| Port | TCP or UDP | Service or Protocol Name | RFC | /etc/services | Used by / Additional information |
| 7 | TCP/UDP | echo | 792 | echo | - |
| 20 | TCP | File Transport Protocol (FTP) | 959 | ftp-data | - |
| 21 | TCP | FTP control | 959 | ftp | - |
| 22 | TCP | Secure Shell (SSH) | 4250 - 4254 | ssh | - |
| 23 | TCP | Telnet | 854 | telnet | - |
| 25 | TCP | Simple Mail Transfer Protocol (SMTP) | 5321 | smtp |
Mail (for sending email); MobileMe Mail (sending) |
| 53 | TCP/UDP | Domain Name System (DNS) | 1034 | domain | MacDNS, FaceTime |
| 67 | UDP | Bootstrap Protocol Server (BootP, bootps) | 951 | bootps | NetBoot via DHCP |
| 68 | UDP | Bootstrap Protocol Client (bootpc) | 951 | bootpc | NetBoot via DHCP |
| 69 | UDP | Trivial File Transfer Protocol (TFTP) | 1350 | tftp | - |
| 79 | TCP | Finger | 1288 | finger | - |
| 80 | TCP | Hypertext Transfer Protocol (HTTP) | 2616 | http | World Wide Web, MobileMe, QuickTime Installer, iTunes Store and Radio, Software Update, RAID Admin, Backup, iCal calendar publishing, iWeb, WebDAV (iDisk), Final Cut Server, AirPlay, OS X Lion Internet Restore, Profile Manager. |
| 88 | TCP | Kerberos | 4120 | kerberos | - |
| 106 | TCP | Password Server (Unregistered Use) |
- | 3com-tsmux | Mac OS X Server Password Server |
| 110 | TCP | Post Office Protocol (POP3) Authenticated Post Office Protocol (APOP) |
1939 | pop3 | Mail (for receiving email) |
| 111 | TCP/UDP | Remote Procedure Call (RPC) | 1057, 1831 | sunrpc | Portmap (sunrpc) |
| 113 | TCP | Identification Protocol | 1413 | ident | - |
| 115 | TCP | Secure File Transfer Program (SFTP) | 913 | sftp | Note: Some authorities reference a "Simple File Transport Protocol" or "Secured File Transport Protocol" on this port. |
| 119 | TCP | Network News Transfer Protocol (NNTP) | 3977 | nntp | Used by applications that read newsgroups. |
| 123 | TCP/UDP | Network Time Protocol (NTP) | 1305 | ntp | Date & Time preferences. Used for network time server synchronization, AppleTV Network Time Server Sync |
| 137 | UDP | Windows Internet Naming Service (WINS) | - | netbios-ns | - |
| 138 | UDP | NETBIOS Datagram Service | - | netbios-dgm | Windows Datagram Service, Windows Network Neighborhood |
| 139 | TCP | Server Message Block (SMB) | - | netbios-ssn | Used by Microsoft Windows file and print services, such as Windows Sharing in Mac OS X. |
| 143 | TCP | Internet Message Access Protocol (IMAP) | 3501 | imap | Mail (for receiving email); MobileMe Mail (IMAP) |
| 161 | UDP | Simple Network Management Protocol (SNMP) | 1157 | snmp | - |
| 192 | UDP | OSU Network Monitoring System | - | osu-nms | AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant |
| 311 | TCP | Secure server administration | - | asip-webadmin | Server Admin, Workgroup Manager, Server Monitor, Xsan Admin |
| 389 | TCP | Lightweight Directory Access Protocol (LDAP) | 4511 | ldap | Used by applications that look up addresses, such as Mail and Address Book. |
| 427 | TCP/UDP | Service Location Protocol (SLP) | 2608 | svrloc | Network Browser |
| 443 | TCP | Secure Sockets Layer (SSL, or "HTTPS") | 2818 | https | TLS websites, iTunes Store, FaceTime, Game Center, MobileMe (authentication, iDisk, iDisk Sync, and MobileMe Sync), AirPlay, OS X Lion Internet Restore, Profile Manager. |
| 445 | TCP | Microsoft SMB Domain Server | - | microsoft-ds | - |
| 464 | TCP/UDP | kpasswd | 3244 | kpasswd | - |
| 497 | TCP/UDP | Dantz Retrospect | - | dantz | - |
| 500 | UDP | ISAKMP/IKE | - | isakmp | Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later). |
| 514 | TCP | shell | - | shell | - |
| 514 | UDP | Syslog | - | syslog | - |
| 515 | TCP | Line Printer (LPR), Line Printer Daemon (LPD) | - | printer | Used for printing to a network printer, Printer Sharing in Mac OS X. |
| 532 | TCP | netnews | - | netnews | - |
| 548 | TCP | Apple Filing Protocol (AFP) over TCP | - | afpovertcp | AppleShare, Personal File Sharing, Apple File Service |
| 554 | TCP/UDP | Real Time Streaming Protocol (RTSP) | 2326 | rtsp | QuickTime Streaming Server (QTSS), streaming media players, AirPlay |
| 587 | TCP | Message Submission for Mail (Authenticated SMTP) | 4409 | submission | Mail (for sending mail), MobileMe Mail (SMTP authentication) |
| 600-1023 | TCP/UDP | Mac OS X RPC-based services | - | ipcserver | Used by NetInfo, for example. |
| 623 | UDP | Lights-Out-Monitoring | - | asf-rmcp | Used by Intel Xserves' Lights-Out-Monitoring (LOM) feature; used by Server Monitor |
| 625 | TCP | Directory Service Proxy (DSProxy) (Unregistered Use) | - | dec_dlm | DirectoryService, Open Directory Assistant, Workgroup Manager. Note: This port is registered to DEC DLM. |
| 626 | TCP | AppleShare Imap Admin (ASIA) | - | asia | IMAP Administration (Mac OS X Server 10.2.8 or earlier, AppleShare IP 6) |
| 626 | UDP | serialnumberd (Unregistered Use) | - | asia | Server serial number registration (Xsan, Mac OS X Server v10.3 - v10.6) |
| 631 | TCP | Internet Printing Protocol (IPP) | 2910 | ipp | Mac OS X Printer Sharing, Printing to many common printers |
| 636 | TCP | Secure LDAP | - | ldaps | - |
| 660 | TCP | MacOS Server Admin | - | mac-srvr-admin | Server Admin (both AppleShare IP and Mac OS X Server), Server settings |
| 687 | TCP | Server administration | - | asipregistry | Server app, Server Admin, Workgroup Manager, Server Monitor, Xsan Admin |
| 749 | TCP/UDP | Kerberos 5 admin/changepw | - | kerberos-adm | - |
| 985 | TCP | NetInfo Static Port | - | - | - |
| 993 | TCP | Mail IMAP SSL | - | imaps | MobileMe Mail (SSL IMAP) |
| 995 | TCP/UDP | Mail POP SSL | - | pop3s | - |
| 1085 | TCP/UDP | WebObjects | - | webobjects | - |
| 1099 & 8043 | TCP | Remote RMI and IIOP Acess to JBOSS | - | rmiregistry | - |
| 1220 | TCP | QT Server Admin | - | qt-serveradmin | Used for administration of QuickTime Streaming Server. |
| 1640 | TCP | Certificate Enrollment Server | - | cert-responder | Profile Manager, SCEP |
| 1649 | TCP | IP Failover | - | kermit | - |
| 1701 | UDP | L2TP | - | l2f | Mac OS X Server VPN service |
| 1723 | TCP | PPTP | - | pptp | Mac OS X Server VPN service |
| 2049 | TCP/UDP | Network File System (NFS) (version 3 and 4) | 1094 | nfsd | - |
| 2195 | TCP | Apple Push Notification Service (APNS) | - | - | Push notifications |
| 2196 | TCP | Apple Push Notification Service (APNS) | - | - | Feedback service |
| 2336 | TCP | Mobile account sync | - | appleugcontrol | Home directory synchronization |
| 3004 | TCP | iSync | - | csoftragent | - |
| 3031 | TCP/UDP | Remote AppleEvents | - | eppc | Program Linking, Remote Apple Events |
| 3283 | TCP/UDP | Net Assistant | - | net-assistant | Apple Remote Desktop 2.0 or later (Reporting feature) |
| 3306 | TCP | MySQL | - | mysql | - |
| 3478-3497 | UDP | - | - | nat-stun-port - ipether232port | FaceTime, Game Center |
| 3632 | TCP | Distributed compiler | - | distcc | - |
| 3659 | TCP/UDP | Simple Authentication and Security Layer (SASL) | - | apple-sasl | Mac OS X Server Password Server |
| 3689 | TCP | Digital Audio Access Protocol (DAAP) | - | daap | iTunes Music Sharing, AirPlay |
| 4111 | TCP | XGrid | - | xgrid | - |
| 4398 | UDP | - | - | - | Game Center |
| 4488 | TCP/UDP | Apple Wide Area Connectivity Service | awacs-ice | Back To My Mac | |
| 4500 | UDP | IKE NAT Traversal | - | ipsec-msft | Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later). Note: VPN and MobileMe are mutually exclusive when configured through an Apple access point (such as an AirPort Base Station); MobileMe will take precedence. |
| 5003 | TCP | FileMaker - name binding and transport | - | fmpro-internal | - |
| 5009 | TCP | (Unregistered Use) | - | winfs | AirPort Admin Utility, AirPort Express Assistant |
| 5060 | UDP | Session Initiation Protocol (SIP) | 3261 | sip | iChat |
| 5100 | TCP | - | - | socalia | Mac OS X camera and scanner sharing |
| 5190 | TCP/UDP | America Online (AOL) | - | aol | iChat and AOL Instant Messenger, file transfer |
| 5222 | TCP | XMPP (Jabber) | 3920 | jabber-client | iChat and Jabber messages |
| 5223 | TCP | XMPP over SSL, Apple Push Notification Service | - | - | MobileMe (Automatic sync notifications) (see note 9), APNs, FaceTime, Game Center |
| 5269 | TCP | XMPP server-to-server communication | 3920 | jabber-server | iChat Server |
| 5297 | TCP | - | - | - | iChat (local traffic), Bonjour |
| 5298 | TCP/UDP | - | - | - | iChat (local traffic), Bonjour |
| 5353 | UDP | Multicast DNS (MDNS) | 3927 | mdns | Bonjour (mDNSResponder), AirPlay, Home Sharing, Printer Discovery |
| 5354 | TCP | Multicast DNS Responder | - | mdnsresponder | Back to My Mac |
| 5432 | TCP | PostgreSQL | - | postgresql | May be enabled manually on Lion Server. Previously enabled by default for ARD 2.0 Database. |
| 5678 | UDP | SNATMAP server | - | rrac | The SNATMAP service on port 5678 is used to determine the external Internet address of hosts so that connections between iChat users can properly function behind network address translation (NAT). The SNATMAP service simply communicates to clients the Internet address that connected to it. This service runs on an Apple server, but does not send personal information to Apple. When certain iChat AV features are used, this service will be contacted. Blocking this service may cause issues with iChat AV connections with hosts on networks that use NAT. |
| 5897-5898 | UDP | (Unregistered Use) | - | - | xrdiags |
| 5900 | TCP | Virtual Network Computing (VNC) (Unregistered Use) |
- | vnc-server | Apple Remote Desktop 2.0 or later (Observe/Control feature) Screen Sharing (Mac OS X 10.5 or later) |
| 5988 | TCP | WBEM HTTP | - | wbem-http | Apple Remote Desktop 2.x (see http://www.dmtf.org/about/faq/wbem) |
| 6970-9999 | UDP | - | - | - | QuickTime Streaming Server |
| 7070 | TCP | RTSP (Unregistered Use) Automatic Router Configuration Protocol (ARCP - Registered Use) |
- | arcp | QuickTime Streaming Server (RTSP) |
| 7070 | UDP | RTSP alternate | - | arcp | QuickTime Streaming Server |
| 7777 | TCP | iChat server file transfer proxy (unregistered use) | - | cbt | - |
| 8000-8999 | TCP | - | - | irdmi | Web service, iTunes Radio streams |
| 8005 | TCP | Tomcat remote shutdown | - | - | - |
| 8008 | TCP | iCal service | - | http-alt | Mac OS X Server v10.5 and later |
| 8080 | TCP | Alternate port for Apache web service | - | http-alt | - |
| 8085-8087 | TCP | Wiki service | - | - | Mac OS X Server v10.5 and later |
| 8088 | TCP | Software Update service | - | radan-http | Mac OS X Server v10.4 and later |
| 8089 | TCP | Web email rules | - | - | Mac OS X Server v10.6 and later |
| 8096 | TCP | Web Password Reset | - | - | Mac OS X Server v10.6.3 and later |
| 8170 | TCP | HTTPS (web service/site) | - | - |
Podcast Capture/podcast CLI |
| 8171 | TCP | HTTP (web service/site) | - | - |
Podcast Capture/podcast CLI |
| 8175 | TCP | Pcast Tunnel | - | - | pcastagentd (for control operations, camera and so on) |
| 8443 | TCP | iCal service (SSL) | - | pcsync-https | Mac OS X Server v10.5 and later |
| 8800 | TCP | Address Book service | - | sunwebadmin | Mac OS X Server v10.6 and later |
| 8843 | TCP | Address Book service (SSL) | - | - | Mac OS X Server v10.6 and later |
| 8821, 8826 |
TCP | Stored | - | - | Final Cut Server |
| 8891 | TCP | ldsd | - | - | Final Cut Server (data transfers) |
| 9006, 8080, 8443 | - | HTTP and HTTPS ports for Tomcat Standalone and JBOSS (J2EE) | - | -, http-alt, pcsync-https | - |
| 11211 | - | memcached (unregistered) | - | - | iCal Server |
| 16080 | TCP | - | - | - | Web service with performance cache |
| 16384-16403 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | - | connected, - | iChat AV (Audio RTP, RTCP; Video RTP, RTCP) |
| 16384-16387 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | - | connected, - | FaceTime, Game Center |
| 16393-16402 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | - | - | FaceTime, Game Center |
| 16403-16472 | UDP | Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) | - | - | Game Center |
| 24000-24999 | TCP | - | - | med-ltp | Web service with performance cache |
| 42000-42999 | TCP | - | - | - | iTunes Radio streams |
| 49152-65535 | TCP | Xsan | - | - | Xsan Filesystem Access |
| 50003 | - | FileMaker server service | - | - | - |
| 50006 | - | FileMaker helper service | - | - | - |
/ip firewall connection print
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \ action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1dwhere LIMIT is max. number of connection per IP. LIMIT should be 100 or higher as many services use multiple connection (HTTP, Torrent, other P2P programs).
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \ connection-limit=3,32 action=tarpit
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \ action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes /ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \ action=accept comment="" disabled=no /ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \ action=drop comment="" disabled=no"syn limit=400" is a threshold, just enable rule in forward for syn packets to get dropped (for excessive amount of new connection)
/ip firewall connection tracking set tcp-syncookie=yes
[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
0 name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip> [admin@Remote] interface eoip> add name="eoip" tunnel-id=0 \
\... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
0 name=eoip mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0
[admin@Remote] interface eoip>[admin@Our_GW] interface bridge> add
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 eoip-remote bridge1 128 10
1 office-eth bridge1 128 10
[admin@Our_GW] interface bridge>[admin@Remote] interface bridge> add
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00
protocol-mode=none priority=0x8000 auto-mac=yes
admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s
transmit-hold-count=6 ageing-time=5m
[admin@Remote] interface bridge> port add bridge=bridge1 interface=ether
[admin@Remote] interface bridge> port add bridge=bridge1 interface=eoip-main
[admin@Remote] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST
0 ether bridge1 128 10
1 eoip-main bridge1 128 10
[admin@Remote] interface bridge>
/ interface bridge
add name="bridge1"
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
/ interface bridge settings
set use-ip-firewall=yes
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn \
passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \
new-packet-mark=other passthrough=no
/ queue simple
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000
add name="http" parent=main packet-marks=http max-limit=240000/500000 priority=1
add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000 priority=8
add name="other" parent=main packet-marks=other max-limit=128000/128000 priority=4