home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  

Practical UNIX & Internet Security

Practical UNIX & Internet SecuritySearch this book
Previous: F.3 Emergency Response Organizations Appendix G  

G. Table of IP Services

Table G-1 lists the IP protocols that are commonly used on the Internet. For completeness, it also lists many protocols that are no longer used and are only of historic interest.

You can use this table to help you decide which protocols you do and do not wish to support on your UNIX computers. You can also use this table to help you decide which protocols to pass or block with a screening router, as described in Chapter 21, Firewalls . For example, at most sites you will wish to block protocols such as tftp , sunrpc , printer , rlogin and rexec . Most site administrators will probably wish to allow protocols such as ftp , smtp , domain , and nntp . Other protocols can be problematical.

The "Suggested Firewall Handling" column gives a sample firewall policy that should be sufficient for many sites; in some cases, footnotes provide additional explanation. We generally advise blocking all services that are not absolutely essential. The reason for this suggestion is that even simple services, such as TCP echo , can be used as a means for launching a denial of service attack against your network. These services can also be used by an attacker to learn about your internal network topology. Although these services are occasionally useful for debugging, we feel that their presence is, in general, a liability - an accident waiting to happen. Services which are not listed in this table should be blocked unless you have a specific reason for allowing them to cross your firewall . For detailed information about firewalls policy and filtering, we suggest that you consult Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky (O'Reilly & Associates, 1995).

The "Notes" section in this table contains a brief description of the service. If the word "Sniff" appears, then this protocol may involve programs that require passwords and may be vulnerable to password sniffing; you may wish to disable it on this basis, or only use it with a one-time password system. The word "Spoof" indicates that the usual programs that use the protocol depend on IP-based authentication for its security and can be compromised with a variety of spoofing attacks. The annotation "Obsolete" appears on protocols which may no longer be in general use. Note that the absence of a "Sniff" or "Spoof" annotation does not mean that the protocol is not vulnerable to such attacks.

The "Site Notes" column is a place where you can make your own notes about what you plan to do at your site.

NOTE: This is not a comprehensive list of TCP and UDP services ; instead, it is a list of the services that are most commonly found on UNIX -based computers. If you have computers on your network that are running operating systems other than UNIX , you may wish to pass packets that use ports not discussed here. A complete list of all assigned port numbers can be found in RFC 1700 (or its successors)

In addition to the services noted in the table, you should block all IP addresses coming from outside your network which claim to come from inside your network. That is, any packet coming into your network with a source IP address that indicates it is from your network should be discarded.

IP packets with unusual option bits or invalid combinations of option bits should be blocked. This should probably include packets with source routing or record-route options set.

Fragmented packets should be blocked if the offset for reassembly specifies a zero offset (that would cause the reassembly to rewrite the IP header). [1]

[1] The idea for this table is based, in part, on Appendix B, Important Files from the book Firewalls and Internet Security , by William R. Cheswick and Steven M. Bellovin (Addison-Wesley, 1994).

Table G.1: Common TCP and UDP Services, by Port
Port Protocol Name Notes Suggested Firewall Handling Site Notes
1 TCP tcpmux TCP port multiplexer. Rarely used. Block
7 UDP, TCP echo

Echos UDP packets and characters sent down TCP streams.

9 UDP, TCP discard

Accepts connections, but discards the data.

11 TCP systat

System status - reports the active users on your system. Some systems connect this to who.

13 UDP, TCP daytime Time of day in human-readable form. Block[3]
15 TCP netstat

Network status, human-readable. Obsolete (officially unassigned as of 10/94).

17 UDP qotd Quote of the day. Block
19 UDP, TCP chargen Character generator. Block
20 TCP ftp-data

Data and command ports for FTP. Sniff .

requires special handling.
21 TCP ftp
23 TCP telnet Telnet virtual terminal. Sniff. Be careful. [4]
24 UDP, TCP For use by private email systems. Block
25 TCP smtp Email.

Allow to your firewall gate or bastion host.

37 UDP, TCP time Time of day, in machine-readable form. Block
38 UDP, TCP rap Route Access Protocol. Block
42 UDP, TCP name Host Name Server. Obsolete. Block
43 TCP whois Normally only run by NICs. Outbound only or Block.
48 UDP, TCP auditd

Digital Equipment Corporation audit daemon.

49 UDP tacacs Sniff. Spoof.

Block. You should place your tacacs authentication servers on the same side of your firewall as your terminal concentrators.

53 UDP, TCP domain Domain Name Service. Spoof.

Run separate nameservers for internal and external use. If you use firewall proxies, then you only need to provide DNS service on your firewall computer.

67, 68 UDP bootp Boot protocol. Block
69 UDP tftp Trivial FTP. Block
70 TCP

gopher, gopher+

Text-based information service. Sniff.

Outbound access with proxies. Inbound connections only to an organizational gopher server running on a special host.

79 TCP finger

Return information about a particular user account or machine.

Outbound only. [5] (You may wish to refer inbound finger queries to a particular message.)

80 TCP http World Wide Web. Sniff. Spoof.

Outbound access with proxies. Inbound connections only to an organizational WWW server running on a special host.

87 TCP link Block
88 UDP kerberos Distributed authentication mechanism.

Block unless you need inter-realm authentication.

94 UDP, TCP objcall Tivoli Object Dispatcher. Block
95 TCP supdup

Virtual terminal similar to Telnet, rarely used. S niff.

109 TCP pop-2

Post Office Protocol, allows reading mail over Internet. Sniff.

Block unless there is a specific need to access email through firewall. Consider using APOP, which is not susceptible to password sniffing. If you do pass this service, pass inbound connections only to your email host.

110 TCP pop-3 Better Post Office Protocol. S niff.
111 UDP, TCP sunrpc Sun RPC portmapper. Spoof. [6] Block
113 TCP auth

TCP authentication service. Identifies the username belonging to a TCP connection. Spoof.

Limit or block incoming requests.[7]
119 TCP nntp Network News Transport Protocol. Block with exceptions.[8]
121 UDP, TCP erpc

Encore Expedited Remote Procedure Call.

123 UDP, TCP ntp Network Time Protocol. Spoof. Block with exceptions.[9]
126 UDP, TCP unitary Unisys Unitary Login. Block
127 UDP, TCP locus-con Locus PC-Interface Conn Server. Block
130 UDP, TCP cisco-fna Cisco FNATIV. Block with exceptions.
131 UDP, TCP cisco-tna Cisco TNATIVE. Block with exceptions.
132 UDP, TCP cisco-sys Cisco SYSMAINT. Block with exceptions.
137 UDP, TCP netbios-ns NETBIOS Name Service.

Block NETBIOS unless there is a specific host with which you need to exchange NETBIOS information. NETBIOS over TCP/IP is best handled with encrypted tunneling.

138 UDP, TCP netbios-dgm NETBIOS Datagram Service.
139 UDP, TCP netbios-ssn NETBIOS Session Service.
144 UDP, TCP news

Sun NeWS (Network Window System). Possibly Sniff. Spoof. Obsolete.

156 UDP, TCP sqlsrv SQL Service. Sniff. Block
161 UDP, TCP snmp

Simple Network Management Protocol agents. Spoof. Sniff.

162 UDP, TCP snmptrap SNMP traps.

Block under most circumstances, although you may wish to allow traps from an external gateway to reach your internal network monitors.

177 UDP, TCP xdmcp

X Display Manager (XDM) Control Protocol. Sniff. Possibly Spoof.

Block. You may wish to allow outgoing connections in special circumstances.


NEXTSTEP Window Server. Possibly Sniff. Spoof.

194 UDP, TCP irc Internet Relay Chat Protocol. Block
199 UDP, TCP smux SMUX (IBM). Block
200 UDP, TCP src IBM System Resource Controller. Block
201 UDP, TCP at-rtmp AppleTalk Routing Maintenance.

Block AppleTalk unless there is a specific host or network with which you need to exchange AppleTalk information. AppleTalk over TCP/IP is best handled through encrypted tunneling.

202 UDP, TCP at-nbp AppleTalk Name Binding.
203 UDP, TCP at-3 AppleTalk Unused.
204 UDP, TCP at-echo AppleTalk Echo.
205 UDP, TCP at-5 AppleTalk Unused.
206 UDP, TCP at-zis AppleTalk Zone Information.
207 UDP, TCP at-7 AppleTalk Unused.
208 UDP, TCP at-8 AppleTalk Unused.
210 TCP wais WAIS server. Sniff. Block unless you run a server.
220 TCP imap POP replacement. Sniff.

Block unless there is a specific need to access email through the firewall. If you do pass this service, pass inbound connections only to your email host.

387 TCP avrp AppleTalk Routing. Block
396 UDP, TCP netware-ip Novell Netware over IP. Sniff. Block
411 UDP, TCP rmt Remote Tape. Block
512 UDP biff Real-time mail notification. Block
512 TCP exec

Remote command execution. Sniff.Spoof.

513 UDP rwho Remote who command. Block
513 TCP login Remote login. Sniff. Spoof.

These protocols are vulnerable to problems with "trusted hosts" and .rhost files. Block them if at all possible.

514 TCP shell rsh . Sniff. Spoof.
514 UDP syslog syslog logging. Block
515 TCP printer Berkeley lpr system. Spoof. Block
517 UDP talk Initiate talk requests.

You should probably block these protocols for incoming and outgoing use. If you wish to permit your users to receive talk requests from outside sites, then you must allow user machines to receive TCP connections on any TCP/IP port over 1024. The protocols further require that both hostnames and usernames of your internal users be made available to outsiders. talk can further be used to harass users.

518 UDP ntalk Initiate talk requests.
520 UDP route Routing control. Spoof. Block
523 UDP, TCP timed Time server daemon. Spoof. Block
532 UDP, TCP netnews Remote readnews. Block
533 UDP, TCP netwall Network Write to all users. Block
540 TCP uucp

Used mostly for sending batches of Usenet news. Sniff. Spoof.

Block unless there are specific hosts with which you wish to exchange UUCP information.

550 UDP, TCP nrwho New rwho. Block
566 UDP, TCP remotefs RFS remote filesystem. Sniff. Spoof. Block
666 TCP mdqs

Replacement for Berkeley's printer system.

666 UDP, TCP doom Doom game. Block
744 TCP FLEXlm FLEX license manager. Block
754 TCP tell Used by send Block
755 UDP securid

Security Dynamics ACE/Server. Sniff [10]

765 TCP webster Dictionary service. Block
1025 TCP listener System V Release 3 listener. Block
1352 UDP, TCP lotusnotes Lotus Notes mail system. Block
1525 UDP archie

Tells you where things are on the Internet.

Block, except the specific archie servers you want to use.

2000 TCP OpenWindows Sun proprietary window system. Block
2049 UDP, TCP nfs Sun NFS Server (usually). Spoof. Block
2766 TCP listen System V listener. Block
3264 UDP, TCP ccmail Lotus cc:Mail. Block
5130 UDP sgi-dogfight Silicon Graphics flight simulator. Block
5133 UDP sgi-bznet Silicon Graphics tank demo. Block
5500 UDP securid

Security Dynamics ACE/Server version 2. Sniff. [11]

5510 TCP securidprop

Security Dynamics ACE/Server slave. Sniff. [12]

5701 TCP xtrek X11 xtrek. Block

6000 thru 6063

TCP x-server X11 server. Sniff. Spoof. Block
6667 TCP irc Internet Relay Chat. Block

7000 thru 7009

UDP, TCP afs Andrew File System. Spoof. Block
7100 TCP font-service X Server font service. Block

[2] Protocols such as echo can be used to probe the internal configuration of your network. They can also be used for creative denial of service attacks.

[3] As some programs use the system's real time clock as the basis of a cryptographic key, revealing this quantity on the Internet can lead to the compromise of some security-related protocols.

[4] Telnet Server. Conventional Telnet may result in passwords being sniffed on the network. You may wish to only allow specially encrypted or authenticated Telnet.

[5] The finger client program can be susceptible to certain kinds of data-driven attacks if you do not use a suitable finger wrapper.

[6] But note that a port scan can still find RPC servers even if portmapper is blocked.

[7] As discussed in the text, the values returned as part of this service are unreliable if the remote machine is not under your control.

[8] Outbound and inbound NNTP connections should only be allowed to the pre-established sites with which you exchange news.

[9] Allowing NTP from outside machines opens your site to time-spoofing attacks. If you must receive your time from outside your site via the Internet, only allow NTP packets from specified hosts.

[10] Traffic may be encrypted, but the administrator may decide not to turn this on. Export versions (non-U.S.) do not have encryption available.

[11] See note 10.

[12] See note 10.