Port Numbers for Port Forwarding

These are common programs and the ports they use for network access.

A complete IANA Ports list can be found here.

The author of any software that requires access through your firewall should have complete information and instructions on the process, so consult them if this port information doesn't work!

For a description of port forwarding and configuration instructions for Netgear routers see How is Port Forwarding Configured?

Go to the router's Port Forwarding menu to enter the port numbers and IP address of the server. The usual default IP range for most routers is 192.168.0.x or 192.168.1.x, and the router's default address is usually 192.168.0.1 or 192.168.1.1, but you can go to a command prompt and type

  IPCONFIG /ALL

which will tell you the IP address of your computer and the gateway address, which is usually the address of the router.

What is a DMZ

Using a DMZ is a very simple and risky way to forward ports. The DMZ takes the IP address of a computer on your network and forwards all ports to that computer. This is really nice if you are having problems forwarding ports for some program, and it can be a life saver if your router will not allow you to properly forward ports. It also has a huge downside: the computer that is in the DMZ is now wide open to internet traffic, meaning that it will catch viruses and it will be at risk of being hacked. If you put a computer into the DMZ then please install a software firewall (e.g. ZoneAlarm; the Windows firewall in Windows 7 and 8 is also normally sufficient) to help protect it.

Domain Blocking

Domain blocking is very similar to URL blocking. URL blocking allows or prevents computers from accessing certain websites. Domain blocking allows or prevents certain computers from accessing anything from certain domains. A domain may have only one IP address, but many IP addresses may also be linked to the one domain name.

You really have two options with domain blocking: allow or deny. If you allow by default, you are allowing access to everything, and you can then specify certain domains to prevent access to. Most routers use keywords to block domains, and the more specific you can make these keywords the better. If you want to block funforless.com, use the keyword funforless. This will block any domain name with funforless in it, so it would block funforless.com, and it would also block bobsfunforless.com. The shorter the keywords, the more domains will be blocked. Let's say we chose fun, for, and less as our keywords. That would block funforless.com as well, but it would also block sportsfun.com, newsforteens.com, and skatefunpark.net. Keep in mind this is not only blocking access to websites: it also blocks FTP access, P2P access, news, everything to the matched domains. So be careful with this tool.

If you deny, then by default you are denying access to every domain. This is a good choice if you want your users to access only certain websites. This uses keywords as well: everything is denied by default, and then you specify the domains you want to allow access to. It is as simple as that. Let us say you want to allow your users to view MSN.com. Just specify msn. Keep in mind that this will allow them to access every domain with msn in it.
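The keyword matching described above, as an added example written for this page (it is not any router's firmware): it applies a keyword list under both default policies and lets you preview which names a keyword list would catch before you turn it on. The domain list is constructed for the demonstration.

```python
# Added example (not router firmware): keyword domain blocking under the two
# default policies described above, plus a preview of what a keyword list catches.

ALLOW_BY_DEFAULT = "allow"   # keywords act as a deny list
DENY_BY_DEFAULT = "deny"     # keywords act as an allow list


def matches(domain, keywords):
    """True if any keyword appears anywhere in the domain name (case-insensitive),
    which is how a router's substring keywords behave."""
    name = domain.lower()
    return any(k.lower() in name for k in keywords)


def is_permitted(domain, keywords, mode):
    """Decide whether a domain is reachable under the chosen default policy."""
    hit = matches(domain, keywords)
    if mode == ALLOW_BY_DEFAULT:
        return not hit
    if mode == DENY_BY_DEFAULT:
        return hit
    raise ValueError("unknown mode: %r" % mode)


def blocked_domains(keywords, domains, mode=ALLOW_BY_DEFAULT):
    """Preview the collateral damage of a keyword list before enabling it."""
    return [d for d in domains if not is_permitted(d, keywords, mode)]


# Constructed sample of names, including the ones discussed in the text above.
SAMPLE = ["funforless.com", "bobsfunforless.com", "sportsfun.com",
          "newsforteens.com", "skatefunpark.net", "example.org"]

if __name__ == "__main__":
    print(blocked_domains(["funforless"], SAMPLE))          # two funforless names
    print(blocked_domains(["fun", "for", "less"], SAMPLE))  # everything but example.org
    print(is_permitted("msnbc.com", ["msn"], DENY_BY_DEFAULT))  # True: msn matches msnbc too
```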

Filtering

In order to understand what IP filtering does, you need to have a general idea of what a network is. I will try to lay out the components of a network in a simple yet honest fashion. Once that has been done, I will tell you what IP filtering does. If you have a good working knowledge of networking, or have read this before, by all means skip to the end.

Let's start with a very general network.

In the network we have one router/firewall and three computers. The router/firewall on this network provides internet access to the three computers below it. Any data (information) that flows to or from your network is referred to as traffic, so when you send an email, traffic is created on your network. The router's primary job is to route the traffic that is flowing to and from your network. We will go over this in more detail later on.

Let's take another look at this general network.

This network is divided up into two parts. The WAN (Wide Area Network) is represented in this figure by a blue circle. The LAN (Local Area Network) is represented by a green circle. These networks are kept separate by your router. Computers on the WAN (internet) cannot directly communicate with the computers on the LAN (your network), and computers on the LAN cannot directly communicate with computers on the WAN. When a computer on the WAN wants to communicate with a computer on the LAN, the computer on the WAN must send the data to your router. The router then passes that data on to the computer in your LAN. The same thing is true for a computer on your LAN. When a computer on your LAN wants to send data to a computer on the WAN, it passes the data to the router. The router then sends that data out on the internet. The router needs to know where it is sending the data before it can send it to the right place.

I'm going to talk about MAC addresses and IP addresses. Every device that can connect to the internet has a MAC (Media Access Control) address. A MAC address is sometimes called a physical address. It is called a physical address because every physical component that connects to the internet has one; you can consider it physically labelled on the device. As far as we are concerned the MAC address never changes, and never changing gives it another property that resembles a physical component.

By itself the MAC address is not all that useful, because computers cannot communicate with just a MAC address. They need an IP address as well. The IP address is a set of numbers that is bound to the MAC address, usually when the device is turned on. When you boot your computer, it gets on the internet by obtaining an IP address and binding it to the MAC address of your network card. Along with the IP address it also gets the default gateway, which is the IP address of the router. Now the computer knows how to send information to the internet (through the router), and the router knows how to send information to your computer (to its IP address). One other thing your computer gets when it boots up is a subnet mask. The subnet mask basically tells your computer how many other IP addresses are in the group of IP addresses it belongs to. If you want to know more about subnets, take a look at our Subnetting page. Well, let's go ahead and assign IP addresses and MAC addresses on our network. I'm going to leave the subnets off. The default gateway for all the computers on this network is the internal IP address of the router.

In the picture above the IP addresses are the numbers that have the 10.0.0.x form, and the MAC addresses have the xx-xx-xx-xx-xx-xx form. These are the standard forms of MAC addresses and IP addresses. The numbers will be different for every network, but MAC addresses will always have dashes and IP addresses will always have periods. Take note that your router has two IP addresses and two MAC addresses. One of your router's IP addresses is an external IP address, the other is an internal IP address. You can think of these two addresses as doors. The external IP address is a door into your network from the internet. The internal IP address is a door from your network to the internet. When a computer on your network wants to send data to the internet, it actually sends the data to the internal IP address of your router. The router then passes that data out onto the internet. When a computer on the internet wants to send data to a computer on your network, it sends the data to your router's external IP address. The router then decides whether it should send that data on to a computer on your network.

IP Filtering

IP filtering is very simple. You can do two things with IP filtering. First, you can prevent certain IP addresses from accessing the internet. Every IP address has a set of ports. Second, IP filtering can also block certain ports from accessing the internet. I'm going to break this explanation down into two sections, because IP filtering can do two completely separate things.

Preventing an ip address from accessing the internet.

IP filtering allows you to prevent a single IP address or a range of IP addresses from accessing the internet. Doing this will prevent them from getting email, viewing web pages, using P2P software, FTPing files, basically doing anything internet related. While this sounds pretty powerful, it is actually pretty worthless. Let's say that you prevent someone on the IP address 192.168.1.5 from accessing the internet. It is very easy for them to change their IP address. If they changed it to something like 192.168.1.6 they would have full access to the internet. Blocking a range of IP addresses does not really help out either. They would only have to steal the IP address of a computer that had internet access to regain their internet access. If you want to prevent certain computers from accessing the internet, you would be much better off using a MAC filtering option. With MAC filtering you can specify which MAC addresses you want to allow to connect to the internet. MAC addresses are physical addresses, and very hard to change.

The real power of IP filtering comes with the ability to block ports. Let's say that you want to prevent coworkers from using BitTorrent at work. All you would have to do is specify all IP addresses, usually done with an asterisk, and then specify the port range used by BitTorrent. You wouldn't even need to specify all the ports; just a couple would probably prevent it from working. Port 6969 is vital to that program. You could do the same thing for many other applications. Afraid coworkers are talking too much at work? Shut down their ICQ/AIM/Yahoo Messenger by blocking the ports required by those programs. You can do this without affecting certain people; just leave certain IP addresses out of the blocked range.
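An IP-filter rule set of the kind described in the two sections above, as an added example written for this page rather than any router's own implementation: rules match a source address (a single IP, a CIDR range, or "*" for everyone) and a destination port range, the first match wins, and an allow rule placed ahead of a block rule is the "leave certain IP addresses out" exception. The addresses and the rule list are constructed for the demonstration; the block on 192.168.1.5 also shows why a per-address block is evaded just by moving to 192.168.1.6.

```python
# Added example (not any router's firmware): an ordered IP-filter rule list matched
# by source address and destination port range. Unmatched traffic is allowed, because
# IP filtering as described above is a deny list on top of a default-allow LAN.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class FilterRule:
    sources: str           # "*" for all LAN addresses, a single IP, or a CIDR range
    port_lo: int
    port_hi: int
    action: str = "block"  # "block" or "allow"; an allow rule placed first is an exception

    def matches(self, src_ip, dst_port):
        if not (self.port_lo <= dst_port <= self.port_hi):
            return False
        if self.sources == "*":
            return True
        # strict=False lets a plain host address be treated as a /32 network
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.sources, strict=False)


def outbound_allowed(src_ip, dst_port, rules):
    """Evaluate the rule list in order; the first matching rule decides, no match means allow."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action == "allow"
    return True


# Constructed policy: keep BitTorrent off the network (the text singles out 6969),
# except for one exempt workstation, and cut 192.168.1.5 off entirely.
RULES = [
    FilterRule("192.168.1.10", 6969, 6969, "allow"),   # exception must come before the block
    FilterRule("*", 6881, 6999, "block"),               # typical BitTorrent port range
    FilterRule("192.168.1.5", 1, 65535, "block"),       # one host, every port
]

if __name__ == "__main__":
    for ip, port in [("192.168.1.7", 6969), ("192.168.1.10", 6969),
                     ("192.168.1.5", 80), ("192.168.1.6", 80)]:
        print(ip, port, outbound_allowed(ip, port, RULES))
```

The last two checks print False and True: the same person on the next address is no longer matched, which is the weakness the text describes and the reason it recommends MAC filtering for per-computer blocking.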

Firewalling

In order to understand what a router/firewall does, you need to have a general idea of what a network is. The components of a network are laid out in the Filtering section above in a simple yet honest fashion; with that in mind, I will try to conceptually break down firewalling.

When we set up firewalling we are telling the router which computers (IP addresses) we will allow data to be sent to. We can define rules for data that is coming into our network, and for data that is travelling out of our network.

Firewalling (more info)

Generally when you set up a firewall, you want to set it up to block everything coming into your network. Most people don't really care about what is leaving their network, because they are causing the outgoing traffic to be sent. For instance, a virus-free network would almost never catch a virus if it was not plugged into the internet. Viruses come from somewhere, usually infected computers on the internet, so if you prevent those computers from sending you information, you protect your computers from viruses. The same is true for hackers: prevent access to your network from the internet, and unless you know a hacker, you will never be hacked. So after everything is blocked, we can then go back and allow the traffic that needs to be allowed into the network. Some traffic needs to be allowed into your network, for example for applications that require port forwarding. I'm going to write guides on how to block traffic and allow it through various routers. It has to be done per router, because every router is different. Please keep in mind the concepts presented above. Knowing them will make your configuration go much easier.

Service          | Notes                                                   | Port Numbers
HTTP             | Only required if you are hosting your own web server    | 80
FTP              | Only required if you are hosting your own FTP server    | 21
TELNET           | Only required if you wish telnet access to a computer   | 23
POP3             | For email access                                        | 110
SMTP             | For email access                                        | 25
NTP              | Only required if you are hosting your own NEWS server   | 123
PPTP VPN         | To allow software VPN access to a server on your LAN    | 1723
IMAP             | For remote email access to an Exchange server           | 143
SQL Server       | Microsoft SQL Server                                    | 1433
MySQL            | MySQL Database                                          | 3306
WTS-RDP          | Windows Terminal Services (Remote Desktop)              | 3389
PC-Anywhere      | PC-Anywhere (Remote Support)                            | 5631, 5632 TCP/UDP
SSH              | SSH (Security)                                          | 22
VNC              | VNC or Tight-VNC (Remote Support)                       | 5500, 5800, 5900
Win F&P Sharing  | Normally only allowed for a specific WAN address        | TCP 139, 445; UDP 137, 138

Application                       | Notes                                                                 | Port Numbers
AOL                               |                                                                       | 5190 - 5193
AOL Instant Messenger (AIM)       |                                                                       | 5190
AOL ICQ                           | See ICQ Firewall Settings                                             | 5190, dynamic > 1024
BAYVPN                            |                                                                       | 500
CarbonCopy32                      |                                                                       | 1023 - 1680
CITRIX                            |                                                                       | 1494
Cu-SeeMe Cornell 1.1              | As White Pine CuSeeMe uses dedicated ports to transmit and receive, only one local CuSeeMe is allowed in a LAN. | 7648
Cu-SeeMe White Pine 3.1.2 and 4.0 |                                                                       | 7648, 24032
Direct Connect                    |                                                                       | 375 - 425
FW1VPN                            |                                                                       | 259
ICQ                               | For file transfer: ICQ -> Preference > Connections > Firewall. Set timeout to 80 seconds. | None for chat
IPTV                              | Cisco IPTV 2.0.0                                                      | None
Laplink                           |                                                                       | 1547
Lotus Notes                       |                                                                       | 1352
mIRC                              |                                                                       | None (N)
MSN Messenger (Including Voice)   | See this Microsoft Link for detailed info, including Windows 2000 problems | 6901 & 6891 - 6900
NetMeeting 2.1 and 2.11           | See How to Establish NetMeeting Connections Through a Firewall. With NAT enabled, NetMeeting users in a LAN cannot connect to one remote NetMeeting user, as the remote user is unable to distinguish between LAN users. But NAT allows one local NetMeeting user to connect to multiple Internet users at a time. | 1720, 1503
PC Anywhere                       | Host must be on the LAN side and set.                                 | 22, 5631 - 5632
RealPlayer                        | RealPlayer G2                                                         | None
Remote Anything                   |                                                                       | 3996 - 4000
Shiva VPN                         | Set the mobile option to be your public IP address.                   | 2233
VNC (Virtual Network Computing)   |                                                                       | 5500, 5800, 5900
VDOLive                           |                                                                       | None
Vonage VoIP Phone Service         |                                                                       | 5060 - 5070, 10000 - 25000

Game                    | Notes                                                                 | Ports
Age of Empires II       |                                                                       | 23978
Aliens vs. Predator     |                                                                       | 80, 2300 - 2400, 8000 - 8999
Asheron's Call          | May need to open MSN DX ports.                                        | 9000 - 9013
Baldur's Gate           |                                                                       | 15000
Black and White         |                                                                       | 2611 - 2612, 6500, 6667, 27900
Civilization 3          | Consult this page (you'll have to click through an ad). Civilization Conquests users should also consult the manual, starting p. 47. | 80, 6500, 6667, 13139, 27900, 28900, 29900, 29901
Civilization 4          | (Running GameSpy) Consult this forum page.                            | 6667 (IRC), 2033 (Civ 4), 2056 (Civ 4), 2300 - 2400 (DirectPlay, UDP), 3784 (Voice Chat Port), 6500 (Query Port), 27900 (Master Server UDP Heartbeat), 28900 (Master Server List Request), 29900 (GP Connection Manager), 29901 (GP Search Manager), 47624 (DirectPlay), 13139 (Custom UDP Pings)
Dark Reign 2            |                                                                       | 26214
Delta Force             |                                                                       | 3100, 3568, 3999
Dune 2000               |                                                                       | 1140 - 1234, 4000
Dungeon Siege           |                                                                       | 19271
Elite Force             |                                                                       | 26000, 27500, 27910, 27960
Everquest               |                                                                       | 1024 - 6000, 7000
F-22 Lightning 3        |                                                                       | 4533 - 4660
Fighter Ace II          |                                                                       | 50000 - 50100
Fighter Ace II (DX)     |                                                                       | 2300 - 2400, 47624, 50000 - 50100
Guild Wars              |                                                                       | 6112
Half Life               |                                                                       | 27015
Heretic II              |                                                                       | 28910
Hexen II                | Each computer must use a different port number. Add 1 for each player starting with 26900. | 26900 (+1 for each player)
KALI                    | Each computer must use a different port number. Add 1 for each player starting with 2213. | 2213 (+1 for each player), 6666
MSN Game Zone           |                                                                       | 6667, 28800 - 29000
MSN Game Zone (DX)      |                                                                       | 2300 - 2400, 47624
Myth                    |                                                                       | 3453
Need for Speed          |                                                                       | 9442
Need for Speed 3        |                                                                       | 1030
Outlaws                 |                                                                       | 5310
Quake III               | Each computer uses a different port number. Add 1 for each player starting with 27660. Certain Quake servers do not allow multiple users to log in using the same unique IP, so only one Quake user will be allowed in this case. In addition, when a Quake server is configured behind NAT, the router will not be able to provide information about that server on the Internet. | 27660 (+1 for each player)
Rainbow Six             |                                                                       | 2346
Rogue Spear             |                                                                       | 2346
StarCraft               |                                                                       | 6112
Tiberian Sun            |                                                                       | 1140 - 1234, 4000
Ultima                  |                                                                       | 5001 - 5010 (Game), 7775 - 7777 (Login), 8888, 9999 (Patch), 8800 - 8900 (Messenger), 7875 (Monitor)
Unreal Tournament       | Need to modify the [UWeb.WebServer] section of the server.ini file: set ListenPort to 8080; set ServerName to the public IP of your router. | 7777 (game), 7778 (server), 7779 - 7783 (UdpLink), 27900 (server query), 8080 (UT Server Admin)
Windows VPN             |                                                                       | 1723
XBox                    | There are known problems with XBox Live Network, see Cannot Log On XBox with Router (XBox incorrectly says 3074 is unnecessary in all cases). | 88, 3074

Since NAT causes your LAN to appear as a single computer to the Internet, it is normally impossible to configure more than one server using the same port on the same LAN behind NAT. One way to overcome this is to forward traffic on port-X to IP-Addr-1 if the remote IP is IP-Addr-2, but to forward traffic on port-X to IP-Addr-3 if the remote IP is IP-Addr-4.
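The inbound side of all of this in one place, as an added example written for this page (not any vendor's implementation): the per-remote-IP forwarding trick just described, the default-deny inbound posture from the Firewalling section, and the DMZ host from the DMZ section acting as a catch-all. The internal and remote addresses are constructed; the exposed_ports check is the number a practitioner should look at before enabling a DMZ.

```python
# Added example (not any vendor's implementation): how a NAT router decides where an
# inbound packet goes. Explicit forwards are checked first, each optionally limited to a
# remote address or range (the per-remote-IP trick described above); the DMZ host, if
# set, catches everything else; with no DMZ the packet is dropped (default deny).
import ipaddress


class NatRouter:
    def __init__(self, dmz_host=None):
        self.forwards = []      # (port_lo, port_hi, remote network or None, internal IP)
        self.dmz_host = dmz_host

    def forward(self, port_lo, port_hi, internal_ip, remote=None):
        """Forward a port range to an internal host, optionally only from one remote IP or range."""
        net = ipaddress.ip_network(remote, strict=False) if remote else None
        self.forwards.append((port_lo, port_hi, net, internal_ip))

    def route_inbound(self, remote_ip, dst_port):
        """Return the internal IP that receives the packet, or None if the router drops it."""
        remote = ipaddress.ip_address(remote_ip)
        for lo, hi, net, internal in self.forwards:
            if lo <= dst_port <= hi and (net is None or remote in net):
                return internal
        return self.dmz_host    # None when no DMZ host is configured

    def exposed_ports(self, remote_ip):
        """How many ports an arbitrary remote host can reach: 1 forward vs. a whole DMZ."""
        return sum(1 for p in range(1, 65536)
                   if self.route_inbound(remote_ip, p) is not None)


def build_example(dmz_host=None):
    """Constructed LAN: web server on .20, RDP on .30 for one office range only,
    and two SSH hosts that share port 22, split by the remote address (the port-X case)."""
    r = NatRouter(dmz_host)
    r.forward(80, 80, "192.168.1.20")
    r.forward(22, 22, "192.168.1.40", remote="203.0.113.5")
    r.forward(22, 22, "192.168.1.41", remote="203.0.113.6")
    r.forward(3389, 3389, "192.168.1.30", remote="203.0.113.0/24")
    return r


if __name__ == "__main__":
    print(build_example().exposed_ports("198.51.100.1"))                  # 1 (just port 80)
    print(build_example("192.168.1.50").exposed_ports("198.51.100.1"))    # 65535 (DMZ host)
```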