient for many sites; in some cases, footnotes provide additional explanation. We generally advise blocking all services that are not absolutely essential. The reason for this suggestion is that even simple services, such as TCP echo, can be used as a means for launching a denial of service attack against your network. These services can also be used by an attacker to learn about your internal network topology. Although these services are occasionally useful for debugging, we feel that their presence is, in general, a liability - an accident waiting to happen. Services which are not listed in this table should be blocked unless you have a specific reason for allowing them to cross your firewall. For detailed information about firewalls policy and filtering, we suggest that you consult Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky (O'Reilly & Associates, 1995).
The "Notes" section in this table contains a brief description of the service. If the word "Sniff" appears, then this protocol may involve programs that require passwords and may be vulnerable to password sniffing; you may wish to disable it on this basis, or only use it with a one-time password system. The word "Spoof" indicates that the usual programs that use the protocol depend on IP-based authentication for its security and can be compromised with a variety of spoofing attacks. The annotation "Obsolete" appears on protocols which may no longer be in general use. Note that the absence of a "Sniff" or "Spoof" annotation does not mean that the protocol is not vulnerable to such attacks.
The "Site Notes" column is a place where you can make your own notes about what you plan to do at your site.
NOTE: This is not a comprehensive list of TCP and UDP services; instead, it is a list of the services that are most commonly found on UNIX-based computers. If you have computers on your network that are running operating systems other than UNIX, you may wish to pass packets that use ports not discussed here. A complete list of all assigned port numbers can be found in RFC 1700 (or its successors)
In addition to the services noted in the table, you should block all IP addresses coming from outside your network which claim to come from inside your network. That is, any packet coming into your network with a source IP address that indicates it is from your network should be discarded.
IP packets with unusual option bits or invalid combinations of option bits should be blocked. This should probably include packets with source routing or record-route options set.
Fragmented packets should be blocked if the offset for reassembly specifies a zero offset (that would cause the reassembly to rewrite the IP header). [1]
[1] The idea for this table is based, in part, on Appendix B, Important Files from the book Firewalls and Internet Security, by William R. Cheswick and Steven M. Bellovin (Addison-Wesley, 1994).
| Port | Protocol | Name | Notes | Suggested Firewall Handling | Site Notes |
|---|---|---|---|---|---|
| 1 | TCP | tcpmux | TCP port multiplexer. Rarely used. | Block | |
| 7 | UDP, TCP | echo | Echos UDP packets and characters sent down TCP streams. | Block[2] | |
| 9 | UDP, TCP | discard | Accepts connections, but discards the data. | Block | |
| 11 | TCP | systat | System status - reports the active users on your system. Some systems connect this to who. | Block | |
| 13 | UDP, TCP | daytime | Time of day in human-readable form. | Block[3] | |
| 15 | TCP | netstat | Network status, human-readable. Obsolete (officially unassigned as of 10/94). | Block | |
| 17 | UDP | qotd | Quote of the day. | Block | |
| 19 | UDP, TCP | chargen | Character generator. | Block | |
| 20 | TCP | ftp-data | Data and command ports for FTP. Sniff. | requires special handling. | |
| 21 | TCP | ftp | |||
| 23 | TCP | telnet | Telnet virtual terminal. Sniff. | Be careful. [4] | |
| 24 | UDP, TCP | For use by private email systems. | Block | ||
| 25 | TCP | smtp | Email. | Allow to your firewall gate or bastion host. | |
| 37 | UDP, TCP | time | Time of day, in machine-readable form. | Block | |
| 38 | UDP, TCP | rap | Route Access Protocol. | Block | |
| 42 | UDP, TCP | name | Host Name Server. Obsolete. | Block | |
| 43 | TCP | whois | Normally only run by NICs. | Outbound only or Block. | |
| 48 | UDP, TCP | auditd | Digital Equipment Corporation audit daemon. | Block | |
| 49 | UDP | tacacs | Sniff. Spoof. | Block. You should place your tacacs authentication servers on the same side of your firewall as your terminal concentrators. | |
| 53 | UDP, TCP | domain | Domain Name Service. Spoof. | Run separate nameservers for internal and external use. If you use firewall proxies, then you only need to provide DNS service on your firewall computer. | |
| 67, 68 | UDP | bootp | Boot protocol. | Block | |
| 69 | UDP | tftp | Trivial FTP. | Block | |
| 70 | TCP | gopher, gopher+ | Text-based information service. Sniff. | Outbound access with proxies. Inbound connections only to an organizational gopher server running on a special host. | |
| 79 | TCP | finger | Return information about a particular user account or machine. | Outbound only. [5] (You may wish to refer inbound finger queries to a particular message.) | |
| 80 | TCP | http | World Wide Web. Sniff. Spoof. | Outbound access with proxies. Inbound connections only to an organizational WWW server running on a special host. | |
| 87 | TCP | link | Block | ||
| 88 | UDP | kerberos | Distributed authentication mechanism. | Block unless you need inter-realm authentication. | |
| 94 | UDP, TCP | objcall | Tivoli Object Dispatcher. | Block | |
| 95 | TCP | supdup | Virtual terminal similar to Telnet, rarely used. Sniff. | Block | |
| 109 | TCP | pop-2 | Post Office Protocol, allows reading mail over Internet. Sniff. | Block unless there is a specific need to access email through firewall. Consider using APOP, which is not susceptible to password sniffing. If you do pass this service, pass inbound connections only to your email host. | |
| 110 | TCP | pop-3 | Better Post Office Protocol. Sniff. | ||
| 111 | UDP, TCP | sunrpc | Sun RPC portmapper. Spoof. [6] | Block | |
| 113 | TCP | auth | TCP authentication service. Identifies the username belonging to a TCP connection.Spoof. | Limit or block incoming requests.[7] | |
| 119 | TCP | nntp | Network News Transport Protocol. | Block with exceptions.[8] | |
| 121 | UDP, TCP | erpc | Encore Expedited Remote Procedure Call. | Block | |
| 123 | UDP, TCP | ntp | Network Time Protocol. Spoof. | Block with exceptions.[9] | |
| 126 | UDP, TCP | unitary | Unisys Unitary Login. | Block | |
| 127 | UDP, TCP | locus-con | Locus PC-Interface Conn Server. | Block | |
| 130 | UDP, TCP | cisco-fna | Cisco FNATIV. | Block with exceptions. | |
| 131 | UDP, TCP | cisco-tna | Cisco TNATIVE. | Block with exceptions. | |
| 132 | UDP, TCP | cisco-sys | Cisco SYSMAINT. | Block with exceptions. | |
| 137 | UDP, TCP | netbios-ns | NETBIOS Name Service. | Block NETBIOS unless there is a specific host with which you need to exchange NETBIOS information. NETBIOS over TCP/IP is best handled with encrypted tunneling. | |
| 138 | UDP, TCP | netbios-dgm | NETBIOS Datagram Service. | ||
| 139 | UDP, TCP | netbios-ssn | NETBIOS Session Service. | ||
| 144 | UDP, TCP | news | Sun NeWS (Network Window System). Possibly Sniff. Spoof. Obsolete. | Block | |
| 156 | UDP, TCP | sqlsrv | SQL Service. Sniff. | Block | |
| 161 | UDP, TCP | snmp | Simple Network Management Protocol agents. Spoof. Sniff. | Block | |
| 162 | UDP, TCP | snmptrap | SNMP traps. | Block under most circumstances, although you may wish to allow traps from an external gateway to reach your internal network monitors. | |
| 177 | UDP, TCP | xdmcp | X Display Manager (XDM) Control Protocol. Sniff.Possibly Spoof. | Block. You may wish to allow outgoing connections in special circumstances. | |
| 178 | UDP, TCP | NSWS | NEXTSTEP Window Server. Possibly Sniff.Spoof. | Block | |
| 194 | UDP, TCP | irc | Internet Relay Chat Protocol. | Block | |
| 199 | UDP, TCP | smux | SMUX (IBM). | Block | |
| 200 | UDP, TCP | src | IBM System Resource Controller. | Block | |
| 201 | UDP, TCP | at-rtmp | AppleTalk Routing Maintenance. | Block AppleTalk unless there is a specific host or network with which you need to exchange AppleTalk information. AppleTalk over TCP/IP is best handled through encrypted tunneling. | |
| 202 | UDP, TCP | at-nbp | AppleTalk Name Binding. | ||
| 203 | UDP, TCP | at-3 | AppleTalk Unused. | ||
| 204 | UDP, TCP | at-echo | AppleTalk Echo. | ||
| 205 | UDP, TCP | at-5 | AppleTalk Unused. | ||
| 206 | UDP, TCP | at-zis | AppleTalk Zone Information. | ||
| 207 | UDP, TCP | at-7 | AppleTalk Unused. | ||
| 208 | UDP, TCP | at-8 | AppleTalk Unused. | ||
| 210 | TCP | wais | WAIS server. Sniff. | Block unless you run a server. | |
| 220 | TCP | imap | POP replacement. Sniff. | Block unless there is a specific need to access email through the firewall. If you do pass this service, pass inbound connections only to your email host. | |
| 387 | TCP | avrp | AppleTalk Routing. | Block | |
| 396 | UDP, TCP | netware-ip | Novell Netware over IP. Sniff. | Block | |
| 411 | UDP, TCP | rmt | Remote Tape. | Block | |
| 512 | UDP | biff | Real-time mail notification. | Block | |
| 512 | TCP | exec | Remote command execution. Sniff.Spoof. | Block | |
| 513 | UDP | rwho | Remote who command. | Block | |
| 513 | TCP | login | Remote login. Sniff. Spoof. | These protocols are vulnerable to problems with "trusted hosts" and .rhost files. Block them if at all possible. | |
| 514 | TCP | shell | rsh. Sniff. Spoof. | ||
| 514 | UDP | syslog | syslog logging. | Block | |
| 515 | TCP | printer | Berkeley lpr system. Spoof. | Block | |
| 517 | UDP | talk | Initiate talk requests. | You should probably block these protocols for incoming and outgoing use. If you wish to permit your users to receive talk requests from outside sites, then you must allow user machines to receive TCP connections on any TCP/IP port over 1024. The protocols further require that both hostnames and usernames of your internal users be made available to outsiders. talk can further be used to harass users. | |
| 518 | UDP | ntalk | Initiate talk requests. | ||
| 520 | UDP | route | Routing control. Spoof. | Block | |
| 523 | UDP, TCP | timed | Time server daemon. Spoof. | Block | |
| 532 | UDP, TCP | netnews | Remote readnews. | Block | |
| 533 | UDP, TCP | netwall | Network Write to all users. | Block | |
| 540 | TCP | uucp | Used mostly for sending batches of Usenet news. Sniff. Spoof. | Block unless there are specific hosts with which you wish to exchange UUCP information. | |
| 550 | UDP, TCP | nrwho | New rwho. | Block | |
| 566 | UDP, TCP | remotefs | RFS remote filesystem. Sniff. Spoof. | Block | |
| 666 | TCP | mdqs | Replacement for Berkeley's printer system. | Block | |
| 666 | UDP, TCP | doom | Doom game. | Block | |
| 744 | TCP | FLEXlm | FLEX license manager. | Block | |
| 754 | TCP | tell | Used by send | Block | |
| 755 | UDP | securid | Security Dynamics ACE/Server. Sniff [10] | Block | |
| 765 | TCP | webster | Dictionary service. | Block | |
| 1025 | TCP | listener | System V Release 3 listener. | Block | |
| 1352 | UDP, TCP | lotusnotes | Lotus Notes mail system. | Block | |
| 1525 | UDP | archie | Tells you where things are on the Internet. | Block, except the specific archie servers you want to use. | |
| 2000 | TCP | OpenWindows | Sun proprietary window system. | Block | |
| 2049 | UDP, TCP | nfs | Sun NFS Server (usually). Spoof. | Block | |
| 2766 | TCP | listen | System V listener. | Block | |
| 3264 | UDP, TCP | ccmail | Lotus cc:Mail. | Block | |
| 5130 | UDP | sgi-dogfight | Silicon Graphics flight simulator. | Block | |
| 5133 | UDP | sgi-bznet | Silicon Graphics tank demo. | Block | |
| 5500 | UDP | securid | Security Dynamics ACE/Server version 2. Sniff. [11] | Block | |
| 5510 | TCP | securidprop | Security Dynamics ACE/Server slave. Sniff. [12] | Block | |
| 5701 | TCP | xtrek | X11 xtrek. | Block | |
6000 thru 6063 | TCP | x-server | X11 server. Sniff. Spoof. | Block | |
| 6667 | TCP | irc | Internet Relay Chat. | Block | |
7000 thru 7009 | UDP, TCP | afs | Andrew File System. Spoof. | Block | |
| 7100 | TCP | font-service | X Server font service. | Block |
[2] Protocols such as echo can be used to probe the internal configuration of your network. They can also be used for creative denial of service attacks.
[3] As some programs use the system's real time clock as the basis of a cryptographic key, revealing this quantity on the Internet can lead to the compromise of some security-related protocols.
[4] Telnet Server. Conventional Telnet may result in passwords being sniffed on the network. You may wish to only allow specially encrypted or authenticated Telnet.
[5] The finger client program can be susceptible to certain kinds of data-driven attacks if you do not use a suitable finger wrapper.
[6] But note that a port scan can still find RPC servers even if portmapper is blocked.
[7] As discussed in the text, the values returned as part of this service are unreliable if the remote machine is not under your control.
[8] Outbound and inbound NNTP connections should only be allowed to the pre-established sites with which you exchange news.
[9] Allowing NTP from outside machines opens your site to time-spoofing attacks. If you must receive your time from outside your site via the Internet, only allow NTP packets from specified hosts.
[10] Traffic may be encrypted, but the administrator may decide not to turn this on. Export versions (non-U.S.) do not have encryption available.
[11] See note 10.
[12] See note 10.
|  | |
| F.3 Emergency Response Organizations |  |