TCP Port Numbers Commonly Used by Macintosh Services
For the latest information on port numbers, see the list on our Web site.
Port | Usage | Reference | Notes |
--- | --- | --- | --- |
20 | FTP Data | RFC 959 | Only used as a source port |
21 | FTP Control | RFC 959 | |
23 | Telnet | RFC 854 | Common port for attacks |
25 | SMTP (email) | RFC 821, 822 | |
53 | DNS | RFC 1034, 1035 | Mainly uses UDP, not TCP |
70 | Gopher | RFC 1436 | |
79 | Finger | RFC 1288 | |
80 | HTTP (Web) | RFC 1945 | |
88 | Kerberos | RFC 1510 | |
105 | PH (directory) | | |
106 | Poppass (change password) | Wesleyan tech note | |
110 | POP3 (email) | RFC 1081, 1082 | |
111 | Remote Procedure Call (RPC) | RFC 1057 | Used for Java |
113 | AUTH | RFC 931 | |
119 | NNTP (News) | RFC 977 | |
139 | NETBIOS Session | RFCs 1001, 1002 | Windows access (ASIP 6) |
143 | IMAP (new email) | RFC 2060 | |
311 | AppleShare Web Admin | ASIP Tech note | ASIP 6.1 and later |
384 | ARNS (tunneling) | Univ. of Melbourne | |
387 | AURP (tunneling) | RFC 1504 | |
389 | LDAP (directory) | RFC 1777, 1778 | |
407 | Timbuktu 5.2 or later | Netopia technote | Previous versions use other ports |
427 | SLP (service location) | RFC 2165 | Only uses TCP for large responses |
443 | SSL (HTTPS) | Draft RFC | |
497 | Retrospect | | UDP for finding clients |
510 | FirstClass server | SoftArc tech note | |
515 | LPR (printing) | RFC 1179 | |
548 | AFP (AppleShare) | AFP 2.2 spec | |
554 | RTSP (QuickTime server) | Apple tech note | Also uses UDP 6970+ |
591 | FileMaker Pro Web | FileMaker tech note | Recommended alternate to 80 |
626 | IMAP Admin | Apple extension in ASIP 6 | |
660 | ASIP Remote Admin | ASIP 6.3 and later | |
666 | Now Contact Server | Eudora tech note | Violates actual port assignment |
687 | ASIP Shared U? Port | ASIP Tech note | ASIP 6.2 and later |
1080 | WebSTAR Admin | StarNine FAQ | WebSTAR port number plus 1000 |
1417 | Timbuktu Control (pre-5.2) | Netopia technote | Login is through UDP Port 407 |
1418 | Timbuktu Observe (pre-5.2) | Netopia technote | Login is through UDP Port 407 |
1419 | Timbuktu Send Files (pre-5.2) | Netopia technote | Login is through UDP Port 407 |
1420 | Timbuktu Exchange (pre-5.2) | Netopia technote | Login is through UDP Port 407 |
1443 | WebSTAR/SSL Admin | StarNine FAQ | WebSTAR port number plus 1000 |
3031 | Program Linking (Apple Events) | Mac OS 9 and later | |
4000 | Now Public Event Server | Eudora tech note | |
4199 | EIMS Admin | EIMS Users Guide | |
4347 | LANsurveyor Responders | Neon tech note | Uses UDP also |
5003 | FileMaker Pro | FileMaker tech note | Direct access, not through Web; UDP for host list |
5190 | AOL Instant Messenger | AOL tech note | |
5498 | Hotline Tracker | Hotline tech note | UDP port 5499 for finding servers |
5500 | Hotline Server | Hotline tech note | |
5501 | Hotline Server | Hotline tech note | |
6699 | Napster/Macster client | Apparent usage | Used when server is in "firewall mode" |
7070 | Real Player | Real tech note | Also UDP ports 6970-7170 |
7648 | CuSeeMe (video) | White Pine tech note | Client connections; UDP for audio/video |
7649 | CuSeeMe (video) | White Pine tech note | Connection establishment |
19813 | 4D server | ACI US tech note | Previously 14566 (6.0 and earlier) |
UDP Port Numbers Commonly Used by Macintosh Services
Port | Usage | Reference | Notes |
--- | --- | --- | --- |
53 | DNS | | Sometimes uses TCP |
68 | Dynamic Host Configuration Protocol (DHCP) | RFC 2131 | Commonly used to obtain a Mac's IP address |
69 | Trivial File Transfer Protocol (TFTP) | RFC 783 | |
123 | Network Time Protocol | RFC 1305 | |
137 | Windows Name Service | RFC 1001 | |
138 | Windows Datagram Service | RFC 1001 | |
161 | Simple Network Management Protocol (SNMP) | RFC 1157 | |
407 | Timbuktu | Netopia technote | Handshaking only, prior to version 5.2 |
458 | QuickTime TV | | |
497 | Retrospect | | Finding clients on the network |
514 | Syslog | | |
554 | Real Time Streaming Protocol (QuickTime) | RFC 2326 | |
2049 | Network File System (NFS) | RFC 1813 | |
3283 | Apple Network Assistant | TIL Note | |
5003 | FileMaker Pro | FileMaker tech note | For obtaining host list |
6970 and up | QuickTime and RealPlayer | TIL Note | |
7070 | RTSP alternate (RealPlayer) | Support Note | |
DoorStop's log file is written in an extended WebSTAR log format. WebSTAR log format is a standard tab-delimited text format which can be read by any word processor or spreadsheet application, or by a number of log analyzer applications.
Actions related to DoorStop itself are logged using the standard WebSTAR comment format:
!!LOG_FORMAT DATE TIME RESULT HOSTNAME SERVER_PORT METHOD
!!DoorStop 1.0 ENABLE_LOGGING 05/19/00 16:34:07
!!DoorStop 1.0 DISABLE_LOGGING 05/19/00 16:34:15
!!DoorStop 1.0 ENABLE_FILTERING 05/19/00 16:34:24
!!DoorStop 1.0 DISABLE_FILTERING 05/19/00 16:34:23
Other operations are logged using the following tokens (which are included in the !!LOG_FORMAT line whenever DoorStop starts up or a new log file is written):
Sample Log Lines
!!LOG_FORMAT DATE TIME RESULT HOSTNAME SERVER_PORT METHOD
DATE | TIME | RESULT | HOSTNAME | SERVER_PORT | METHOD |
--- | --- | --- | --- | --- | --- |
05/19/00 | 16:52:19 | ERR! | 192.0.0.2 | 21 | TCP |
05/19/00 | 16:52:39 | OK | 192.0.0.2 | 21 | TCP |
05/19/00 | 16:52:39 | OK | 192.0.0.2 | 2051 | UDP |
The log file may contain information useful in spotting potential security violations. When reading the log file, there are several kinds of patterns to look for:
Reading the log file into a spreadsheet and sorting the data may make it easier to spot patterns. For example
To get further information on an IP address in the log file (or in a notification alert), refer to DoorStop's Access History window. Double-clicking a line in this window will yield further information on the access attempt. For details, see the section on the Access History window. If the log line is too far back in the log file to appear in the Access History window, you can use Open Door's name lookup page (not all IP addresses will yield further information, but many will).
For more convenient and sophisticated real-time analysis of DoorStop's log file, consider using Open Door's LogDoor Real-time Server Monitor (discussed below). Note that it is normal to see some denied access attempts on a random basis (not all from the same IP address, and not to a sequence of port numbers). In some cases, access attempts are made due to activity on your own machine, such as connecting to an FTP server and sending email. These two situations are discussed further below.
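As an added example (not DoorStop's or Open Door's own code), the following Python reads the tab-delimited log format described above, honouring the !!LOG_FORMAT token line and skipping DoorStop's own !! comment lines, and then applies the distinction the guide draws: scattered single denials and a lone port 113 check from a mail server are normal, while one host denied on a run of ports is worth a closer look. The log lines embedded in it are constructed.

```python
# Added example, not DoorStop's own code: parse DoorStop's extended WebSTAR log
# and flag hosts whose denied attempts (RESULT "ERR!") span several ports.
from collections import defaultdict

# Constructed sample log, tab-delimited as DoorStop writes it.
SAMPLE_LOG = "\n".join([
    "!!DoorStop 1.0 ENABLE_LOGGING 05/19/00 16:34:07",
    "!!LOG_FORMAT DATE TIME RESULT HOSTNAME SERVER_PORT METHOD",
    "05/19/00\t16:52:19\tERR!\t192.0.0.2\t21\tTCP",
    "05/19/00\t16:52:39\tOK\t192.0.0.2\t21\tTCP",
    "05/19/00\t16:52:39\tOK\t192.0.0.2\t2051\tUDP",
    "05/19/00\t16:53:01\tERR!\t192.0.0.9\t21\tTCP",
    "05/19/00\t16:53:02\tERR!\t192.0.0.9\t23\tTCP",
    "05/19/00\t16:53:02\tERR!\t192.0.0.9\t25\tTCP",
    "05/19/00\t16:53:03\tERR!\t192.0.0.9\t80\tTCP",
    "05/19/00\t16:53:04\tERR!\t192.0.0.9\t110\tTCP",
    "05/19/00\t16:55:10\tERR!\t10.1.1.5\t113\tTCP",
])

def parse_log(text):
    """Yield one dict per access record, keyed by the tokens of the most
    recent !!LOG_FORMAT line. Other '!!' lines are DoorStop's own comments
    (ENABLE_LOGGING, DISABLE_FILTERING, ...) and carry no access record."""
    fields = []
    for line in text.splitlines():
        if line.startswith("!!LOG_FORMAT"):
            fields = line.split()[1:]            # new column layout from here on
        elif line.startswith("!!") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))

def denied_ports_by_host(records):
    """Map each HOSTNAME to the sorted list of distinct ports it was denied on."""
    denied = defaultdict(set)
    for r in records:
        if r["RESULT"] == "ERR!":
            denied[r["HOSTNAME"]].add(int(r["SERVER_PORT"]))
    return {host: sorted(ports) for host, ports in denied.items()}

def suspicious_hosts(text, min_ports=3, benign_ports=frozenset({113})):
    """Return hosts denied on at least min_ports distinct ports. A hit on port
    113 (a mail server's identity check after you sent mail) is ignored, and a
    host with only one or two scattered denials is treated as normal noise."""
    flagged = {}
    for host, ports in denied_ports_by_host(parse_log(text)).items():
        interesting = [p for p in ports if p not in benign_ports]
        if len(interesting) >= min_ports:
            flagged[host] = interesting
    return flagged
```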
DoorStop can produce real-time logs of accesses and access attempts to all TCP services, and accesses to UDP services, on its machine. For maximum security, it may be desirable to analyze DoorStop's log in real time, to look for break-ins and break-in attempts. Open Door's LogDoor Real-time Server Monitor provides this capability. See the LogDoor Users' Guide for details of using LogDoor to analyze DoorStop logs in real time. LogDoor can also generate usage reports.
Note: Due to the way LogDoor processes errors, LogDoor's display and reports may be much clearer if DoorStop's "All others" service entry is set to deny access. For details, see the LogDoor User's Guide.
DoorStop Interaction with Other Applications
File downloads or software updates from Web sites - If you are having problems downloading files from a Web site, or running an update utility like LiveUpdate, it may be an FTP-related problem. FTP (File Transfer Protocol) is a protocol commonly used for transferring files. See the section on FTP clients below.
Timbuktu - If you are trying to limit "control" access to Timbuktu 5.2 or later, to block access from both old and new versions, you must create and configure a service entry for "Timbuktu (v5.2 or later)" and one for "Timbuktu control (all versions)". To limit "control" access to Timbuktu earlier than version 5.2, you need only create and configure a service entry for "Timbuktu control (all versions)". Similar comments apply to limiting "observe" access to Timbuktu.
Note to advanced users: If you enable UDP protection, you must create and configure a service entry for "Timbuktu (v5.2 or later)", regardless of which version of Timbuktu is being used.
FTP clients - Many features of the FTP protocol work by having the FTP server open a TCP connection back to your machine and then use that connection as a "data port", to get data from your machine. The problem is that a) the port number used for the data port is usually picked more or less at random, and b) the FTP server must have access to the data port it decides to open on your machine. There are a number of options for enabling such access:
FTP servers - If you are running an FTP server on the DoorStop machine, some clients may have trouble connecting to the server, even though you have allowed access to port 21. If a client is using FTP passive mode, the client may dynamically open a second connection to the server for use as a "data port". Either suggest the client not use passive mode, or use Advanced Mode to give the client access to the new port being opened by the server.
Email clients - Some mail servers attempt to establish a connection back to the sender to verify the sender's identity. Sending email to such servers may result in DoorStop notifying you of (and logging) an access attempt to the Authentication service, port 113. There is no harm in this access attempt, since no service should be running on this port. You may wish to use DoorStop's advanced mode to grant your mail server access to port 113 (use the IP address indicated in the notification alert and/or log file), and turn off notification of allowed access attempts. Alternately you may wish to contact your mail server's administrator to see if this feature can be disabled.