Updated 02 13 2004
The Firewall Ports Page


1.  Why did you create this page?
2.  What router-firewall did you choose for this project?
3.  When I try to use Syslinux under a Windows boot disk, I get  'ERROR 440D: Unable to lock drive for exclusive access'
4.  What do I configure to allow packets from the outside network to the firewall or internal network
5.  I'd like to see some /etc/shorewall/rules examples allowing through various services
6.  I've opened some ports in /etc/shorewall/rules but they still appear closed.  I need help.
7.  I want to use SMB and the native XP firewall (ICF) at the same time.  I need help.
8.  I am using the native XP firewall (ICF).  I need to open a port for Get Device Status or XXX to work
9.  What protocols and ports need to be opened to allow various services or applications through the firewall?


1.  Why did you create this page?

We receive several calls asking which ports must be opened for a Canon device to work through a firewall.
I made this page as a collection of my research notes.


2.  What router-firewall did you choose for this project?
The firewall-router I chose is the excellent and free Linux Embedded Appliance Firewall (LEAF) from http://leaf.sourceforge.net/
There are many distributions, modules and packages (LRPs) available.
I chose the Bering-uClibc 2.0 distribution since it had all of the packages I needed for this project:
DHCP client (dhcpcd)
Routing (zebra, ospfd, libm)
Firewall (iptables and shorewall)
SSH (dropbear, dbearkey)
Here is the list of packages I used (spelled as the LRP package files are named, hence 'shorwall' and 'libcrpto'):
root,config,etc,local,modules,iptables,shorwall,dhcpcd,ulogd,dropbear,dbearkey,weblet,libm,libcrpto,zebra,ospfd
The supplied documentation is very good, so I need not describe the installation/configuration steps here.


3.  When I try to use Syslinux under a Windows boot disk, I get  'ERROR 440D: Unable to lock drive for exclusive access'
I could not get syslinux.com past this error under a Windows 98SE boot disk.
Under DOS 6.22 it worked fine.
Using http://www.knoppix.net/ was another alternative that worked for me.
More info on Syslinux here


4.  What do I configure to allow packets from the outside network to the firewall or internal network
I cannot go into too much detail here; the Shorewall documentation is excellent.
Most of the configuration is done in the Shorewall "exceptions to policy" file, /etc/shorewall/rules. /etc/shorewall/policy sets the default for each pair of zones (the Bering default drops everything arriving from net), and each line in /etc/shorewall/rules punches one hole through that default.
Choose lrcfg, 3, 4, 6 to edit /etc/shorewall/rules.


5.  I'd like to see some /etc/shorewall/rules examples allowing through various services
ACTION     SOURCE     DEST     PROTO     PORT
ACCEPT     net        loc      icmp      8         # Accept pings from external to internal LAN
ACCEPT     net        loc      tcp       80        # Accept HTTP requests from external to internal (RUI)
ACCEPT     net        fw       tcp       22        # Allow SSH from external LAN to firewall
ACCEPT     net        loc      tcp       515       # LPR/LPD
The SSH rule exposes the firewall's management port to every host on the external side. If only one machine needs it, restrict SOURCE to that address (Shorewall accepts zone:address, e.g. net:192.0.2.10) instead of the whole net zone.


6.  I've opened some ports in /etc/shorewall/rules but they still appear closed.  I need help.
I spent a few hours on this one until I read the manual  :-)
Is your external network in an RFC 1918 private address range?
RFC 1918 reserves three private address ranges:
10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
The Bering default /etc/shorewall/interfaces sets the 'norfc1918' option on the external interface, which makes Shorewall drop (and log) any packet arriving there with an RFC 1918 source address, regardless of what /etc/shorewall/rules says. That is the right setting when eth0 faces the Internet, but on a test bench where the "external" side is itself a private LAN, every client packet is discarded before the rules are ever consulted, so the ports look closed.
Before starting Shorewall, look at the IP address of your external interface and, if it is in one of the above ranges, remove the 'norfc1918' option from the external interface's entry. Choose lrcfg, 3, 4, 3 to edit /etc/shorewall/interfaces.
net     eth0            detect          dhcp,routefilter,norfc1918          (Original)
net     eth0            detect          dhcp,routefilter                    (New)
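As an added example (not code from the original page or from the LEAF/Shorewall projects), the check above in script form: it tests an interface address against exactly the three RFC 1918 ranges and, only when the address is private, strips 'norfc1918' from that interface's line in /etc/shorewall/interfaces. The sample interfaces file and the addresses passed to it are constructed for illustration; the function names are my own.

```python
import ipaddress

# The three ranges RFC 1918 reserves, listed explicitly: ipaddress's
# is_private() would also match loopback, link-local and documentation
# space, which is not what Shorewall's norfc1918 option filters on.
RFC1918_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def is_rfc1918(addr):
    """True if the IPv4 address string lies inside an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def fix_interfaces_line(line, iface_ip):
    """Take one /etc/shorewall/interfaces line (ZONE INTERFACE BROADCAST OPTIONS)
    and the address that interface currently holds.  If the address is private
    and the line carries 'norfc1918', drop that option, because it would make
    Shorewall discard every packet from that side before the rules are read.
    Comments, blank lines, lines without an OPTIONS column and lines that need
    no change are returned exactly as given."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    fields = stripped.split()
    if len(fields) < 4:
        return line
    options = fields[3].split(",")
    if is_rfc1918(iface_ip) and "norfc1918" in options:
        options = [o for o in options if o != "norfc1918"]
        fields[3] = ",".join(options) if options else "-"   # '-' = empty OPTIONS column
        return "\t".join(fields)
    return line


def audit_interfaces(config_text, addresses):
    """Run fix_interfaces_line over a whole interfaces file.  `addresses` maps
    interface name -> the IP it currently holds (what 'ip addr' shows on the
    firewall).  Returns (new_text, names of interfaces whose line changed)."""
    out, changed = [], []
    for line in config_text.splitlines():
        fields = line.split()
        is_comment = line.lstrip().startswith("#")
        iface = fields[1] if len(fields) > 1 and not is_comment else None
        new = fix_interfaces_line(line, addresses[iface]) if iface in addresses else line
        if new != line:
            changed.append(iface)
        out.append(new)
    return "\n".join(out), changed


# Constructed sample (assumption): the Bering default external line plus a
# plain internal LAN line, as they would appear in /etc/shorewall/interfaces.
SAMPLE_INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          dhcp,routefilter,norfc1918
loc     eth1            detect
"""

if __name__ == "__main__":
    # eth0 sits on a private test LAN here, so norfc1918 must go.
    text, changed = audit_interfaces(
        SAMPLE_INTERFACES, {"eth0": "192.168.10.2", "eth1": "192.168.1.1"})
    print(text)
    print("changed:", changed)
```

If the external interface holds a public address (the normal case on a real Internet link), the audit leaves the line alone and 'norfc1918' stays in place, which is what you want.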


7.  I want to use SMB and the native XP firewall (ICF) at the same time.  I need help.
I borrowed this from http://www.tek-tips.com/
The following ports are associated with file sharing and server message block (SMB) communications:
Microsoft file sharing SMB:
. User Datagram Protocol (UDP) ports 135 through 139, and Transmission Control Protocol (TCP) ports 135 through 139.
. Direct-hosted SMB traffic without network basic input/output system (NetBIOS) uses port 445 (TCP and UDP).
1. Using the native XP firewall (ICF):
To open the preceding ports:
Click Start, point to Connect To, right-click the network connection that is firewall protected, and then click Properties.
or
Right-click My Network Places and select Properties.
Right-click your firewall-protected adapter and select Properties.
On the Advanced tab, click Settings.
On the Services tab, click Add.
Enter a description for the service and use the loopback address (127.0.0.1) for the required Internet Protocol (IP) address. You will need to do this 12 times. The description can be anything you like; e.g. LAN UDP 135, LAN UDP 136, etc. is what I use for port labels.
Enter both a port number and type for each port (the external and internal port numbers should be identical). Port ranges cannot be specified, so each port needs its own entry.
Repeat 12 times so that you have UDP 135, 136, 137, 138, 139 and 445, and TCP 135, 136, 137, 138, 139 and 445.
Click OK to exit each window.
Each of these entries exposes the SMB service to every host that can reach that adapter, so only do this on an adapter that faces a trusted LAN, never on one that faces the Internet.


8.  I am using the native XP firewall (ICF).  I need to open a port for Get Device Status or XXX to work
Click Start, point to Connect To, right-click the network connection that is firewall protected, and then click Properties.
or
Right-click My Network Places and select Properties.
Right-click your firewall-protected adapter and select Properties.
On the Advanced tab, click Settings.
On the Services tab, click Add.
Enter a description for the service and use the loopback address (127.0.0.1) for the required Internet Protocol (IP) address.
Enter 47545 for both the external and internal port numbers.
Select the UDP protocol.
Click OK to exit.
Get Device Status should now work.
This procedure can be repeated for the other Canon services/applications listed in question 9.
Be sure to get the port and protocol correct: opening TCP 47545 instead of UDP 47545 will not help.


9.  What protocols and ports need to be opened to allow various services or applications through a firewall?
Please note this is a work in progress


Service or Application                              Protocol/Port     Shorewall example
Ping the printer                                    ICMP 8            ACCEPT net loc icmp 8
HTTP (RUI)                                          TCP 80            ACCEPT net loc tcp 80
Non-Canon driver printing (HP LaserJet ...)         TCP 515           ACCEPT net loc tcp 515
Canon driver printing (CPCA)                        TCP 515           ACCEPT net loc tcp 515
                                                    UDP 47545         ACCEPT net loc udp 47545
Canon printer driver, Get Device Status             UDP 47545         ACCEPT net loc udp 47545
Canon ScanGear Tool and scanning                    UDP 47545         ACCEPT net loc udp 47545
                                                    TCP 9011          ACCEPT net loc tcp 9011
                                                    TCP 9014          ACCEPT net loc tcp 9014
NetSpot Job Monitor                                 UDP 47545         ACCEPT net loc udp 47545
Standard TCP/IP Printer Port Wizard                 UDP 161 (SNMP)    ACCEPT net loc udp 161
Standard TCP/IP Printing (LPR)                      UDP 161*          ACCEPT net loc udp 161
                                                    TCP 515           ACCEPT net loc tcp 515
Standard TCP/IP Printing (9100)                     UDP 161*          ACCEPT net loc udp 161
                                                    TCP 9100          ACCEPT net loc tcp 9100
IPP Printing                                        UDP 161           ACCEPT net loc udp 161
  (if the host uses an HTTP proxy, add the          TCP 80            ACCEPT net loc tcp 80
  printer's IP to the local proxy bypass list)
NetSpot Resource Downloader                         UDP 161           ACCEPT net loc udp 161
                                                    UDP 47545         ACCEPT net loc udp 47545
JBIG Viewer                                         UDP 161           ACCEPT net loc udp 161
                                                    TCP 80            ACCEPT net loc tcp 80
Security Agent for Single Sign-on                   TCP 5678          ACCEPT net loc tcp 5678

* UDP 161 (SNMP) is only needed if "SNMP Status Enabled" is checked on the Standard TCP/IP port.
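Several entries in the table above share a port (UDP 47545, TCP 515, UDP 161), so the rules from question 5 tend to get duplicated as services are added. The following is an added example (not code from the original page, not a Canon or Shorewall tool): it holds the table as data, emits one ACCEPT line per distinct protocol/port for the services you pick, and probes the TCP ports from the net side so you can tell a DROP (timeout) from a port the firewall passes but nothing listens on (refused). The service names used as keys, the function names, and the loopback self-check are my own choices; UDP ports cannot be confirmed with a plain connect and are reported as not probed.

```python
import socket

# (protocol, port) requirements per service, copied from the table above.
SERVICES = {
    "Ping the printer": [("icmp", 8)],
    "HTTP (RUI)": [("tcp", 80)],
    "Non-Canon driver printing": [("tcp", 515)],
    "Canon driver printing (CPCA)": [("tcp", 515), ("udp", 47545)],
    "Get Device Status": [("udp", 47545)],
    "Canon ScanGear Tool": [("udp", 47545), ("tcp", 9011), ("tcp", 9014)],
    "NetSpot Job Monitor": [("udp", 47545)],
    "Standard TCP/IP Printer Port Wizard": [("udp", 161)],
    "Standard TCP/IP Printing (LPR)": [("udp", 161), ("tcp", 515)],
    "Standard TCP/IP Printing (9100)": [("udp", 161), ("tcp", 9100)],
    "IPP Printing": [("udp", 161), ("tcp", 80)],
    "NetSpot Resource Downloader": [("udp", 161), ("udp", 47545)],
    "JBIG Viewer": [("udp", 161), ("tcp", 80)],
    "Security Agent for Single Sign-on": [("tcp", 5678)],
}


def minimal_rules(wanted, source="net", dest="loc"):
    """One ACCEPT line per distinct (proto, port) needed by the services in
    `wanted`, so a port shared by several tools is opened once and the trailing
    comment records which services rely on it.  An unknown service name raises
    KeyError rather than silently opening nothing."""
    needed = {}
    for name in wanted:
        for proto_port in SERVICES[name]:
            needed.setdefault(proto_port, []).append(name)
    lines = []
    for (proto, port), users in sorted(needed.items()):
        lines.append(f"ACCEPT\t{source}\t{dest}\t{proto}\t{port}\t# {', '.join(users)}")
    return lines


def probe_tcp(host, port, timeout=2.0):
    """Attempt a TCP connection from the net side.  'open': handshake completed.
    'closed': a RST came back, so the firewall passed the packet but nothing
    listens there.  'filtered': no answer at all, which is what a DROP policy
    (or the norfc1918 option) looks like from outside."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:  # no route etc.: says nothing about the firewall
        return f"error: {exc.strerror}"


def probe_services(host, wanted):
    """Probe every TCP port the chosen services need, once per port.  UDP ports
    (161, 47545) are reported as not probed; test those with the application."""
    results = {}
    for name in wanted:
        for proto, port in SERVICES[name]:
            key = f"{proto}/{port}"
            if key not in results:
                results[key] = probe_tcp(host, port) if proto == "tcp" else f"{proto}: not probed"
    return results


def demo_probe():
    """Self-contained check that probe_tcp tells open from closed: listen on an
    ephemeral loopback port, probe it, close the listener, probe again."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    listener.close()
    while_closed = probe_tcp("127.0.0.1", port)
    return while_open, while_closed


if __name__ == "__main__":
    chosen = ["Canon driver printing (CPCA)", "Get Device Status", "NetSpot Job Monitor"]
    print("\n".join(minimal_rules(chosen)))   # two rules, not four
    print(demo_probe())
```

Run probe_services from a host on the net side of the firewall against the printer's address after restarting Shorewall; a 'filtered' result on a port you believe you opened usually points back to question 6.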




If you find any errors or omissions, or have a better way, please contact me.