Make your own free website on Tripod.com
Updated 02 13 2004
The Firewall Ports Page


1.  Why did you create this page?
2.  What router-firewall did you choose for this project?
3.  When I try to use Syslinux under a Windows boot disk, I get  'ERROR 440D: Unable to lock drive for exclusive access'
4.  What do I configure to allow packets from the outside network to the firewall or internal network
5.  I'd like to see some /etc/shorewall/rules examples allowing through various services
6.  I've opened some ports in /etc/shorewall/rules but they still appear closed.  I need help.
7.  I want to use SMB and the native XP firewall (ICF) at the same time.  I need help.
8.  I am using the native XP firewall (ICF).  I need to open a port for Get Device Status or XXX to work
9.  What protocols and ports need to be opened to allow various services or applications through the firewall?


1.  Why did you create this page?

We recieve several calls regarding which ports to enable to allow a Canon device to work through a firewall
I made this page as a collection of my research notes


2.  What router-firewall did you choose for this project?
The firewall-router I chose is from the excellent and free Linux Embedded Appliance Firewall (LEAF) from http://leaf.sourceforge.net/
There are many distributions, modules and packages (LRP's) available
I chose the Bering-uClibc 2.0 distribution since it had all of the packages I needed for this project
DHCP Client (dhcpcd)
Routing (zebra, ospfd
, libm)
Firewall (iptables and shorewall)
SSH  (dropbear, dbearkey)
Here's a list of the packages I used
root,config,etc,local,modules,iptables,shorwall,dhcpcd,ulogd,dropbear,dbearkey,weblet,libm,libcrpto,zebra,ospfd
The supplied documentation is very good so I need not describe the installation/configuration steps here


3.  When I try to use Syslinux under a Windows boot disk, I get  'ERROR 440D: Unable to lock drive for exclusive access'
I could not get syslinux.com past this error under a Windows 98SE boot disk
Under Dos 6.22, it worked fine
Using http://www.knoppix.net/ was another alternative that worked for me
More info on Syslinux here


4.  What do I configure to allow packets from the outside network to the firewall or internal network
I cannot go into to much detail here
The Shorewall documentation is excellent
A majority of the configuration is done in the Shorewall exception to policy screen
Choose lrcfg, 3, 4, 6 to edit the /etc/shorewall/rules


5.  I'd like to see some /etc/shorewall/rules examples allowing through various services
ACTION     SOURCE     DEST      PROTO   PORT
ACCEPT          net           loc           icmp        8            # Accept pings from external to interal lan
ACCEPT          net           loc           tcp          80          # Accept HTTP requests from external to internal (RUI) 
ACCEPT          net           fw            tcp         22           # Allow ssh from external lan to firewall
ACCEPT          net           loc           tcp         515         # LPR/LPD


6.  I've opened some ports in /etc/shorewall/rules but they still appear closed.  I need help.
I spent a few hours on this one until I read the manual  :-)
Is your external network in an RFC 1918 private IP range?
The RFC 1918 reserves several Private IP address ranges
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
By default, Shorewall will reject packets from RFC 1918 private IP's.
Before starting Shorewall, you should look at the IP address of your external interface and if it is one of the above ranges, you should remove the 'norfc1918' option from the external interface's entry in Choose lrcfg, 3, 4, 3 to edit /etc/shorewall/interfaces.
net     eth0            detect          dhcp,routefilter,norfc1918   (Original)
net     eth0            detect          dhcp,routefilter                    (New)


7.  I want to use SMB and the native XP firewall (ICF) at the same time.  I need help.
I borrowed this from http://www.tek-tips.com/
The following ports are associated with file sharing and server message block (SMB) communications:
Microsoft file sharing SMB:
. User Datagram Protocol (UDP) ports from 135 through 139, and Transmission Control Protocol (TCP) ports from 135 through 139.
. Direct-hosted SMB traffic without network basic input/output system (NetBIOS) uses port 445 (TCP and UPD).
1. Using the native XP firewall (ICF):
To open the preceding ports:
Click Start, point to Connect To, right-click the network connection that is firewall protected, and then click Properties.
or
Right click My Network Places, select properties
Right click your firewall protected adapter, select properties
On the Advanced tab, click Settings.
Click Add in the Service Tab area.
Enter a description for the connection and use the loopback address (127.0.0.1) for the required Internet Protocol (IP) number. You will need to do this 12 times.  The description can be anything you like; e.g. LAN UDP 135, LAN UDP 136, etc. for port labels is what I use.
Enter both a port number and type for each port (the external and internal port numbers should be identical). The port ranges may not be specified.
Repeat 12 times so that you have UDP 135, 136, 137, 138, 139 and 445. TCP 135, 136, 137, 138, 139 and 445.
Click OK to exit each window.


8.  I am using the native XP firewall (ICF).  I need to open a port for Get Device Status or XXX to work
Click Start, point to Connect To, right-click the network connection that is firewall protected, and then click Properties.
or
Right click My Network Places, select properties
Right click your firewall protected adapter, select properties
On the Advanced tab, click Settings.
Click Add in the Service Tab area.
Enter a description for the connection and use the loopback address (127.0.0.1) for the required Internet Protocol (IP) number.
Enter 47545 for both the external and internal port numbers.
Select UDP protocol
Click ok to exit.
Get Device Status should now work
This procedure can be repeated for other Canon services/application.
Be sure to get the port and protocol correct


9.  What protocols and ports need to be opened to allow various services or applications through a firewall?
Please note this is a work in progress


Service or Application
Protocol Port
 Shorewall Example
Ping the printer
ICMP 8
ACCEPT net loc icmp 8
HTTP (RUI)
TCP 80
ACCEPT net loc tcp 80
Non Canon driver printing (HP Laserjet ...)
TCP 515
ACCEPT net loc tcp 515
Canon Driver printing (CPCA)
TCP 515
UDP 47545
ACCEPT net loc tcp 515
ACCEPT net loc udp 47545
Canon Printer Driver
Get Device Status
UDP 47545
ACCEPT net loc udp 47545
Canon ScanGear Tool and Scanning
UDP 47545
TCP 9011
TCP 9014
ACCEPT net loc udp 47545
ACCEPT net loc tcp 9011
ACCEPT net loc tcp 9014
NetSpot Job Monitor
UDP 47545 ACCEPT net loc udp 47545
Standard TCP/IP Printer Port Wizard
UDP 161
ACCEPT net loc udp 161
Standard TCP/IP Printing (LPR)
(Need UDP 161 if  SNMP status enabled is required)*
UDP 161*
TCP 515
ACCEPT net loc udp 161
ACCEPT net loc tcp 515
Standard TCP/IP Printing (9100)
(Need UDP 161 if  SNMP status enabled is required)*
UDP 161*
TCP 9100
ACCEPT net loc udp 161
ACCEPT net loc tcp 9100
IPP Printing
If using HTTP proxy on host, add printer's IP to local proxy bypass
UDP 161
TCP 80
ACCEPT net loc udp 161
ACCEPT net loc tcp 80
NetSport Resource Downloader
UDP 161
UDP 47545
ACCEPT net loc udp 161
ACCEPT net loc udp 47545
JBig Viewer
UDP 161
TCP 80
ACCEPT net loc udp 161
ACCEPT net loc tcp 80
Security Agent for Single Signon
TCP 5678
ACCEPT net loc tcp 5678



Home     Back

If you find any errors, ommisions or have a better way, please contact me