Firewall

Hi,

I have a question about the /etc/services file. If I open ports in the firewall, do I need to alter the /etc/services file in order for certain apps to work?


kpasswd 464/tcp # kpasswd
kpasswd 464/udp # kpasswd

Theodore Ts’o <tytso&MIT.EDU>

# 465 is illegal used by eMail Server
smtps 465/tcp # eMail Server
#urd 465/tcp # URL Rendesvous Directory for SSM

igmpv3lite 465/udp # IGMP over UDP for SSM

Toerless Eckert <eckert&cisco.com>

digital-vrc 466/tcp # digital-vrc
digital-vrc 466/udp # digital-vrc


The above example shows that if the 465/tcp line isn't altered, the Postfix MTA fails to listen on port 465/tcp.
What if there's a bigger span, e.g. 3000:7000 TCP/UDP; is there a need to alter each line by hand?

I do not understand exactly what the computer output means (next time please put computer output between CODE tags: Posting in Code Tags - A Guide), but it is NOT normal to make changes to /etc/services. In principle it is only a table for translation back and forth between port numbers and a word that is better understood by human beings when reading configs and the like. The contents are more or less fixed by a central body (IANA) (especially the lower numbers). Now when you use a different port from the standard, imho the only thing that can happen is that logging and other reporting tools show the other "word" instead of what really happens there. You should of course use the number in configurations, else …

I would also not recommend changing anything there, because an update will overwrite such a system file (and mark that this is not only done on a system upgrade; it could happen whenever IANA publishes a new version of the list).

Interesting point. On an older server I found that an entry for smtps does exist in /etc/services and Postfix works fine with smtps. But on 11.3, that line for 465 has been changed.

I would regard this as a bug in the distro that you should report. /etc/services is, I believe, a compilation; there really isn't a definitive copy, because there is disagreement about the assignment of a port when it has been used independently by different software authors.

Normally you should not edit /etc/services, it is to be regarded as a read-only file, but this could be a case where a mistake has to be corrected. Another way of working around the problem is to replace smtps in /etc/postfix/master.cf with 465.

/etc/services only deals with one port at a time. For a range, there isn't a way of naming a range of ports in /etc/services. That should not affect the firewall though: you would just write the range in the firewall rule, not a name.
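To make the two points above concrete (the earlier reply's description of /etc/services as a name-to-number translation table whose only visible effect is the "word" shown by logging tools, and the later reply's workaround of writing 465 instead of smtps in master.cf), here is an added example that is not part of the thread and not Postfix's own code. It parses /etc/services syntax, resolves the service column of a constructed master.cf fragment the way a daemon that calls getservbyname would, and does the reverse lookup that reporting tools do. The two services tables are built from the excerpt in the first post (one with smtps on 465/tcp, one with the later urd assignment); the master.cf lines and the helper names parse_services, resolve, check_master_cf and service_name are illustrative assumptions.

```python
# Added example, not code from the thread or from Postfix. It models how a
# daemon turns a master.cf service field into a port number via /etc/services,
# and why a numeric field sidesteps the table entirely.

# Constructed from the excerpt in the first post: smtps registered on 465/tcp.
SERVICES_WITH_SMTPS = """\
smtp          25/tcp    mail
kpasswd      464/tcp               # kpasswd
kpasswd      464/udp               # kpasswd
smtps        465/tcp               # eMail Server
digital-vrc  466/tcp               # digital-vrc
"""

# Constructed to look like the later distro file: 465/tcp is urd, smtps is gone.
SERVICES_WITHOUT_SMTPS = """\
smtp          25/tcp    mail
kpasswd      464/tcp               # kpasswd
kpasswd      464/udp               # kpasswd
urd          465/tcp               # URL Rendesvous Directory for SSM
igmpv3lite   465/udp               # IGMP over UDP for SSM
digital-vrc  466/tcp               # digital-vrc
"""

# Constructed master.cf fragment: the submission service by name, then by number.
MASTER_CF = [
    "smtp      inet  n       -       n       -       -       smtpd",
    "smtps     inet  n       -       n       -       -       smtpd",
    "465       inet  n       -       n       -       -       smtpd",
]


def parse_services(text):
    """Parse /etc/services syntax: name port/proto [alias ...] [# comment].

    Returns {(name_or_alias, proto): port}. The first line that defines a
    name wins, as a sequential getservbyname() scan would."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                             # malformed line, ignore it
        name, portproto = fields[0], fields[1]
        port_str, proto = portproto.split("/", 1)
        for alias in [name] + fields[2:]:
            table.setdefault((alias, proto), int(port_str))
    return table


def resolve(field, proto, table):
    """Turn a master.cf service field into a port number.

    Digits are used as-is; anything else is looked up in the services table.
    None means the lookup failed, i.e. the daemon could not bind that entry."""
    if field.isdigit():
        return int(field)
    return table.get((field, proto))


def check_master_cf(lines, table, proto="tcp"):
    """Resolve the first column of each master.cf line.

    Returns a list of (service_field, port_or_None) so a None stands out as
    the entry that would fail to start."""
    results = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        service = line.split()[0]
        results.append((service, resolve(service, proto, table)))
    return results


def service_name(port, proto, table):
    """Reverse lookup, the direction logging and reporting tools use.

    Returns the first name registered for port/proto, else the number as text."""
    for (name, p), value in table.items():
        if p == proto and value == port:
            return name
    return str(port)


if __name__ == "__main__":
    for label, text in (("with smtps", SERVICES_WITH_SMTPS),
                        ("without smtps", SERVICES_WITHOUT_SMTPS)):
        table = parse_services(text)
        print(f"--- /etc/services {label} ---")
        for service, port in check_master_cf(MASTER_CF, table):
            status = f"listens on {port}" if port else "FAILS: unknown service"
            print(f"{service:8} -> {status}")
        print("a log line for 465/tcp would show:", service_name(465, "tcp", table))
```

Run against the second table, the smtps line resolves to None while the 465 line resolves fine, which is exactly the master.cf workaround: the number never touches /etc/services. The reverse lookup shows the other side of the earlier reply's remark: once 465/tcp is named urd, a log line for that port reads "urd" even though the daemon behind it is smtpd. A firewall range such as 3000:7000 needs nothing from this table at all, because the rule already carries the numbers.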