Initial release
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Sun, 13 Apr 2014 22:23:00 +0000 (00:23 +0200)
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Sun, 13 Apr 2014 22:23:00 +0000 (00:23 +0200)
15 files changed:
ChangeLog [new file with mode: 0644]
README [new file with mode: 0644]
cf.d/0-general.cf [new file with mode: 0644]
cf.d/1-zone.cf [new file with mode: 0644]
cf.d/2-policy.cf [new file with mode: 0644]
essence [new file with mode: 0755]
fw [new file with mode: 0755]
icmp-names.txt [new file with mode: 0644]
icmp6-names.txt [new file with mode: 0644]
port-numbers.txt [new file with mode: 0644]
protocol-numbers.txt [new file with mode: 0644]
run/.gitignore [new file with mode: 0644]
src.d/.gitignore [new file with mode: 0644]
sysctl.conf [new file with mode: 0644]
tmp/.gitignore [new file with mode: 0644]

diff --git a/ChangeLog b/ChangeLog
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/README b/README
new file mode 100644 (file)
index 0000000..1025a39
--- /dev/null
+++ b/README
@@ -0,0 +1,22 @@
+Essence is a netfilter firewall configuration utility written in Perl,
+which creates and iptables, ip6tables and ipset based firewall configuration
+from configuration and auxiliary files. The syntax of the config files
+is documented in essence itself, see
+
+       perldoc essence
+
+The goal of the tool was simplicity and efficiency. Custom rules makes
+possible to insert arbitrary non-supported functionality into the 
+ruleset created by essence.
+
+This is also a prototype implementation for an ipset driven firewall :-).
+
+All files can be placed into any directory, the default is /etc/essence.
+The structure and content of the directory:
+
+       cf.d/*.cf       essence configuration files
+       src.d/*.in      external set definition files in restore format
+       run/            runtime files generated by essence
+       sysctl.conf     sysctl settings
+       tmp/            temporary files
+       *.txt           protocol, service, ICMP, ICMPv6 type/code names
diff --git a/cf.d/0-general.cf b/cf.d/0-general.cf
new file mode 100644 (file)
index 0000000..f2a7d7c
--- /dev/null
@@ -0,0 +1,66 @@
+#
+# General settings
+general
+       # TCP/UDP protocols
+       tcpudp = domain, sunrpc, sip
+       # UDP-only protocols
+       udp = ntp, snmp, snmptrap, traceroute, syslog, router, icpv2
+       udp = tftp, radius, radius-acct, amanda, ras
+       # Enable logging
+       logging = yes
+       # Log classes
+       class = spoofed
+               type = nflog
+               prefix = spoofed:
+               limit = hashlimit
+                       rate = 5/second
+                       burst = 10
+                       tablesize = 8192
+                       maxentries = 16384
+       class = banned
+               type = nflog
+               prefix = banned:
+               limit = hashlimit
+                       rate = 5/second
+                       burst = 10
+                       tablesize = 65536
+                       maxentries = 131072
+       class = accepted
+               type = nflog
+               prefix = accepted:
+               ignore = ping
+       class = denied
+               type = nflog
+               prefix = denied:
+       # Default set parameters, external sets
+       set = default4
+               hashsize = 131072
+               maxelem = 262144
+       set = default6
+               hashsize = 65536
+               maxelem = 131072
+       # conntrack helpers
+       helper = ftp
+
+policy = banned
+       # Banned networks, hosts
+       IP = 10.0.0.0/8, 172.16.0.0/12, 100.64.0.0/10
+       # IP = 192.168.0.0/16
+       IP = fc00::/7
+
+policy = localhost
+       # The firewall itself
+       IP = 192.168.0.1
+       service = ssh
+               allow = 192.168.0.10
+       service = ping, traceroute
+
+policy = anyclient
+       # Clients at intranet
+       IP = 192.168.10.0/24
+       client = smtp
+               # allow relay through our mail server
+               allow = 192.168.10.3
+       client = microsoft-ds
+               deny = any
+       client = any
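Review bot: The `accepted` and `denied` log classes have no `limit = hashlimit` block, unlike `spoofed` and `banned`, so it looks as if every matching packet would produce an nflog record. If that reading is right, a port scan or flood against the firewall can saturate the logging path and bury the entries an operator needs. Consider giving at least `denied` the same kind of limit used above (`limit = hashlimit` with `rate = 5/second` and `burst = 10`), or add a comment saying the omission is deliberate. Separately, `# IP = 192.168.0.0/16` in the `banned` policy is disabled without explanation; a short comment such as `# not banned: 192.168.x.x is used by the sample zones` would stop people re-enabling it and locking themselves out.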
diff --git a/cf.d/1-zone.cf b/cf.d/1-zone.cf
new file mode 100644 (file)
index 0000000..603fd85
--- /dev/null
@@ -0,0 +1,14 @@
+#
+# Network topology
+#
+zone = internet
+       interface = eth0
+       network = 0/0
+
+zone = intranet
+       interface = eth1
+       network = 192.168.10.0/24
+
+zone = dmz
+       interface = eth3
+       network = 192.168.100.0/24
diff --git a/cf.d/2-policy.cf b/cf.d/2-policy.cf
new file mode 100644 (file)
index 0000000..7429d4a
--- /dev/null
@@ -0,0 +1,15 @@
+policy = http server
+       IP = 192.168.100.1
+       service = http, https
+       client = anyclient
+
+policy = ftp server
+       IP = 192.168.100.2
+       service = ftp
+               allow = 192.168.10.0/24
+       client = anyclient
+
+policy = smtp server
+       IP = 192.168.100.3
+       service = smtp, smtps
+       client = any
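Review bot: All three DMZ server policies appear to get very broad outbound permissions, which is a weak default for a shipped example. `smtp server` uses `client = any`, and `http server` / `ftp server` use `client = anyclient`, which seems to inherit the intranet client policy from cf.d/0-general.cf, itself ending in `client = any`. If inheritance works that way, a compromised DMZ host could open connections on nearly any service. It would be safer to list only what each server needs, for example `client = smtp, domain` for the mail server. A comment above `client = anyclient` should also say which policy it inherits from.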
diff --git a/essence b/essence
new file mode 100755 (executable)
index 0000000..d235acb
--- /dev/null
+++ b/essence
@@ -0,0 +1,4042 @@
+#!/usr/bin/perl -w
+#
+#    essence - A Simple Netfilter Configuration utility
+#
+#    Copyright (C) 2002-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+#
+#    This program is free software; you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation; either version 2 of the License, or
+#    (at your option) any later version.
+#
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program; if not, write to the Free Software
+#    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
+use FileHandle;
+use Data::Dumper;
+use Getopt::Long qw(:config bundling);
+# use List::MoreUtils qw(uniq);
+# use File::Compare;
+use File::Copy;
+use strict;
+
+# Command line options
+my %opts = ( debug => 'none' );
+
+# The loaded in configuration
+my($config) = {};
+
+# Version number of essence
+my $version = "2.0";
+
+# Configuration directory: can be overriden
+$config->{dir} = "/etc/essence";
+$config->{rundir} = "/var/lib/essence";
+
+# Files with IANA assigned numbers
+my %files = (
+    protocols  => 'protocol-numbers.txt',
+    services   => 'port-numbers.txt',
+    icmp       => 'icmp-names.txt',
+    icmp6      => 'icmp6-names.txt',
+);
+# Loaded in IANA assigned numbers
+my $iana = {};
+
+# All possible sets we may use: order is important and used in ruletree()
+my @sets = qw(
+    banned-ip4 banned-ip6 banned-net4 banned-net6
+    deny-service-ipportip4 deny-service-ipportip6
+    allow-service-ipportip4 allow-service-ipportip6
+    service-ipportnet4 service-ipportnet6
+    deny-service-ipport4 deny-service-ipport6
+    allow-service-ipport4 allow-service-ipport6
+    service-netport4 service-netport6
+    deny-service-ip4 deny-service-ip6
+    allow-service-ip4 allow-service-ip6
+    service-net4 service-net6
+    deny-client-ipport4 deny-client-ipport6
+    allow-client-ipport4 allow-client-ipport6
+    client-netport4 client-netport6
+    deny-client-ip4 deny-client-ip6
+    allow-client-ip4 allow-client-ip6
+    client-net4 client-net6
+    networks-netiface4 networks-netiface6
+);
+
+#    deny-client-ipportip4 deny-client-ipportip6
+#    allow-client-ipportip4 allow-client-ipportip6
+#    client-ipportnet4 client-ipportnet6
+# Banned sets
+my(@banned_sets) = qw(
+    banned-ip4 banned-ip6 banned-net4 banned-net6
+);
+
+#
+# Initialize protocols, services, icmp and icmp6 from the auxiliary files
+#
+sub init {
+    my($name, $id, $id2);
+    my($dir) = $config->{dir};
+
+    open(IN, "$dir/$files{protocols}") ||
+       die "Cannot open protocol file $dir/$files{protocols}: $!\n";
+    while (<IN>) {
+       if (/^\s+(\d+)\s+(\S+)/) {
+           ($id, $name) = ($1, lc($2));
+           $iana->{protocols}->{$name} = $id;
+       }
+    }
+    close(IN);
+       
+    open(IN, "$dir/$files{services}") ||
+       die "Cannot open services file $dir/$files{services}: $!\n";
+    while (<IN>) {
+       next if /^#/;
+       if (/^(\S+)\s+(\d+)\/(tcp|udp)/) {
+           ($name, $id) = (lc($1), $2);
+           next if exists $iana->{services}->{$name};
+           $iana->{services}->{$name} = [$id];
+       } elsif (/^(\S+)\s+(\d+)-(\d+)\/(tcp|udp)/) {
+           ($name, $id, $id2) = (lc($1), $2, $3);
+           next if exists $iana->{services}->{$name};
+           $iana->{services}->{$name} = [$id, $id2];
+       }
+    }
+    close(IN); 
+
+    open(IN, "$dir/$files{icmp}") ||
+       die "Cannot open icmp file $dir/$files{icmp}: $!\n";
+    while (<IN>) {
+       next if /^#/;
+       next if /^\s*$/;
+       if (/^\s*(\S+)$/) {
+           $iana->{icmp}->{$1} = $1;
+       }
+    }
+    close(IN);
+
+    open(IN, "$dir/$files{icmp6}") ||
+       die "Cannot open icmp6 file $dir/$files{icmp6}: $!\n";
+    while (<IN>) {
+       next if /^#/;
+       next if /^\s*$/;
+       if (/^\s*(\S+)$/) {
+           $iana->{icmp6}->{$1} = $1;
+       }
+    }
+    close(IN);
+}
+
+#
+# Helper functions for the parser
+#
+
+#
+# Make sure the element exists and it's a reference
+#
+sub is_reference {
+    my $hash = shift;
+    my $elem = shift;
+       
+    return exists($hash->{$elem}) &&
+          defined($hash->{$elem}) &&
+          $hash->{$elem} &&
+          ref($hash->{$elem});
+}
+
+#
+# Report parser error and die
+#
+sub parser_error {
+    my $txt = shift;
+       
+    die "Parser error in $config->{_currfile}:$config->{_currline}:$config->{_currtext}$txt\n";
+}
+
+#
+# Check valid and unique identifiter for network, policy, mangle, nat.
+#
+# Keywords: zone, policy, mangle, nat
+sub valid_id {
+    my($name) = shift;
+    my($id) = shift;
+
+    parser_error("Identifier may not start with underscore: '$id'")
+       if $id =~ /^_/;
+
+    parser_error("Duplicated $name identifier '$id' " .
+                "clashing with identifier '$id' " .
+                "in $config->{_found}->{$name}->{$id}")
+       if exists $config->{_found}->{$name}->{$id};
+
+    return $id;
+}
+
+#
+# Hardcoded "general" identifier
+#
+# Keywords: general:settings
+sub valid_general {
+    return 'settings';
+}
+
+#
+# Arbitrary text
+#
+# Keywords: general:module:modparam, general:class:prefix
+sub valid_txt {
+    shift;
+
+    return shift;
+}
+
+#
+# Arbitrary word
+#
+# Keywords: general:module, general:set
+sub valid_word {
+    my($name) = shift;
+    my($value) = shift;
+
+    parser_error("$value is not a word for $name")
+       if $value =~ /\s/;
+
+    return $value;
+}
+
+#
+# Valid custom rule
+#
+# Keyword: general:custom:iptables, general:custom:ip6tables, nat:iptables,
+# mangle:iptables, mangle:ip6tables
+sub valid_custom {
+    my($name) = shift;
+    my($value) = shift;
+
+    return [ $value ];
+}
+
+#
+# Binary program
+#
+# Keywords: general:ipset, general:iptables, general:ip6tables
+sub valid_binary {
+    my($name) = shift;
+    my($value) = shift;
+
+    parser_error("$value is not an executable for $name")
+       unless -x $value;
+
+    return $value;
+}
+
+#
+# Input value must be a single value from a given set of elements
+#
+# Keywords: general:class:type, general:class:type:level, general:set:family,
+# general:custom, general:custom:table, nat:type, nat:flags, mangle_type,
+# mange:chain
+sub valid_from_set {
+    my($name) = shift;
+    my($value) = shift;
+    my(@set) = @_;
+
+    parser_error("Invalid $name value '$value', " .
+                "must be from the possible values: " .
+                join(' ', @set))
+       unless grep($_ eq $value, @set);
+
+    return $value;
+}
+
+#
+# Input value must be a list from a given set of elements
+#
+# Keywords: general:logging, general:service:logging, general:helper,
+# general:class, nat:proto
+sub valid_multivalue_from_set {
+    my($name) = shift;
+    my($value) = shift;
+    my(@set) = @_;
+    my(@value);
+
+    @value = split(/[\s,]+/, $value);
+    grep($_ = lc, @value);
+    foreach $value (@value) {
+       parser_error("Invalid $name value '$value' " .
+                    "must be from the possible values " .
+                    join(' ', @set))
+           unless grep($_ eq $value, @set);
+    }
+
+    return [ @value ];
+}
+
+#
+# Returns true if the number is in the given range.
+#
+sub is_in_range {
+    my($num) = shift;
+    my($min) = shift;
+    my($max) = shift;
+
+    return $num >= 0 && $num <= $max &&
+          (!$min || ($num >= $min && $min <= $max));
+}
+
+#
+# Input value must be in a given range
+#
+# Keywords: general:class:group, general:class:range, general:class:threshold
+sub valid_range {
+    my($name) = shift;
+    my($value) = shift;
+    my(@range) = @_;
+
+    parser_error("Value of $name: $value is " .
+                "out of range $range[0]-$range[1]")
+       unless is_in_range($value, $range[0], $range[1]);
+       
+    return $value;
+}
+
+#
+# Returns true if pattern corresponds to an any valued IP address
+#
+sub is_anynet {
+    my $ip = shift;
+       
+    return $ip eq '0.0.0.0/0' || $ip eq '::/0' ||
+          $ip eq 'any' || $ip eq 'anynet';
+}
+
+#
+# Returns true if pattern corresponds to the INET family-specific
+# any valued IP address
+#
+sub is_any_inet {
+    my $ip = shift;
+    my $inet = shift;
+       
+    return $ip eq 'any' || $ip eq 'anynet' ||
+          ($inet == 4 && $ip eq '0.0.0.0/0') ||
+          ($inet == 6 && $ip eq '::/0');
+}
+
+#
+# Returns true if string looks like an IPv4 or IPv6 address/mask
+#
+sub is_ipaddr {
+    my($txt) = shift;
+    my $colon;
+       
+    $colon = $txt =~ tr/:/:/;
+       
+    if ($txt eq 'any' || $txt eq 'anynet') {
+       return 1;
+    } elsif ($colon == 0) {
+       # IPv4 address[/mask]
+       $config->{ipv4} = 1;
+       return $txt =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(\/(\d{1,2}))?$/ &&
+              is_in_range($1, 0, 255) &&
+              is_in_range($2, 0, 255) &&
+              is_in_range($3, 0, 255) &&
+              is_in_range($4, 0, 255) &&
+              (!$6 || is_in_range($6, 0, 32));
+    } else {
+       # IPv6 address[/mask]
+       $config->{ipv6} = 1;
+       my $net;
+       ($txt, $net) = split(/\//, $txt, 2);
+       # Uncompress
+       if ($colon != 7) {
+           $txt =~ s/::/':0' x (8 - $colon) . ':'/e;
+           $txt =~ s/^:/0:/; # ::abcd:....
+           $txt =~ s/:$/:0/; # ...:abcd::
+       }
+       # Standard IPv6 address
+       return $txt =~ /^(?:[0-9a-f]{1,4}:){7}[0-9a-f]{1,4}(?:\/(\d{1,3}))?$/i &&
+              (!$net || is_in_range($net, 0, 128));
+    }
+}
+
+#
+# Returns true if pattern corresponds to a host address
+#
+sub is_hostaddr {
+    my $ip = shift;
+       
+    $ip =~ /([^\/]+)\/(\d+)/;
+    return ($ip =~ /:/ ? (!$2 || $2 == 128) : (!$2 || $2 == 32));
+}
+
+#
+# Check that value is a valid protocol identifier: either it can be found
+# as an IANA identifier, or 'any',
+# or tcp|udp|uplite|sctp:from[..to] or icmp|icmpv6:type[/code]
+#
+# Keywords: general:tcpudp, general:udp, general:service, general:class:reject
+sub valid_proto {
+    my($name) = shift;
+    my($value) = shift;
+    my($inherit) = shift || 0;
+    my($proto, @proto, %sub,  @p);
+
+    %sub = (auth => 'ident',
+           all => 'any');
+
+    @proto = split(/[\s,]+/, $value);
+    grep($_ = lc, @proto);
+    grep($_ = $sub{$_} ? $sub{$_} : $_, @proto);
+
+    foreach $proto (@proto) {
+       parser_error("Unknown service '$proto'")
+           unless exists $iana->{protocols}->{$proto} ||
+                  exists $iana->{services}->{$proto} ||
+                  exists $iana->{icmp}->{$proto} ||
+                  exists $iana->{icmp6}->{$proto} ||
+                  $proto eq 'any' ||
+                  ($inherit && exists $config->{policy}->{$proto}) ||
+                  ($proto =~ /^(tcp|udp|udplite|sctp):(\d+)((?:\.\.|\-)(\d+))?$/ &&
+                   is_in_range($2, 0, 65535) &&
+                   (!$4 || is_in_range($4, $2, 65535))) ||
+                  ($proto =~ /^icmpv?6?:(\d+)(\/(\d+))?$/ &&
+                   is_in_range($1, 0, 255) &&
+                   (!$3 || is_in_range($3, $1, 255)));
+       # parser_error("'any' is not allowed as service")
+       #     if $proto eq 'any' && $name eq 'service';
+       push(@p,
+            $inherit && exists $config->{policy}->{$proto} ? 'inherit' : $proto);
+    }
+    return [ @p ];
+}
+
+#
+# Valid protocol or "inherit" keyword
+#
+# Keyword: policy:client
+sub valid_proto_inherit {
+    my($name) = shift;
+    my($value) = shift;
+
+    return valid_proto($name, $value, 'inherit');
+}
+
+#
+# Check valid TCP/UDP ports
+#
+# Keyword: nat:sport, nat:dport
+sub valid_port {
+    my($name) = shift;
+    my($value) = shift;
+    my($proto, @proto, %sub);
+
+    %sub = (auth => 'ident',
+           all => 'any');
+
+    @proto = split(/[\s,]+/, $value);
+    grep($_ = lc, @proto);
+    grep($_ = $sub{$_} ? $sub{$_} : $_, @proto);
+
+    foreach $proto (@proto) {
+       parser_error("Unknown TCP/UDP/UDPLITE/SCTP port '$proto'")
+           unless exists $iana->{services}->{$proto} ||
+                  ($proto =~ /^(tcp|udp|udplite|sctp):(\d+)((?:\.\.|\-)(\d+))?$/ &&
+                   is_in_range($2, 0, 65535) &&
+                   (!$4 || is_in_range($4, $2, 65535)));
+       parser_error("'any' is not allowed as TCP/UDP/UDPLITE/SCTP port")
+           if $proto eq 'any';
+    }
+    return [ @proto ];
+}
+
+#
+# Check that chain name corresponds to the NAT type
+#
+# Keyword: nat:chain
+sub valid_chain {
+    my($name) = shift;
+    my($value) = shift;
+    my(@chains) = @_;
+
+    return unless $config->{_curr}->{type} eq 'nat';
+
+    parser_error("Syntax error: unknown nat rule $config->{_curr}->{id}")
+       unless is_reference($config->{nat}, $config->{_curr}->{id});
+    parser_error("Syntax error: NAT type definition must precede 'chain' setting")
+       unless $config->{nat}->{$config->{_curr}->{id}}->{type};
+
+    my($type) = $config->{nat}->{$config->{_curr}->{id}}->{type};
+    parser_error("Syntax error: nat type $type is not allowed with chain $value")
+       if ($type =~ /dnat|redirect/ && $value !~ /prerouting|output/) ||
+          ($type =~ /snat|masquerade/ && $value ne 'postrouting') ||
+          ($type eq 'netmap' && $value !~ /(pre|post)routing/);
+
+    return $value;
+}
+
+#
+# Just return the list of the input identifiers, without lowercasing
+#
+# Keywords: zone:interface, nat:in, nat:out, mangle:in, mangle:out
+sub valid_if {
+    my($name) = shift;
+    my($value) = shift;
+    my(@if);
+
+    @if = split(/[\s,]+/, $value);
+
+    return [ @if ];
+}
+
+#
+# Input value must be a list of IPv4/IPv6 address patterns
+# including any valued IP address patterns except 'any'
+#
+# Keywords: zone:network
+sub valid_ip_anynetwork {
+    my($name) = shift;
+    my($value) = shift;
+    my(@ip, $ip, $t, %sub, @net);
+
+    %sub = ('0/0' => '0.0.0.0/0',
+           '::' => '::/0');
+
+    @ip = split(/[\s,]+/, $value);
+    foreach $ip (@ip) {
+        parser_error("Explicit IP addresses, networks required: $ip")
+            if $ip =~ /any/;
+        $ip = $sub{$ip} if exists $sub{$ip};
+       parser_error("Invalid IP address/CIDR '$ip'")
+           unless is_ipaddr($ip);
+       push(@net, $ip);
+    }
+
+    return [ @net ];
+}
+
+#
+# Input value must be a list of IPv4/IPv6 address patterns
+# including any valued IP address patterns
+#
+# Keyword: policy:service:allow, policy:service:deny, policy:client:allow,
+# policy:client:deny
+sub valid_ip_anynet {
+    my($name) = shift;
+    my($value) = shift;
+    my(@ip, $ip, $t, %sub);
+
+    %sub = ('0/0' => '0.0.0.0/0',
+           '::' => '::/0');
+
+    @ip = split(/[\s,]+/, $value);
+    foreach $ip (@ip) {
+       $ip = exists $sub{$ip} ? $sub{$ip} : $ip;
+       parser_error("Invalid IP address/CIDR '$ip'")
+           unless is_ipaddr($ip);
+    }
+
+    return [ @ip ];
+}
+
+#
+# Input value must be a list of IPv4/IPv6 address patterns
+# but not any valued IP address patterns
+#
+# Keyword: policy:ip, nat:srcip, nat:dstip
+sub valid_ip {
+    my($name) = shift;
+    my($value) = shift;
+    my(@ip, $ip, $t, %sub);
+
+    %sub = ('0/0' => '0.0.0.0/0',
+           '::' => '::/0');
+
+    @ip = split(/[\s,]+/, $value);
+    foreach $ip (@ip) {
+       $ip = exists $sub{$ip} ? $sub{$ip} : $ip;
+       parser_error("Any valued IP address pattern " .
+                    "cannot be specified")
+           if is_anynet($ip);
+       parser_error("Invalid IP address/CIDR '$ip'")
+           unless is_ipaddr($ip);
+    }
+
+    return [ @ip ];
+}
+
+#
+# Valid NAT address pattern
+#
+# Keyword: nat:to
+sub valid_nat_addr {
+    my($name) = shift;
+    my($value) = shift;
+
+    return unless $config->{_curr}->{type} eq 'nat';
+
+    # print Dumper $config;
+    parser_error("Syntax error: unknown nat rule $config->{_curr}->{id}")
+       unless is_reference($config->{nat}, $config->{_curr}->{id});
+    parser_error("Syntax error: NAT type definition must precede 'to' setting")
+       unless $config->{nat}->{$config->{_curr}->{id}}->{type};
+
+    my($type) = $config->{nat}->{$config->{_curr}->{id}}->{type};
+    if ($type =~ /^(s|d)nat$/) {
+       if ($value =~ /^([\d\.]+)(-([\d\.]+))?(:([^-]+)(-([^-]+))?)?$/) {
+           my($ip1, $ip2, $port1, $port2) = ($1, $3, $5, $7);
+           parser_error("Invalid NAT to address '$value'")
+               unless valid_ip($name, $ip1) &&
+                      (!$ip2 || valid_ip($name, $ip2)) &&
+                      ((!$port1 && !$port2) || 
+                       (valid_port($name, $port1) &&
+                        (!$port2 || valid_port($name, $port2))));
+       } else {
+           parser_error("Syntax error: to address '$value' not supported with type $type");
+       }
+    } elsif ($type =~ /^(redirect|masquerade)$/) {
+        if ($value =~ /([^-]+)(-([^-]+))?/) {
+           my($port1, $port2) = ($1, $3);
+           parser_error("Invalid NAT to port '$value'")
+               unless valid_port($name, $port1) &&
+                      (!$port2 || valid_port($name, $port2));
+       } else {
+           parser_error("Syntax error: to address '$value' not supported with type $type");
+       }
+    } elsif ($type eq 'netmap') {
+        if ($value =~ /^([\d\.]+)(\/(\d+))?$/) {
+           my($ip, $cidr) = ($1, $3);
+           parser_error("Invalid NAT to address '$value'")
+               unless valid_ip($name, $ip) &&
+                      (!$cidr || is_in_range($cidr, 1, 32));
+       } else {
+           parser_error("Syntax error: to address '$value' not supported with type $type");
+       }
+    }
+    return $value;
+}
+
+#
+# Input value must be a valid limit parameter: n/second|minute|hour|day
+#
+# Keywords: general:class:rate
+sub valid_rate {
+    my($name) = shift;
+    my($value) = shift;
+
+    parser_error("Invalid rate parameter '$value'")
+       unless $value =~ /^\d+\/(second|minute|hour|day)$/;
+
+    return $value;
+}
+
+#
+# Input value must be a positive integer
+#
+# Keywords: general:class:burst, general:set:hashsize, general:set:maxelem
+sub valid_number {
+    my($name) = shift;
+    my($value) = shift;
+
+    parser_error("Invalid $name parameter '$value'")
+       unless $value =~ /^\d+$/;
+
+    return $value;
+}
+
+#
+# Input must be a known setname
+#
+# Keyword: policy:set
+sub valid_setname {
+    my($name) = shift;
+    my($value) = shift;
+
+    parser_error("Unknown set name '$value', define in the general section first.")
+       unless exists $config->{sets}->{$value};
+
+    return $value;
+}
+
+#
+# Input must be a built-in set or a sourced external one
+#
+# Keyword: general:set
+sub valid_setdef {
+    my($name) = shift;
+    my($value) = shift;
+
+    my @setdefs = split(/[\s,]+/, $value);
+    
+    foreach my $s (@setdefs) {
+       next if grep($_ eq $s, (@sets, qw(default4 default6 default)));
+       parser_error("Source file $s.in for set $s is missing from $config->{dir}/src.d/")
+           unless -e "$config->{dir}/src.d/$s.in";
+       open(S, "$config->{dir}/src.d/$s.in")
+           or parser_error("Cannot open $config->{dir}/src.d/$s.in: $!");
+       my $l;
+       while ($l = <S>) {
+           next if $l =~ /^#/;
+           if ($l =~ /^create\s+(\S+)\s+(\S+)((\s+)(-[46]))?/) {
+               $config->{sets}->{$1}->{inet} = $5 ? $5 : "-4";
+               $config->{sets}->{$1}->{external} = 1;
+               $l = $2;
+               parser_error("Set definition in $config->{dir}/src.d/$s.in has got an unknown set type definition $l")
+                   unless $l =~ /^bitmap:(ip|ipmac|port)|hash:(ip|ipport|ipportip|ipportnet|ipmark|net|netport|netportnet|netiface)|list:set$/;
+               last;
+           } else {
+               parser_error("Cannot find set definition in $config->{dir}/src.d/$s.in");
+           }
+       }
+       close(S);
+       copy("$config->{dir}/src.d/$s.in", "$config->{dir}/tmp/$s.in")
+           or parser_error("Cannot copy $config->{dir}/src.d/$s.in to $config->{dir}/tmp/$s.in: $!");
+    }
+
+    return [ @setdefs ];
+}
+
+#
+# Input value must be a valid filename
+#
+# Keyword: nat:source, mangle:source, zone:source
+sub valid_source {
+    my($name) = shift;
+    my($value) = shift;
+
+    my @src = split(/[\s,]+/, $value);
+
+    foreach my $s (@src) {
+       parser_error("Invalid $name parameter '$s': " .
+                    "set is not defined in general/set")
+           unless exists $config->{sets}->{$s};
+       parser_error("Invalid $name parameter '$s': " .
+                    "external sets can be sourced only")
+           unless $config->{sets}->{$s}->{external};
+    }
+
+    return [ @src ];
+}
+
+#
+# Valid TCPMSS value
+#
+# Keyword: mangle:type:mss
+sub valid_mss {
+    my($name) = shift;
+    my($value) = shift;
+    
+    parser_error("Invalid mss value $value")
+        unless uc($value) eq 'PMTU' || $value =~ /^\d+$/;
+    
+    return $value;
+}
+
+#
+# Safe print
+#
+sub safe_print {
+    my $fh = shift;
+    my $what = shift;
+    my $line = shift;
+
+    chomp($line);
+    # print "$what\n";
+    print $fh "$line\n" or die "Cannot print into file for $what: $!\n";
+}    
+
+#
+# Print a set entry into the set file
+#
+sub print_set_entry {
+    my $set = shift;
+    my $line = shift;
+    my $fh = $config->{fh}->{$set};
+
+    # print "$set\n";
+    safe_print($fh, "set $set", $line);
+    $config->{lineno}->{$set}++;
+}
+
+#
+# Print entries to the specified ip,port,ip|net type of set
+#
+sub print_ipportip {
+    my $set = shift;
+    my $ip = shift;
+    my $p = shift;
+    my $proto = shift;
+    my $ip1 = shift;
+    my $nomatch = shift || '';
+
+    if ($set =~ /client/) {
+       $set =~ s/client/service/;
+       ($ip, $ip1) = ($ip1, $ip);
+    }
+
+    if (@{$proto->{port}}) {
+       if ($#{$proto->{port}}) {
+           my $r = $proto->{port}->[0] . '-' . $proto->{port}->[1];
+            print_set_entry($set, "add $set $ip,$p:$r,$ip1$nomatch");
+       } else {
+           print_set_entry($set, "add $set $ip,$p:$proto->{port}->[0],$ip1$nomatch");
+       }
+    } else {
+       print_set_entry($set, "add $set $ip,$p:0,$ip1$nomatch");
+    }
+}
+
+#
+# Print entries to the specified ip|net,port type of set
+#
+sub print_ipport {
+    my $set = shift;
+    my $ip = shift;
+    my $p = shift;
+    my $proto = shift;
+    my $nomatch = shift || '';
+
+    if (@{$proto->{port}}) {
+       if ($#{$proto->{port}}) {
+           my $r = $proto->{port}->[0] . '-' . $proto->{port}->[1];
+            print_set_entry($set, "add $set $ip,$p:$r$nomatch");
+       } else {
+           print_set_entry($set, "add $set $ip,$p:$proto->{port}->[0]$nomatch");
+       }
+    } else {
+       print_set_entry($set, "add $set $ip,$p:0$nomatch");
+    }
+}
+
+#
+# Print entries to the specified ip|net
+#
+sub print_ip {
+    my $set = shift;
+    my $ip = shift;
+    my $nomatch = shift || '';
+
+    print_set_entry($set, "add $set $ip$nomatch");
+}
+
+#
+# Return "net" or "ip" depending on the input IP address
+#
+sub net_or_ip {
+    my $ip = shift;
+    my $in = shift;
+    my $cidr = $in == 4 ? 32 : 128;
+    
+    $ip =~ m,/(\d+), and $cidr = $1;
+   
+    return $in == 4 ? ($cidr == 32 ? "ip" : "net") :
+                     ($cidr == 128 ? "ip" : "net");
+}
+
+#
+# Print banned ipset entries
+#
+sub print_banned {
+    my $policy = shift;
+    my $id = $config->{_curr}->{id};
+    my($ip, $in, $type, $set);
+
+    foreach $ip (@{$policy->{ip}}) {
+       $in = $ip =~ /:/ ? 6 : 4;
+       $type = net_or_ip($ip, $in);
+       $set = "$id-$type$in";
+       print_set_entry($set, "add $set $ip");
+    }
+}
+
+#
+# Return the transport protocol and the port(s) of a given service
+# as an anonymous hash reference: { proto -> [ name, name], port -> [from, to ] }
+# (e.g. { proto -> [ tcp, udp ], port -> [ 53 ] } as domain
+#  or   { proto -> [ tcp ], port -> [ 6000, 6010 ] } as x11)
+# 
+sub proto_and_port {
+    my($service) = shift;
+    my(@proto, @port, $proto);
+
+    $service =~ /^([^:]+)(:(\d+)((\.\.|\/)(\d+))?)?$/;
+    if ($2) {
+        my $p = $1;
+        parser_error "Not supported service $service\n"
+            unless grep($p eq $_, qw(tcp udp udplite sctp));
+       @proto = ($p);
+       @port = $4 ? ($3, $6) : ($3);
+    } elsif (exists $iana->{services}->{$1}) {
+       $proto = $1;
+       if (grep($proto eq $_,
+                @{$config->{general}->{settings}->{tcpudp}})) {
+           @proto = qw(udp tcp);
+       } elsif (grep($proto eq $_,
+                     @{$config->{general}->{settings}->{udp}})) {
+           @proto = qw(udp);
+       } else {
+           @proto = qw(tcp);
+       }
+       @port = @{$iana->{services}->{$1}};
+    } elsif (exists $iana->{protocols}->{$1}) {
+       @proto = ($iana->{protocols}->{$1});
+       @port = ();
+    } elsif (exists $iana->{icmp}->{$1}) {
+       @proto = qw(icmp);
+       @port = ($1);
+    } elsif (exists $iana->{icmp6}->{$1}) {
+       @proto = qw(icmpv6);
+       @port = ($1);
+    } elsif ($service eq 'any') {
+       @proto = qw(any);
+       @port = ();
+    } elsif ($service eq 'inherit') {
+       @proto = qw(inherit);
+       @port = ();
+    } else {
+       parser_error "Cannot interpret service $service\n";
+    }
+
+    if (exists $iana->{icmp6}->{$1} && exists $iana->{icmp}->{$1}) {
+       # ICMPv4, ICMPv6 clashing
+       return { proto => [ qw(icmp icmpv6) ], port => [ @port ] };
+    } else {
+       return { proto => [ @proto ], port => [ @port ] };
+    }
+}
+
+
+#
+# Print policy entry
+#
+sub print_policy {
+    my $policy = shift;
+    my $mode = shift;  # service|client
+    my $id = shift;    # policy id for error reporting
+    my($ip, $s, $p, $proto, $port, $ip1, $in, $in1, $t, $t1);
+    my($fh, $set, $type, $m, $n, $n1, $inherit, $t_any, $nomatch, $default);
+
+    foreach $s (@{$policy->{$mode}->{_order}}) {
+       if ($s eq 'inherit') {
+           $inherit = 1;
+           next;
+        }
+    }
+    foreach $ip (@{$policy->{ip}}) {
+        # ip can't be 'any'
+       $in = $ip =~ /:/ ? 6 : 4;       # 4 | 6
+       $t = net_or_ip($ip, $in);       # net | ip
+       $default = {};
+       foreach $s (@{$policy->{$mode}->{_order}}) {
+           next if $s eq 'inherit';
+           $proto = proto_and_port($s);
+           foreach $p (@{$proto->{proto}}) {
+               next if ($in == 6 && $p eq 'icmp') ||
+                       ($in == 4 && $p eq 'icmpv6');
+                my $flags = { default_allow => 1 };
+               if (exists $policy->{$mode}->{$s}->{deny}) {
+                   # deny for listed service/client
+                   foreach $ip1 (@{$policy->{$mode}->{$s}->{deny}}) {
+                       $t1 = is_any_inet($ip1, $in) ? 'anynet' :
+                             net_or_ip($ip1, $in);
+                       $in1 = $t1 eq 'anynet' ? $in : $ip1 =~ /:/ ? 6 : 4;
+                       next unless $in == $in1;
+                       $flags->{$mode}->{$in}++;
+                       die "Error in policy $id: both ip and deny may not contain network addresses\n"
+                           if $t eq 'net' and $t1 eq 'net';
+                        $nomatch = '';
+                       if ($p eq 'any') {
+                           # Deny any proto, target must be anynet
+                           if ($t1 eq 'anynet') {
+                               die "Error in policy $id: clashing allow and deny rules for any proto\n"
+                                   if $flags->{full_allowed};
+                               $flags->{full_denied} = 1;
+                               $set = "${mode}-$t$in";
+                               if ($t eq 'net') {
+                                   $nomatch = ' nomatch';
+                                } else {
+                                    $set = "deny-$set";
+                                }
+                                $default->{$mode}++;
+                                print_ip($set, $ip, $nomatch);
+                            } else {
+                                die "Error in policy $id: if proto is any, deny rule must refer to anynet\n";
+                            }
+                       } elsif ($t eq 'ip') {
+                           if ($t1 eq 'anynet') {
+                               # ip,port
+                               $set = "deny-${mode}-${t}port$in";
+                               $flags->{default_allow} = 0;
+                               $flags->{default_deny} = 0;
+                               print_ipport($set, $ip, $p, $proto);
+                            } else {
+                               # ip,port,ip/net
+                               $set = "${mode}-${t}port${t1}$in";
+                               if ($t1 eq 'net') {
+                                   $nomatch = ' nomatch';
+                                } else {
+                                    $set = "deny-$set";
+                                }
+                                print_ipportip($set, $ip, $p, $proto, $ip1, $nomatch);
+                            }
+                       } else {
+                           # t == net
+                           if ($t1 eq 'anynet') {
+                               # net,port
+                               $set = "${mode}-${t}port$in";
+                               $flags->{default_allow} = 0;
+                               print_ipport($set, $ip, $p, $proto, ' nomatch');
+                            } else {
+                               # reverse dir
+                               $m = $mode eq 'service' ? 'client' : 'service';
+                               ($n, $n1) = ($t1, $t);
+                               $set = "${m}-${n}port${n1}$in";
+                               # t == net
+                               print_ipportip($set, $ip1, $p, $proto, $ip, ' nomatch');
+                            }
+                       }
+                   }
+               }
+               if (exists $policy->{$mode}->{$s}->{allow}) {
+                   # allow for listed service/client
+                   $flags->{default_deny} = 1;
+                   foreach $ip1 (@{$policy->{$mode}->{$s}->{allow}}) {
+                       $t1 = is_any_inet($ip1, $in) ? 'anynet' :
+                             net_or_ip($ip1, $in);
+                       $in1 = $t1 eq 'anynet' ? $in : $ip1 =~ /:/ ? 6 : 4;
+                       next unless $in == $in1;
+                       $flags->{$mode}->{$in}++;
+                       die "Error in policy $id: both ip and allow may not contain network addresses\n"
+                           if $t eq 'net' and $t1 eq 'net';
+                        if ($p eq 'any') {
+                            # Allow any proto, target must be anynet
+                            if ($t1 eq 'anynet') {
+                                die "Error in policy $id: clashing allow and deny rules for any proto\n"
+                                    if $flags->{full_denied};
+                                $flags->{full_allowed} = 1;
+                                $set = "${mode}-$t$in";
+                                if ($t eq 'net') {
+                                    ;
+                                } else {
+                                    $set = "allow-$set";
+                                }
+                                $default->{$mode}++;
+                                print_ip($set, $ip);
+                            } else {
+                                die "Error in policy $id: if proto is any, allow rule must refer to anynet\n";
+                            }
+                       } elsif ($t eq 'ip') {
+                           if ($t1 eq 'anynet') {
+                               # ip,port
+                               $set = "allow-${mode}-${t}port$in";
+                               $flags->{default_allow} = 0;
+                               $flags->{default_deny} = 0;
+                               print_ipport($set, $ip, $p, $proto);
+                            } else {
+                               # ip,port,ip/net
+                               $set = "${mode}-${t}port${t1}$in";
+                               if ($t1 eq 'net') {
+                                   ;
+                                } else {
+                                   $set = "allow-$set";
+                                }
+                               print_ipportip($set, $ip, $p, $proto, $ip1);
+                            }
+                       } else {
+                           # t == net
+                           if ($t1 eq 'anynet') {
+                               # net,port
+                               $set = "${mode}-${t}port$in";
+                               $flags->{default_deny} = 0;
+                               print_ipport($set, $ip, $p, $proto);
+                            } else {
+                               # reverse dir
+                               $m = $mode eq 'service' ? 'client' : 'service';
+                               ($n, $n1) = ($t1, $t);
+                               $set = "${m}-${n}port${n1}$in";
+                               print_ipportip($set, $ip1, $p, $proto, $ip);
+                            }
+                       }
+                   }
+               }
+               next if $inherit;
+               if ($flags->{default_deny}) {
+                   # Shortcut
+                   next unless $flags->{$mode}->{$in};
+                   # NOTE: default deny
+                   $nomatch = '';
+                   if ($p eq 'any') {
+                       $set = "${mode}-$t$in";
+                       if ($t eq 'net') {
+                           $nomatch = ' nomatch';
+                       } else {
+                           $set = "deny-$set";
+                       }
+                       print_ip($set, $ip, $nomatch);
+                       $default->{$mode}++;
+                   } else {
+                       $set = "${mode}-${t}port$in";
+                       if ($t eq 'net') {
+                           $nomatch = ' nomatch';
+                       } else {
+                           $set = "deny-$set";
+                       }
+                       print_ipport($set, $ip, $p, $proto, $nomatch);
+                   }
+               } elsif ($flags->{default_allow}) {
+                   # Shortcut
+                   next if !$flags->{$mode}->{$in} &&
+                           (exists $policy->{$mode}->{$s}->{deny} ||
+                            exists $policy->{$mode}->{$s}->{allow});
+                   # Either $flags->{default_allow}
+                   # or just protocol
+                   # allow
+                   $n = $t eq 'net' ? '' : 'allow-';
+                   if ($p eq 'any') {
+                       $set = "$n${mode}-$t$in";
+                       print_ip($set, $ip);
+                       $default->{$mode}++;
+                   } else {
+                       $set = "$n${mode}-${t}port$in";
+                       print_ipport($set, $ip, $p, $proto);
+                   }
+               }
+           }
+       }
+       next if $inherit || $default->{$mode};
+       # Default deny
+       $nomatch = '';
+       if ($t eq 'net') {
+           $nomatch = ' nomatch';
+           $n = '';
+       } else {
+           $n = 'deny-';
+       }
+       $set = "$n${mode}-$t$in";
+       print_ip($set, $ip, $nomatch);
+    }
+}
+
+#
+# Evaluate a policy and print the ipset entries
+#
+sub eval_policy {
+    my $id = $config->{_curr}->{id};
+    my $policy = $config->{policy}->{$id};
+    my $network = 0;
+
+    # Because of udp/tcp proto lists we need this:
+    die "General settings must precede policy settings\n"
+       unless $config->{general}->{checked};
+
+    if ($id eq 'banned') {
+       if ((exists $policy->{client} && exists $policy->{client}->{_order}) ||
+           (exists $policy->{service} && exists $policy->{service}->{_order})) {
+           die "Syntax error at policy $id in " .
+               $config->{policy}->{$id}->{found} .
+               ": the special policy $id may not " .
+               "contain service or client constructs.\n";
+       }
+       $policy->{ip} = [] unless is_reference($policy, 'ip');
+       foreach my $s (@{$policy->{'source'}}) {
+           my $inet = $config->{sets}->{$s}->{inet};
+           push(@{$config->{banned}->{$inet}}, $s);
+       }
+    } else {
+       # At least a single IP address must be provided
+       if (!is_reference($policy, 'ip')) {
+           die "Policy $id is defined without IP address\n";
+       }
+    
+       if (is_reference($policy, 'source')) {
+           die "Syntax error at policy $id in " .
+               $config->{policy}->{$id}->{found} .
+               ": source keyword can be used with " .
+               "the special policy 'banned' only\n";
+       }
+    }
+
+    # Check the syntax
+    foreach my $ip (@{$policy->{ip}}) {
+       $network = 1 unless is_hostaddr($ip);
+    }
+    foreach my $p (qw(service client)) {
+       foreach my $e (@{$policy->{$p}->{_order}}) {
+           my $proto = proto_and_port($e);
+           foreach my $t (qw(allow deny)) {
+               next unless exists $policy->{$p}->{$e}->{$t};
+               foreach my $s (@{$policy->{$p}->{$e}->{$t}}) {
+                   if ($t eq 'deny' && $proto->{proto}->[0] eq 'any' &&
+                       !is_anynet($s)) {
+                       die "Syntax error at policy $id in ".
+                           $config->{policy}->{$id}->{found} .
+                           ", deny rule: 'any' protocol can be used with " .
+                           "any network access only\n";
+                    }
+                    die "Syntax error at policy $id in ".
+                        $config->{policy}->{$id}->{found} .
+                        ", $t rule: IP address and access right " .
+                        "cannot be both network addresses\n"
+                        if $network && !(is_hostaddr($s) || is_anynet($s));
+               }
+           }
+       }
+    }
+    if ($opts{debug} eq 'policy') {
+       print ">>>> policy $id: ", Dumper $policy;
+    }
+    if ($id eq 'banned') {
+       print_banned($policy);
+    } else {
+       print_policy($policy, 'service', $id);
+       print_policy($policy, 'client', $id);
+    }
+    # $config->{_policy_seen}->{$id} = $policy;
+    $config->{policy}->{$id} = 1;
+}
+
+sub set_param {
+    my $set = shift;
+    my $what = shift;
+
+    return exists $config->{general}->{settings}->{set} &&
+          exists $config->{general}->{settings}->{set}->{$set} &&
+          exists $config->{general}->{settings}->{set}->{$set}->{$what};
+}
+
+#
+# Evaluate (check) the general settings
+#
+sub eval_general {
+    my($foo, $bar);
+
+    # General
+    foreach (qw(udp tcpudp)) {
+       $config->{general}->{settings}->{$_} = []
+           unless is_reference($config->{general}->{settings}, $_);
+    }
+    foreach $foo (@{$config->{general}->{settings}->{tcpudp}}) {
+       die "Protocol $foo defined both as 'tcpdup' and 'udp' in the general settings\n"
+           if grep($foo eq $_, @{$config->{general}->{settings}->{udp}});
+    }
+    $config->{run} = $config->{general}->{settings}->{run} ?
+       $config->{general}->{settings}->{run} : "$config->{dir}/run";
+    $config->{run} =~ s,/+$,,;
+    ($bar = $config->{run}) =~ s,/+[^/]+,,;
+    if (! -d $config->{run}) {
+       die "Cannot create directory $config->{run}, " .
+           "parent directory does not exist\n" if ! -d $bar;
+       mkdir($config->{run}) or
+           die "Cannot create run directory $config->{run}: $!\n";
+    }
+    foreach (qw(ipset iptables ip6tables)) {
+        my $cmd = '';
+       if (exists $config->{general}->{settings}->{$_}) {
+           $cmd = $config->{general}->{settings}->{$_};
+        } else {
+           $cmd = `which $_`;
+           chomp($cmd);
+       }
+        die "Cannot find binary for $_\n" unless $cmd;
+       die "Cannot find binary $_ as $cmd\n" unless -x $cmd;
+       $config->{general}->{settings}->{$_} = $cmd;
+    }
+    foreach my $class (qw(denied accepted spoofed banned)) {
+       next if exists $config->{general}->{settings}->{class} &&
+               is_reference($config->{general}->{settings}->{class}, $class);
+       $config->{general}->{settings}->{class}->{$class} = {
+           type => 'log',
+           prefix => "$class: ",
+       }
+    }
+    $config->{general}->{checked} = 1;
+    
+    # Default set parameters
+    my $conf = $config->{general}->{settings};
+    my $defset;
+    foreach my $s (@sets) {
+       $s =~ /([46])$/;
+       $config->{sets}->{$s}->{inet} = "-$1";
+       if ($s =~ /banned-(ip|net)/) {
+          $config->{sets}->{$s}->{type} = $1;
+       } else {
+          $s =~ /-([^-]+)[46]$/;
+          my $t = $1;
+          $t =~ s/(ip|port|net)\B/$1,/g;
+          $config->{sets}->{$s}->{type} = $t;
+       }
+       $defset = $s =~ /4$/ ? "default4" : "default6";
+       foreach my $p (qw(hashsize maxelem)) {
+           if (set_param($s, $p)) {
+               $config->{sets}->{$s}->{$p} = $conf->{set}->{$s}->{$p};
+           } elsif (set_param($defset, $p)) {
+               $config->{sets}->{$s}->{$p} = $conf->{set}->{$defset}->{$p};
+           } elsif (set_param('default', $p)) {
+               $config->{sets}->{$s}->{$p} = $conf->{set}->{default}->{$p};
+           }
+       }
+    }
+    foreach my $s (keys %{$config->{sets}}) {
+       if (!exists $config->{sets}->{$s}->{inet}) {
+           die "Missing family definition for set $s\n";
+       }
+       if (!exists $config->{sets}->{$s}->{type}) {
+           die "Missing type definition for set $s\n"
+               unless exists $config->{sets}->{$s}->{external};
+       }
+    }
+    print Dumper $config->{general} if $opts{debug} eq 'general';
+
+    # Do not create modules file at the first parsing
+    return if $config->{_no_files_yet};
+    return unless is_reference($config->{general}->{settings}, 'module') ||
+                 exists $config->{general}->{settings}->{helper};
+    my $fh = $config->{fh}->{modules};
+    foreach my $m (keys %{$config->{general}->{settings}->{module}}) {
+        my $modparam = '';
+        $modparam = ' ' . $config->{general}->{settings}->{module}->{$m}->{modparam}
+            if $config->{general}->{settings}->{module}->{$m}->{modparam};
+        safe_print($fh, "modules", "modprobe $m$modparam");
+        $config->{lineno}->{modules}++;
+    }
+    foreach my $m (@{$config->{general}->{settings}->{helper}}) {
+       safe_print($fh, "modules", "modprobe nf_conntrack_$m");
+       $config->{lineno}->{modules}++;
+    }
+}
+
+#
+# Evaluate (check) a network setting
+#
+sub eval_zone {
+    my($zone) = $config->{zone}->{$config->{_curr}->{id}};
+
+    if (is_reference($zone, 'source')) {
+       die "Invalid zone '$config->{_curr}->{id}': interface " .
+           "and network address must be used in pair\n"
+               if is_reference($zone, 'network') ^
+                  is_reference($zone, 'interface');
+    } else {
+       die "Zone '$config->{_curr}->{id}' defined without interface " .
+           "and network address\n"
+               unless is_reference($zone, 'network') &&
+                       @{$zone->{network}} &&
+                       is_reference($zone, 'interface') &&
+                       @{$zone->{interface}};
+    }
+
+    print Dumper $config->{zone} if $opts{debug} eq 'zone';
+    
+    foreach my $net (@{$zone->{network}}) {
+        my $in = $net =~ /:/ ? 6 : 4;
+        $net =~ s/^(!)?//;
+        my $nomatch = $1 ? ' nomatch' : '';
+        foreach my $if (@{$zone->{interface}}) {
+            my $fh = $config->{fh}->{"networks-netiface$in"};
+            safe_print($fh, "set networks-netiface$in",
+                       "add networks-netiface$in $net,$if$nomatch");
+            $config->{lineno}->{"networks-netiface$in"}++;
+        }
+    }
+    return unless is_reference($zone, 'source') && @{$zone->{source}};
+    foreach my $s (@{$zone->{source}}) {
+       my $inet = $config->{sets}->{$s}->{inet};
+       foreach my $if (@{$zone->{interface}}) {
+           die "Interface $if is already defined with a source set " .
+               "$config->{zones}->{$inet}->{$if}->{source} in zone definition " .
+               "$config->{zones}->{$inet}->{$if}->{zone}\n"
+               if exists $config->{zones}->{$inet} &&
+                  exists $config->{zones}->{$inet}->{$if};
+           $config->{zones}->{$inet}->{$if} = {
+               source => $s,
+               zone => $config->{_curr}->{id},
+           }
+       }
+    }
+}
+
+#
+# Evaluate (check) a NAT rule
+#
+sub eval_nat {
+    # Actually, just check it
+    my($nat) = $config->{nat}->{$config->{_curr}->{id}};
+    my($fh) = $config->{fh}->{nat4};
+    my($type, $chain);
+
+    print "IPv6 NAT does not supported yet, ignoring ip6tables commands\n"
+        if $nat->{ip6tables};
+
+    # FIXME
+    my @chains = qw(PREROUTING POSTROUTING OUTPUT);
+
+    my $rules = $nat->{iptables};
+    my $custom = {};
+    foreach my $r (@$rules) {
+        my $c = $r;
+        $c =~ s/\s*-t\s+nat\s*/ /;
+        die "Invalid custom rule 'iptables $r': must start with '-A' or '-N'\n"
+            unless $c =~ /^-(A|N)\s+(\S+)\s+\S+/;
+        ($type, $chain) = ($1, $2);
+        if ($type eq '-N') {
+            die "Invalid custom rule 'iptables $r': chain $chain is internally defined\n"
+                if grep($chain eq $_, @chains);
+            $custom->{$chain} = 1;
+            next;
+        }
+        next if grep($chain eq $_, @chains) || exists $custom->{$chain};
+        die "Invalid custom rule 'iptables $r': chain $chain is unknown or invalid\n";
+    }
+    foreach my $r (@$rules) {
+        $r =~ s/\s*-t\s+nat\s*/ /;
+        safe_print($fh, "table nat4", $r);
+        $config->{lineno}->{nat4}++;
+    }
+}
+
+#
+# Evaluate (check) a mangle rule
+#
+sub eval_mangle {
+    # Actually, just check it
+    my($mangle) = $config->{mangle}->{$config->{_curr}->{id}};
+    my($type, $chain, $fh, $inet); 
+
+    # FIXME
+    my @chains = qw(PREROUTING POSTROUTING INPUT OUTPUT FORWARD);
+
+    foreach my $iptables (qw(iptables ip6tables)) {
+        next unless $mangle->{$iptables};
+        my $rules = $mangle->{$iptables};
+        my $custom = {};
+        foreach my $r (@$rules) {
+            my $c =~ s/\s*-t\s+mangle\s*/ /;
+            die "Invalid custom rule '$iptables $r': must start with '-A' or '-N'\n"
+                unless $c =~ /^-(A|N)\s+(\S+)\s+\S+/;
+            ($type, $chain) = ($1, $2);
+            if ($type eq '-N') {
+                die "Invalid custom rule '$iptables $r': chain $chain is internally defined\n"
+                    if grep($chain eq $_, @chains);
+                $custom->{$chain} = 1;
+                next;
+            }
+            next if grep($chain eq $_, @chains) || exists $custom->{$chain};
+            die "Invalid custom rule '$iptables $r': chain $chain is unknown or invalid\n";
+        }
+        $inet = $iptables eq 'iptables' ? 4 : 6;
+        $fh = $config->{$fh}->{"mangle$inet"};
+        foreach my $r (@$rules) {
+            $r =~ s/\s*-t\s+mangle\s*/ /;
+            safe_print($fh, "table mangle$inet", $r);
+            $config->{lineno}->{"mangle$inet"}++;
+        }
+    }
+}
+
+#
+# Ignore a deprecated keyword
+#
+sub ignore_keyword {
+    return 0;
+}
+
+#
+# Warn about a deprecated keyword
+#
+sub warn_keyword {
+    my $name = shift;
+    
+    print STDERR "Deprecated keyword $name in $config->{_currfile}:$config->{_currline} IGNORED\n"
+        unless $config->{_suppress_warning};
+    return 0;
+}
+
+#
+# The parser
+#
+# I know it could probably look more attractive with Perl classes,
+# but the point is not attractiveness...
+#
+my $parser = {
+    general => {
+       _check => \&valid_general,
+       _subtree => [ qw(tcpudp udp logging service module helper
+                        class set custom
+                        ipset iptables ip6tables
+                        group sort banned hashsize) ],
+       _eval => \&eval_general,
+       # keyword subtree
+       tcpudp => {
+           _check => \&valid_proto,
+       },
+       udp => {
+           _check => \&valid_proto,
+       },
+       logging => {
+           _check => \&valid_multivalue_from_set,
+           _values => [ qw(yes no denied accepted banned spoofed) ],
+       },
+        module => {
+            _check => \&valid_word,
+            _subtree => [ qw(modparam) ],
+            modparam => {
+                _check => \&valid_txt,
+            },
+        },
+        helper => {
+            _check => \&valid_multivalue_from_set,
+            _values => [ qw(amanda ftp h323 irc pptp sane sip snmp tftp) ],
+        },
+       class => {
+           _check => \&valid_from_set,
+           _values => [ qw(accepted denied spoofed banned
+                           accepted4 denied4 spoofed4 banned4
+                           accepted6 denied6 spoofed6 banned6) ],
+           _subtree => [ qw(type limit prefix reject ignore) ],
+           # keyword subtree
+           type => {
+               _check => \&valid_from_set,
+               _values => [ qw(log nflog none) ],
+               _subtree => [ qw(level group range threshold) ],
+               level => {
+                   _check => \&valid_from_set,
+                   _values => [ qw(debug info notice warning warn
+                                   error err crit alert emerg) ],
+                },
+               group => {
+                   _check => \&valid_range,
+                   _values => [ 0, 65535 ]
+                },
+                range => {
+                   _check => \&valid_range,
+                   _values => [ 0, 65535 ]
+                },
+                threshold => {
+                   _check => \&valid_range,
+                   _values => [ 1, 65535 ]
+                },
+            },
+            limit => {
+               _check => \&valid_from_set,
+               _values => [ qw(plain hashlimit) ],
+               _subtree => [ qw(rate burst mask4 mask6 tablesize maxentries) ],
+               rate => {
+                   _check => \&valid_rate,
+               },
+               burst => {
+                   _check => \&valid_number,
+               },
+               mask4 => {
+                   _check => \&valid_range,
+                   _values => [1, 32],
+               },
+               mask6 => {
+                   _check => \&valid_range,
+                   _values => [1, 128],
+               },
+               tablesize => {
+                   _check => \&valid_number,
+               },
+               maxentries => {
+                   _check => \&valid_number,
+               },
+           },
+           prefix => {
+               _check => \&valid_txt,
+           },
+           reject => {
+               _check => \&valid_proto,
+           },
+           ignore => {
+               _check => \&valid_proto,
+               _subtree => [ qw(from to) ],
+               from => {
+                   _check => \&valid_ip_anynet,
+                },
+               to => {
+                   _check => \&valid_ip_anynet,
+                },
+           },
+       },
+        set => {
+           _check => \&valid_setdef,
+           _subtree => [ qw(hashsize maxelem family) ],
+           # keyword subtree
+           hashsize => {
+               _check => \&valid_number,
+           },
+           maxelem => {
+               _check => \&valid_number,
+           },
+           family => {
+               _check => \&valid_from_set,
+               _values => [ qw(inet inet4 inet6 ipv4 ipv6) ],
+           }
+       },
+       custom => {
+           _check => \&valid_from_set,
+           _values => [ qw(raw filter accepted denied banned spoofed) ],
+           _subtree => [ qw(iptables ip6tables) ],
+           # keyword subtree
+            iptables => {
+                _check => \&valid_custom,
+            },
+            ip6tables => {
+                _check => \&valid_custom,
+            },
+       },
+        ipset => {
+            _check => \&valid_binary,
+        },
+        iptables => {
+            _check => \&valid_binary,
+        },
+        ip6tables => {
+            _check => \&valid_binary,
+        },
+        group => {
+            _check => \&ignore_keyword,
+        },
+        sort => {
+            _check => \&ignore_keyword,
+        },
+        banned => {
+            _check => \&warn_keyword,
+        },
+        hashsize => {
+            _check => \&warn_keyword,
+        },
+        service => {
+            _check => \&warn_keyword,
+        },
+    },
+    zone => {
+       _check => \&valid_id,
+       _subtree => [ qw(interface network source) ],
+       _eval => \&eval_zone,
+       # keyword subtree
+       interface => {
+           _check => \&valid_if,
+       },
+       network => {
+           _check => \&valid_ip_anynetwork,
+       },
+       source => {
+           _check => \&valid_source,
+       },
+    },
+    policy => {
+       _check => \&valid_id,
+       _subtree => [ qw(ip source service client
+                        os location admin comment
+                        logging) ],
+       _eval => \&eval_policy,
+       # keyword subtree
+       ip => {
+           _check => \&valid_ip, 
+       },
+       source => {
+           _check => \&valid_source,
+       },
+       service => {
+           _check => \&valid_proto,
+           _subtree => [ qw(allow deny logging) ],
+           _order => 1,
+           # keyword subtree
+           allow => {
+               _check => \&valid_ip_anynet,
+           },
+           deny => {
+               _check => \&valid_ip_anynet,
+           },
+           logging => {
+               _check => \&warn_keyword,
+           },
+       },
+       client => {
+           _check => \&valid_proto_inherit,
+           _subtree => [ qw(allow deny logging) ],
+           _order => 1,
+           # keyword subtree
+           allow => {
+               _check => \&valid_ip_anynet,
+           },
+           deny => {
+               _check => \&valid_ip_anynet,
+           },
+           logging => {
+               _check => \&warn_keyword,
+           },
+       },
+       os => {
+           _check => \&ignore_keyword, 
+       },
+       location => {
+           _check => \&ignore_keyword, 
+       },
+       admin => {
+           _check => \&ignore_keyword, 
+       },
+       comment => {
+           _check => \&ignore_keyword, 
+       },
+       logging => {
+           _check => \&warn_keyword, 
+       },
+    },
+    nat => {
+       _check => \&valid_id,
+       _subtree => [ qw(type in out srcip dstip proto sport dport to
+                        flags chain
+                        iptables ip6tables) ],
+       _eval => \&eval_nat,
+       # keyword subtree
+       type => {
+           _check => \&valid_from_set,
+           _values => [ qw(snat dnat masquerade redirect netmap accept) ],
+       },
+       in => {
+           _check => \&valid_if,
+       },
+       out => {
+           _check => \&valid_if,
+       },
+       proto => {
+           _check => \&valid_multivalue_from_set,
+           _values => [ qw(tcp sctp udp udplite) ],
+       },
+       srcip => {
+           _check => \&valid_ip,
+       },
+       dstip => {
+           _check => \&valid_ip,
+       },
+       sport => {
+           _check => \&valid_port,
+       },
+       dport => {
+           _check => \&valid_port,
+       },
+       to => {
+           _check => \&valid_nat_addr,
+       },
+       flags => {
+           _check => \&valid_multivalue_from_set,
+           _values => [ qw(random persistent) ],
+       },
+       chain => {
+           _check => \&valid_chain,
+           _values => [ qw(prerouting output postrouting) ],
+       },
+       iptables => {
+           _check => \&valid_custom,
+       },
+       ip6tables => {
+           _check => \&valid_custom,
+       },
+       source => {
+           _check => \&valid_source,
+       },
+    },
+    mangle => {
+       _check => \&valid_id,
+       _subtree => [ qw(type in out proto chain
+                        iptables ip6tables) ],
+       _eval => \&eval_mangle,
+       # keyword subtree
+       type => {
+           _check => \&valid_from_set,
+           _values => [ qw(tcpmss) ],
+           tcpmss => {
+               _subtree => [ qw(mss) ],
+               mss => {
+                   _check => \&valid_mss,
+                }
+            },
+       },
+       in => {
+           _check => \&valid_if,
+       },
+       out => {
+           _check => \&valid_if,
+       },
+       proto => {
+           _check => \&valid_multivalue_from_set,
+           _values => [ qw(tcp) ],
+       },
+       chain => {
+           _check => \&valid_from_set,
+           _values => [ qw(prerouting input output postrouting forward) ],
+       },
+       iptables => {
+           _check => \&valid_custom,
+       },
+       ip6tables => {
+           _check => \&valid_custom,
+       },
+       source => {
+           _check => \&valid_source,
+       },
+    },
+};
+
+#
+# Parse a configuration file
+# 
+# The data loaded from the config file(s) is stored in the $config
+# variable with the following structure:
+#
+# $config = (
+#      general -> settings ->
+#                      tcpudp -> [ proto ]
+#                      udp -> [ proto ]
+#                      logging -> accepted|denied|banned|spoofed ->
+#                              type -> log|nflog
+#                                      level -> warn|err|...
+#                                      group -> n
+#                                      range -> n
+#                                      threshold -> n
+#                              limit -> n/second|minute|hour|day
+#                              burst -> m
+#                              prefix -> txt
+#                              reject -> [ proto ]
+#                      set -> name ->
+#                              hashsize -> n
+#                              maxelem -> n
+#                              source -> file
+#                      custom -> name ->
+#                              source -> file
+#      network -> id -> interface -> [ ]
+#                       address -> [ ]
+#                 _network -> [ ]
+#      template -> id ->
+#                       service -> { proto -> { allow -> [], deny -> [], yes ]
+#                                    _order -> [ ordered_proto ]
+#                                  }
+#                       client  -> { proto -> [ allow-> [], deny->[], yes ]
+#                                    _order -> [ ordered_proto ]
+#                                  }
+#                _template -> [ ]
+#      policy  -> id -> ip -> [ ]
+#                       service -> { proto -> [ allow -> [], deny->[], yes ]
+#                                    _order -> [ ordered_proto ]
+#                                  }
+#                       client  -> { proto -> [ allow -> [], deny->[], yes ]
+#                                    _order -> [ ordered_proto ]
+#                                  }
+#                       merge -> [ templateid ]
+#                       inherit -> [ templateid ]
+#                _policy -> [ ]
+#      nat -> id ->
+#                       type -> snat|dnat|masquerade|redirect|accept|netmap
+#                       in   -> [ iface, ... ]
+#                       out  -> [ iface, ... ]
+#                       srcip -> [ addr, ... ]
+#                       dstip -> [ addr, ... ]
+#                       sport -> [ port, ... ]
+#                       dport -> [ port, ... ]
+#                       to   -> ipaddr[-ipaddr][:port-port]|ipaddr[/cidr]
+#                       flags -> random|permanent
+#
+sub parse {
+    my($file) = shift;
+    my($fh) = shift;
+    my($toplevel) = shift;
+    my($keyword, $value, $id, $type, $s, $curr, @state);
+
+    $config->{_currfile} = $file;
+    $config->{_currline} = 0;
+    $config->{_curr}->{id} = '';
+    $config->{_suppress_warning} = 1 if $toplevel eq 'general';
+
+    while (<$fh>) {
+       $config->{_currtext} = $_;
+       $config->{_currline}++;
+       s/#.*$//;
+       s/^\s*//;
+       next if /^\s*$/;
+       chomp;
+       ($keyword, $value) = split(/\s*=\s*|\s+/, $_, 2);
+       $keyword = lc($keyword);
+       $value = '' unless $value;
+       print ">>> $keyword = $value\n" if $opts{debug} eq 'parser';
+       if ($keyword =~ /^(general|zone|policy|nat|mangle)$/) {
+           # Top level parser stack
+            if ($config->{_curr}->{id}) {
+                # Evaluate previous toplevel block
+                $type = $config->{_curr}->{type};
+                $id = $config->{_curr}->{id};
+                &{$parser->{$type}->{_eval}}($id);
+                print Dumper $config->{$type}->{$id}
+                    if $opts{debug} eq 'parser';
+                push(@{$config->{$type}->{_ids}}, $id);
+
+                return if $type eq $toplevel;
+
+                # Cleanup, except for general
+                delete $config->{$type}->{$id} unless $type eq 'general';
+            }
+           $id = &{$parser->{$keyword}->{_check}}($keyword, $value);
+            $config->{_curr}->{type} = $keyword;
+            $config->{_curr}->{id} = $id;
+            $config->{$keyword}->{$id} = {};
+            $config->{_found}->{$keyword}->{$id} = 
+                "$config->{_currfile}:$config->{_currline}";
+
+           # Stack for the next parser level
+           @state = ( { keywords => $parser->{$keyword}->{_subtree},
+                        config => $config->{$keyword}->{$id},
+                        parser => $parser->{$keyword} } );
+           next;
+       }
+       # Not top level parser stack: find the keyword in the tree
+       while (@state && !grep($keyword eq $_, @{$state[0]->{keywords}})) {
+           shift @state;
+       }
+       parser_error("Invalid syntax") unless @state;
+
+       $s = $state[0];
+       # Check the value of the parameter
+       if (defined $s->{parser}->{$keyword}->{_values}) {
+           $value = &{$s->{parser}->{$keyword}->{_check}}($keyword, $value,
+                               @{$s->{parser}->{$keyword}->{_values}});
+       } else {
+           $value = &{$s->{parser}->{$keyword}->{_check}}($keyword, $value);
+       }
+       $curr = {};
+       if ($s->{parser}->{$keyword}->{_subtree}) {
+           print ">>> subtree\n" if $opts{debug} eq 'parser';
+           $curr->{keywords} = $s->{parser}->{$keyword}->{_subtree};
+           $curr->{parser} = $s->{parser}->{$keyword};
+           # If there's a parser subtree, current state cannot be multivalue
+           if (ref($value) eq 'ARRAY') {
+               # Multivalue: we must take into account at the next level
+               foreach (@$value) {
+                   $s->{config}->{$keyword}->{$_}->{yes}++;
+               }
+               $curr->{config} = $s->{config}->{$keyword};
+               $curr->{multivalue} = $value;
+               if ($s->{parser}->{$keyword}->{_order}) {
+                   push(@{$s->{config}->{$keyword}->{_order}}, @$value);
+               }
+           } else {
+               $s->{config}->{$keyword}->{$value}->{yes}++;
+               $curr->{config} = $s->{config}->{$keyword}->{$value};
+           }
+           if ($opts{debug} eq 'parser') {
+               print "state >>> ", Dumper \@state;
+               print "curr >>>> ", Dumper \$curr;
+            }
+           unshift(@state, $curr);
+       } else {
+           print ">>> no subtree\n" if $opts{debug} eq 'parser';
+           # End of subtree
+           if ($s->{multivalue}) {
+               # Previous level with multivalue
+               if (ref($value) eq 'ARRAY') {
+                   foreach $id (@{$s->{multivalue}}) {
+                       push(@{$s->{config}->{$id}->{$keyword}}, @$value);
+                   }
+               } else {
+                   foreach $id (@{$s->{multivalue}}) {
+                       $s->{config}->{$id}->{$keyword} = $value;
+                   }
+               }
+           } else {
+               if (ref($value) eq 'ARRAY') {
+                   push(@{$s->{config}->{$keyword}}, @$value);
+               } else {
+                   $s->{config}->{$keyword} = $value;
+               }
+           }
+       }
+       if ($opts{debug} eq 'parser') {
+           print "state: ", Dumper \@state;
+           print "config: ", Dumper $config;
+        }
+    }
+    # Last one: constructs cannot overlap in config files :-)
+    if ($config->{_curr}->{id} &&
+        is_reference($parser->{$config->{_curr}->{type}}, '_eval')) {
+        $type = $config->{_curr}->{type};
+        $id = $config->{_curr}->{id};
+       &{$parser->{$type}->{_eval}}($id);
+       $config->{_curr}->{id} = '';
+        push(@{$config->{$type}->{_ids}}, $id);
+    }
+    print "config: ", Dumper $config if $opts{debug} eq 'parser';
+}
+
+#
+# Open the configuration files and call the parser
+#
+sub load {
+    my($toplevel) = shift || '';
+    my($fh, $id);
+
+    # Skip already parsed config file
+    return if $toplevel && exists $config->{$toplevel};
+
+    $config->{_no_files_yet} = $toplevel eq 'general';
+    
+    my @files = glob("$config->{dir}/cf.d/*$toplevel.cf");
+    die "Missing *${toplevel}.cf config file(s) from $config->{dir}/cf.d/\n"
+        unless @files;
+    foreach my $f (@files) {
+       $fh = FileHandle->new($f, "r");
+        die "Cannot open $f for reading: $!\n" unless defined $fh;
+        parse($f, $fh, $toplevel);
+        undef($fh);
+        last if $toplevel eq 'general' &&
+                $config->{general}->{settings}->{checked};
+    }
+}              
+
+#
+# Print an iptables table header
+#
+sub print_table_header {
+    my($fh) = shift;
+    my($table) = shift;
+    my(%hooks, %policy);
+       
+    %hooks = (
+       filter => [ qw(INPUT OUTPUT FORWARD) ],
+       nat => [ qw(PREROUTING OUTPUT POSTROUTING) ],
+       mangle => [ qw(PREROUTING FORWARD POSTROUTING INPUT OUTPUT) ],
+       raw => [ qw(PREROUTING OUTPUT) ],
+    );
+    %policy = (
+       filter => 'ACCEPT',
+       nat => 'ACCEPT',
+       mangle => 'ACCEPT',
+       raw => 'ACCEPT',
+    );
+    safe_print($fh, "table $table", "\*$table");
+    foreach (@{$hooks{$table}}) {
+       safe_print($fh, "table $table", ":$_ $policy{$table} [0:0]");
+    }
+}
+
+#
+# Print an iptables trailer and close the file
+#
+sub print_table_trailer {
+    my $table = shift;
+    my($fh) = $config->{fh}->{$table};
+       
+    safe_print($fh, "table $table", "COMMIT");
+    $fh->close or die "Cannot close file for table $table; $!\n";
+}
+
+#
+# Print an ipset trailer and close the file
+#
+sub print_set_trailer {
+    my $set = shift;
+    my $fh = $config->{fh}->{$set};
+    
+    $fh->close or die "Cannot close file for set $set; $!\n";
+}
+
+#
+# Open output files and print headers where needed
+#
+sub files {
+    my(@files) = glob("$config->{dir}/tmp/*");
+    unlink(@files) if @files;
+    $config->{fh}->{modules} =
+        FileHandle->new("$config->{dir}/tmp/modules", "w+");
+    die "Cannot open $config->{dir}/tmp/modules: $!\n"
+        unless defined $config->{fh}->{modules};
+    foreach my $table (qw(raw filter nat mangle)) {
+       foreach my $inet (qw(4 6)) {
+           $config->{fh}->{"$table$inet"} =
+               FileHandle->new("$config->{dir}/tmp/$table$inet", "w+");
+           die "Cannot open $config->{dir}/tmp/$table$inet: $!\n"
+               unless defined $config->{fh}->{"$table$inet"};
+           print_table_header($config->{fh}->{"$table$inet"}, $table);
+       }
+    }
+    # set files
+    my($opts, $flags, $set, $type, $inet, $fh, $conf, $parms);
+    $conf = $config->{general}->{settings}; 
+    foreach my $s (keys %{$config->{sets}}) {
+       next if exists $config->{sets}->{$s}->{external};
+       $config->{fh}->{$s} = $fh =
+           FileHandle->new("$config->{dir}/tmp/$s", "w+");
+       die "Cannot open $config->{dir}/tmp/$s: $!\n"
+           unless defined $config->{fh}->{$s};
+       $parms = $config->{sets}->{$s};
+       $flags = $parms->{inet};
+       $type = $parms->{type};
+       $opts = "";
+       $opts .= " hashsize $parms->{hashsize}" if exists $parms->{hashsize};
+       $opts .= " maxelem $parms->{maxelem}" if exists $parms->{maxelem};
+       $opts .= " counters" if exists $parms->{counters};
+       safe_print($fh, "set $s", <<TXT);
+create $s hash:$type $flags$opts
+TXT
+    }
+}
+
+#
+# Create individual verdict chains
+#
+sub create_verdict {
+    my($table) = shift;
+    my($verdict) = shift;
+    my($inet) = shift;
+    my($fh) = $config->{fh}->{"$table$inet"};
+    my($v) = "$verdict$inet";
+
+    safe_print($fh, "table $table", <<TXT);
+# Verdict chain $verdict
+-N $verdict
+TXT
+    custom($verdict, $inet);
+    my($logging) = exists $config->{general}->{settings}->{logging}
+                  ? $config->{general}->{settings}->{logging} : [];
+    my $class = exists $config->{general}->{settings}->{class}->{$v} ?
+       $config->{general}->{settings}->{class}->{$v} :
+       exists $config->{general}->{settings}->{class}->{$verdict} ?
+       $config->{general}->{settings}->{class}->{$verdict} : {};
+    if (grep($_ eq 'yes' || $_ eq $verdict || $_ eq $v, @$logging)) {
+       my($target) = $verdict eq 'accepted' ? 'ACCEPT' : 'DROP';
+       if ($class->{ignore}) {
+           foreach my $s (keys %{$class->{ignore}}) {
+               my $proto = proto_and_port($s);
+               foreach my $p (@{$proto->{proto}}) {
+                   next if ($inet == 6 && $p eq 'icmp') ||
+                           ($inet == 4 && $p eq 'icmpv6');
+                   my @src = ();
+                   my @dst = ();
+                   my $ip1;
+                   if (exists $class->{ignore}->{$s}->{from}) {
+                       foreach $ip1 (@{$class->{ignore}->{$s}->{from}}) {
+                           my $in = $ip1 eq 'anynet' ? $inet :
+                                    $ip1 =~ /:/ ? 6 : 4;
+                           next unless $inet == $in;
+                           if ($ip1 eq 'anynet') {
+                               push(@src, "");
+                           } else {
+                               push(@src, " -s $ip1");
+                           }
+                       }
+                   }
+                   if (exists $class->{ignore}->{$s}->{to}) {
+                       foreach $ip1 (@{$class->{ignore}->{$s}->{to}}) {
+                           my $in = $ip1 eq 'anynet' ? $inet :
+                                    $ip1 =~ /:/ ? 6 : 4;
+                           next unless $inet == $in;
+                           if ($ip1 eq 'anynet') {
+                               push(@dst, "");
+                           } else {
+                               push(@dst, " -d $ip1");
+                           }
+                       }
+                   }
+                   my $x = '';
+                   if ($p eq 'inherit') {
+                       die "The keyword 'inherit' is invalid in a logging class\n";
+                   } elsif ($p eq 'any') {
+                       $x = '';
+                   } elsif ($p eq 'icmp') {
+                       $x = " -p icmp";
+                       $x .= " --icmp-type $proto->{port}->[0]"
+                           if @{$proto->{port}};
+                   } elsif ($p eq 'icmpv6') {
+                       $x = " -p icmpv6";
+                       $x .= " --icmpv6-type $proto->{port}->[0]"
+                           if @{$proto->{port}};
+                   } elsif (grep($p eq $_, qw(tcp udp udplite sctp))) {
+                       $x = " -p $p";
+                       $x .= " --destination-port $proto->{port}->[0]"
+                           if @{$proto->{port}};
+                       $x .= ":$proto->{port}->[1]"
+                           if $#{$proto->{port}};
+                   } else {
+                       $x = " -p $p";
+                   }
+                   if (@src) {
+                       foreach $s (@src) {
+                           if (@dst) {
+                               foreach my $d (@dst) {
+                                   safe_print($fh, "table $table",  <<TXT);
+-A $verdict$s$d$x -j $target
+TXT
+                               }
+                           } else {
+                           safe_print($fh, "table $table",  <<TXT);
+-A $verdict$s$x -j $target
+TXT
+                           }
+                       }
+                   } elsif (@dst) {
+                       foreach my $d (@dst) {
+                           safe_print($fh, "table $table",  <<TXT);
+-A $verdict$d$x -j $target
+TXT
+                       }
+                   } else {
+                       safe_print($fh, "table $table",  <<TXT);
+-A $verdict$x -j $target
+TXT
+                   }
+               }
+           }
+       }
+       my($log, $value, @logopt);
+       $log = '';
+       if (exists $class->{limit}) {
+           if (exists $class->{limit}->{hashlimit}) {
+               my $limit = $class->{limit}->{hashlimit};
+               $log = ' -m hashlimit';
+               my $upto = $limit->{rate} ? $limit->{rate} : '3/hour';
+               $log .= " --hashlimit-upto $upto";
+               $log .= " --hashlimit-burst $limit->{burst}"
+                    if $limit->{burst};
+               my $mask = $inet == 4 ?
+                          ($limit->{mask4} ? $limit->{mask4} : 30) :
+                          ($limit->{mask6} ? $limit->{mask6} : 64);
+               $log .= " --hashlimit-mode srcip --hashlimit-srcmask $mask";
+               $log .= " --hashlimit-htable-size $limit->{tablesize}"
+                   if $limit->{tablesize};
+               $log .= " --hashlimit-htable-max $limit->{maxentries}"
+                   if $limit->{maxentries};
+               $log .= " --hashlimit-name $verdict$inet";
+           } elsif (exists $class->{limit}->{plain}) {
+               my $limit = $class->{limit}->{plain};
+               $log = ' -m limit';
+               $log .= " --limit $limit->{rate}" if $limit->{rate};
+               $log .= " --limit-burst $limit->{burst}" if $limit->{burst};
+           }
+        }
+        my $type = exists $class->{type}->{nflog} ? "nflog" : "log";
+       if ($type eq 'nflog') {
+           $log .= " -j NFLOG";
+           @logopt = qw(group range threshold);
+       } else {
+           $log .= " -j LOG";
+           @logopt = qw(level);
+       }
+       foreach (@logopt) {
+           $value = $class->{type}->{$type}->{$_};
+           if ($value) {
+               $value++ if $inet == 6 && $_ eq 'group';
+               $log .= " --${type}-$_ " . $value;
+           }
+       }
+       if ($class->{prefix}) {
+           my($prefix);
+           $prefix = $class->{prefix};
+           if ($type eq 'log') {
+               $prefix .= " " unless $prefix =~ /( |")$/;
+           }
+           $prefix = '"' . $prefix unless $prefix =~ /^"/;
+           $prefix .= '"' unless $prefix =~ /"$/;
+           $log .= " --${type}-prefix $prefix";
+       }
+       safe_print($fh, "table $table", "-A $verdict$log");
+    }
+    if (grep($verdict eq $_, qw(denied banned spoofed))
+        && exists $class->{reject} && @{$class->{reject}}) {
+       my($proto, $cond);
+       if ($table eq 'raw') {
+           safe_print($fh, "table $table", <<TXT);
+# Make sure REJECT packet can go through the rules as UNTRACKED
+-A $verdict -j NOTRACK
+TXT
+       }
+       foreach $proto (@{$class->{reject}}) {
+           if ($proto =~ /^(any|all)$/) {
+               safe_print($fh, "table $table", <<TXT);
+-A $verdict -p tcp -j REJECT --reject-with tcp-reset
+-A $verdict -j REJECT
+TXT
+           } else {
+               my $p = proto_and_port($proto);
+               foreach $cond (@{$p->{proto}}) {
+                   if ($cond eq 'tcp') {
+                       my $port = "";
+                       $port .= " --destination-port $p->{port}->[0]"
+                           if @{$p->{port}};
+                       $port .= ":$p->{port}->[1]"
+                           if $#{$p->{port}};
+                       safe_print($fh, "table $table", <<TXT);
+-A $verdict -p $cond$port -j REJECT --reject-with tcp-reset
+TXT
+                   } else {
+                       safe_print($fh, "table $table", <<TXT);
+-A $verdict -p $cond -j REJECT
+TXT
+                   }
+               }
+           }
+       }
+    }
+    my($target) = $verdict eq 'accepted' ? 'ACCEPT' : 'DROP';
+    safe_print($fh, "table $table",  <<TXT);
+-A $verdict -j $target
+TXT
+}
+
+#
+# Create the custom raw/filter
+#
+sub custom {
+    my($table) = shift;
+    my($inet) = shift;
+    my($fh, $type, $chain, $file);
+    my $prefix;
+    my($iptables) = $inet == 4 ? 'iptables' : 'ip6tables';
+    $fh = $config->{fh}->{"$table$inet"};
+
+    if ($table eq 'raw') {
+       safe_print($fh, "table $table$inet", "-N $table");
+       safe_print($fh, "table $table$inet", '-N custom');
+       safe_print($fh, "table $table$inet", "-A $table -j custom");
+       safe_print($fh, "table $table$inet", "-A $table -j ACCEPT");
+    } elsif ($table eq 'filter') {
+       safe_print($fh, "table $table$inet", '-N custom');
+    }
+    
+    return unless exists $config->{general}->{settings}->{custom} &&
+                 exists $config->{general}->{settings}->{custom}->{$table} &&
+                 exists $config->{general}->{settings}->{custom}->{$table}->{$iptables};
+
+    my $rules = $config->{general}->{settings}->{custom}->{$table}->{$iptables};
+    my $custom = {};
+    # FIXME: nat, mangle
+    if (grep($table eq $_, qw(raw filter))) {
+       $custom->{custom} = 1;
+       $prefix = 'custom-';
+    } elsif (grep($table eq $_, qw(banned spoofed))) {
+       $custom->{$table} = 1;
+       $prefix = "$table-";
+       $table = 'raw';
+       $fh = $config->{fh}->{"$table$inet"};
+    } elsif (grep($table eq $_, qw(accepted denied))) {
+       $custom->{$table} = 1;
+       $prefix = "$table-";
+       $table = 'filter';
+       $fh = $config->{fh}->{"$table$inet"};
+    }
+    foreach my $r (@$rules) {
+       die "Invalid custom rule for table $table: $iptables $r\n"
+           if $r =~ /-t\s+(\S+)/ && $1 ne $table;
+        die "Invalid custom rule '$iptables $r': must start with '-A' or '-N'\n"
+            unless $r =~ /^-(A|N)\s+(\S+)\s+\S+/; 
+        ($type, $chain) = ($1, $2);
+        if ($type eq '-N') {
+            die "Invalid custom rule '$iptables $r': chain $chain is defined\n"
+                if exists $custom->{$chain};
+            die "Invalid custom rule '$iptables $r': new chain must start with $prefix\n"
+                unless $chain =~ /^$prefix/;
+            $custom->{$chain} = 1;
+            next;
+        }
+        next if exists $custom->{$chain};
+        die "Invalid custom rule '$iptables $r': chain $chain is unknown or invalid\n";
+    }
+        
+    foreach my $r (@$rules) {
+       $r =~ s/-t\s+(\S+)//;
+        safe_print($fh, "table $table$inet", $r);
+    }
+}
+
+#
+# Create IPv6 link local rules
+#
+sub ipv6_link_local {
+    my $fh = shift;
+    my $chain = shift;
+
+    # Multicast addresses:             FF00::/8
+    # All nodes node-local address:    FF01::1
+    # All nodes link-local address:    FF02::1
+    # All routers link-local address:  FF02::2
+    # OSPFv3 All SPF routers:          FF02::5
+    # OSPFv3 All DR routers:           FF02::6
+    # All routers node-local address:  FF01::2
+    # All routers site-local address:  FF05::2
+    # Solicited-node address:          FF02::1:FF00:0/104
+    # Link-local address:              FE80::/10
+
+    safe_print($fh, "raw6", <<TXT);
+# RFC4890:
+#
+# Neighbor solicitation and advertisement
+-A $chain -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
+-A $chain -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
+# Router solicitation and advertisement
+-A $chain -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
+-A $chain -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
+# Inverse neighbor solicitation and advertisement
+-A $chain -p icmpv6 --icmpv6-type 141 -j ACCEPT
+-A $chain -p icmpv6 --icmpv6-type 142 -j ACCEPT
+# IPv6 link-local multicast
+-A $chain -s fe80::/10 -d ff02::/16 -j ACCEPT
+TXT
+}
+
+#
+# Create the ruletree
+#
+sub ruletree {
+    my($inet) = shift;
+    my($fh);
+    my($icmp) = $inet == 4 ? 'icmp' : 'icmpv6';
+    my(%sdir) = (
+       'ipportip'      => 'dst,dst,src',
+       'ipportnet'     => 'dst,dst,src',
+       'ipport'        => 'dst,dst',
+       'netport'       => 'dst,dst',
+       'ip'            => 'dst',
+       'net'           => 'dst',
+    );
+    my(%cdir) = (
+       'ipportip'      => 'src,dst,dst',
+       'ipportnet'     => 'src,dst,dst',
+       'ipport'        => 'src,dst',
+       'netport'       => 'src,dst',
+       'ip'            => 'src',
+       'net'           => 'src',
+    );
+    my($set, $verdict);
+    my $iptables = $inet == 4 ? 'iptables' : 'ip6tables';
+
+    #  
+    # raw table: spoof protection and banned hosts
+    #
+    $fh = $config->{fh}->{"raw$inet"};
+    # Create logging chains
+    foreach my $chain (qw(spoofed banned)) {
+        create_verdict("raw", $chain, $inet);
+    }
+    # Create custom rules
+    custom('raw', $inet);
+    # Allow IPv6 link local traffic
+    ipv6_link_local($fh, 'PREROUTING') if $inet == 6;
+    # Check banned addresses
+    safe_print($fh, "table raw$inet", "# Check banned addresses");
+    foreach $set (@banned_sets) {
+       next if $config->{sets}->{$set}->{inet} != "-$inet";
+       print_set_trailer($set);
+       if (!exists $config->{lineno}->{$set}) {
+           unlink("$config->{dir}/tmp/$set");
+           next;
+       }
+       safe_print($fh, "raw$inet", <<TXT);
+-A PREROUTING -m set --match-set $set src -j banned
+-A PREROUTING -m set --match-set $set dst -j banned
+TXT
+    }
+    foreach $set (@{$config->{banned}->{"-$inet"}}) {
+       safe_print($fh, "raw$inet", <<TXT);
+-A PREROUTING -m set --match-set $set src -j banned
+-A PREROUTING -m set --match-set $set dst -j banned
+TXT
+    }
+    # Check IP address spoofing
+    safe_print($fh, "raw$inet", <<TXT);
+# Check spoofed addresses
+-A PREROUTING -i lo -j ACCEPT
+TXT
+    if (exists $config->{zones} &&
+        exists $config->{zones}->{$inet}) {
+        foreach my $if (keys %{$config->{zones}->{$inet}}) {
+           safe_print($fh, "raw$inet", <<TXT);
+-A PREROUTING -m set --match-set $config->{zones}->{$inet}->{$if}->{source} src,src -j custom
+TXT
+       }
+    }
+    safe_print($fh, "raw$inet", <<TXT);
+-A PREROUTING -m set --match-set networks-netiface$inet src,src -j raw
+-A PREROUTING -j spoofed
+TXT
+    print_table_trailer("raw$inet");
+
+    # 
+    # Filter table: localhost and forwarding
+    #
+    $fh = $config->{fh}->{"filter$inet"}; 
+
+    # Create logging chains
+    foreach my $chain (qw(accepted denied)) {
+        create_verdict("filter", $chain, $inet);
+    }
+    # Create custom rules
+    custom('filter', $inet);
+    # Services chain
+    safe_print($fh, "filter$inet", <<TXT);
+# Services chain
+-N services
+TXT
+    foreach $set (@sets) {
+       next unless $set =~ /^((allow|deny)-)?service-(\S+)$inet$/;
+       next if $config->{sets}->{$set}->{inet} != "-$inet";
+       print_set_trailer($set);
+       if (!exists $config->{lineno}->{$set}) {
+           unlink("$config->{dir}/tmp/$set");
+           next;
+        }
+       $verdict = $1 ? ($2 eq 'allow' ? 'accepted' : 'denied') : 'both';
+       if ($verdict eq 'both') {
+           safe_print($fh, "filter$inet",  <<TXT);
+-A services -m set --match-set $set $sdir{$3} --return-nomatch -j denied
+-A services -m set --match-set $set $sdir{$3} -j accepted
+TXT
+        } else {
+           safe_print($fh, "filter$inet",  <<TXT);
+-A services -m set --match-set $set $sdir{$3} -j $verdict
+TXT
+        }
+    }
+    
+    # Clients chain
+    safe_print($fh, "filter$inet",  <<TXT);
+# Clients chain
+-N clients
+TXT
+    foreach $set (@sets) {
+       next unless $set =~ /^((allow|deny)-)?client-(\S+)$inet$/;
+       next if $config->{sets}->{$set}->{inet} != "-$inet";
+       print_set_trailer($set);
+       if (!exists $config->{lineno}->{$set}) {
+           unlink("$config->{dir}/tmp/$set");
+           next;
+        }
+       $verdict = $1 ? ($2 eq 'allow' ? 'accepted' : 'denied') : 'both';
+       if ($verdict eq 'both') {
+           safe_print($fh, "filter$inet",  <<TXT);
+-A clients -m set --match-set $set $cdir{$3} --return-nomatch -j denied
+-A clients -m set --match-set $set $cdir{$3} -j accepted
+TXT
+        } else {
+           safe_print($fh, "filter$inet",  <<TXT);
+-A clients -m set --match-set $set $cdir{$3} -j $verdict
+TXT
+        }
+    }
+    safe_print($fh, "filter$inet",  <<TXT);
+# loopback traffic
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+TXT
+    # Allow IPv6 link local traffic
+    if ($inet == 6) {
+       ipv6_link_local($fh, 'INPUT');
+       safe_print($fh, "table filter$inet",  <<TXT);
+# Allow just selected error messages
+-N icmpv6-error-messages
+-A icmpv6-error-messages -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
+-A icmpv6-error-messages -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
+-A icmpv6-error-messages -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
+-A icmpv6-error-messages -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
+-A icmpv6-error-messages -p icmpv6 -j denied
+# Drop packets with hop-by-hop or routing headers
+-A INPUT -m ipv6header --header hop,route --soft -j denied
+# Allow selected ICMPv6 error messages only
+-A INPUT -p icmpv6 -m state --state ESTABLISHED,RELATED -j icmpv6-error-messages
+TXT
+       # ipv6_link_local($fh, 'OUTPUT');
+    }
+    safe_print($fh, "table filter$inet",  <<TXT);
+# localhost: first the common cases
+-A INPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
+# localhost: check services
+-A INPUT -j services
+# Deny everything else
+-A INPUT -j denied
+-A OUTPUT -m state --state NEW -j accepted
+-A OUTPUT -j denied
+TXT
+    if ($inet == 6) {
+       safe_print($fh, "table filter$inet",  <<TXT);
+# Drop packets with hop-by-hop or routing headers
+-A FORWARD -m ipv6header --header hop,route --soft -j denied
+# Allow selected ICMPv6 error messages only
+-A FORWARD -p icmpv6 -m state --state ESTABLISHED,RELATED -j icmpv6-error-messages
+TXT
+    }
+    safe_print($fh, "table filter$inet",  <<TXT);
+# The common cases
+-A FORWARD -m state --state ESTABLISHED,RELATED,UNTRACKED -j ACCEPT
+# Jump to the custom chain
+-A FORWARD -j custom
+# First services
+-A FORWARD -j services
+# Then the clients
+-A FORWARD -j clients
+# Deny everything else
+-A FORWARD -j denied
+TXT
+    print_table_trailer("filter$inet");
+}
+
+sub usage {
+    print <<TXT;
+$0 version|help|sets
+$0 [-c|--config dir] start|stop|reload|restart|config|create
+$0 [-c|--config dir] add|del setname element
+$0 [-c|--config dir] check srcip dstip proto:port [in-iface]
+TXT
+    exit;
+}
+
+sub cmd {
+    my $cmd = shift;
+    my $cont = shift;
+    
+    print "$cmd\n" if $opts{debug} =~ /cmd/;
+    return if $opts{debug} =~ /dry-run/;
+    
+    print `$cmd`;
+    die "Failed command: $cmd: aborting\n" if $? && !$cont;
+}
+
+sub compare {
+    my $a = shift;
+    my $b = shift;
+
+    return 1 unless -e $a && -e $b;
+    system("cmp --quiet $a $b");
+    
+    return $?;
+}
+
+sub start {
+    my $cmd = {
+        4      => $config->{general}->{settings}->{iptables},
+        6      => $config->{general}->{settings}->{ip6tables},
+        ipset  => $config->{general}->{settings}->{ipset},
+    };
+    my $setlist = `$cmd->{ipset} list -name 2>/dev/null`;
+    if ($setlist) {
+       die "Sets are already defined, cannot start: $setlist\n";
+    }
+    if (-e "$config->{dir}/run/modules") {
+        cmd("sh $config->{dir}/run/modules");
+    }
+    if (-e "$config->{dir}/sysctl.conf") {
+       cmd("sysctl -p $config->{dir}/sysctl.conf");
+    }
+    foreach my $set (keys %{$config->{sets}}) {
+        my $s = $set;
+        $s .= '.in' if $config->{sets}->{$set}->{external};
+        next unless -e "$config->{dir}/run/$s";
+        cmd("$cmd->{ipset} -exist -file $config->{dir}/run/$s restore");
+    }
+    foreach my $inet (qw(4 6)) {
+        foreach my $table (qw(raw filter mangle nat)) {
+            next unless -e "$config->{dir}/run/$table$inet";
+            cmd("$cmd->{$inet}-restore < $config->{dir}/run/$table$inet");
+        }
+    }
+    open(S, ">$config->{dir}/run/success");
+    close(S);
+    exit;
+}
+
+sub stop {
+    my $cmd = {
+        4      => $config->{general}->{settings}->{iptables},
+        6      => $config->{general}->{settings}->{ip6tables},
+        ipset  => $config->{general}->{settings}->{ipset},
+    };
+    my $success = -f "$config->{dir}/run/success";
+    # Destroy rules
+    foreach my $inet (qw(4 6)) {
+        foreach my $table (qw(raw filter mangle nat)) {
+            if (-e "$config->{dir}/run/$table$inet") {
+               cmd("$cmd->{$inet}-save -t $table > $config->{dir}/run/$table$inet", 1)
+                   if $success;
+                cmd("$cmd->{$inet} -t $table -F", 1);
+                cmd("$cmd->{$inet} -t $table -X", 1);
+            }
+        }
+    }
+    # Save set states
+    foreach my $set (keys %{$config->{sets}}) {
+       my $s = $set;
+       $s .= '.in' if $config->{sets}->{$set}->{external};
+        if (-e "$config->{dir}/run/$s" && $success) {
+            cmd("$cmd->{ipset} -file $config->{dir}/run/$s save $set", 1);
+        }
+    }
+    # Destroy sets
+    cmd("$cmd->{ipset} flush", 1);
+    cmd("$cmd->{ipset} destroy");
+}
+
+#
+# Add/del elements to/from sets
+#
+sub add_del {
+    my $what = $ARGV[0];
+    my $set = $ARGV[1] || "";
+    my @ip = @ARGV[2 .. $#ARGV];
+    my($in, $cidr, $cmd);
+
+    usage unless $set && @ip;
+
+    die "Cannot $what to/from $set, $set is not enabled in the general section\n"
+            unless exists $config->{sets}->{$set};
+    $cmd = $config->{general}->{settings}->{ipset};
+    foreach my $ip (@ip) {
+        die "Cannot $what $ip: it is not a supported IP address\n"
+            unless is_ipaddr($ip) && $ip !~ /any/;
+        $in = $ip =~ /:/ ? 6 : 4;
+        $ip =~ /(\/(\d+))?$/;
+        $cidr = $2 ? $2 : $in == 4 ? 32 : 128;
+        die "Cannot $what $ip: /0 is not supported\n" if $cidr == 0;
+        cmd("$cmd -exist $what $set $ip");
+    }
+}
+
+sub check {
+    my $src = shift || "";
+    my $dst = shift || "";
+    my $proto = shift || "";
+    my $iface = shift || "";
+    my $in = $src =~ /:/ ? 6 : 4;
+    my $in2 = $src =~ /:/ ? 6 : 4;
+    my $cmd = $config->{general}->{settings}->{ipset};
+    my $res;
+
+    die "Usage: $0 check srcip dstip proto [in-iface]\n"
+       unless $src && $dst && $proto && $in == $in2;        
+
+    if ($proto =~ /:[a-zA-Z0-9]+-[a-zA-Z0-9]+$/) {
+       $proto =~ s/:(\S+)$/:[$1]/;
+    }
+    open(RAW, "$config->{dir}/run/raw$in")
+       or die "Cannot open $config->{dir}/run/raw$in: $!\n";
+    my %check;
+    while (<RAW>) {
+       if (/^-A PREROUTING -m set --match-set (\S+) (src|dst) -j banned/) {
+           $check{$1}++;
+       }
+    }
+    close(RAW);
+    foreach my $s (keys %check) {
+       $res = `$cmd test $s $src 2>&1`;
+       if ($res =~ /is in set/) {
+           die "BANNED ($s, src): $src $dst $proto\n";
+       }
+       $res = `$cmd test $s $dst 2>&1`;
+       if ($res =~ /is in set/) {
+           die "BANNED ($s, dst): $src $dst $proto\n";
+       }
+       print "PASS BANNED ($s)\n";
+    }
+    if ($iface) {
+       $res = `$cmd test networks-netiface$in $src,$iface 2>&1`;
+       if ($res =~ /is NOT in set/) {
+           die "SPOOFED (networks-netiface$in): $src $dst $proto $iface\n";
+       }
+       print "PASS SPOOFED (networks-netiface$in)\n";
+    }
+    open(FILTER, "$config->{dir}/run/filter$in")
+       or die "Cannot open $config->{dir}/run/filter$in: $!\n";
+    my(@services, @clients);
+    while (<FILTER>) {
+       if (/^-A (services|clients) -m set --match-set (\S+) (\S+)( --return-nomatch)? -j (accepted|denied)/) {
+           my $what = {
+               type => $1,
+               set => $2,
+               args => [ split(/,/, $3) ],
+               match => $4 ? " nomatch" : "",
+               result => uc($5),
+           }; 
+           if ($what->{type} eq 'services') {
+               push(@services, $what);
+           } else {
+               push(@clients, $what);
+           }
+       }
+    }
+    close(FILTER);
+    foreach my $what (@services, @clients) {
+       my $arg = $what->{args}->[0] eq 'src' ? $src : $dst;
+       if (exists $what->{args}->[1]) {
+          $arg .= ',' . $proto;
+       }
+       if (exists $what->{args}->[2]) {
+          $arg .= ',' . ($what->{args}->[2] eq 'src' ? $src : $dst);
+       }
+       $res = `$cmd test $what->{set} $arg$what->{match} 2>&1`;
+       if ($res =~ /is in set/) {
+           die "$what->{result} (in $what->{set}): $src $dst $proto\n";
+       }
+       print "PASS FILTER ($what->{set})\n";
+    }
+    die "DENIED (default): $src $dst $proto\n";
+}
+
+#
+# Returns true if saved run config is more recent than source files
+#
+sub may_faststart {
+    # Check config and source files
+    my $cf = 0;
+    my @tmp;
+
+    return 0 unless -f "$config->{dir}/run/success";
+
+    foreach (glob("$config->{dir}/cf.d/*.cf $config->{dir}/src.d/*.in")) {
+       @tmp = stat;
+       $cf = $tmp[9] if $tmp[9] > $cf;
+    }
+
+    # Check saved run config
+    my $saved = 0;
+    foreach (glob("$config->{dir}/run/*")) {
+       @tmp = stat;
+       $saved = $tmp[9] if $tmp[9] > $saved;
+    }
+    return $saved > $cf;
+}
+
+# Start the show
+GetOptions(\%opts, 'debug|d=s', 'config|c=s', 'rundir|r=s')
+    or usage;
+
+usage unless $ARGV[0] &&
+            $ARGV[0] =~ /^(start|stop|restart|reload|config|create|version|sets|help|add|del|check)$/;
+
+if ($ARGV[0] eq 'help') {
+    usage;
+} elsif ($ARGV[0] eq 'version') {
+    print STDERR "essence version $version\n";
+    exit;
+} elsif ($ARGV[0] eq 'sets') {
+    # print "Builtin sets:\n";
+    foreach (sort @sets) {
+       print "$_\n";
+    }
+    exit;
+}
+
+if ($opts{config}) {
+    die "Parameter '$opts{config}' is not a directory\n"
+        unless -d $opts{config};
+    $config->{dir} = $opts{config};
+}
+
+# FIXME
+if ($opts{rundir}) {
+    die "Parameter '$opts{rundir}' is not a directory\n"
+        unless -d $opts{rundir};
+    $config->{rundir} = $opts{rundir};
+}
+
+#
+# Directory structure and file:        /etc/essence
+#
+#      cf.d/*.cf               input config files
+#      src.d/*.in              sourced in files
+#      run/                    saved run config
+#      tmp/                    temporary files
+#
+
+init;                  # Initialize settings
+load('general');       # Load general settings: ipset, iptables, etc.
+                        # Needed for stop too!
+
+if ($ARGV[0] eq 'add' || $ARGV[0] eq 'del') {
+    # Add element to set
+    add_del;
+    exit;
+} elsif ($ARGV[0] eq 'check') {
+    check(@ARGV[1..$#ARGV]);
+    exit;
+} elsif ($ARGV[0] eq 'stop') {
+    # Stop firewall
+    stop;
+    exit;
+} elsif ($ARGV[0] eq 'restart') {
+    # Restart: stop and start
+    stop;
+} elsif ($ARGV[0] eq 'start' && may_faststart) {
+    # Start: if we can, we skip creating new runtime files
+    start;
+}
+
+files;                 # Open output files
+load;          # Load, parse the config files and print the rules, sets
+
+if ($opts{debug} eq 'config') {
+    print "config: ", Dumper $config;
+    exit;
+}
+
+# Add trailers, close files and delete ones which are not required
+foreach my $in (qw(4 6)) {
+    if (!$config->{"ipv$in"}) {
+       # Unused IPv4 or IPv6
+        foreach my $table (qw(raw filter nat mangle)) {
+            print_table_trailer("$table$in");
+            unlink("$config->{dir}/tmp/$table$in");
+        }
+        foreach my $set (keys %{$config->{sets}}) {
+            next if $set !~ /$in$/;
+            print_set_trailer($set);
+            unlink("$config->{dir}/tmp/$set");
+        }
+        next;
+    }
+    # Mangle and nat tables
+    foreach my $table (qw(nat mangle)) {
+        print_table_trailer("$table$in");
+        unlink("$config->{dir}/tmp/$table$in")
+            unless $config->{lineno}->{"$table$in"};    
+    }
+
+    # Print ipset based ruletrees: raw and filter table
+    ruletree($in);
+}
+
+if ($ARGV[0] eq 'config' || $ARGV[0] eq 'create') {
+    # Just create tmp config
+    exit;
+}
+
+if ($ARGV[0] =~ /^(re)?start$/) {
+    # Start or restart
+
+    # Cleanup run dir
+    unlink(glob("$config->{dir}/run/*"));
+    # Move tmp to run
+    foreach (glob("$config->{dir}/tmp/*")) {
+       move($_, "$config->{dir}/run") or
+           die "Cannot move $_ to $config->{dir}/run: $!\n";
+    }
+
+    start;
+}
+
+if ($ARGV[0] eq 'reload') {
+    # Compare tmp and run dir, load just what changed
+
+    my $cmp;
+    # modules
+    if (! -e "$config->{dir}/run/modules") {
+        if (-e "$config->{dir}/tmp/modules") {
+            cmd("sh $config->{dir}/tmp/modules");
+            rename("$config->{dir}/tmp/modules", "$config->{dir}/run/modules")
+                or die "Aborting, cannot move $config->{dir}/tmp/modules to $config->{dir}/run: $!\n";
+        }
+    } elsif (-e "$config->{dir}/tmp/modules") {
+        $cmp = compare("$config->{dir}/run/modules", "$config->{dir}/tmp/modules");
+        if ($cmp > 0) {
+            cmd("sh $config->{dir}/tmp/modules");
+            rename("$config->{dir}/tmp/modules", "$config->{dir}/run/modules")
+                or die "Aborting, cannot move $config->{dir}/tmp/modules to $config->{dir}/run: $!\n";
+        } elsif ($cmp < 0) {
+            die "Aborting, cannot compare $config->{dir}/tmp/modules and $config->{dir}/run/modules: $!\n";
+        }
+    }
+
+    unlink("$config->{dir}/run/success");
+    # Check sets:
+    #  skip: does not exists
+    #  none: no change
+    #  swap: exists, changed
+    #  load: new, load in
+    #  delete: not used anymore, delete
+    my $sets = {};
+    my @allsets = @sets;
+    foreach my $s (keys %{$config->{sets}}) {
+       # next if $config->{sets}->{$s}->{external};
+       my $f = $s;
+       if ($config->{sets}->{$s}->{external}) {
+           $f .= '.in';
+           push(@allsets, $s);
+       }
+        if (-e "$config->{dir}/run/$f") {
+            if (-e "$config->{dir}/tmp/$f") {
+                $cmp = compare("$config->{dir}/run/$f", "$config->{dir}/tmp/$f");
+                if ($cmp > 0) {
+                    $sets->{$s} = 'swap';
+                } elsif ($cmp < 0) {
+                    die "Aborting, cannot compare $config->{dir}/tmp/$f and $config->{dir}/run/$f: $!\n";
+                } else {
+                    $sets->{$s} = 'none';
+                }
+            } else {
+                $sets->{$s} = 'delete';
+            }
+        } elsif (-e "$config->{dir}/tmp/$f") {
+            $sets->{$s} = 'load';
+        } else {
+            $sets->{$s} = 'skip';
+        }
+    }
+    # Load in the changes and new sets: don't purge yet
+    my $cmd = $config->{general}->{settings}->{ipset};
+    foreach my $s (@allsets) {
+       next unless $config->{sets}->{$s};
+       # next if $config->{sets}->{$s}->{external};
+       my $f = $s;
+       $f .= '.in' if $config->{sets}->{$s}->{external};
+        if ($sets->{$s} eq 'skip' or $sets->{$s} eq 'none') {
+            next;
+        } elsif ($sets->{$s} eq 'swap') {
+           cmd("sed \"s/$s/tmp-$s/\" $config->{dir}/tmp/$f | $cmd -exist restore");
+            cmd("$cmd swap $s tmp-$s");
+            cmd("$cmd destroy tmp-$s");
+            rename("$config->{dir}/tmp/$f", "$config->{dir}/run/$f")
+                or die "Aborting, cannot move $config->{dir}/tmp/$f to $config->{dir}/run/$f: $!\n";
+        } elsif ($sets->{$s} eq 'load') {
+            cmd("$cmd -exist -file $config->{dir}/tmp/$f restore");
+            rename("$config->{dir}/tmp/$f", "$config->{dir}/run/$f")
+                or die "Aborting, cannot move $config->{dir}/tmp/$f to $config->{dir}/run/$f: $!\n";
+        }
+    }
+    # Check tables:
+    #  skip: does not exists
+    #  none: no change
+    #  swap: exists, changed
+    #  load: new, load in
+    #  delete: not used anymore, delete
+    my $tables = {};
+    foreach my $in (qw(4 6)) {
+        $cmd = $in == 4 ? $config->{general}->{settings}->{iptables} :
+               $config->{general}->{settings}->{ip6tables};
+        foreach my $table (qw(raw filter nat mangle)) {
+            my $t = "$table$in";
+            if (-e "$config->{dir}/run/$t") {
+                if (-e "$config->{dir}/tmp/$t") {
+                    $cmp = compare("$config->{dir}/run/$t", "$config->{dir}/tmp/$t");
+                    if ($cmp > 0) {
+                        $tables->{$t}->{todo} = 'swap';
+                        $tables->{$t}->{cmd} = $cmd;
+                    } elsif ($cmp < 0) {
+                        die "Aborting, cannot compare $config->{dir}/tmp/$t and $config->{dir}/run/$t: $!\n";
+                    } else {
+                        $tables->{$t}->{todo} = 'none';
+                    }
+                } else {
+                    $tables->{$t}->{todo} = 'delete';
+                }
+            } elsif (-e "$config->{dir}/tmp/$t") {
+                $tables->{$t}->{todo} = 'load';
+                $tables->{$t}->{cmd} = $cmd;
+            } else {
+                $tables->{$t}->{todo} = 'skip';
+            }
+        }
+    }
+    # Load in the changes and new tables, delete unnecessary ones
+    foreach my $t (keys %$tables) {
+        if ($tables->{$t}->{todo} eq 'skip' or $tables->{$t}->{todo} eq 'none') {
+            next;
+        } elsif ($tables->{$t}->{todo} eq 'swap' or
+                 $tables->{$t}->{todo} eq 'load') {
+            $cmd = $tables->{$t}->{cmd};
+            cmd("${cmd}-restore < $config->{dir}/tmp/$t");
+            rename("$config->{dir}/tmp/$t", "$config->{dir}/run/$t")
+               or die "Aborting, cannot move $config->{dir}/tmp/$t to $config->{dir}/run/$t: $!\n";
+        } elsif ($tables->{$t}->{todo} eq 'delete') {
+            $cmd = $tables->{$t}->{cmd};
+            unlink("$config->{dir}/run/$t")
+                or die "Aborting, cannot delete $config->{dir}/run/$t: $!\n";
+            $t =~ s/4|6$//;
+            cmd("$cmd -F $t");
+            cmd("$cmd -X $t");
+        }
+    }
+    # Destroy unnecessary sets
+    $cmd = $config->{general}->{settings}->{ipset};
+    foreach my $s (keys %{$config->{sets}}) {
+       # next if $config->{sets}->{$s}->{external};
+        next unless $sets->{$s} eq 'delete';
+       my $f = $s;
+       $f .= '.in' if $config->{sets}->{$s}->{external};
+        cmd("$cmd destroy $s");
+        unlink("$config->{dir}/run/$f");
+        #    or die "Aborting, cannot delete $config->{dir}/run/$s: $!\n";
+    }
+    open(S, ">$config->{dir}/run/success");
+    close(S);
+
+    exit;
+}
+
+exit;
+
+=pod
+
+=head1 NAME
+
+essence - A Simple Netfilter Configuration utility
+
+=head1 SYNOPSIS
+
+B<essence> version|help|sets
+
+B<essence> [-c|--config dir] start|stop|reload|restart|config
+
+B<essence> [-c|--config dir] add|del setname element
+
+B<essence> [-c|--config dir] check srcip dstip proto:port [in-iface]
+
+=head1 DESCRIPTION
+
+I<essence> is a simple netfilter firewall configuration utility. I<essence>
+interprets configuration files from which it creates an I<iptables>, I<ip6tables>
+and I<ipset> based firewall configuration and manages that configuration
+(i.e. start, stop, etc.).
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-c|--config> directory
+
+The directory of the configuration files, default F</etc/essence/>.
+
+=back
+
+=head1 COMMANDS
+
+=over 4
+
+=item B<start>
+
+Create new runtime configuration files if required and start
+the firewall configuration from the runtime files.
+
+=item B<stop>
+
+Save the in-kernel configuration into runtime files and stop
+the running firewall configuration.
+
+=item B<reload>
+
+Create new runtime configuration files if required and
+load just the changes into the kernel.
+
+=item B<restart>
+
+It is equivalent with a B<stop>, then B<start>.
+
+=item B<config>
+
+Create new runtime configuration from the configuration files.
+
+=item B<add> setname element
+
+Add the given element to the named set.
+
+=item B<del> setname element
+
+Delete the given element from the named set.
+
+=item B<check> srcip dstip proto:port [in-iface]
+
+Check what would be the fate of a packet with the specified source
+and destination IP address, the given protocol and destination port,
+and optionally the incoming interface name.
+
+=item B<sets>
+
+Print the built-in setnames.
+
+=item B<help>
+
+Print the help text of I<essence>.
+
+=item B<version>
+
+Print the version of I<essence>.
+
+=back
+
+=head1 SYNTAX
+
+The lines of the configuration file of I<essence> consist C<keyword = value> entries 
+(except in the case of I<general>), where C<=> can be left out. These entries
+are evaluated sequentially. 
+
+The keywords I<general>, I<zone>, I<policy>, I<nat> and I<mangle> specify (named)
+entities, which are followed by speficications for the given entity. The
+specifications last to the next entity (or end-of-file). Empty lines and
+comments (lines starting with '#' or 'whitespaces #') are ignored.
+
+=over 4
+
+=item B<entity => identifier
+
+=over 4
+
+=item B<keyword => single-value
+
+=item B<keyword => multivalue [, ...]
+
+Every keyword may appear multiple times with different values. If a
+keyword is multivalued, then the new values are appended to the existing ones,
+otherwise the previous value for the given entity is
+overwritten. The keywords have a hierarchy, which specifies where a given
+keyword may be used.
+
+It is a good idea to indent the entries belonging to the same entity/keyword
+for more readability, even knowing that the parser gracefully ignores 
+the indentation.
+
+=back
+
+=back
+
+=head1 The hierarchy of all entities and keywords, summary
+
+=over 4
+
+=item B<general>
+
+=over 4
+
+=item B<tcpudp => I<protocol> [, ... ]
+
+=item B<udp => I<protocol> [, ... ]
+
+=item B<logging => B<yes|no|denied|accepted|banned|spoofed> [, ...]
+
+=item B<module => I<module name>
+
+=over 4 
+
+=item B<modparam => I<module parameter>
+
+=back
+
+=item B<helper => B<amanda|ftp|h323|irc|pptp|sane|sip|snmp|tftp> [, ...]
+
+=item B<class => B<accepted[|4|6]|denied[|4|6]|spoofed[|4|6]|banned[|4|6]> [, ...]
+
+=over 4 
+
+=item B<type => B<log|nflog|none>
+
+=over 4
+
+=item B<level => B<debug|info|notice|warn|err|crit|alert|emerg>
+
+=item B<group => I<integer in range 0-65535>
+
+=item B<range => I<integer in range 0-65535>
+
+=item B<threshold => I<integer in range 0-65535>
+
+=back
+
+=item B<limit => B<plain|hashlimit>
+
+=over 4
+
+=item B<rate => I<integer[/second|minute|hour|day]>
+
+=item B<burst => I<integer>
+
+=item B<mask4 => I<integer in range 1-32>
+
+=item B<mask6 => I<integer in range 1-128>
+
+=item B<tablesize => I<integer>
+
+=item B<maxentries => I<integer>
+
+=back
+
+=item B<prefix => I<loggin prefix text>
+
+=item B<reject => I<protocol> [, ... ]
+
+=item B<ignore => I<protocol> [, ... ]
+
+=over 4
+
+=item B<from => I<IP[/CIDR]> [, ... ]
+
+=item B<to => I<IP[/CIDR]> [, ... ]
+
+=back
+
+=back
+
+=item B<set => I<setname> [, ... ]
+
+=over 4
+
+=item B<family => B<inet|inet4|inet6|ipv4|ipv6>
+
+=item B<hashsize => I<number>
+
+=item B<maxelem => I<number>
+
+=back
+
+=item B<custom => B<raw|filter>
+
+=over 4
+
+=item B<iptables => I<custom rule>
+
+=item B<ip6tables => I<custom rule>
+
+=back
+
+=item B<ipset => I</path/to/ipset>
+
+=item B<iptables => I</path/to/iptables>
+
+=item B<ip6tables => I</path/to/ip6tables>
+
+=back
+
+=item B<zone => I<identifier>
+
+=over 4 
+
+=item B<interface => I<interface identifier> [, ... ]
+
+=item B<network => I<IP[/CIDR]> [, ... ]
+
+=back
+
+=item B<nat => I<identifier>
+
+=over 4
+
+=item B<iptables => I<custom rule>
+
+=item B<ip6tables => I<custom rule>
+
+=back
+
+=item B<mangle => I<identifier>
+
+=over 4
+
+=item B<iptables => I<custom rule>
+
+=item B<ip6tables => I<custom rule>
+
+=back
+
+=item B<policy => I<identifier>
+
+=over 4
+
+=item B<ip => I<IP[/CIDR]> [, ... ]
+
+=item B<source => I<setname> [, ... ]
+
+=item B<service => I<protocol> [, ... ]
+
+=over 4
+
+=item B<deny => I<IP[/CIDR]> [, ... ]
+
+=item B<allow => I<IP[/CIDR]> [, ... ]
+
+=back
+
+=item B<client => I<protocol> [, ... ]
+
+=over 4
+
+=item B<deny => I<IP[/CIDR]> [, ... ]
+
+=item B<allow => I<IP[/CIDR]> [, ... ]
+
+=back
+
+=back
+
+=back
+
+=head2 Entities and keywords in details
+
+=over 4
+
+=item B<general>
+
+The only built in keyword without a value. The general entity holds the 
+default settings for the configuration.
+
+=over 4
+
+=item B<tcpudp => I<protocol> [, ...]
+
+Protocol identifiers, which use both TCP and UDP transport protocols.
+
+       tcpudp = domain, sunrpc, sip
+
+=item B<udp => I<protocol> [ ,...]
+
+Protocol identifiers, which use UDP only as transport protocol. Protocols
+which are not listed under I<tcpudp> or I<udp> are assumed to use TCP only
+as transport protocol.
+
+       udp = ntp, snmp, snmptrap, traceroute, syslog, router
+
+=item B<logging => I<yes|no|denied|accepted|banned|spoofed>
+
+The default settings for what to log: everything, nothing, denied, allowed,
+banned or spoofed packets.
+
+       logging = yes
+
+=item B<module => I<module name> [, ...]
+
+=over 4
+
+=item B<modparam => I<module parameters>
+
+=back
+
+Kernel modules which you want to be loaded in with the given
+module parameters:
+
+       module = nf_conntrack
+               modparam = acct=1
+       module = ip_set
+               modparam = max_sets=1024
+
+=item B<helper => B<amanda|ftp|h323|irc|pptp|sane|sip|snmp|tftp> [, ...]
+
+Netfilter protocol helper kernel modules to be loaded in automatically
+for connection tracking and NAT (if NAT is used).
+
+       helper = ftp, irc
+
+=item B<class => B<accepted[|4|6]|denied[|4|6]|spoofed[|4|6]|banned[|4|6]> [, ...]
+
+The B<class> keyword makes possible to define different logging classes
+for both IPv4, IPv6 (B<accepted, denied, spoofed, banned>), just for IPv4
+(B<accepted4, denied4, spoofed4, banned4>) or for IPv6
+(B<accepted6, denied6, spoofed6, banned6>). The meaning of the different
+loggin class names are
+
+=over 4
+
+=item B<accepted[|4|6]>
+
+Loggin rule for packets which are accepted by the policy rules.
+
+=item B<denied[|4|6]>
+
+Loggin rule for packets which are denied by the policy rules.
+
+=item B<spoofed[|4|6]>
+
+Loggin rule for packets which fail to satisfy the egress-ingress filtering which
+correspond to the rules defined by the B<zone> settings.
+
+=item B<banned[|4|6]>
+
+Loggin rule for packets which are denied by the special policy rule named B<banned>.
+
+=back
+
+With the next logging class specific keywords one can tune the given logging
+class.
+
+=over 4
+
+=item B<type => B<log|nflog|none>
+
+Define the logging method or disable the logging for the given class.
+Depending on the logging method, different sub-keywords are possible:
+
+=back
+
+=over 4
+
+=item B<type => B<log>
+
+=over 4
+
+=item B<level => B<debug|info|notice|warn|err|crit|alert|emerg>
+
+=back
+
+If the B<log> logging method is used, one can set the syslog
+loglevel to use (default B<notice>):
+
+       class = accepted
+           type = log
+               level = warn
+
+=back
+
+=over 4
+
+=item B<type => B<nflog>
+
+=over 4
+
+=item B<group => I<integer in range 0-65535>
+
+=item B<range => I<integer in range 0-65535>
+
+=item B<threshold => I<integer in range 0-65535>
+
+=back
+
+If the B<nflog> loggin method is used, one can define the B<group>,
+B<range> and B<threshold> options of the B<NFLOG> target:
+
+       class = accepted4
+           type = nflog
+               group = 1
+               range = 128
+               threshold = 5
+
+=back
+
+=over 4
+
+=item B<limit => B<plain|hashlimit>
+
+One can configure different logging rate limit settings for the given
+logging class.
+
+=back
+
+=over 4
+
+=item B<limit => B<plain>
+
+=over 4
+
+=item B<rate => I<integer[/second|minute|hour|day]>
+
+=item B<burst => I<integer>
+
+=back
+
+The B<plain> method uses the B<limit> match, where the B<rate>
+and B<burst> can be specified:
+
+       class = denied
+           type = log
+               level = warn
+           limit = plain
+               rate = 3/minute
+               burst = 4
+
+=back
+
+=over 4
+
+=item B<limit => B<hashlimit>
+
+=over 4
+
+=item B<rate => I<integer[/second|minute|hour|day]>
+
+=item B<burst => I<integer>
+
+=item B<mask4 => I<integer in range 1-32>
+
+=item B<mask6 => I<integer in range 1-128>
+
+=item B<tablesize => I<integer>
+
+=item B<maxentries => I<integer>
+
+=back
+
+The B<hashlimit> method uses the B<hashlimit> match, where the B<rate>
+keyword spefifies the B<hashlimit-upto> setting and the B<burst> corresponds
+to B<hashlimit-burst>. B<mask4> and B<mask6> correspond to B<hashlimit-srcmask>
+for IPv4 and IPv6 respectively, with the defaults B<32> and B<128>. The mode
+is set to B<hashlimit-mode srcip>. The tablesize and maxentries defines
+the B<hashlimit-htable-size> and B<hashlimit-htable-max> parameters.
+
+       class = banned
+           type = log
+               level = warn
+           limit = hashlimit
+               mask4 = 24
+               mask6 = 64
+
+=item B<prefix => I<loggin prefix text>
+
+With the B<prefix> keyword one can define log text for the given class:
+
+       class = banned
+           type = log
+           prefix = BANNED TRAFFIC
+
+=item B<reject => I<protocol> [, ... ]
+
+In the case of denied, banned and spoofed rules, it is possible
+to reject the packet for the listed protocols with the B<REJECT> target
+instead of simply dropping it.
+
+       class = denied
+           type = log
+           reject = ssh, smtp
+
+=item B<ignore => I<protocol> [, ... ]
+
+=over 4
+
+=item B<from => I<IP[/CIDR]> [, ... ]
+
+=item B<to => I<IP[/CIDR]> [, ... ]
+
+=back
+
+One can ignore the logging for the given protocols, optionally coming from or
+addressed to the listed IP addresses, networks:
+
+       class = denied
+           type = log
+           ignore = http, https, ping
+               from = 192.168.0.0/24
+               to = 10.0.0.0/16
+
+=back
+
+=item B<set => I<setname> [, ... ]
+
+=over 4
+
+=item B<family => B<inet|inet4|inet6|ipv4|ipv6>
+
+=item B<hashsize => I<number>
+
+=item B<maxelem => I<number>
+
+=back
+
+The B<set> keyword makes possible to tune the hash parameters of
+the built-in sets (which names can be listed with the C<essence sets>
+command), or you can name external sets which then can be referred to
+in B<policy> settings. With B<default>, B<default4> and
+B<default6> one can configure the default settings for all, the IPv4
+or IPv6 type of sets:
+
+       set = default4
+           hashsize = 65550
+       set = default
+           hashsize = 16000
+       set = banned-timeout-ip4
+
+=item B<custom => B<raw|filter>
+
+=over 4
+
+=item B<iptables => I<custom rule>
+
+=item B<ip6tables => I<custom rule>
+
+=back
+
+With the B<custom> keyword one can define custom rules, which then
+inserted into well defined places in the given iptables/ip6tables
+tables:
+
+=over 4
+
+=item raw
+
+The custom rules must be placed into a B<custom> chain (or may define
+new chains which then can be used from a rule in a B<custom> chain)
+and jumped to after checking the egress-ingress filtering rules.
+
+=item filter
+
+The custom rules must be placed into a B<custom> chain (or may define
+new chains which then can be used from a rule in a B<custom> chain)
+and jumped to after handling the connection tracked non NEW packets.
+
+=back
+
+       custom = raw
+           iptables -A custom -j -LOG --log-prefix "test"
+           ip6tables -A custom -j LOG --log-prefix "test6"
+
+=item B<ipset => I</path/to/ipset>
+
+=item B<iptables => I</path/to/iptables>
+
+=item B<ip6tables => I</path/to/ip6tables>
+
+If the binaries are placed into non-usual places and cannot be
+find according to the B<PATH> variable of the environment, then
+you can specify them:
+
+       iptables = /opt/bin/iptables 
+
+=back
+
+=item B<zone => I<identifier>
+
+A B<zone> is a definition of address blocks in topological sense. Zone
+definitions are used to set up protection against IP address spoofing, e.g
+egress and ingress filtering.
+
+=over 4
+
+=item B<interface => I<interface id> [, ...]
+
+Interfaces, which connects the firewall to the given address blocks. Interface
+ids are the device names without the /dev/ path element, like C<eth0>,
+C<ppp0>, etc.
+
+=item B<address => I<[!]IP[/CIDR>] [, ... ]
+
+The address blocks of the zone behind the interfaces.
+
+Address block may be negated with B<!> in front of them to express
+exceptions. However, if this address block belongs to another zone,
+then there's no need to exclude it from the other ones as that
+is taken into account automatically.
+
+As address block, the networks 0/0 and ::/0 can be used as well: packets with
+any other source address not listed in the very this or
+all other zone definitions may come from these interfaces only - i.e this
+zone corresponds to the word wild Internet.
+
+The zone definitions
+
+       zone = intranet
+           interface = eth2, eth3
+           address = 192.168.0.0/24, 192.168.3.0/24
+           
+       zone = internet
+           interface = eth0
+           address = 192.168.0.0/30, 0/0
+
+are equivalent with these ones:
+
+       zone = intranet
+           interface = eth2, eth3
+           address = 192.168.0.0/24, 192.168.3.0/24, !192.168.0.0/30
+           
+       zone = internet
+           interface = eth0
+           address = 0/0
+
+=back
+
+=item B<nat => I<identifier>
+
+A named entry for a given NAT (Network Address Translation) rule.
+
+=over 4
+
+=item B<iptables => I<custom rule>
+
+=item B<ip6tables => I<custom rule>
+
+=back
+
+The custom IPv4 or IPv6 NAT rules.
+
+=item B<mangle => I<identifier>
+
+A named entry for a given mangle table rule.
+
+=over 4
+
+=item B<iptables => I<custom rule>
+
+=item B<ip6tables => I<custom rule>
+
+=back
+
+The custom IPv4 or IPv6 mangle table rules.
+
+=item B<policy => I<identifier>
+
+A policy is a named firewall policy for an entity, which usually can be 
+identified uniquely with one or more IP addresses.
+
+If a network node has multiple IP addresses and it serves
+different services on those addresses, then the node can
+be described with multiple policy entries. If it serves the same
+services on all addresses, then one policy entry can be used with
+multiple IP addresses listed.
+
+Of course you can describe a whole netblock with a policy,
+if all restrictions are identical for the whole netblock :-).
+
+The policy name B<localhost> is reserved for the localhost, i.e
+the firewall itself.
+
+The policy name B<banned> is reserved for banned hosts and
+networks.
+
+=over 4
+
+=item B<IP => I<IP[/CIDR]> [, ... ]
+
+The IP(v4/v6) address(es) for which the policy is defined.
+IPv4 and IPv6 addresses can freely be mixed.
+
+=item B<source => I<setname> [, ... ]
+
+External setnames defined in the B<general>, B<set> section.
+Restricted to the special B<banned> policy.
+
+=item B<service => I<protocol> [, ...]
+
+Services served from the IP address(es) as server(s).
+
+=over 4
+
+=item B<allow => I<IP[/CIDR]> [, ... ]
+
+=item B<deny => I<IP[/CIDR]> [, ... ]
+
+Policy setting for the given protocol(s): for which IP addresses
+the services are allowed or denied. If there are only B<deny>
+policy settings, then for anybody else the service is allowed.
+If there are only B<allow> (or mixed B<allow>, B<deny>) policy
+settings, then for anybody else the service is denied.
+
+=back
+
+=item B<client => I<protocol> [, ...]
+
+Service used from the IP address(es) as client.
+
+=over 4
+
+=item B<allow => I<IP[/CIDR]> [, ... ]
+
+=item B<deny => I<IP[/CIDR]> [, ... ]
+
+Policy setting for the given protocol(s): which IP addresses may be
+accessed as servers for the given services. If there are only B<deny>
+policy settings, then to anybody else the service is allowed.
+If there are only B<allow> (or mixed B<allow>, B<deny>) policy
+settings, then to anybody else the service is denied.
+
+
+=back
+
+=back
+
+=back
+
+Rules for service/client lines:
+
+=over 4
+
+=item * 
+
+missing service and client line in a policy definition:
+
+=over 4 
+
+=item *
+
+implicit deny for any service and client request to/from the IP address(es)
+
+=back
+
+=item *
+
+service/client line with missing allow/deny entries:
+
+=over 4
+
+=item *
+
+allow the service for any client/to any server
+
+=back
+
+=item *
+
+service/client line with allow/deny entries
+
+=over 4
+
+=item *
+
+First allow/deny wins and implicit deny at the end. Order of allow/deny lines 
+are ignored:
+
+       service = ...
+           allow = 192.168.0.0/16
+           deny = 192.168.0.1/24
+           allow = 192.168.0.1/30
+
+which means: allow the service for the 192.168.0.0/16 network only, except
+the 192.168.0.1/24 subnet, but allow for 192.168.0.1/30 from 192.168.0.1/24.
+
+=back
+
+=back
+
+The protocol identifiers I<protocol> above can be expressed as
+
+=over 4
+
+=item *
+
+transport-protocol (from /etc/essence/protocol-numbers.txt file)
+
+=item *
+
+TCP/UDP protocols (from /etc/essence/port-numbers.txt file), taking into
+account the B<tcpdup> and B<udp> settings in the B<general> section.
+
+=item *
+
+icmp type or code name (from /etc/essence/icmp-names.txt file)
+
+=item *
+
+icmpv6 type or code name (from /etc/essence/icmp6-names.txt file)
+
+=item *
+
+I<tcp|udp|sctp|udplite>:port[..port]
+
+=item *
+
+I<icmp>:type[/code]
+
+=item *
+
+I<icmp6>:type[/code]
+
+=item *
+
+I<any> (it can be used in client context only)
+
+=back
+
+Examples:
+
+       ospf
+       ftp
+       tcp:2240
+       tcp:2240..2244
+
+=head2 The generated chain structure
+
+I<essence> generates the chain structure according to the configuration settings and its
+internal logic:
+
+=over 4
+
+=item raw table
+
+PREROUTING chain:
+
+    allow link local traffic according to RFC 4890
+    check banned addresses
+    check egress-ingress filtering
+    jump to custom chain
+    accept packets
+
+=item filter table
+
+FORWARD chain:
+
+    drop packets with hop-by-hop or routing extension headers for IPv6
+    allow selected ICMPv6 error messages only (RFC 4890)
+    allow ESTABLISHED, RELATED or UNTRACKED packets
+    jump to custom chain
+    check service requests in the sets
+    check client requests in the sets
+    drop packets
+    
+INPUT chain:
+
+    drop packets with hop-by-hop or routing extension headers for IPv6
+    allow selected ICMPv6 error messages only (RFC 4890)
+    allow ESTABLISHED, RELATED or UNTRACKED packets
+    check service requests in the sets
+    drop packets
+
+OUTPUT chain:
+
+    allow ESTABLISHED, RELATED or UNTRACKED packets
+    allow service requests
+    drop packets
+
+=back
+
+For the localhost (i.e the firewall itself) we assume tight access control at
+in the service settings, so the rules are created only from what you specified
+explicitly.
+
+Please note port-ranges are exploded into so many B<ipset> entries in
+the correspondig set.
+
+=head1 FILES
+
+=over 4
+
+=item F</etc/essence>
+
+Configuration directory
+
+=item F</etc/essence/icmp-names.txt>
+
+=item F</etc/essence/icmp6-names.txt>
+
+=item F</etc/essence/port-numbers.txt>
+
+=item F</etc/essence/protocol-numbers.txt>
+
+Transport rotocol, TCP/UDP protocol and ICMP/ICMPv6 type/code names.
+
+=item F</etc/essence/cf.d/*.cf>
+
+<essence> configuration files.
+
+=item F</etc/essence/src.d/*.in>
+
+External set files in B<ipset> restore mode format. The filename without
+the extension must be the setname used in the B<general>, B<set> section
+and the B<source> sections.
+
+=item F</etc/essence/sysctl.conf>
+
+Kernel sysctl settings which are loaded in at I<start>.
+
+=item F</etc/essence/fw>
+
+Shell script wrapper around B<essence> to use as an init script.
+
+=item F</etc/essence/run/>
+
+Directory for the generated runtime configuration files.
+
+=item F</etc/essence/tmp/>
+
+Temporary directory for B<essence>.
+
+=back
+
+=head1 SEE ALSO
+
+L<iptables>, L<ip6tables>, L<ipset>
+
+=head1 AUTHOR
+
+Jozsef Kadlecsik E<lt>kadlec@blackhole.kfki.huE<gt>
diff --git a/fw b/fw
new file mode 100755 (executable)
index 0000000..c136d98
--- /dev/null
+++ b/fw
@@ -0,0 +1,89 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          fw
+# Required-Start:    $local_fs
+# Required-Stop:     $local_fs
+# X-Start-Before:    $network
+# X-Stop-After:      $network
+# Default-Start:     S
+# Default-Stop:      0 6
+# Short-Description: essence init script
+# Description:       essence init script
+### END INIT INFO
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="essence init script"
+NAME=fw
+DAEMON=/etc/fw/essence
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+# [ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+fw_status() {
+     test -e /proc/net/$1_tables_matches && \
+     grep -q -w set /proc/net/$1_tables_matches && echo "yes" || echo "NO"
+}
+
+case "$1" in
+  start)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+       $DAEMON start
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  stop)
+       [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+       $DAEMON stop
+       case "$?" in
+               0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+               2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+       esac
+       ;;
+  status)
+       echo "IPv4 firewall rules loaded in:" `fw_status ip`
+       echo "IPv6 firewall rules loaded in:" `fw_status ip6`
+       exit 0
+       ;;
+  reload)
+       #
+       # If do_reload() is not implemented then leave this commented out
+       # and leave 'force-reload' as an alias for 'restart'.
+       #
+       log_daemon_msg "Reloading $DESC" "$NAME"
+       $DAEMON reload
+       log_end_msg $?
+       ;;
+  restart|force-reload)
+       #
+       # If the "reload" option is implemented then remove the
+       # 'force-reload' alias
+       #
+       log_daemon_msg "Restarting $DESC" "$NAME"
+       $DAEMON restart
+       log_end_msg $?
+       ;;
+  *)
+       #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+       echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload}" >&2
+       exit 3
+       ;;
+esac
+
+:
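Review bot: A failed firewall load is reported to init as success: the inner `case "$?"` blocks under `start` and `stop` have no arm for any status other than 0, 1 and 2 (for example 126 or 127 when `$DAEMON` is missing or not executable), and the trailing `:` makes the script exit 0 for every action except `status` and the usage branch. This is easy to hit, because `DAEMON=/etc/fw/essence` does not match the `/etc/essence` directory the documentation names and the `[ -x "$DAEMON" ]` guard is commented out; unless `/etc/default/fw` overrides the path, the host can boot without a ruleset and no failure is reported. I would add a default arm to both blocks, `*) [ "$VERBOSE" != no ] && log_end_msg 1; exit 1 ;;`, and in `reload` and `restart` replace `log_end_msg $?` with `rc=$?; log_end_msg $rc; exit $rc`. Status 1 is mapped to `log_end_msg 0`, as in the Debian skeleton where it means "already running"; whether essence uses 1 that way is not visible in this hunk and should be confirmed.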
diff --git a/icmp-names.txt b/icmp-names.txt
new file mode 100644 (file)
index 0000000..4670003
--- /dev/null
@@ -0,0 +1,47 @@
+# ICMP types/codes from libipt_icmp.c of iptables
+#
+# ICMP type
+#      ICMP code
+#
+echo-reply
+# alias
+pong
+destination-unreachable
+       network-unreachable
+       host-unreachable
+       protocol-unreachable
+       port-unreachable
+       fragmentation-needed
+       source-route-failed
+       network-unknown
+       host-unknown
+       network-prohibited
+       host-prohibited
+       TOS-network-unreachable
+       TOS-host-unreachable
+       communication-prohibited
+       host-precedence-violation
+       precedence-cutoff
+source-quench
+redirect
+       network-redirect
+       host-redirect
+       TOS-network-redirect
+       TOS-host-redirect
+echo-request
+# alias
+ping
+router-advertisement
+router-solicitation
+time-exceeded
+# alias
+ttl-exceeded
+       ttl-zero-during-transit
+       ttl-zero-during-reassembly
+parameter-problem
+       ip-header-bad
+       required-option-missing
+timestamp-request
+timestamp-reply
+address-mask-request
+address-mask-reply
diff --git a/icmp6-names.txt b/icmp6-names.txt
new file mode 100644 (file)
index 0000000..35fcc88
--- /dev/null
@@ -0,0 +1,36 @@
+# ICMP6 types/codes from libip6t_icmp6.c of iptables
+#
+# ICMP6 type
+#      ICMP6 code
+#
+destination-unreachable
+       no-route
+       communication-prohibited
+       address-unreachable
+       port-unreachable
+packet-too-big
+time-exceeded
+# alias
+ttl-exceeded
+       ttl-zero-during-transit
+       ttl-zero-during-reassembly
+parameter-problem
+       bad-header
+       unknown-header-type
+       unknown-option
+#
+echo-request
+# alias
+ping
+echo-reply
+# alias
+pong
+router-solicitation
+router-advertisement
+neighbour-solicitation
+# alias
+neighbor-solicitation
+neighbour-advertisement
+# alias
+neighbor-advertisement
+redirect
diff --git a/port-numbers.txt b/port-numbers.txt
new file mode 100644 (file)
index 0000000..b61c947
--- /dev/null
@@ -0,0 +1,9540 @@
+
+PORT NUMBERS
+
+The port numbers are divided into three ranges: the Well Known Ports,
+the Registered Ports, and the Dynamic and/or Private Ports.
+
+The Well Known Ports are those from 0 through 1023.
+
+The Registered Ports are those from 1024 through 49151
+
+The Dynamic and/or Private Ports are those from 49152 through 65535
+
+       
+WELL KNOWN PORT NUMBERS
+
+The Well Known Ports are assigned by the IANA and on most systems can
+only be used by system (or root) processes or by programs executed by
+privileged users.
+
+Ports are used in the TCP [RFC793] to name the ends of logical
+connections which carry long term conversations.  For the purpose of
+providing services to unknown callers, a service contact port is
+defined.  This list specifies the port used by the server process as
+its contact port.  The contact port is sometimes called the
+"well-known port".
+
+To the extent possible, these same port assignments are used with the
+UDP [RFC768].
+
+The range for assigned ports managed by the IANA is 0-1023.
+
+Port Assignments:
+
+Keyword         Decimal    Description                     Refrences
+-------         -------    -----------                     ----------
+                  0/tcp    Reserved
+                  0/udp    Reserved
+#                          Jon Postel <postel@isi.edu>
+tcpmux            1/tcp    TCP Port Service Multiplexer
+tcpmux            1/udp    TCP Port Service Multiplexer
+#                          Mark Lottor <MKL@nisc.sri.com>
+compressnet       2/tcp    Management Utility
+compressnet       2/udp    Management Utility
+compressnet       3/tcp    Compression Process
+compressnet       3/udp    Compression Process
+#                          Bernie Volz <VOLZ@PROCESS.COM>
+#                 4/tcp    Unassigned
+#                 4/udp    Unassigned
+rje               5/tcp    Remote Job Entry
+rje               5/udp    Remote Job Entry
+#                          Jon Postel <postel@isi.edu>
+#                 6/tcp    Unassigned
+#                 6/udp    Unassigned
+echo              7/tcp    Echo
+echo              7/udp    Echo
+#                          Jon Postel <postel@isi.edu>
+#                 8/tcp    Unassigned
+#                 8/udp    Unassigned
+discard           9/tcp    Discard
+discard           9/udp    Discard
+#                          Jon Postel <postel@isi.edu>
+#                10/tcp    Unassigned
+#                10/udp    Unassigned
+systat           11/tcp    Active Users
+systat           11/udp    Active Users
+#                          Jon Postel <postel@isi.edu>
+#                12/tcp    Unassigned
+#                12/udp    Unassigned
+daytime          13/tcp    Daytime (RFC 867)
+daytime          13/udp    Daytime (RFC 867)
+#                          Jon Postel <postel@isi.edu>
+#                14/tcp    Unassigned
+#                14/udp    Unassigned
+#                15/tcp    Unassigned [was netstat]
+#                15/udp    Unassigned
+#                16/tcp    Unassigned
+#                16/udp    Unassigned
+qotd             17/tcp    Quote of the Day
+qotd             17/udp    Quote of the Day
+#                          Jon Postel <postel@isi.edu>
+msp              18/tcp    Message Send Protocol
+msp              18/udp    Message Send Protocol
+#                          Rina Nethaniel <---none--->
+chargen          19/tcp    Character Generator
+chargen          19/udp    Character Generator
+ftp-data         20/tcp    File Transfer [Default Data]
+ftp-data         20/udp    File Transfer [Default Data]
+ftp              21/tcp    File Transfer [Control]
+ftp              21/udp    File Transfer [Control]
+#                          Jon Postel <postel@isi.edu>
+ssh              22/tcp    SSH Remote Login Protocol
+ssh/pcanywhere   22/udp    SSH Remote Login Protocol
+#                          Tatu Ylonen <ylo@cs.hut.fi>
+telnet           23/tcp    Telnet
+telnet           23/udp    Telnet
+#                          Jon Postel <postel@isi.edu>
+                 24/tcp    any private mail system
+                 24/udp    any private mail system
+#                          Rick Adams <rick@UUNET.UU.NET>
+smtp             25/tcp    Simple Mail Transfer
+smtp             25/udp    Simple Mail Transfer
+#                          Jon Postel <postel@isi.edu>
+#                26/tcp    Unassigned
+#                26/udp    Unassigned
+nsw-fe           27/tcp    NSW User System FE
+nsw-fe           27/udp    NSW User System FE
+#                          Robert Thomas <BThomas@F.BBN.COM>
+#                28/tcp    Unassigned
+#                28/udp    Unassigned
+msg-icp          29/tcp    MSG ICP
+msg-icp          29/udp    MSG ICP
+#                          Robert Thomas <BThomas@F.BBN.COM>
+#                30/tcp    Unassigned
+#                30/udp    Unassigned
+msg-auth         31/tcp    MSG Authentication
+msg-auth         31/udp    MSG Authentication
+#                          Robert Thomas <BThomas@F.BBN.COM>
+#                32/tcp    Unassigned
+#                32/udp    Unassigned
+dsp              33/tcp    Display Support Protocol
+dsp              33/udp    Display Support Protocol
+#                          Ed Cain <cain@edn-unix.dca.mil>
+#                34/tcp    Unassigned
+#                34/udp    Unassigned
+                 35/tcp    any private printer server
+                 35/udp    any private printer server
+#                          Jon Postel <postel@isi.edu>
+#                36/tcp    Unassigned
+#                36/udp    Unassigned
+time             37/tcp    Time
+time             37/udp    Time
+#                          Jon Postel <postel@isi.edu>
+rap              38/tcp    Route Access Protocol
+rap              38/udp    Route Access Protocol
+#                          Robert Ullmann <ariel@world.std.com>
+rlp              39/tcp    Resource Location Protocol
+rlp              39/udp    Resource Location Protocol
+#                          Mike Accetta <MIKE.ACCETTA@CMU-CS-A.EDU>
+#                40/tcp    Unassigned
+#                40/udp    Unassigned
+graphics         41/tcp    Graphics
+graphics         41/udp    Graphics
+name             42/tcp    Host Name Server
+name             42/udp    Host Name Server
+nameserver       42/tcp    Host Name Server
+nameserver       42/udp    Host Name Server
+nicname          43/tcp    Who Is
+nicname          43/udp    Who Is
+mpm-flags        44/tcp    MPM FLAGS Protocol
+mpm-flags        44/udp    MPM FLAGS Protocol
+mpm              45/tcp    Message Processing Module [recv]
+mpm              45/udp    Message Processing Module [recv]
+mpm-snd          46/tcp    MPM [default send]
+mpm-snd          46/udp    MPM [default send]
+#                          Jon Postel <postel@isi.edu>
+ni-ftp           47/tcp    NI FTP
+ni-ftp           47/udp    NI FTP
+#                          Steve Kille <S.Kille@isode.com>
+auditd           48/tcp    Digital Audit Daemon
+auditd           48/udp    Digital Audit Daemon
+#                          Larry Scott <scott@zk3.dec.com>
+tacacs           49/tcp    Login Host Protocol (TACACS)
+tacacs           49/udp    Login Host Protocol (TACACS)
+#                          Pieter Ditmars <pditmars@BBN.COM>
+re-mail-ck       50/tcp    Remote Mail Checking Protocol
+re-mail-ck       50/udp    Remote Mail Checking Protocol
+#                          Steve Dorner <s-dorner@UIUC.EDU>
+la-maint         51/tcp    IMP Logical Address Maintenance
+la-maint         51/udp    IMP Logical Address Maintenance
+#                          Andy Malis <malis_a@timeplex.com>
+xns-time         52/tcp    XNS Time Protocol
+xns-time         52/udp    XNS Time Protocol
+#                          Susie Armstrong <Armstrong.wbst128@XEROX>
+domain           53/tcp    Domain Name Server
+domain           53/udp    Domain Name Server
+#                          Paul Mockapetris <PVM@ISI.EDU>
+xns-ch           54/tcp    XNS Clearinghouse
+xns-ch           54/udp    XNS Clearinghouse
+#                          Susie Armstrong <Armstrong.wbst128@XEROX>
+isi-gl           55/tcp    ISI Graphics Language
+isi-gl           55/udp    ISI Graphics Language
+xns-auth         56/tcp    XNS Authentication
+xns-auth         56/udp    XNS Authentication
+#                          Susie Armstrong <Armstrong.wbst128@XEROX>
+                 57/tcp    any private terminal access
+                 57/udp    any private terminal access
+#                          Jon Postel <postel@isi.edu>
+xns-mail         58/tcp    XNS Mail
+xns-mail         58/udp    XNS Mail
+#                          Susie Armstrong <Armstrong.wbst128@XEROX>
+                 59/tcp    any private file service
+                 59/udp    any private file service
+#                          Jon Postel <postel@isi.edu>
+                 60/tcp    Unassigned
+                 60/udp    Unassigned
+ni-mail          61/tcp    NI MAIL
+ni-mail          61/udp    NI MAIL
+#                          Steve Kille <S.Kille@isode.com>
+acas             62/tcp    ACA Services
+acas             62/udp    ACA Services
+#                          E. Wald <ewald@via.enet.dec.com>
+whois++          63/tcp    whois++
+whois++          63/udp    whois++
+#                          Rickard Schoultz <schoultz@sunet.se>
+covia            64/tcp    Communications Integrator (CI)
+covia            64/udp    Communications Integrator (CI)
+#                          Dan Smith <dan.smith@den.galileo.com>
+tacacs-ds        65/tcp    TACACS-Database Service
+tacacs-ds        65/udp    TACACS-Database Service
+#                          Kathy Huber <khuber@bbn.com>
+sql*net          66/tcp    Oracle SQL*NET
+sql*net          66/udp    Oracle SQL*NET
+#                          Jack Haverty <jhaverty@ORACLE.COM>
+bootps           67/tcp    Bootstrap Protocol Server
+bootps           67/udp    Bootstrap Protocol Server
+bootpc           68/tcp    Bootstrap Protocol Client
+bootpc           68/udp    Bootstrap Protocol Client
+#                          Bill Croft <Croft@SUMEX-AIM.STANFORD.EDU>
+tftp             69/tcp    Trivial File Transfer
+tftp             69/udp    Trivial File Transfer
+#                          David Clark <ddc@LCS.MIT.EDU>
+gopher           70/tcp    Gopher
+gopher           70/udp    Gopher
+#                          Mark McCahill <mpm@boombox.micro.umn.edu>
+netrjs-1         71/tcp    Remote Job Service
+netrjs-1         71/udp    Remote Job Service
+netrjs-2         72/tcp    Remote Job Service
+netrjs-2         72/udp    Remote Job Service
+netrjs-3         73/tcp    Remote Job Service
+netrjs-3         73/udp    Remote Job Service
+netrjs-4         74/tcp    Remote Job Service
+netrjs-4         74/udp    Remote Job Service
+#                          Bob Braden <Braden@ISI.EDU>
+                 75/tcp    any private dial out service
+                 75/udp    any private dial out service
+#                          Jon Postel <postel@isi.edu>
+deos             76/tcp    Distributed External Object Store
+deos             76/udp    Distributed External Object Store
+#                          Robert Ullmann <ariel@world.std.com>
+                 77/tcp    any private RJE service
+                 77/udp    any private RJE service
+#                          Jon Postel <postel@isi.edu>
+vettcp           78/tcp    vettcp
+vettcp           78/udp    vettcp
+#                          Christopher Leong <leong@kolmod.mlo.dec.com>
+finger           79/tcp    Finger
+finger           79/udp    Finger
+#                          David Zimmerman <dpz@RUTGERS.EDU>
+http             80/tcp    World Wide Web HTTP
+http             80/udp    World Wide Web HTTP
+www              80/tcp    World Wide Web HTTP
+www              80/udp    World Wide Web HTTP
+www-http         80/tcp    World Wide Web HTTP
+www-http         80/udp    World Wide Web HTTP
+#                          Tim Berners-Lee <timbl@W3.org>
+hosts2-ns        81/tcp    HOSTS2 Name Server
+hosts2-ns        81/udp    HOSTS2 Name Server
+#                          Earl Killian <EAK@MORDOR.S1.GOV>
+xfer             82/tcp    XFER Utility
+xfer             82/udp    XFER Utility
+#                          Thomas M. Smith <Thomas.M.Smith@lmco.com>
+mit-ml-dev       83/tcp    MIT ML Device
+mit-ml-dev       83/udp    MIT ML Device
+#                          David Reed <--none--->
+ctf              84/tcp    Common Trace Facility
+ctf              84/udp    Common Trace Facility
+#                          Hugh Thomas <thomas@oils.enet.dec.com>
+mit-ml-dev       85/tcp    MIT ML Device
+mit-ml-dev       85/udp    MIT ML Device
+#                          David Reed <--none--->
+mfcobol          86/tcp    Micro Focus Cobol
+mfcobol          86/udp    Micro Focus Cobol
+#                          Simon Edwards <--none--->
+                 87/tcp    any private terminal link
+                 87/udp    any private terminal link
+#                          Jon Postel <postel@isi.edu>
+kerberos         88/tcp    Kerberos
+kerberos         88/udp    Kerberos
+#                          B. Clifford Neuman <bcn@isi.edu>
+su-mit-tg        89/tcp    SU/MIT Telnet Gateway
+su-mit-tg        89/udp    SU/MIT Telnet Gateway
+#                          Mark Crispin <MRC@PANDA.COM>
+########### PORT 90 also being used unofficially by Pointcast #########
+dnsix            90/tcp    DNSIX Securit Attribute Token Map
+dnsix            90/udp    DNSIX Securit Attribute Token Map
+#                          Charles Watt <watt@sware.com>
+mit-dov          91/tcp    MIT Dover Spooler
+mit-dov          91/udp    MIT Dover Spooler
+#                          Eliot Moss <EBM@XX.LCS.MIT.EDU>
+npp              92/tcp    Network Printing Protocol
+npp              92/udp    Network Printing Protocol
+#                          Louis Mamakos <louie@sayshell.umd.edu>
+dcp              93/tcp    Device Control Protocol
+dcp              93/udp    Device Control Protocol
+#                          Daniel Tappan <Tappan@BBN.COM>
+objcall          94/tcp    Tivoli Object Dispatcher
+objcall          94/udp    Tivoli Object Dispatcher
+#                          Tom Bereiter <--none--->
+supdup           95/tcp    SUPDUP
+supdup           95/udp    SUPDUP
+#                          Mark Crispin <MRC@PANDA.COM>
+dixie            96/tcp    DIXIE Protocol Specification
+dixie            96/udp    DIXIE Protocol Specification
+#                Tim Howes <Tim.Howes@terminator.cc.umich.edu>
+swift-rvf        97/tcp    Swift Remote Virtural File Protocol
+swift-rvf        97/udp    Swift Remote Virtural File Protocol
+#                          Maurice R. Turcotte
+#                <mailrus!uflorida!rm1!dnmrt%rmatl@uunet.UU.NET> 
+linuxconf/tacnews 98/tcp    TAC News
+linuxconf/tacnews 98/udp    TAC News
+#                          Jon Postel <postel@isi.edu>
+metagram         99/tcp    Metagram Relay
+metagram         99/udp    Metagram Relay
+#                          Geoff Goodfellow <Geoff@FERNWOOD.MPK.CA.US>
+newacct         100/tcp    [unauthorized use]
+hostname        101/tcp    NIC Host Name Server
+hostname        101/udp    NIC Host Name Server
+#                          Jon Postel <postel@isi.edu>
+iso-tsap        102/tcp    ISO-TSAP Class 0
+iso-tsap        102/udp    ISO-TSAP Class 0
+#                          Marshall Rose <mrose@dbc.mtview.ca.us>
+gppitnp         103/tcp    Genesis Point-to-Point Trans Net
+gppitnp         103/udp    Genesis Point-to-Point Trans Net
+acr-nema        104/tcp    ACR-NEMA Digital Imag. & Comm. 300
+acr-nema        104/udp    ACR-NEMA Digital Imag. & Comm. 300
+#                          Patrick McNamee <--none--->
+cso             105/tcp    CCSO name server protocol
+cso             105/udp    CCSO name server protocol
+#                          Martin Hamilton <martin@mrrl.lut.as.uk>           
+csnet-ns        105/tcp    Mailbox Name Nameserver
+csnet-ns        105/udp    Mailbox Name Nameserver
+#                          Marvin Solomon <solomon@CS.WISC.EDU>
+3com-tsmux      106/tcp    3COM-TSMUX
+3com-tsmux      106/udp    3COM-TSMUX
+#                          Jeremy Siegel <jzs@NSD.3Com.COM>
+##########      106        Unauthorized use by insecure poppassd protocol
+rtelnet         107/tcp    Remote Telnet Service
+rtelnet         107/udp    Remote Telnet Service
+#                          Jon Postel <postel@isi.edu>
+snagas          108/tcp    SNA Gateway Access Server
+snagas          108/udp    SNA Gateway Access Server
+#                          Kevin Murphy <murphy@sevens.lkg.dec.com>
+pop2            109/tcp    Post Office Protocol - Version 2
+pop2            109/udp    Post Office Protocol - Version 2
+#                          Joyce K. Reynolds <jkrey@isi.edu>
+pop3            110/tcp    Post Office Protocol - Version 3
+pop3            110/udp    Post Office Protocol - Version 3
+#                          Marshall Rose <mrose@dbc.mtview.ca.us>
+sunrpc          111/tcp    SUN Remote Procedure Call
+sunrpc          111/udp    SUN Remote Procedure Call
+#                          Chuck McManis <cmcmanis@freegate.net>
+mcidas          112/tcp    McIDAS Data Transmission Protocol
+mcidas          112/udp    McIDAS Data Transmission Protocol
+#                          Glenn Davis <support@unidata.ucar.edu>
+ident           113/tcp    
+auth            113/tcp    Authentication Service
+auth            113/udp    Authentication Service
+#                          Mike St. Johns <stjohns@arpa.mil>
+audionews       114/tcp    Audio News Multicast
+audionews       114/udp    Audio News Multicast
+#                          Martin Forssen <maf@dtek.chalmers.se>
+sftp            115/tcp    Simple File Transfer Protocol
+sftp            115/udp    Simple File Transfer Protocol
+#                          Mark Lottor <MKL@nisc.sri.com>
+ansanotify      116/tcp    ANSA REX Notify
+ansanotify      116/udp    ANSA REX Notify
+#                          Nicola J. Howarth <njh@ansa.co.uk>
+uucp-path       117/tcp    UUCP Path Service
+uucp-path       117/udp    UUCP Path Service
+sqlserv         118/tcp    SQL Services
+sqlserv         118/udp    SQL Services
+#                          Larry Barnes <barnes@broke.enet.dec.com>
+nntp            119/tcp    Network News Transfer Protocol
+nntp            119/udp    Network News Transfer Protocol
+#                          Phil Lapsley <phil@UCBARPA.BERKELEY.EDU>
+cfdptkt         120/tcp    CFDPTKT
+cfdptkt         120/udp    CFDPTKT
+#                          John Ioannidis <ji@close.cs.columbia.ed>
+erpc            121/tcp    Encore Expedited Remote Pro.Call
+erpc            121/udp    Encore Expedited Remote Pro.Call
+#                          Jack O'Neil <---none--->
+smakynet        122/tcp    SMAKYNET
+smakynet        122/udp    SMAKYNET
+#                          Pierre Arnaud <pierre.arnaud@iname.com>
+ntp             123/tcp    Network Time Protocol
+ntp             123/udp    Network Time Protocol
+#                          Dave Mills <Mills@HUEY.UDEL.EDU>
+ansatrader      124/tcp    ANSA REX Trader
+ansatrader      124/udp    ANSA REX Trader
+#                          Nicola J. Howarth <njh@ansa.co.uk>
+locus-map       125/tcp    Locus PC-Interface Net Map Ser
+locus-map       125/udp    Locus PC-Interface Net Map Ser
+#                          Eric Peterson <lcc.eric@SEAS.UCLA.EDU>
+nxedit         126/tcp    NXEdit
+nxedit         126/udp    NXEdit
+#                         Don Payette <Don.Payette@unisys.com>
+###########Port 126 Previously assigned to application below#######
+#unitary         126/tcp    Unisys Unitary Login
+#unitary         126/udp    Unisys Unitary Login
+#                          <feil@kronos.nisd.cam.unisys.com>
+###########Port 126 Previously assigned to application above#######
+locus-con       127/tcp    Locus PC-Interface Conn Server
+locus-con       127/udp    Locus PC-Interface Conn Server
+#                          Eric Peterson <lcc.eric@SEAS.UCLA.EDU>
+gss-xlicen      128/tcp    GSS X License Verification
+gss-xlicen      128/udp    GSS X License Verification
+#                          John Light <johnl@gssc.gss.com>
+pwdgen          129/tcp    Password Generator Protocol
+pwdgen          129/udp    Password Generator Protocol
+#                          Frank J. Wacho <WANCHO@WSMR-SIMTEL20.ARMY.MIL>
+cisco-fna       130/tcp    cisco FNATIVE
+cisco-fna       130/udp    cisco FNATIVE
+cisco-tna       131/tcp    cisco TNATIVE
+cisco-tna       131/udp    cisco TNATIVE
+cisco-sys       132/tcp    cisco SYSMAINT
+cisco-sys       132/udp    cisco SYSMAINT
+statsrv         133/tcp    Statistics Service
+statsrv         133/udp    Statistics Service
+#                          Dave Mills <Mills@HUEY.UDEL.EDU>
+ingres-net      134/tcp    INGRES-NET Service
+ingres-net      134/udp    INGRES-NET Service
+#                          Mike Berrow <---none--->
+ms-rpc/epmap    135/tcp    DCE endpoint resolution
+ms-rpc/epmap    135/udp    DCE endpoint resolution
+#                          Joe Pato <pato@apollo.hp.com>
+profile         136/tcp    PROFILE Naming System           
+profile         136/udp    PROFILE Naming System           
+#                          Larry Peterson <llp@ARIZONA.EDU>
+netbios-ns      137/tcp    NETBIOS Name Service    
+netbios-ns      137/udp    NETBIOS Name Service    
+netbios-dgm     138/tcp    NETBIOS Datagram Service
+netbios-dgm     138/udp    NETBIOS Datagram Service
+netbios-ssn     139/tcp    NETBIOS Session Service
+netbios-ssn     139/udp    NETBIOS Session Service
+#                          Jon Postel <postel@isi.edu>
+emfis-data      140/tcp    EMFIS Data Service
+emfis-data      140/udp    EMFIS Data Service
+emfis-cntl      141/tcp    EMFIS Control Service
+emfis-cntl      141/udp    EMFIS Control Service
+#                          Gerd Beling <GBELING@ISI.EDU>
+bl-idm          142/tcp    Britton-Lee IDM           
+bl-idm          142/udp    Britton-Lee IDM           
+#                          Susie Snitzer <---none--->
+imap            143/tcp    Internet Message Access Protocol
+imap            143/udp    Internet Message Access Protocol
+#                          Mark Crispin <MRC@CAC.Washington.EDU>
+uma            144/tcp    Universal Management Architecture
+uma            144/udp    Universal Management Architecture
+#                         Jay Whitney <jw@powercenter.com>
+uaac            145/tcp    UAAC Protocol             
+uaac            145/udp    UAAC Protocol             
+#                          David A. Gomberg <gomberg@GATEWAY.MITRE.ORG>
+iso-tp0         146/tcp    ISO-IP0
+iso-tp0         146/udp    ISO-IP0
+iso-ip          147/tcp    ISO-IP
+iso-ip          147/udp    ISO-IP
+#                          Marshall Rose <mrose@dbc.mtview.ca.us>
+jargon          148/tcp    Jargon
+jargon          148/udp    Jargon
+#                         Bill Weinman <wew@bearnet.com>
+aed-512         149/tcp    AED 512 Emulation Service           
+aed-512         149/udp    AED 512 Emulation Service           
+#                          Albert G. Broscius <broscius@DSL.CIS.UPENN.EDU>
+sql-net         150/tcp    SQL-NET                    
+sql-net         150/udp    SQL-NET                    
+#                          Martin Picard <<---none--->
+hems            151/tcp    HEMS                              
+hems            151/udp    HEMS                              
+bftp            152/tcp    Background File Transfer Program 
+bftp            152/udp    Background File Transfer Program 
+#                          Annette DeSchon <DESCHON@ISI.EDU>
+sgmp            153/tcp    SGMP                    
+sgmp            153/udp    SGMP                    
+#                          Marty Schoffstahl <schoff@NISC.NYSER.NET>
+netsc-prod      154/tcp    NETSC                             
+netsc-prod      154/udp    NETSC                             
+netsc-dev       155/tcp    NETSC                             
+netsc-dev       155/udp    NETSC                             
+#                          Sergio Heker <heker@JVNCC.CSC.ORG>
+sqlsrv          156/tcp    SQL Service                  
+sqlsrv          156/udp    SQL Service                  
+#                          Craig Rogers <Rogers@ISI.EDU>
+knet-cmp        157/tcp    KNET/VM Command/Message Protocol
+knet-cmp        157/udp    KNET/VM Command/Message Protocol
+#                          Gary S. Malkin <GMALKIN@XYLOGICS.COM>
+pcmail-srv      158/tcp    PCMail Server                 
+pcmail-srv      158/udp    PCMail Server                 
+#                          Mark L. Lambert <markl@PTT.LCS.MIT.EDU>
+nss-routing     159/tcp    NSS-Routing                  
+nss-routing     159/udp    NSS-Routing                  
+#                          Yakov Rekhter <Yakov@IBM.COM>
+sgmp-traps      160/tcp    SGMP-TRAPS                
+sgmp-traps      160/udp    SGMP-TRAPS                
+#                          Marty Schoffstahl <schoff@NISC.NYSER.NET>
+snmp            161/tcp    SNMP
+snmp            161/udp    SNMP
+snmptrap        162/tcp    SNMPTRAP
+snmptrap        162/udp    SNMPTRAP
+#                          Marshall Rose <mrose@dbc.mtview.ca.us>
+cmip-man        163/tcp    CMIP/TCP Manager   
+cmip-man        163/udp    CMIP/TCP Manager   
+cmip-agent      164/tcp    CMIP/TCP Agent     
+smip-agent      164/udp    CMIP/TCP Agent     
+#                          Amatzia Ben-Artzi <---none--->
+xns-courier     165/tcp    Xerox                          
+xns-courier     165/udp    Xerox                          
+#                          Susie Armstrong <Armstrong.wbst128@XEROX.COM>
+s-net           166/tcp    Sirius Systems          
+s-net           166/udp    Sirius Systems          
+#                          Brian Lloyd <brian@lloyd.com>
+namp            167/tcp    NAMP                    
+namp            167/udp    NAMP                    
+#                          Marty Schoffstahl <schoff@NISC.NYSER.NET>
+rsvd            168/tcp    RSVD                              
+rsvd            168/udp    RSVD                              
+#                          Neil Todd <mcvax!ist.co.uk!neil@UUNET.UU.NET>
+send            169/tcp    SEND                              
+send            169/udp    SEND                              
+#                          William D. Wisner <wisner@HAYES.FAI.ALASKA.EDU>
+print-srv       170/tcp    Network PostScript              
+print-srv       170/udp    Network PostScript              
+#                          Brian Reid <reid@DECWRL.DEC.COM>
+multiplex       171/tcp    Network Innovations Multiplex
+multiplex       171/udp    Network Innovations Multiplex
+cl/1            172/tcp    Network Innovations CL/1     
+cl/1            172/udp    Network Innovations CL/1     
+#                          Kevin DeVault <<---none--->
+xyplex-mux      173/tcp    Xyplex                          
+xyplex-mux      173/udp    Xyplex                          
+#                          Bob Stewart <STEWART@XYPLEX.COM>
+mailq           174/tcp    MAILQ                               
+mailq           174/udp    MAILQ                               
+#                          Rayan Zachariassen <rayan@AI.TORONTO.EDU>
+vmnet           175/tcp    VMNET                                
+vmnet           175/udp    VMNET  
+#                          Christopher Tengi <tengi@Princeton.EDU>
+genrad-mux      176/tcp    GENRAD-MUX                      
+genrad-mux      176/udp    GENRAD-MUX                      
+#                          Ron Thornton <thornton@qm7501.genrad.com>
+xdmcp           177/tcp    X Display Manager Control Protocol  
+xdmcp           177/udp    X Display Manager Control Protocol  
+#                          Robert W. Scheifler <RWS@XX.LCS.MIT.EDU>
+nextstep        178/tcp    NextStep Window Server     
+nextstep        178/udp    NextStep Window Server     
+#                          Leo Hourvitz <leo@NEXT.COM>
+bgp             179/tcp    Border Gateway Protocol             
+bgp             179/udp    Border Gateway Protocol             
+#                          Kirk Lougheed <LOUGHEED@MATHOM.CISCO.COM>
+ris             180/tcp    Intergraph                         
+ris             180/udp    Intergraph                         
+#                          Dave Buehmann <ingr!daveb@UUNET.UU.NET>
+unify           181/tcp    Unify                  
+unify           181/udp    Unify                  
+#                          Vinod Singh <--none--->
+audit           182/tcp    Unisys Audit SITP                  
+audit           182/udp    Unisys Audit SITP                  
+#                          Gil Greenbaum <gcole@nisd.cam.unisys.com>
+ocbinder        183/tcp    OCBinder                     
+ocbinder        183/udp    OCBinder                     
+ocserver        184/tcp    OCServer                     
+ocserver        184/udp    OCServer                     
+#                          Jerrilynn Okamura <--none--->
+remote-kis      185/tcp    Remote-KIS                        
+remote-kis      185/udp    Remote-KIS                        
+kis             186/tcp    KIS Protocol                      
+kis             186/udp    KIS Protocol                      
+#                          Ralph Droms <rdroms@NRI.RESTON.VA.US>
+aci             187/tcp    Application Communication Interface
+aci             187/udp    Application Communication Interface
+#                          Rick Carlos <rick.ticipa.csc.ti.com>
+mumps           188/tcp    Plus Five's MUMPS            
+mumps           188/udp    Plus Five's MUMPS            
+#                          Hokey Stenn <hokey@PLUS5.COM>
+qft             189/tcp    Queued File Transport        
+qft             189/udp    Queued File Transport        
+#                          Wayne Schroeder <schroeder@SDS.SDSC.EDU>
+gacp            190/tcp    Gateway Access Control Protocol
+gacp            190/udp    Gateway Access Control Protocol
+#                          C. Philip Wood <cpw@LANL.GOV>
+prospero        191/tcp    Prospero Directory Service      
+prospero        191/udp    Prospero Directory Service      
+#                          B. Clifford Neuman <bcn@isi.edu>
+osu-nms         192/tcp    OSU Network Monitoring System       
+osu-nms         192/udp    OSU Network Monitoring System       
+#                          Doug Karl <KARL-D@OSU-20.IRCC.OHIO-STATE.EDU>
+srmp            193/tcp    Spider Remote Monitoring Protocol 
+srmp            193/udp    Spider Remote Monitoring Protocol 
+#                          Ted J. Socolofsky <Teds@SPIDER.CO.UK>
+irc             194/tcp    Internet Relay Chat Protocol        
+irc             194/udp    Internet Relay Chat Protocol        
+#                          Jarkko Oikarinen <jto@TOLSUN.OULU.FI>
+dn6-nlm-aud     195/tcp    DNSIX Network Level Module Audit    
+dn6-nlm-aud     195/udp    DNSIX Network Level Module Audit    
+dn6-smm-red     196/tcp    DNSIX Session Mgt Module Audit Redir
+dn6-smm-red     196/udp    DNSIX Session Mgt Module Audit Redir
+#                          Lawrence Lebahn <DIA3@PAXRV-NES.NAVY.MIL>
+dls             197/tcp    Directory Location Service        
+dls             197/udp    Directory Location Service        
+dls-mon         198/tcp    Directory Location Service Monitor
+dls-mon         198/udp    Directory Location Service Monitor
+#                          Scott Bellew <smb@cs.purdue.edu>
+smux            199/tcp    SMUX
+smux            199/udp    SMUX
+#                          Marshall Rose <mrose@dbc.mtview.ca.us>
+src             200/tcp    IBM System Resource Controller
+src             200/udp    IBM System Resource Controller
+#                          Gerald McBrearty <---none--->
+at-rtmp         201/tcp    AppleTalk Routing Maintenance       
+at-rtmp         201/udp    AppleTalk Routing Maintenance       
+at-nbp          202/tcp    AppleTalk Name Binding              
+at-nbp          202/udp    AppleTalk Name Binding              
+at-3            203/tcp    AppleTalk Unused                    
+at-3            203/udp    AppleTalk Unused                    
+at-echo         204/tcp    AppleTalk Echo                      
+at-echo         204/udp    AppleTalk Echo                      
+at-5            205/tcp    AppleTalk Unused                    
+at-5            205/udp    AppleTalk Unused                    
+at-zis          206/tcp    AppleTalk Zone Information          
+at-zis          206/udp    AppleTalk Zone Information          
+at-7            207/tcp    AppleTalk Unused                    
+at-7            207/udp    AppleTalk Unused                    
+at-8            208/tcp    AppleTalk Unused                    
+at-8            208/udp    AppleTalk Unused                    
+#                          Rob Chandhok <chandhok@gnome.cs.cmu.edu>
+qmtp            209/tcp    The Quick Mail Transfer Protocol
+qmtp            209/udp    The Quick Mail Transfer Protocol
+#                          Dan Bernstein <djb@silverton.berkeley.edu>
+z39.50          210/tcp    ANSI Z39.50
+z39.50          210/udp    ANSI Z39.50
+#                          Mark Needleman
+#                          <mhnur%uccmvsa.bitnet@cornell.cit.cornell.edu> 
+914c/g          211/tcp    Texas Instruments 914C/G Terminal
+914c/g          211/udp    Texas Instruments 914C/G Terminal
+#                          Bill Harrell <---none--->
+anet            212/tcp    ATEXSSTR   
+anet            212/udp    ATEXSSTR   
+#                          Jim Taylor <taylor@heart.epps.kodak.com>
+ipx             213/tcp    IPX                                       
+ipx             213/udp    IPX                                
+#                          Don Provan <donp@xlnvax.novell.com>
+vmpwscs         214/tcp    VM PWSCS                         
+vmpwscs         214/udp    VM PWSCS                         
+#                          Dan Shia <dset!shia@uunet.UU.NET>
+softpc          215/tcp    Insignia Solutions
+softpc          215/udp    Insignia Solutions
+#                          Martyn Thomas <---none--->
+CAIlic          216/tcp    Computer Associates Int'l License Server
+CAIlic          216/udp    Computer Associates Int'l License Server
+#                          Chuck Spitz <spich04@cai.com>
+dbase           217/tcp    dBASE Unix
+dbase           217/udp    dBASE Unix
+#                          Don Gibson
+#            <sequent!aero!twinsun!ashtate.A-T.COM!dong@uunet.UU.NET> 
+mpp             218/tcp    Netix Message Posting Protocol
+mpp             218/udp    Netix Message Posting Protocol
+#                          Shannon Yeh <yeh@netix.com>
+uarps           219/tcp    Unisys ARPs               
+uarps           219/udp    Unisys ARPs               
+#                          Ashok Marwaha <---none--->
+imap3           220/tcp    Interactive Mail Access Protocol v3
+imap3           220/udp    Interactive Mail Access Protocol v3
+#                          James Rice <RICE@SUMEX-AIM.STANFORD.EDU>
+fln-spx         221/tcp    Berkeley rlogind with SPX auth   
+fln-spx         221/udp    Berkeley rlogind with SPX auth   
+rsh-spx         222/tcp    Berkeley rshd with SPX auth      
+rsh-spx         222/udp    Berkeley rshd with SPX auth      
+cdc             223/tcp    Certificate Distribution Center  
+cdc             223/udp    Certificate Distribution Center  
+#               Kannan Alagappan <kannan@sejour.enet.dec.com>
+########### Possible Conflict of Port 222 with "Masqdialer"##############
+### Contact for Masqdialer is Charles Wright <cpwright@villagenet.com>###
+masqdialer     224/tcp    masqdialer
+masqdialer     224/udp    masqdialer
+#                         Charles Wright <cpwright@villagenet.com>
+#               225-241    Reserved
+#                          Jon Postel <postel@isi.edu>
+direct          242/tcp    Direct
+direct          242/udp    Direct
+#                          Herb Sutter <HerbS@cntc.com>
+sur-meas        243/tcp    Survey Measurement          
+sur-meas        243/udp    Survey Measurement          
+#                          Dave Clark <ddc@LCS.MIT.EDU>
+inbusiness      244/tcp    inbusiness
+inbusiness      244/udp    inbusiness
+#                         Bruce Jones <bruce.r.jones@intel.com>
+link            245/tcp    LINK
+link            245/udp    LINK
+dsp3270         246/tcp    Display Systems Protocol        
+dsp3270         246/udp    Display Systems Protocol        
+#                          Weldon J. Showalter <Gamma@MINTAKA.DCA.MIL>
+subntbcst_tftp  247/tcp    SUBNTBCST_TFTP
+subntbcst_tftp  247/udp    SUBNTBCST_TFTP
+#                         John Fake <fake@us.ibm.com>
+bhfhs          248/tcp    bhfhs
+bhfhs          248/udp    bhfhs
+#                         John Kelly <johnk@bellhow.com>
+#               249-255    Reserved
+#                          Jon Postel <postel@isi.edu>
+rap             256/tcp    RAP
+rap             256/udp    RAP
+#                          J.S. Greenfield <greeny@raleigh.ibm.com>
+set             257/tcp    Secure Electronic Transaction
+set             257/udp    Secure Electronic Transaction
+#                          Donald Eastlake <dee3@torque.pothole.com>
+yak-chat        258/tcp    Yak Winsock Personal Chat
+yak-chat        258/udp    Yak Winsock Personal Chat
+#                          Brian Bandy <bbandy@swbell.net>
+esro-gen        259/tcp    Efficient Short Remote Operations
+esro-gen        259/udp    Efficient Short Remote Operations
+#                          Mohsen Banan <mohsen@rostam.neda.com>
+openport        260/tcp    Openport
+openport        260/udp    Openport
+#                          John Marland <jmarland@dean.openport.com>
+nsiiops        261/tcp    IIOP Name Service over TLS/SSL
+nsiiops                261/udp    IIOP Name Service over TLS/SSL
+#                          Jeff Stewart <jstewart@netscape.com>
+arcisdms       262/tcp    Arcisdms
+arcisdms       262/udp    Arcisdms
+#                         Russell Crook (rmc@sni.ca>
+hdap           263/tcp    HDAP
+hdap           263/udp    HDAP
+#                         Troy Gau <troy@zyxel.com>
+bgmp           264/tcp    BGMP
+bgmp           264/udp    BGMP
+#                         Dave Thaler <thalerd@eecs.umich.edu>
+x-bone-ctl     265/tcp    X-Bone CTL
+x-bone-ctl     265/udp    X-Bone CTL
+#                         Joe Touch <touch@isi.edu>
+sst             266/tcp    SCSI on ST
+sst             266/udp    SCSI on ST
+#                          Donald D. Woelz <don@genroco.com>
+td-service      267/tcp    Tobit David Service Layer
+td-service      267/udp    Tobit David Service Layer
+td-replica      268/tcp    Tobit David Replica
+td-replica      268/udp    Tobit David Replica
+#                          Franz-Josef Leuders <development@tobit.com>
+#               269-279    Unassigned
+http-mgmt       280/tcp    http-mgmt
+http-mgmt       280/udp    http-mgmt
+#                          Adrian Pell
+#                          <PELL_ADRIAN/HP-UnitedKingdom_om6@hplb.hpl.hp.com>
+personal-link   281/tcp           Personal Link
+personal-link  281/udp    Personal Link
+#                         Dan Cummings <doc@cnr.com>
+cableport-ax   282/tcp    Cable Port A/X
+cableport-ax   282/udp    Cable Port A/X
+#                         Craig Langfahl <Craig_J_Langfahl@ccm.ch.intel.com>
+rescap         283/tcp    rescap
+rescap         283/udp    rescap
+#                         Paul Hoffman <phoffman@imc.org>
+corerjd                284/tcp    corerjd
+corerjd                284/udp    corerjd
+#                         Chris Thornhill <cjt@corenetworks.com>
+#               285        Unassigned  
+fxp-1           286/tcp    FXP-1
+fxp-1           286/udp    FXP-1
+#                          James Darnall <jim@cennoid.com>   
+k-block         287/tcp    K-BLOCK
+k-block         287/udp    K-BLOCK
+#                          Simon P Jackson <jacko@kring.co.uk>    
+#               288-307    Unassigned
+novastorbakcup 308/tcp    Novastor Backup
+novastorbakcup 308/udp    Novastor Backup
+#                         Brian Dickman <brian@novastor.com>
+entrusttime     309/tcp    EntrustTime    
+entrusttime     309/udp    EntrustTime    
+#                          Peter Whittaker <pww@entrust.com>
+bhmds          310/tcp    bhmds
+bhmds          310/udp    bhmds
+#                         John Kelly <johnk@bellhow.com>
+asip-webadmin  311/tcp    AppleShare IP WebAdmin
+asip-webadmin  311/udp    AppleShare IP WebAdmin
+#                         Ann Huang <annhuang@apple.com>
+vslmp          312/tcp    VSLMP
+vslmp          312/udp    VSLMP
+#                         Gerben Wierda <Gerben_Wierda@RnA.nl>
+magenta-logic  313/tcp    Magenta Logic
+magenta-logic  313/udp    Magenta Logic
+#                         Karl Rousseau <kr@netfusion.co.uk>
+opalis-robot   314/tcp    Opalis Robot
+opalis-robot   314/udp    Opalis Robot
+#                         Laurent Domenech, Opalis <laurent@opalis.com>
+dpsi           315/tcp    DPSI
+dpsi           315/udp    DPSI
+#                         Tony Scamurra <Tony@DesktopPaging.com>
+decauth                316/tcp    decAuth
+decauth                316/udp    decAuth
+#                         Michael Agishtein <misha@unx.dec.com>
+zannet         317/tcp    Zannet
+zannet         317/udp    Zannet
+#                         Zan Oliphant <zan@accessone.com>
+pkix-timestamp 318/tcp    PKIX TimeStamp
+pkix-timestamp 318/udp    PKIX TimeStamp
+#                         Robert Zuccherato <robert.zuccherato@entrust.com>
+ptp-event      319/tcp    PTP Event
+ptp-event      319/udp    PTP Event
+ptp-general    320/tcp    PTP General
+ptp-general    320/udp    PTP General
+#                         John Eidson <eidson@hpl.hp.com>
+pip            321/tcp    PIP
+pip            321/udp    PIP
+#                         Gordon Mohr <gojomo@usa.net>
+rtsps          322/tcp    RTSPS
+rtsps          322/udp    RTSPS
+#                         Anders Klemets <anderskl@microsoft.com>
+#               323-332    Unassigned
+texar          333/tcp    Texar Security Port
+texar          333/udp    Texar Security Port
+#                         Darin Cowan <darin@texar.com>
+#              334-343    Unassigned
+pdap            344/tcp    Prospero Data Access Protocol
+pdap            344/udp    Prospero Data Access Protocol
+#                          B. Clifford Neuman <bcn@isi.edu>
+pawserv         345/tcp    Perf Analysis Workbench
+pawserv         345/udp    Perf Analysis Workbench
+zserv           346/tcp    Zebra server
+zserv           346/udp    Zebra server
+fatserv         347/tcp    Fatmen Server
+fatserv         347/udp    Fatmen Server
+csi-sgwp        348/tcp    Cabletron Management Protocol
+csi-sgwp        348/udp    Cabletron Management Protocol
+mftp            349/tcp    mftp
+mftp            349/udp    mftp
+#                          Dave Feinleib <davefe@microsoft.com>
+matip-type-a    350/tcp    MATIP Type A
+matip-type-a   350/udp    MATIP Type A
+matip-type-b    351/tcp    MATIP Type B
+matip-type-b    351/udp    MATIP Type B
+#                         Alain Robert <arobert@par.sita.int>
+# The following entry records an unassigned but widespread use
+bhoetty                351/tcp    bhoetty (added 5/21/97)
+bhoetty                351/udp    bhoetty
+#                         John Kelly <johnk@bellhow.com>
+dtag-ste-sb    352/tcp    DTAG (assigned long ago)
+dtag-ste-sb    352/udp    DTAG
+#                         Ruediger Wald <wald@ez-darmstadt.telekom.de>
+# The following entry records an unassigned but widespread use
+bhoedap4       352/tcp    bhoedap4 (added 5/21/97)
+bhoedap4       352/udp    bhoedap4
+#                         John Kelly <johnk@bellhow.com>
+ndsauth                353/tcp    NDSAUTH
+ndsauth                353/udp    NDSAUTH
+#                         Jayakumar Ramalingam <jayakumar@novell.com>
+bh611          354/tcp    bh611
+bh611          354/udp    bh611
+#                         John Kelly <johnk@bellhow.com>
+datex-asn      355/tcp    DATEX-ASN
+datex-asn      355/udp    DATEX-ASN
+#                         Kenneth Vaughn <kvaughn@mail.viggen.com>
+cloanto-net-1  356/tcp    Cloanto Net 1
+cloanto-net-1  356/udp    Cloanto Net 1
+#                         Michael Battilana <mcb@cloanto.com>
+bhevent                357/tcp    bhevent
+bhevent                357/udp    bhevent
+#                         John Kelly <johnk@bellhow.com>
+shrinkwrap     358/tcp    Shrinkwrap
+shrinkwrap     358/udp    Shrinkwrap
+#                         Bill Simpson <wsimpson@greendragon.com>
+tenebris_nts   359/tcp    Tenebris Network Trace Service
+tenebris_nts   359/udp    Tenebris Network Trace Service
+#                         Eric Jacksch <jacksch@tenebris.ca>
+scoi2odialog   360/tcp    scoi2odialog
+scoi2odialog   360/udp    scoi2odialog
+#                         Keith Petley <keithp@sco.COM>
+semantix       361/tcp    Semantix
+semantix       361/udp    Semantix
+#                         Semantix <xsSupport@semantix.com>
+srssend                362/tcp    SRS Send
+srssend                362/udp    SRS Send
+#                         Curt Mayer <curt@emergent.com>
+rsvp_tunnel    363/tcp    RSVP Tunnel
+rsvp_tunnel    363/udp    RSVP Tunnel
+#                         Andreas Terzis <terzis@cs.ucla.edu>
+aurora-cmgr    364/tcp    Aurora CMGR
+aurora-cmgr    364/udp    Aurora CMGR
+#                         Philip Budne <budne@auroratech.com>
+dtk            365/tcp    DTK
+dtk            365/udp    DTK
+#                         Fred Cohen <fc@all.net>
+odmr           366/tcp    ODMR
+odmr           366/udp    ODMR
+#                         Randall Gellens <randy@qualcomm.com>
+mortgageware   367/tcp    MortgageWare
+mortgageware   367/udp    MortgageWare
+#                         Ole Hellevik <oleh@interlinq.com>
+qbikgdp                368/tcp    QbikGDP
+qbikgdp                368/udp    QbikGDP
+#                         Adrien de Croy <adrien@qbik.com>
+rpc2portmap    369/tcp    rpc2portmap 
+rpc2portmap    369/udp    rpc2portmap
+codaauth2      370/tcp    codaauth2
+codaauth2      370/udp    codaauth2
+#                         Robert Watson <robert@cyrus.watson.org>
+clearcase       371/tcp    Clearcase
+clearcase       371/udp    Clearcase
+#                          Dave LeBlang <leglang@atria.com>
+ulistproc       372/tcp    ListProcessor
+ulistproc       372/udp    ListProcessor
+#                          Anastasios Kotsikonas <tasos@cs.bu.edu>
+legent-1        373/tcp    Legent Corporation
+legent-1        373/udp    Legent Corporation
+legent-2        374/tcp    Legent Corporation
+legent-2        374/udp    Legent Corporation
+#                          Keith Boyce <---none--->
+hassle          375/tcp    Hassle
+hassle          375/udp    Hassle
+#                          Reinhard Doelz <doelz@comp.bioz.unibas.ch>
+nip             376/tcp    Amiga Envoy Network Inquiry Proto   
+nip             376/udp    Amiga Envoy Network Inquiry Proto
+#                          Heinz Wrobel <hwrobel@gmx.de>
+tnETOS          377/tcp    NEC Corporation
+tnETOS          377/udp    NEC Corporation
+dsETOS          378/tcp    NEC Corporation
+dsETOS          378/udp    NEC Corporation
+#                          Tomoo Fujita <tf@arc.bs1.fc.nec.co.jp>
+is99c           379/tcp    TIA/EIA/IS-99 modem client
+is99c           379/udp    TIA/EIA/IS-99 modem client
+is99s           380/tcp    TIA/EIA/IS-99 modem server
+is99s           380/udp    TIA/EIA/IS-99 modem server
+#                          Frank Quick <fquick@qualcomm.com>
+hp-collector    381/tcp    hp performance data collector
+hp-collector    381/udp    hp performance data collector
+hp-managed-node 382/tcp    hp performance data managed node
+hp-managed-node 382/udp    hp performance data managed node
+hp-alarm-mgr    383/tcp    hp performance data alarm manager
+hp-alarm-mgr    383/udp    hp performance data alarm manager
+#                          Frank Blakely <frankb@hpptc16.rose.hp.com>
+arns            384/tcp    A Remote Network Server System
+arns            384/udp    A Remote Network Server System
+#                          David Hornsby <djh@munnari.OZ.AU>
+ibm-app         385/tcp    IBM Application
+ibm-app         385/udp    IBM Application
+#                          Lisa Tomita <---none--->
+asa             386/tcp    ASA Message Router Object Def.
+asa             386/udp    ASA Message Router Object Def.
+#                          Steve Laitinen <laitinen@brutus.aa.ab.com>
+aurp            387/tcp    Appletalk Update-Based Routing Pro.
+aurp            387/udp    Appletalk Update-Based Routing Pro.
+#                          Chris Ranch <cranch@novell.com>
+unidata-ldm     388/tcp    Unidata LDM  
+unidata-ldm     388/udp    Unidata LDM 
+#                          Glenn Davis <support@unidata.ucar.edu>
+#               389/tcp    Lightweight Directory Access Protocol
+ldap            389/udp    Lightweight Directory Access Protocol
+#                          Tim Howes <Tim.Howes@terminator.cc.umich.edu>
+uis             390/tcp    UIS
+uis             390/udp    UIS
+#                          Ed Barron <---none---> 
+synotics-relay  391/tcp    SynOptics SNMP Relay Port
+synotics-relay  391/udp    SynOptics SNMP Relay Port
+synotics-broker 392/tcp    SynOptics Port Broker Port
+synotics-broker 392/udp    SynOptics Port Broker Port
+#                          Illan Raab <iraab@synoptics.com>
+meta5           393/tcp    Meta5
+meta5           393/udp    Meta5
+#                          Jim Kanzler <jim.kanzler@meta5.com>
+embl-ndt        394/tcp    EMBL Nucleic Data Transfer
+embl-ndt        394/udp    EMBL Nucleic Data Transfer
+#                          Peter Gad <peter@bmc.uu.se>
+netcp           395/tcp    NETscout Control Protocol
+netcp           395/udp    NETscout Control Protocol
+#                          Anil Singhal <---none--->
+netware-ip      396/tcp    Novell Netware over IP
+netware-ip      396/udp    Novell Netware over IP
+mptn            397/tcp    Multi Protocol Trans. Net.
+mptn            397/udp    Multi Protocol Trans. Net.
+#                          Soumitra Sarkar <sarkar@vnet.ibm.com>
+kryptolan       398/tcp    Kryptolan
+kryptolan       398/udp    Kryptolan
+#                          Peter de Laval <pdl@sectra.se>
+iso-tsap-c2     399/tcp    ISO Transport Class 2 Non-Control over TCP
+iso-tsap-c2     399/udp    ISO Transport Class 2 Non-Control over TCP
+#                          Yanick Pouffary <pouffary@taec.enet.dec.com>
+work-sol        400/tcp    Workstation Solutions
+work-sol        400/udp    Workstation Solutions
+#                          Jim Ward <jimw@worksta.com>
+ups             401/tcp    Uninterruptible Power Supply
+ups             401/udp    Uninterruptible Power Supply
+#                          Charles Bennett <chuck@benatong.com>
+genie           402/tcp    Genie Protocol
+genie           402/udp    Genie Protocol
+#                          Mark Hankin <---none--->
+decap           403/tcp    decap
+decap           403/udp    decap
+nced            404/tcp    nced
+nced            404/udp    nced
+ncld            405/tcp    ncld
+ncld            405/udp    ncld
+#                          Richard Jones <---none--->
+imsp            406/tcp    Interactive Mail Support Protocol
+imsp            406/udp    Interactive Mail Support Protocol
+#                          John Myers <jgm+@cmu.edu>
+timbuktu        407/tcp    Timbuktu
+timbuktu        407/udp    Timbuktu
+#                          Marc Epard <marc@netopia.com>
+prm-sm          408/tcp    Prospero Resource Manager Sys. Man.
+prm-sm          408/udp    Prospero Resource Manager Sys. Man.
+prm-nm          409/tcp    Prospero Resource Manager Node Man.
+prm-nm          409/udp    Prospero Resource Manager Node Man.
+#                          B. Clifford Neuman <bcn@isi.edu>
+decladebug      410/tcp    DECLadebug Remote Debug Protocol
+decladebug      410/udp    DECLadebug Remote Debug Protocol
+#                          Anthony Berent <anthony.berent@reo.mts.dec.com>
+rmt             411/tcp    Remote MT Protocol
+rmt             411/udp    Remote MT Protocol
+#                          Peter Eriksson <pen@lysator.liu.se>
+synoptics-trap  412/tcp    Trap Convention Port
+synoptics-trap  412/udp    Trap Convention Port
+#                          Illan Raab <iraab@synoptics.com>
+smsp            413/tcp    Storage Management Services Protocol
+smsp            413/udp    Storage Management Services Protocol
+#                          Murthy Srinivas <murthy@novell.com>
+infoseek        414/tcp    InfoSeek
+infoseek        414/udp    InfoSeek
+#                          Steve Kirsch <stk@infoseek.com>
+bnet            415/tcp    BNet
+bnet            415/udp    BNet
+#                          Jim Mertz <JMertz+RV09@rvdc.unisys.com>
+silverplatter   416/tcp    Silverplatter
+silverplatter   416/udp    Silverplatter
+#                          Peter Ciuffetti <petec@silverplatter.com>
+onmux           417/tcp    Onmux
+onmux           417/udp    Onmux
+#                          Stephen Hanna <hanna@world.std.com>
+hyper-g         418/tcp    Hyper-G
+hyper-g         418/udp    Hyper-G
+#                          Frank Kappe <fkappe@iicm.tu-graz.ac.at>
+ariel1          419/tcp    Ariel
+ariel1          419/udp    Ariel
+#                          Lennie Stovel <bl.mds@rlg.org>
+smpte           420/tcp    SMPTE
+smpte           420/udp    SMPTE
+#                          Si Becker <71362.22@CompuServe.COM>
+ariel2          421/tcp    Ariel
+ariel2          421/udp    Ariel
+ariel3          422/tcp    Ariel
+ariel3          422/udp    Ariel
+#                          Lennie Stovel <bl.mds@rlg.org>
+opc-job-start   423/tcp    IBM Operations Planning and Control Start
+opc-job-start   423/udp    IBM Operations Planning and Control Start
+opc-job-track   424/tcp    IBM Operations Planning and Control Track
+opc-job-track   424/udp    IBM Operations Planning and Control Track
+#                          Conny Larsson  <cocke@VNET.IBM.COM>
+icad-el         425/tcp    ICAD
+icad-el         425/udp    ICAD
+#                         Larry Stone  <lcs@icad.com>
+smartsdp        426/tcp    smartsdp
+smartsdp        426/udp    smartsdp
+#                          Alexander Dupuy <dupuy@smarts.com>
+svrloc          427/tcp    Server Location
+svrloc          427/udp    Server Location
+#                          <veizades@ftp.com>
+ocs_cmu         428/tcp    OCS_CMU
+ocs_cmu         428/udp    OCS_CMU
+ocs_amu         429/tcp    OCS_AMU
+ocs_amu         429/udp    OCS_AMU
+#                          Florence Wyman <wyman@peabody.plk.af.mil>
+utmpsd          430/tcp    UTMPSD
+utmpsd          430/udp    UTMPSD
+utmpcd          431/tcp    UTMPCD
+utmpcd          431/udp    UTMPCD
+iasd            432/tcp    IASD  
+iasd            432/udp    IASD  
+#                          Nir Baroz <nbaroz@encore.com>
+nnsp            433/tcp    NNSP
+nnsp            433/udp    NNSP
+#                          Rob Robertson <rob@gangrene.berkeley.edu>
+mobileip-agent  434/tcp    MobileIP-Agent
+mobileip-agent  434/udp    MobileIP-Agent
+mobilip-mn      435/tcp    MobilIP-MN
+mobilip-mn      435/udp    MobilIP-MN
+#                          Kannan Alagappan <kannan@sejour.lkg.dec.com>
+dna-cml         436/tcp    DNA-CML   
+dna-cml         436/udp    DNA-CML   
+#                          Dan Flowers <flowers@smaug.lkg.dec.com>
+comscm          437/tcp    comscm
+comscm          437/udp    comscm
+#                          Jim Teague <teague@zso.dec.com>
+dsfgw           438/tcp    dsfgw
+dsfgw           438/udp    dsfgw
+#                          Andy McKeen <mckeen@osf.org>
+dasp            439/tcp    dasp      Thomas Obermair
+dasp            439/udp    dasp      tommy@inlab.m.eunet.de
+#                          Thomas Obermair <tommy@inlab.m.eunet.de>
+sgcp            440/tcp    sgcp      
+sgcp            440/udp    sgcp      
+#                          Marshall Rose <mrose@dbc.mtview.ca.us>
+decvms-sysmgt   441/tcp    decvms-sysmgt
+decvms-sysmgt   441/udp    decvms-sysmgt
+#                          Lee Barton <barton@star.enet.dec.com>
+cvc_hostd       442/tcp    cvc_hostd
+cvc_hostd       442/udp    cvc_hostd
+#                          Bill Davidson <billd@equalizer.cray.com>
+https           443/tcp    http protocol over TLS/SSL
+https           443/udp    http protocol over TLS/SSL
+#                          Kipp E.B. Hickman <kipp@mcom.com>
+snpp            444/tcp    Simple Network Paging Protocol
+snpp            444/udp    Simple Network Paging Protocol
+#                          [RFC1568]
+microsoft-ds    445/tcp    Microsoft-DS
+microsoft-ds    445/udp    Microsoft-DS
+#                          Pradeep Bahl <pradeepb@microsoft.com>
+ddm-rdb         446/tcp    DDM-RDB
+ddm-rdb         446/udp    DDM-RDB
+ddm-dfm         447/tcp    DDM-RFM
+ddm-dfm         447/udp    DDM-RFM
+#                          Jan David Fisher <jdfisher@VNET.IBM.COM>
+ddm-ssl         448/tcp    DDM-SSL
+ddm-ssl         448/udp    DDM-SSL
+#                         Steve Ritland <srr@vnet.ibm.com>
+as-servermap    449/tcp    AS Server Mapper
+as-servermap    449/udp    AS Server Mapper
+#                          Barbara Foss <BGFOSS@rchvmv.vnet.ibm.com>
+tserver         450/tcp    TServer
+tserver         450/udp    TServer
+#                          Harvey S. Schultz <hss@mtgzfs3.mt.att.com>
+sfs-smp-net     451/tcp    Cray Network Semaphore server
+sfs-smp-net     451/udp    Cray Network Semaphore server
+sfs-config     452/tcp    Cray SFS config server
+sfs-config     452/udp    Cray SFS config server
+#                          Walter Poxon <wdp@ironwood.cray.com>
+creativeserver  453/tcp    CreativeServer
+creativeserver  453/udp    CreativeServer
+contentserver   454/tcp    ContentServer
+contentserver   454/udp    ContentServer
+creativepartnr  455/tcp    CreativePartnr
+creativepartnr  455/udp    CreativePartnr
+#                          Jesus Ortiz <jesus_ortiz@emotion.com>
+macon-tcp       456/tcp    macon-tcp
+macon-udp       456/udp    macon-udp
+#                          Yoshinobu Inoue
+#                          <shin@hodaka.mfd.cs.fujitsu.co.jp>
+scohelp         457/tcp    scohelp
+scohelp         457/udp    scohelp
+#                          Faith Zack <faithz@sco.com>
+appleqtc        458/tcp    apple quick time
+appleqtc        458/udp    apple quick time
+#                          Murali Ranganathan 
+#                          <murali_ranganathan@quickmail.apple.com>
+ampr-rcmd       459/tcp    ampr-rcmd              
+ampr-rcmd       459/udp    ampr-rcmd              
+#                          Rob Janssen <rob@sys3.pe1chl.ampr.org>
+skronk          460/tcp    skronk
+skronk          460/udp    skronk
+#                          Henry Strickland <strick@yak.net>
+datasurfsrv     461/tcp    DataRampSrv
+datasurfsrv     461/udp    DataRampSrv
+datasurfsrvsec  462/tcp    DataRampSrvSec
+datasurfsrvsec  462/udp    DataRampSrvSec
+#                          Diane Downie <downie@jibe.MV.COM>
+alpes           463/tcp    alpes
+alpes           463/udp    alpes
+#                          Alain Durand <Alain.Durand@imag.fr>
+kpasswd         464/tcp    kpasswd
+kpasswd         464/udp    kpasswd
+#                          Theodore Ts'o <tytso@MIT.EDU>
+smtps           465/tcp    smtps
+digital-vrc     466/tcp    digital-vrc
+digital-vrc     466/udp    digital-vrc
+#                          Peter Higginson <higginson@mail.dec.com>
+mylex-mapd      467/tcp    mylex-mapd
+mylex-mapd      467/udp    mylex-mapd
+#                          Gary Lewis <GaryL@hq.mylex.com>
+photuris        468/tcp    proturis
+photuris        468/udp    proturis
+#                          Bill Simpson <Bill.Simpson@um.cc.umich.edu>
+rcp             469/tcp    Radio Control Protocol
+rcp             469/udp    Radio Control Protocol
+#                          Jim Jennings +1-708-538-7241
+scx-proxy       470/tcp    scx-proxy
+scx-proxy       470/udp    scx-proxy
+#                          Scott Narveson <sjn@cray.com>
+mondex          471/tcp    Mondex
+mondex          471/udp    Mondex
+#                          Bill Reding <redingb@nwdt.natwest.co.uk>
+ljk-login       472/tcp    ljk-login
+ljk-login       472/udp    ljk-login
+#                          LJK Software, Cambridge, Massachusetts
+#                          <support@ljk.com>
+hybrid-pop      473/tcp    hybrid-pop
+hybrid-pop      473/udp    hybrid-pop
+#                          Rami Rubin <rami@hybrid.com>
+tn-tl-w1        474/tcp    tn-tl-w1
+tn-tl-w2        474/udp    tn-tl-w2
+#                          Ed Kress <eskress@thinknet.com>
+tcpnethaspsrv   475/tcp    tcpnethaspsrv
+tcpnethaspsrv   475/udp    tcpnethaspsrv
+#                          Charlie Hava <charlie@aladdin.co.il>
+tn-tl-fd1       476/tcp    tn-tl-fd1
+tn-tl-fd1       476/udp    tn-tl-fd1
+#                          Ed Kress <eskress@thinknet.com>
+ss7ns           477/tcp    ss7ns
+ss7ns           477/udp    ss7ns
+#                          Jean-Michel URSCH <ursch@taec.enet.dec.com>
+spsc            478/tcp    spsc
+spsc            478/udp    spsc
+#                          Mike Rieker <mikea@sp32.com>
+iafserver       479/tcp    iafserver
+iafserver       479/udp    iafserver
+iafdbase        480/tcp    iafdbase
+iafdbase        480/udp    iafdbase
+#                          ricky@solect.com <Rick Yazwinski>
+ph              481/tcp    Ph service
+ph              481/udp    Ph service
+#                          Roland Hedberg <Roland.Hedberg@umdac.umu.se>
+bgs-nsi         482/tcp    bgs-nsi
+bgs-nsi         482/udp    bgs-nsi
+#                          Jon Saperia <saperia@bgs.com>         
+ulpnet          483/tcp    ulpnet
+ulpnet          483/udp    ulpnet
+#                          Kevin Mooney <kevinm@bfs.unibol.com>
+integra-sme     484/tcp    Integra Software Management Environment
+integra-sme     484/udp    Integra Software Management Environment
+#                          Randall Dow <rand@randix.m.isr.de>
+powerburst      485/tcp    Air Soft Power Burst
+powerburst      485/udp    Air Soft Power Burst
+#                          <gary@airsoft.com>
+avian           486/tcp    avian
+avian           486/udp    avian
+#                          Robert Ullmann 
+#                          <Robert_Ullmann/CAM/Lotus.LOTUS@crd.lotus.com>
+saft            487/tcp    saft Simple Asynchronous File Transfer
+saft            487/udp    saft Simple Asynchronous File Transfer
+#                          Ulli Horlacher <framstag@rus.uni-stuttgart.de>
+gss-http        488/tcp    gss-http
+gss-http        488/udp    gss-http
+#                          Doug Rosenthal <rosenthl@krypton.einet.net>
+nest-protocol   489/tcp    nest-protocol
+nest-protocol   489/udp    nest-protocol
+#                          Gil Gameiro <gil_gameiro@novell.com>
+micom-pfs       490/tcp    micom-pfs
+micom-pfs       490/udp    micom-pfs
+#                          David Misunas <DMisunas@micom.com>
+go-login        491/tcp    go-login
+go-login        491/udp    go-login
+#                          Troy Morrison <troy@graphon.com>
+ticf-1          492/tcp    Transport Independent Convergence for FNA
+ticf-1          492/udp    Transport Independent Convergence for FNA
+ticf-2          493/tcp    Transport Independent Convergence for FNA
+ticf-2          493/udp    Transport Independent Convergence for FNA
+#                          Mamoru Ito <Ito@pcnet.ks.pfu.co.jp>
+pov-ray         494/tcp    POV-Ray
+pov-ray         494/udp    POV-Ray
+#                          POV-Team Co-ordinator 
+#                          <iana-port.remove-spamguard@povray.org>
+intecourier     495/tcp    intecourier
+intecourier     495/udp    intecourier
+#                          Steve Favor <sfavor@tigger.intecom.com>
+pim-rp-disc     496/tcp    PIM-RP-DISC
+pim-rp-disc     496/udp    PIM-RP-DISC
+#                          Dino Farinacci <dino@cisco.com>
+dantz           497/tcp    dantz
+dantz           497/udp    dantz
+#                          Richard Zulch <richard_zulch@dantz.com>
+siam            498/tcp    siam
+siam            498/udp    siam
+#                          Philippe Gilbert <pgilbert@cal.fr>
+iso-ill         499/tcp    ISO ILL Protocol
+iso-ill         499/udp    ISO ILL Protocol
+#                          Mark H. Needleman <Mark.Needleman@ucop.edu>
+isakmp          500/tcp    isakmp
+isakmp          500/udp    isakmp
+#                          Mark Schertler <mjs@tycho.ncsc.mil>
+stmf            501/tcp    STMF
+stmf            501/udp    STMF
+#                          Alan Ungar <aungar@farradyne.com>
+asa-appl-proto  502/tcp    asa-appl-proto
+asa-appl-proto  502/udp    asa-appl-proto
+#                          Dennis Dube <ddube@modicon.com>
+intrinsa        503/tcp    Intrinsa
+intrinsa        503/udp    Intrinsa
+#                          Robert Ford <robert@intrinsa.com>
+citadel         504/tcp    citadel
+citadel         504/udp    citadel
+#                          Art Cancro <ajc@uncnsrd.mt-kisco.ny.us>
+mailbox-lm      505/tcp    mailbox-lm
+mailbox-lm      505/udp    mailbox-lm
+#                          Beverly Moody <Beverly_Moody@stercomm.com>
+ohimsrv         506/tcp    ohimsrv
+ohimsrv         506/udp    ohimsrv
+#                          Scott Powell <spowell@openhorizon.com>
+crs             507/tcp    crs
+crs             507/udp    crs
+#                          Brad Wright <bradwr@microsoft.com>
+xvttp           508/tcp    xvttp
+xvttp           508/udp    xvttp
+#                          Keith J. Alphonso <alphonso@ncs-ssc.com>
+snare           509/tcp    snare
+snare           509/udp    snare
+#                          Dennis Batchelder <dennis@capres.com>
+fcp             510/tcp    FirstClass Protocol
+fcp             510/udp    FirstClass Protocol
+#                          Mike Marshburn <paul@softarc.com>
+passgo          511/tcp    PassGo
+passgo          511/udp    PassGo
+#                          John Rainford <jrainford@passgo.com>
+exec            512/tcp    remote process execution;
+#                          authentication performed using
+#                          passwords and UNIX login names
+comsat          512/udp
+biff            512/udp    used by mail system to notify users
+#                          of new mail received; currently
+#                          receives messages only from 
+#                          processes on the same machine
+login           513/tcp    remote login a la telnet;
+#                          automatic authentication performed
+#                          based on priviledged port numbers
+#                          and distributed data bases which
+#                          identify "authentication domains"
+who             513/udp    maintains data bases showing who's
+#                          logged in to machines on a local 
+#                          net and the load average of the
+#                          machine
+shell           514/tcp    cmd
+#                          like exec, but automatic authentication 
+#                          is performed as for login server
+syslog          514/udp
+printer         515/tcp    spooler
+printer         515/udp    spooler
+videotex        516/tcp    videotex
+videotex        516/udp    videotex
+#                          Daniel Mavrakis <system@venus.mctel.fr>
+talk            517/tcp    like tenex link, but across
+#                          machine - unfortunately, doesn't
+#                          use link protocol (this is actually
+#                          just a rendezvous port from which a
+#                          tcp connection is established)
+talk            517/udp    like tenex link, but across
+#                          machine - unfortunately, doesn't
+#                          use link protocol (this is actually
+#                          just a rendezvous port from which a
+#                          tcp connection is established)
+ntalk           518/tcp
+ntalk           518/udp
+utime           519/tcp    unixtime
+utime           519/udp    unixtime
+efs             520/tcp    extended file name server
+router          520/udp    local routing process (on site);
+#                          uses variant of Xerox NS routing
+#                          information protocol - RIP
+ripng           521/tcp    ripng
+ripng           521/udp    ripng
+#                          Robert E. Minnear <minnear@ipsilon.com>
+ulp             522/tcp    ULP    
+ulp             522/udp    ULP    
+#                          Max Morris <maxm@MICROSOFT.com>
+ibm-db2         523/tcp    IBM-DB2
+ibm-db2         523/udp    IBM-DB2
+#                          Peter Pau <pau@VNET.IBM.COM>
+ncp             524/tcp    NCP
+ncp             524/udp    NCP    
+#                          Don Provan <donp@sjf.novell.com>
+timed                  525/tcp    timeserver
+timed           525/udp    timeserver
+tempo          526/tcp    newdate
+tempo          526/udp    newdate
+#                          Unknown
+stx             527/tcp    Stock IXChange
+stx             527/udp    Stock IXChange
+custix          528/tcp    Customer IXChange
+custix          528/udp    Customer IXChange
+#                          Ferdi Ladeira <ferdi.ladeira@ixchange.com> 
+irc-serv        529/tcp    IRC-SERV
+irc-serv        529/udp    IRC-SERV
+#                          Brian Tackett <cym@acrux.net>
+courier         530/tcp    rpc
+courier         530/udp    rpc
+conference      531/tcp    chat
+conference      531/udp    chat
+netnews         532/tcp    readnews
+netnews         532/udp    readnews
+netwall                533/tcp    for emergency broadcasts
+netwall                533/udp    for emergency broadcasts
+mm-admin        534/tcp    MegaMedia Admin
+mm-admin        534/udp    MegaMedia Admin
+#                          Andreas Heidemann <a.heidemann@ais-gmbh.de>
+corba-iiop      535/tcp    iiop
+corba-iiop      535/udp    iiop
+#                          Jeff M.Michaud <michaud@zk3.dec.com>
+opalis-rdv      536/tcp    opalis-rdv
+opalis-rdv      536/udp    opalis-rdv
+#                          Laurent Domenech <laurent@opalis.com>
+nmsp            537/tcp    Networked Media Streaming Protocol
+nmsp            537/udp    Networked Media Streaming Protocol
+#                          Paul Santinelli Jr. <psantinelli@narrative.com>
+gdomap          538/tcp    gdomap
+gdomap          538/udp    gdomap
+#                          Richard Frith-Macdonald <richard@brainstorm.co.uk>
+apertus-ldp     539/tcp    Apertus Technologies Load Determination
+apertus-ldp     539/udp    Apertus Technologies Load Determination
+uucp           540/tcp    uucpd                
+uucp           540/udp    uucpd                
+uucp-rlogin     541/tcp    uucp-rlogin  
+uucp-rlogin     541/udp    uucp-rlogin
+#                          Stuart Lynne <sl@wimsey.com>
+commerce        542/tcp    commerce
+commerce        542/udp    commerce
+#                          Randy Epstein <repstein@host.net>
+klogin          543/tcp
+klogin          543/udp
+kshell                 544/tcp    krcmd
+kshell                 544/udp    krcmd
+appleqtcsrvr    545/tcp    appleqtcsrvr
+appleqtcsrvr    545/udp    appleqtcsrvr
+#                          Murali Ranganathan 
+#                          <Murali_Ranganathan@quickmail.apple.com>
+dhcpv6-client   546/tcp    DHCPv6 Client
+dhcpv6-client   546/udp    DHCPv6 Client
+dhcpv6-server   547/tcp    DHCPv6 Server
+dhcpv6-server   547/udp    DHCPv6 Server
+#                          Jim Bound <bound@zk3.dec.com>
+afpovertcp      548/tcp    AFP over TCP
+afpovertcp      548/udp    AFP over TCP
+#                          Leland Wallace <randall@apple.com>
+idfp            549/tcp    IDFP
+idfp            549/udp    IDFP
+#                          Ramana Kovi <ramana@kovi.com>
+new-rwho        550/tcp    new-who
+new-rwho        550/udp    new-who
+cybercash       551/tcp    cybercash
+cybercash       551/udp    cybercash
+#                          Donald E. Eastlake 3rd <dee@cybercash.com>
+deviceshare     552/tcp    deviceshare
+deviceshare     552/udp    deviceshare
+#                          Brian Schenkenberger <brians@advsyscon.com>
+pirp            553/tcp    pirp
+pirp            553/udp    pirp
+#                          D. J. Bernstein <djb@silverton.berkeley.edu>
+rtsp            554/tcp    Real Time Stream Control Protocol
+rtsp            554/udp    Real Time Stream Control Protocol
+#                         Rob Lanphier <robla@prognet.com>
+dsf/phase-trojan             555/tcp
+dsf/phase-trojan             555/udp
+remotefs        556/tcp    rfs server
+remotefs        556/udp    rfs server
+openvms-sysipc  557/tcp    openvms-sysipc
+openvms-sysipc  557/udp    openvms-sysipc
+#                          Alan Potter <potter@movies.enet.dec.com>
+sdnskmp         558/tcp    SDNSKMP
+sdnskmp         558/udp    SDNSKMP
+teedtap         559/tcp    TEEDTAP
+teedtap         559/udp    TEEDTAP
+#                          Mort Hoffman <hoffman@mail.ndhm.gtegsc.com>
+rmonitor        560/tcp    rmonitord
+rmonitor        560/udp    rmonitord
+monitor         561/tcp
+monitor         561/udp
+chshell         562/tcp    chcmd
+chshell         562/udp    chcmd
+nntps           563/tcp    nntp protocol over TLS/SSL (was snntp)
+nntps           563/udp    nntp protocol over TLS/SSL (was snntp)
+#                          Kipp E.B. Hickman <kipp@netscape.com>
+9pfs            564/tcp    plan 9 file service
+9pfs            564/udp    plan 9 file service
+whoami          565/tcp    whoami
+whoami          565/udp    whoami
+streettalk      566/tcp    streettalk
+streettalk      566/udp    streettalk
+banyan-rpc      567/tcp    banyan-rpc
+banyan-rpc      567/udp    banyan-rpc
+#                          Tom Lemaire <toml@banyan.com>
+ms-shuttle      568/tcp    microsoft shuttle
+ms-shuttle      568/udp    microsoft shuttle
+#                          Rudolph Balaz <rudolphb@microsoft.com>
+ms-rome         569/tcp    microsoft rome
+ms-rome         569/udp    microsoft rome
+#                          Rudolph Balaz <rudolphb@microsoft.com>
+meter           570/tcp    demon
+meter           570/udp    demon
+meter          571/tcp    udemon
+meter          571/udp    udemon
+sonar           572/tcp    sonar
+sonar           572/udp    sonar
+#                          Keith Moore <moore@cs.utk.edu>
+banyan-vip      573/tcp    banyan-vip
+banyan-vip      573/udp    banyan-vip
+#                          Denis Leclerc <DLeclerc@banyan.com>
+ftp-agent       574/tcp    FTP Software Agent System
+ftp-agent       574/udp    FTP Software Agent System
+#                          Michael S. Greenberg <arnoff@ftp.com>
+vemmi           575/tcp    VEMMI
+vemmi           575/udp    VEMMI
+#                          Daniel Mavrakis <mavrakis@mctel.fr>
+ipcd            576/tcp    ipcd
+ipcd            576/udp    ipcd
+vnas            577/tcp    vnas
+vnas            577/udp    vnas
+ipdd            578/tcp    ipdd
+ipdd            578/udp    ipdd
+#                          Jay Farhat <jfarhat@ipass.com>
+decbsrv                579/tcp    decbsrv
+decbsrv                579/udp    decbsrv
+#                         Rudi Martin <movies::martin"@movies.enet.dec.com>
+sntp-heartbeat  580/tcp    SNTP HEARTBEAT
+sntp-heartbeat  580/udp           SNTP HEARTBEAT
+#                         Louis Mamakos <louie@uu.net>
+bdp            581/tcp    Bundle Discovery Protocol
+bdp            581/udp    Bundle Discovery Protocol
+#                         Gary Malkin <gmalkin@xylogics.com>
+scc-security    582/tcp    SCC Security
+scc-security    582/udp           SCC Security
+#                         Prashant Dholakia <prashant@semaphorecom.com>
+philips-vc     583/tcp    Philips Video-Conferencing
+philips-vc     583/udp    Philips Video-Conferencing
+#                         Janna Chang <janna@pmc.philips.com>
+keyserver      584/tcp    Key Server
+keyserver      584/udp    Key Server
+#                         Gary Howland <gary@systemics.com>
+imap4-ssl      585/tcp    IMAP4+SSL (use 993 instead)
+imap4-ssl      585/udp    IMAP4+SSL (use 993 instead)
+#                         Terry Gray <gray@cac.washington.edu>
+#               Use of 585 is not recommended, use 993 instead
+password-chg   586/tcp    Password Change
+password-chg   586/udp    Password Change
+submission     587/tcp    Submission
+submission     587/udp    Submission
+#                         Randy Gellens <randy@qualcomm.com>
+cal            588/tcp    CAL
+cal            588/udp    CAL
+#                         Myron Hattig <Myron_Hattig@ccm.jf.intel.com>
+eyelink                589/tcp    EyeLink
+eyelink                589/udp    EyeLink
+#                         Dave Stampe <dstampe@psych.toronto.edu>
+tns-cml                590/tcp    TNS CML
+tns-cml                590/udp    TNS CML
+#                         Jerome Albin <albin@taec.enet.dec.com>
+http-alt       591/tcp    FileMaker, Inc. - HTTP Alternate (see Port 80)
+http-alt       591/udp    FileMaker, Inc. - HTTP Alternate (see Port 80)
+#                         Clay Maeckel <clay_maeckel@filemaker.com>
+eudora-set     592/tcp    Eudora Set
+eudora-set     592/udp    Eudora Set
+#                         Randall Gellens <randy@qualcomm.com>
+http-rpc-epmap  593/tcp    HTTP RPC Ep Map
+http-rpc-epmap  593/udp    HTTP RPC Ep Map
+#                         Edward Reus <edwardr@microsoft.com>
+tpip           594/tcp    TPIP
+tpip           594/udp    TPIP
+#                         Brad Spear <spear@platinum.com>
+cab-protocol   595/tcp    CAB Protocol
+cab-protocol   595/udp    CAB Protocol
+#                         Winston Hetherington
+smsd           596/tcp    SMSD
+smsd           596/udp    SMSD
+#                         Wayne Barlow <web@unx.dec.com>
+ptcnameservice 597/tcp    PTC Name Service
+ptcnameservice 597/udp    PTC Name Service
+#                         Yuri Machkasov <yuri@ptc.com>
+sco-websrvrmg3 598/tcp    SCO Web Server Manager 3
+sco-websrvrmg3 598/udp    SCO Web Server Manager 3
+#                         Simon Baldwin <simonb@sco.com>
+acp            599/tcp    Aeolon Core Protocol
+acp            599/udp    Aeolon Core Protocol
+#                         Michael Alyn Miller <malyn@aeolon.com>
+ipcserver/backdoor 600/tcp    Sun IPC server
+ipcserver/backdoor 600/udp    Sun IPC server
+#                          Bill Schiefelbein <schief@aspen.cray.com>
+#               601-605    Unassigned
+urm             606/tcp    Cray Unified Resource Manager
+urm             606/udp    Cray Unified Resource Manager
+nqs            607/tcp    nqs
+nqs            607/udp    nqs
+#                          Bill Schiefelbein <schief@aspen.cray.com>
+sift-uft        608/tcp    Sender-Initiated/Unsolicited File Transfer 
+sift-uft        608/udp    Sender-Initiated/Unsolicited File Transfer
+#                          Rick Troth <troth@rice.edu>
+npmp-trap       609/tcp    npmp-trap
+npmp-trap       609/udp    npmp-trap
+npmp-local      610/tcp    npmp-local
+npmp-local      610/udp    npmp-local
+npmp-gui        611/tcp    npmp-gui  
+npmp-gui        611/udp    npmp-gui  
+#                          John Barnes <jbarnes@crl.com>
+hmmp-ind       612/tcp    HMMP Indication
+hmmp-ind       612/udp    HMMP Indication
+hmmp-op                613/tcp    HMMP Operation
+hmmp-op                613/udp    HMMP Operation
+#                         Andrew Sinclair <andrsin@microsoft.com>
+sshell         614/tcp    SSLshell
+sshell         614/udp    SSLshell
+#                         Simon J. Gerraty <sjg@quick.com.au>
+sco-inetmgr    615/tcp    Internet Configuration Manager
+sco-inetmgr    615/udp    Internet Configuration Manager
+sco-sysmgr     616/tcp    SCO System Administration Server
+sco-sysmgr     616/udp    SCO System Administration Server
+sco-dtmgr      617/tcp    SCO Desktop Administration Server
+sco-dtmgr      617/udp    SCO Desktop Administration Server
+#                         Christopher Durham <chrisdu@sco.com>
+dei-icda       618/tcp    DEI-ICDA
+dei-icda       618/udp    DEI-ICDA
+#                         David Turner <digital@Quetico.tbaytel.net>
+digital-evm    619/tcp    Digital EVM
+digital-evm    619/udp    Digital EVM
+#                         Jem Treadwell <jem@unx.dec.com>
+sco-websrvrmgr  620/tcp    SCO WebServer Manager
+sco-websrvrmgr  620/udp    SCO WebServer Manager
+#                         Christopher Durham <chrisdu@sco.com>
+escp-ip                621/tcp    ESCP
+escp-ip                621/udp    ESCP
+#                         Lai Zit Seng <lzs@pobox.com>
+collaborator   622/tcp    Collaborator
+collaborator   622/udp    Collaborator
+#                         Johnson Davis <johnsond@opteamasoft.com>
+aux_bus_shunt  623/tcp    Aux Bus Shunt
+aux_bus_shunt  623/udp    Aux Bus Shunt
+#                         Steve Williams <Steven_D_Williams@ccm.jf.intel.com>
+cryptoadmin    624/tcp    Crypto Admin
+cryptoadmin    624/udp    Crypto Admin
+#                         Tony Walker <tony@cryptocard.com>
+dec_dlm                625/tcp    DEC DLM
+dec_dlm                625/udp    DEC DLM
+#                         Rudi Martin <Rudi.Martin@edo.mts.dec.com>
+asia           626/tcp    ASIA
+asia           626/udp    ASIA
+#                         Michael Dasenbrock <dasenbro@apple.com>
+passgo-tivoli  627/tcp    PassGo Tivoli
+passgo-tivoli  627/udp    PassGo Tivoli
+#                         Chris Hall <chall@passgo.com>
+qmqp           628/tcp    QMQP
+qmqp           628/udp    QMQP
+#                         Dan Bernstein <djb@cr.yp.to>
+3com-amp3      629/tcp    3Com AMP3
+3com-amp3      629/udp    3Com AMP3
+#                         Prakash Banthia <prakash_banthia@3com.com>
+rda            630/tcp    RDA
+rda            630/udp    RDA
+#                         John Hadjioannou <john@minster.co.uk>
+ipp            631/tcp    IPP (Internet Printing Protocol)
+ipp            631/udp    IPP (Internet Printing Protocol)
+#                         Carl-Uno Manros <manros@cp10.es.xerox.com>
+bmpp           632/tcp    bmpp
+bmpp           632/udp    bmpp
+#                         Troy Rollo <troy@kroll.corvu.com.au> 
+servstat       633/tcp    Service Status update (Sterling Software)
+servstat       633/udp    Service Status update (Sterling Software)
+#                          Greg Rose <Greg_Rose@sydney.sterling.com>
+ginad           634/tcp    ginad
+ginad           634/udp    ginad
+#                          Mark Crother <mark@eis.calstate.edu>
+mountd/rlzdbase 635/tcp    RLZ DBase
+mountd/rlzdbase 635/udp    RLZ DBase
+#                          Michael Ginn <ginn@tyxar.com>
+ldaps           636/tcp    ldap protocol over TLS/SSL (was sldap)
+ldaps           636/udp    ldap protocol over TLS/SSL (was sldap)
+#                          Pat Richard <patr@xcert.com>
+lanserver       637/tcp    lanserver
+lanserver       637/udp    lanserver
+#                          Chris Larsson <clarsson@VNET.IBM.COM>
+mcns-sec       638/tcp    mcns-sec
+mcns-sec       638/udp    mcns-sec
+#                         Kaz Ozawa <k.ozawa@cablelabs.com>
+msdp           639/tcp    MSDP
+msdp           639/udp    MSDP
+#                         Dino Farinacci <dino@cisco.com>
+entrust-sps    640/tcp    entrust-sps
+entrust-sps    640/udp    entrust-sps
+#                         Marek Buchler <Marek.Buchler@entrust.com>
+repcmd         641/tcp    repcmd
+repcmd         641/udp    repcmd
+#                         Scott Dale <scott@Replicase.com>
+esro-emsdp     642/tcp    ESRO-EMSDP V1.3
+esro-emsdp     642/udp    ESRO-EMSDP V1.3
+#                         Mohsen Banan <mohsen@neda.com> 
+sanity         643/tcp    SANity
+sanity         643/udp    SANity
+#                         Peter Viscarola <PeterGV@osr.com>
+dwr            644/tcp    dwr
+dwr            644/udp    dwr
+#                         Bill Fenner <fenner@parc.xerox.com>
+pssc           645/tcp    PSSC
+pssc           645/udp    PSSC
+#                         Egon Meier-Engelen <egon.meier-engelen@dlr.de>
+ldp            646/tcp    LDP
+ldp            646/udp    LDP
+#                         Bob Thomas <rhthomas@cisco.com>
+dhcp-failover   647/tcp    DHCP Failover
+dhcp-failover   647/udp    DHCP Failover
+#                          Bernard Volz <volz@ipworks.com> 
+rrp            648/tcp    Registry Registrar Protocol (RRP)
+rrp            648/udp    Registry Registrar Protocol (RRP)
+#                         Scott Hollenbeck <shollenb@netsol.com>       
+aminet         649/tcp    Aminet
+aminet         649/udp    Aminet
+#                         Martin Toeller <mtoeller@adaptivemedia.com> 
+obex           650/tcp    OBEX
+obex           650/udp    OBEX
+#                         Jeff Garbers <FJG030@email.mot.com>
+ieee-mms       651/tcp    IEEE MMS
+ieee-mms       651/udp    IEEE MMS
+#                         Curtis Anderson <canderson@turbolinux.com>
+udlr-dtcp      652/tcp    UDLR_DTCP    
+udlr-dtcp      652/udp    UDLR_DTCP    
+#                         Patrick Cipiere <Patrick.Cipiere@sophia.inria.fr>
+repscmd                653/tcp    RepCmd
+repscmd                653/udp    RepCmd
+#                         Scott Dale <scott@tioga.com>
+aodv           654/tcp    AODV
+aodv           654/udp    AODV
+#                         Charles Perkins <cperkins@eng.sun.com>
+tinc           655/tcp    TINC
+tinc           655/udp    TINC
+#                         Ivo Timmermans <itimmermans@bigfoot.com>
+spmp           656/tcp    SPMP
+spmp           656/udp    SPMP
+#                         Jakob Kaivo <jkaivo@nodomainname.net>
+rmc            657/tcp    RMC
+rmc            657/udp    RMC
+#                         Michael Schmidt <mmaass@us.ibm.com>
+tenfold                658/tcp    TenFold
+tenfold                658/udp    TenFold
+#                         Louis Olszyk <lolszyk@10fold.com>
+url-rendezvous 659/tcp    URL Rendezvous
+url-rendezvous 659/udp    URL Rendezvous
+#                         Liming Wei <lwei@cisco.com>
+mac-srvr-admin 660/tcp    MacOS Server Admin
+mac-srvr-admin 660/udp    MacOS Server Admin
+#                         Forest Hill <forest@apple.com>
+hap            661/tcp    HAP
+hap            661/udp    HAP
+#                         Igor Plotnikov <igor@uroam.com>
+pftp           662/tcp    PFTP
+pftp           662/udp    PFTP
+#                         Ben Schluricke <pftp@star.trek.org>
+purenoise      663/tcp    PureNoise
+purenoise      663/udp    PureNoise
+#                         Sam Osa <pristine@mailcity.com>
+secure-aux-bus 664/tcp    Secure Aux Bus
+secure-aux-bus 664/udp    Secure Aux Bus
+#                         Steven Williams <steven.d.williams@intel.com>
+sun-dr         665/tcp    Sun DR
+sun-dr         665/udp    Sun DR
+#                         Harinder Bhasin <Harinder.Bhasin@Sun.COM>
+mdqs            666/tcp        
+mdqs            666/udp        
+doom            666/tcp    doom Id Software
+doom            666/udp    doom Id Software
+#                          <ddt@idcube.idsoftware.com>
+disclose        667/tcp    campaign contribution disclosures - SDR Technologies
+disclose        667/udp    campaign contribution disclosures - SDR Technologies
+#                          Jim Dixon  <jim@lambda.com>
+mecomm          668/tcp    MeComm
+mecomm          668/udp    MeComm
+meregister      669/tcp    MeRegister
+meregister      669/udp    MeRegister
+#                          Armin Sawusch <armin@esd1.esd.de>
+vacdsm-sws      670/tcp    VACDSM-SWS
+vacdsm-sws      670/udp    VACDSM-SWS
+vacdsm-app      671/tcp    VACDSM-APP
+vacdsm-app      671/udp    VACDSM-APP
+vpps-qua        672/tcp    VPPS-QUA
+vpps-qua        672/udp    VPPS-QUA
+cimplex         673/tcp    CIMPLEX
+cimplex         673/udp    CIMPLEX
+#                          Ulysses G. Smith Jr. <ugsmith@cesi.com>
+acap           674/tcp    ACAP
+acap           674/udp    ACAP
+#                         Chris Newman <Chris.Newman@innosoft.com>
+dctp           675/tcp    DCTP
+dctp           675/udp    DCTP
+#                         Andre Kramer <Andre.Kramer@ansa.co.uk>
+vpps-via       676/tcp    VPPS Via
+vpps-via       676/udp    VPPS Via
+#                         Ulysses G. Smith Jr. <ugsmith@cesi.com>
+vpp            677/tcp    Virtual Presence Protocol 
+vpp            677/udp    Virtual Presence Protocol 
+#                         Klaus Wolf <wolf@cobrow.com>
+ggf-ncp                678/tcp    GNU Gereration Foundation NCP
+ggf-ncp                678/udp    GNU Generation Foundation NCP
+#                         Noah Paul <noahp@altavista.net>
+mrm            679/tcp    MRM
+mrm            679/udp    MRM
+#                         Liming Wei <lwei@cisco.com>
+entrust-aaas   680/tcp    entrust-aaas 
+entrust-aaas   680/udp    entrust-aaas 
+entrust-aams   681/tcp    entrust-aams
+entrust-aams   681/udp    entrust-aams
+#                         Adrian Mancini <adrian.mancini@entrust.com>
+xfr            682/tcp    XFR
+xfr            682/udp    XFR
+#                         Noah Paul <noahp@ultranet.com>
+corba-iiop     683/tcp    CORBA IIOP 
+corba-iiop     683/udp    CORBA IIOP 
+corba-iiop-ssl 684/tcp    CORBA IIOP SSL
+corba-iiop-ssl 684/udp    CORBA IIOP SSL
+#                         Henry Lowe <lowe@omg.org>
+mdc-portmapper 685/tcp    MDC Port Mapper
+mdc-portmapper 685/udp    MDC Port Mapper
+#                         Noah Paul <noahp@altavista.net>
+hcp-wismar     686/tcp    Hardware Control Protocol Wismar
+hcp-wismar     686/udp    Hardware Control Protocol Wismar
+#                         David Merchant <d.f.merchant@livjm.ac.uk>    
+asipregistry   687/tcp    asipregistry
+asipregistry   687/udp    asipregistry
+#                         Erik Sea <sea@apple.com>
+realm-rusd     688/tcp    REALM-RUSD
+realm-rusd     688/udp    REALM-RUSD
+#                         Jerry Knight <jknight@realminfo.com>
+nmap           689/tcp    NMAP
+nmap           689/udp    NMAP
+#                         Peter Dennis Bartok <peter@novonyx.com>
+vatp           690/tcp    VATP
+vatp           690/udp    VATP
+#                         Atica Software <comercial@aticasoft.es>
+msexch-routing 691/tcp    MS Exchange Routing
+msexch-routing 691/udp    MS Exchange Routing
+#                         David Lemson <dlemson@microsoft.com>
+hyperwave-isp  692/tcp    Hyperwave-ISP
+hyperwave-isp  692/udp    Hyperwave-ISP
+#                         Gerald Mesaric <gmesaric@hyperwave.com>
+connendp       693/tcp    connendp
+connendp       693/udp    connendp
+#                         Ronny Bremer <rbremer@future-gate.com>
+ha-cluster     694/tcp    ha-cluster
+ha-cluster     694/udp    ha-cluster
+#                         Alan Robertson <alanr@bell-labs.com>
+ieee-mms-ssl    695/tcp    IEEE-MMS-SSL
+ieee-mms-ssl    695/udp    IEEE-MMS-SSL
+#                          Curtis Anderson <ecanderson@turbolinux.com> 
+rushd           696/tcp    RUSHD
+rushd           696/udp    RUSHD
+#                          Greg Ercolano <erco@netcom.com>
+uuidgen         697/tcp    UUIDGEN
+uuidgen         697/udp    UUIDGEN
+#                          James Falkner <jhf@eng.sun.com>
+olsr            698/tcp    OLSR
+olsr            698/udp    OLSR
+#                          Thomas Clausen <thomas.clausen@inria.fr>   
+accessnetwork   699/tcp    Access Network
+accessnetwork   699/udp    Access Network
+#                          Yingchun Xu <Yingchun_Xu@3com.com>
+#               700-703    Unassigned
+elcsd          704/tcp    errlog copy/server daemon
+elcsd          704/udp    errlog copy/server daemon
+agentx         705/tcp    AgentX
+agentx         705/udp    AgentX
+#                         Bob Natale <natale@acec.com>
+silc           706/tcp    SILC
+silc            706/udp    SILC
+#                          Pekka Riikonen <priikone@poseidon.pspt.fi>  
+borland-dsj    707/tcp    Borland DSJ
+borland-dsj    707/udp    Borland DSJ
+#                         Gerg Cole <gcole@corp.borland.com>
+#              708        Unassigned
+entrust-kmsh    709/tcp    Entrust Key Management Service Handler
+entrust-kmsh    709/udp    Entrust Key Management Service Handler
+entrust-ash     710/tcp    Entrust Administration Service Handler
+entrust-ash     710/udp    Entrust Administration Service Handler
+#                          Peter Whittaker <pww@entrust.com>
+cisco-tdp      711/tcp    Cisco TDP
+cisco-tdp      711/udp    Cisco TDP
+#                         Bruce Davie <bsd@cisco.com>
+#               712-728    Unassigned
+netviewdm1      729/tcp    IBM NetView DM/6000 Server/Client
+netviewdm1      729/udp    IBM NetView DM/6000 Server/Client
+netviewdm2      730/tcp    IBM NetView DM/6000 send/tcp
+netviewdm2      730/udp    IBM NetView DM/6000 send/tcp
+netviewdm3      731/tcp    IBM NetView DM/6000 receive/tcp
+netviewdm3      731/udp    IBM NetView DM/6000 receive/tcp
+#                          Philippe Binet  (phbinet@vnet.IBM.COM)
+#               732-740    Unassigned           
+netgw           741/tcp    netGW
+netgw           741/udp    netGW
+#                          Oliver Korfmacher (okorf@netcs.com)
+netrcs          742/tcp    Network based Rev. Cont. Sys.
+netrcs          742/udp    Network based Rev. Cont. Sys.
+#                          Gordon C. Galligher <gorpong@ping.chi.il.us>
+#               743        Unassigned
+flexlm          744/tcp    Flexible License Manager
+flexlm          744/udp    Flexible License Manager
+#                          Matt Christiano
+#                          <globes@matt@oliveb.atc.olivetti.com> 
+#               745-746    Unassigned
+fujitsu-dev     747/tcp    Fujitsu Device Control
+fujitsu-dev     747/udp    Fujitsu Device Control
+ris-cm          748/tcp    Russell Info Sci Calendar Manager
+ris-cm          748/udp    Russell Info Sci Calendar Manager
+kerberos-adm    749/tcp    kerberos administration
+kerberos-adm    749/udp    kerberos administration
+rfile          750/tcp
+loadav          750/udp
+kerberos-iv     750/udp    kerberos version iv
+#                          Martin Hamilton <martin@mrrl.lut.as.uk>
+pump           751/tcp
+pump           751/udp
+qrh            752/tcp
+qrh            752/udp
+rrh                    753/tcp
+rrh            753/udp
+tell           754/tcp    send
+tell           754/udp    send
+#                          Josyula R. Rao <jrrao@watson.ibm.com>
+#               755-756    Unassigned
+nlogin         758/tcp
+nlogin         758/udp
+con            759/tcp
+con            759/udp
+ns             760/tcp
+ns             760/udp
+rxe            761/tcp
+rxe            761/udp
+quotad         762/tcp
+quotad         762/udp
+cycleserv       763/tcp
+cycleserv       763/udp
+omserv         764/tcp
+omserv         764/udp
+webster                765/tcp
+webster                765/udp
+#                          Josyula R. Rao <jrrao@watson.ibm.com>
+#               766        Unassigned
+phonebook       767/tcp           phone
+phonebook       767/udp           phone
+#                          Josyula R. Rao <jrrao@watson.ibm.com>
+#               768        Unassigned
+vid            769/tcp
+vid            769/udp
+cadlock         770/tcp
+cadlock         770/udp
+rtip           771/tcp
+rtip           771/udp
+cycleserv2      772/tcp
+cycleserv2      772/udp
+submit         773/tcp
+notify         773/udp
+rpasswd                774/tcp
+acmaint_dbd     774/udp
+entomb         775/tcp
+acmaint_transd 775/udp
+wpages         776/tcp
+wpages          776/udp
+#                          Josyula R. Rao <jrrao@watson.ibm.com>
+multiling-http 777/tcp    Multiling HTTP
+multiling-http 777/udp    Multiling HTTP
+#                         Alejandro Bonet <babel@ctv.es>
+#              778-779    Unassigned
+wpgs           780/tcp
+wpgs           780/udp
+#                          Josyula R. Rao <jrrao@watson.ibm.com>
+#               781-785    Unassigned
+concert         786/tcp    Concert
+concert         786/udp    Concert
+#                          Josyula R. Rao <jrrao@watson.ibm.com>
+qsc            787/tcp    QSC
+qsc            787/udp    QSC 
+#                         James Furness <furn@bluenews.com>
+#               788-799    Unassigned
+mdbs_daemon    800/tcp 
+mdbs_daemon    800/udp 
+device         801/tcp
+device         801/udp
+#              802-809    Unassigned
+fcp-udp                810/tcp    FCP
+fcp-udp                810/udp    FCP Datagram
+#                         Paul Whittemore <paul@softarc.com>
+#              811-827    Unassigned
+itm-mcell-s    828/tcp    itm-mcell-s
+itm-mcell-s    828/udp    itm-mcell-s
+#                         Miles O'Neal <meo@us.itmasters.com>
+pkix-3-ca-ra   829/tcp    PKIX-3 CA/RA
+pkix-3-ca-ra    829/udp    PKIX-3 CA/RA
+#                         Carlisle Adams <Cadams@entrust.com>
+#               830-846    Unassigned
+dhcp-failover2  847/tcp    dhcp-failover 2
+dhcp-failover2  847/udp    dhcp-failover 2
+#                          Bernard Volz <volz@ipworks.com> 
+#              848-872    Unassigned
+rsync          873/tcp    rsync
+rsync          873/udp    rsync
+#                         Andrew Tridgell <tridge@samba.anu.edu.au>
+#              874-885    Unassigned
+iclcnet-locate  886/tcp    ICL coNETion locate server
+iclcnet-locate  886/udp    ICL coNETion locate server
+#                          Bob Lyon <bl@oasis.icl.co.uk>
+iclcnet_svinfo  887/tcp    ICL coNETion server info
+iclcnet_svinfo  887/udp    ICL coNETion server info
+#                          Bob Lyon <bl@oasis.icl.co.uk>
+accessbuilder   888/tcp    AccessBuilder
+accessbuilder   888/udp    AccessBuilder
+#                          Steve Sweeney <Steven_Sweeney@3mail.3com.com>
+# The following entry records an unassigned but widespread use
+cddbp           888/tcp    CD Database Protocol
+#                          Steve Scherf <steve@moonsoft.com>
+#
+#              889-899    Unassigned
+omginitialrefs  900/tcp    OMG Initial Refs
+omginitialrefs  900/udp    OMG Initial Refs
+#                         Christian Callsen <Christian.Callsen@eng.sun.com>
+smpnameres      901/tcp    SMPNAMERES
+smpnameres      901/udp    SMPNAMERES
+#                          Leif Ekblad <leif@rdos.net>
+ideafarm-chat   902/tcp    IDEAFARM-CHAT
+ideafarm-chat   902/udp    IDEAFARM-CHAT
+ideafarm-catch  903/tcp    IDEAFARM-CATCH
+ideafarm-catch  903/udp    IDEAFARM-CATCH
+#                          Wo'o Ideafarm <wo@ideafarm.com> 
+#               904-910    Unassigned
+xact-backup     911/tcp    xact-backup
+xact-backup     911/udp    xact-backup
+#                          Bill Carroll <billc@xactlabs.com>
+#               912-988    Unassigned
+ftps-data      989/tcp    ftp protocol, data, over TLS/SSL
+ftps-data      989/udp    ftp protocol, data, over TLS/SSL
+ftps           990/tcp    ftp protocol, control, over TLS/SSL
+ftps           990/udp    ftp protocol, control, over TLS/SSL
+#                         Christopher Allen <ChristopherA@consensus.com>
+nas            991/tcp    Netnews Administration System
+nas            991/udp    Netnews Administration System
+#                         Vera Heinau <heinau@fu-berlin.de>
+#                         Heiko Schlichting <heiko@fu-berlin.de>
+telnets                992/tcp    telnet protocol over TLS/SSL
+telnets                992/udp    telnet protocol over TLS/SSL
+imaps          993/tcp    imap4 protocol over TLS/SSL
+imaps          993/udp    imap4 protocol over TLS/SSL
+ircs           994/tcp    irc protocol over TLS/SSL
+ircs           994/udp    irc protocol over TLS/SSL
+#                         Christopher Allen <ChristopherA@consensus.com>
+pop3s           995/tcp    pop3 protocol over TLS/SSL (was spop3)
+pop3s           995/udp    pop3 protocol over TLS/SSL (was spop3)
+#                          Gordon Mangione <gordm@microsoft.com>
+vsinet          996/tcp    vsinet
+vsinet          996/udp    vsinet
+#                          Rob Juergens <robj@vsi.com>
+maitrd         997/tcp
+maitrd         997/udp
+busboy         998/tcp
+puparp         998/udp
+garcon         999/tcp
+applix         999/udp        Applix ac
+puprouter      999/tcp
+puprouter      999/udp
+cadlock2       1000/tcp
+cadlock2       1000/udp
+#               1001-1009      Unassigned
+#              1008/udp   Possibly used by Sun Solaris????
+surf           1010/tcp       surf
+surf           1010/udp       surf
+#                             Joseph Geer <jgeer@peapod.com>    
+#              1011-1022      Reserved
+                1023/tcp       Reserved
+               1023/udp       Reserved
+#                              IANA <iana@iana.org>
+
+
+
+REGISTERED PORT NUMBERS
+
+The Registered Ports are listed by the IANA and on most systems can be
+used by ordinary user processes or programs executed by ordinary
+users.
+
+Ports are used in the TCP [RFC793] to name the ends of logical
+connections which carry long term conversations.  For the purpose of
+providing services to unknown callers, a service contact port is
+defined.  This list specifies the port used by the server process as
+its contact port.
+
+The IANA registers uses of these ports as a convienence to the
+community.
+
+To the extent possible, these same port assignments are used with the
+UDP [RFC768].
+
+The Registered Ports are in the range 1024-49151.
+
+Port Assignments:
+
+Keyword         Decimal    Description                     References
+-------         -------    -----------                     ----------
+                1024/tcp   Reserved            
+                1024/udp   Reserved             
+#                          IANA <iana@iana.org>
+blackjack      1025/tcp   network blackjack
+blackjack      1025/udp   network blackjack
+#                         Unknown contact
+#               1026-1029  Unassigned 
+iad1            1030/tcp   BBN IAD
+iad1            1030/udp   BBN IAD
+iad2            1031/tcp   BBN IAD
+iad2            1031/udp   BBN IAD
+iad3            1032/tcp   BBN IAD
+iad3            1032/udp   BBN IAD
+#                          Andy Malis <malis_a@timeplex.com>
+#               1033-1039  Unassigned
+netarx          1040/tcp   Netarx
+netarx          1040/udp   Netarx
+#                          Fredrick Paul Eisele <phreed@netarx.com>
+#               1041-1046  Unassigned
+neod1           1047/tcp   Sun's NEO Object Request Broker
+neod1           1047/udp   Sun's NEO Object Request Broker
+neod2           1048/tcp   Sun's NEO Object Request Broker
+neod2           1048/udp   Sun's NEO Object Request Broker
+#                          Rohit Garg <rohit.garg@eng.sun.com>
+td-postman      1049/tcp   Tobit David Postman VPMN
+td-postman      1049/udp   Tobit David Postman VPMN
+#                          Franz-Josef Leuders <development@tobit.com>
+cma             1050/tcp   CORBA Management Agent
+cma             1050/udp   CORBA Management Agent
+#                          Ramy Zaarour <ramy@lumos.com>  
+optima-vnet     1051/tcp   Optima VNET
+optima-vnet     1051/udp   Optima VNET
+#                          Ralf Doewich <ralf.doewich@optimatele.com>
+ddt             1052/tcp   Dynamic DNS Tools
+ddt             1052/udp   Dynamic DNS Tools
+#                          Remi Lefebvre <remi@debian.org>
+remote-as       1053/tcp   Remote Assistant (RA)
+remote-as       1053/udp   Remote Assistant (RA)
+#                          Roman Kriis <roman@previo.ee>   
+brvread         1054/tcp   BRVREAD
+brvread         1054/udp   BRVREAD
+#                          Gilles Roussel <groussel@eu-symtrax.com>
+ansyslmd        1055/tcp   ANSYS - License Manager 
+ansyslmd        1055/udp   ANSYS - License Manager
+#                          Suzanne Lorrin <suzanne.lorrin@ansys.com>
+vfo             1056/tcp   VFO
+vfo             1056/udp   VFO 
+#                          Anthony Gonzalez <agonzal1@telcordia.com>
+startron        1057/tcp   STARTRON
+startron        1057/udp   STARTRON
+#                          Markus Sabadello <sabadello@startron.org> 
+nim             1058/tcp   nim
+nim             1058/udp   nim
+nimreg          1059/tcp   nimreg
+nimreg          1059/udp   nimreg
+#                          Robert Gordon <rbg@austin.ibm.com>
+polestar        1060/tcp   POLESTAR
+polestar        1060/udp   POLESTAR
+#                          Masakuni Okada <masakuni@jp.ibm.com>
+kiosk           1061/tcp   KIOSK
+kiosk           1061/udp   KIOSK
+#                          Howard Buck <hbuck@maytag.com>
+veracity        1062/tcp   Veracity
+veracity        1062/udp   Veracity
+#                          Ross Williams <ross@rocksoft.com>
+kyoceranetdev   1063/tcp   KyoceraNetDev
+kyoceranetdev   1063/udp   KyoceraNetDev
+#                          Shigenaka Kanemitsu 
+#                          <Shigenaka_Kanemitsu@ypd.kyocera.co.jp>
+jstel           1064/tcp   JSTEL
+jstel           1064/udp   JSTEL
+#                          Duane Kiser <dkiser@jsexpress.com> 
+syscomlan       1065/tcp   SYSCOMLAN
+syscomlan       1065/udp   SYSCOMLAN
+#                          Henri Schultze
+#                          <Henri.Schultze@sig-positec-systems.ch>  
+fpo-fns         1066/tcp   FPO-FNS
+fpo-fns         1066/udp   FPO-FNS
+#                          Jens Klose <jklose@intercope.com>
+instl_boots     1067/tcp   Installation Bootstrap Proto. Serv. 
+instl_boots     1067/udp   Installation Bootstrap Proto. Serv. 
+instl_bootc     1068/tcp   Installation Bootstrap Proto. Cli.  
+instl_bootc     1068/udp   Installation Bootstrap Proto. Cli.  
+#                          David Arko <darko@hpfcrn.fc.hp.com>
+cognex-insight  1069/tcp   COGNEX-INSIGHT
+cognex-insight  1069/udp   COGNEX-INSIGHT
+#                          Steve Olson <solson@cognex.com>
+gmrupdateserv   1070/tcp   GMRUpdateSERV
+gmrupdateserv   1070/udp   GMRUpdateSERV
+#                          Steve Kellogg <stevekellogg@mezzogmr.com>
+bsquare-voip    1071/tcp   BSQUARE-VOIP
+bsquare-voip    1071/udp   BSQUARE-VOIP
+#                          Yen Lee <YenL@bsquare.com>
+cardax          1072/tcp   CARDAX
+cardax          1072/udp   CARDAX
+#                          Charles Oram <charleso@cardax.com>
+bridgecontrol   1073/tcp   BridgeControl
+bridgecontrol   1073/udp   BridgeControl
+#                          Andy Heron <andy.p.heron@bt.com>
+fastechnologlm  1074/tcp   FASTechnologies License Manager
+fastechnologlm  1074/udp   FASTechnologies License Manager
+#                          Robert C. Henningsgard
+#                          <rhenn@fastechnologies.com>
+rdrmshc         1075/tcp   RDRMSHC
+rdrmshc         1075/udp   RDRMSHC
+#                          Ericko Shimada <eriko@kel.fujitsu.co.jp> 
+dab-sti-c       1076/tcp   DAB STI-C
+dab-sti-c       1076/udp   DAB STI-C
+#                          World DAB <worlddab_irc@worlddab.org>
+imgames         1077/tcp   IMGames
+imgames         1077/udp   IMGames
+#                          Jean A. Ames <engr-admin@flipside.com>
+emanagecstp     1078/tcp   eManageCstp
+emanagecstp     1078/udp   eManageCstp
+#                          Steven W. Clark <sclark@equinox.com> 
+asprovatalk     1079/tcp   ASPROVATalk
+asprovatalk     1079/udp   ASPROVATalk
+#                          Chiew Farn Chung <cfchung@asprova.com>
+socks           1080/tcp   Socks    
+socks           1080/udp   Socks    
+#                          Ying-Da Lee <ylee@syl.dl.nec.com
+pvuniwien       1081/tcp   PVUNIWIEN
+pvuniwien       1081/udp   PVUNIWIEN
+#                          Peter Lipp <Peter.Lipp@iaik.at>
+amt-esd-prot    1082/tcp   AMT-ESD-PROT
+amt-esd-prot    1082/udp   AMT-ESD-PROT 
+#                          AMTEC S.p.A <sp.amtec@interbusiness.it>
+ansoft-lm-1     1083/tcp   Anasoft License Manager
+ansoft-lm-1     1083/udp   Anasoft License Manager
+ansoft-lm-2     1084/tcp   Anasoft License Manager
+ansoft-lm-2     1084/udp   Anasoft License Manager
+webobjects     1085/tcp   Web Objects
+webobjects     1085/udp   Web Objects
+#                         Andy Belk <abelk@apple.com>
+cplscrambler-lg 1086/tcp   CPL Scrambler Logging
+cplscrambler-lg 1086/udp   CPL Scrambler Logging
+cplscrambler-in 1087/tcp   CPL Scrambler Internal
+cplscrambler-in 1087/udp   CPL Scrambler Internal 
+cplscrambler-al 1088/tcp   CPL Scrambler Alarm Log
+cplscrambler-al 1088/udp   CPL Scrambler Alarm Log
+#                          Richard Corn <rac@racc.com> 
+ff-annunc       1089/tcp   FF Annunciation 
+ff-annunc       1089/udp   FF Annunciation 
+ff-fms          1090/tcp   FF Fieldbus Message Specification 
+ff-fms          1090/udp   FF Fieldbus Message Specification
+ff-sm           1091/tcp   FF System Management
+ff-sm           1091/udp   FF System Management
+#                          Fieldbus Foundation <dglanzer@fieldbus.org>
+obrpd           1092/tcp   OBRPD
+obrpd           1092/udp   OBRPD
+#                          William Randolph Royere III <royere@obrs.org> 
+proofd          1093/tcp   PROOFD
+proofd          1093/udp   PROOFD
+rootd           1094/tcp   ROOTD
+rootd           1094/udp   ROOTD
+#                          Fons Rademakers <Fons.Rademakers@cern.ch>
+nicelink        1095/tcp   NICELink
+nicelink        1095/udp   NICELink
+#                          Jordi Lisbona <jlisbona@tango04.net>   
+cnrprotocol     1096/tcp   Common Name Resolution Protocol
+cnrprotocol     1096/udp   Common Name Resolution Protocol
+#                          Michael Mealling <michaelm@netsol.com> 
+sunclustermgr  1097/tcp   Sun Cluster Manager
+sunclustermgr  1097/udp   Sun Cluster Manager
+#                         Ashit Patel <Ashit.Patel@eng.Sun.COM>
+rmiactivation  1098/tcp   RMI Activation
+rmiactivation  1098/udp   RMI Activation
+rmiregistry    1099/tcp   RMI Registry
+rmiregistry    1099/udp   RMI Registry
+#                         Adrain Colley <Adrian.Colley@East.Sun.COM>
+mctp            1100/tcp   MCTP 
+mctp            1100/udp   MCTP
+#                          Vitaly Revsin <vitaly@webmanage.com>
+pt2-discover    1101/tcp   PT2-DISCOVER
+pt2-discover    1101/udp   PT2-DISCOVER
+#                          Ralph Kammerlander 
+#                          <ralph.kammerlander@khe.siemens.de> 
+adobeserver-1   1102/tcp   ADOBE SERVER 1
+adobeserver-1   1102/udp   ADOBE SERVER 1
+adobeserver-2   1103/tcp   ADOBE SERVER 2
+adobeserver-2   1103/udp   ADOBE SERVER 2
+#                          Ned Hayes <nhayes@adobe.com>
+xrl             1104/tcp   XRL
+xrl             1104/udp   XRL
+#                          Patrick Robinson <probinson@plosive.com>
+ftranhc         1105/tcp   FTRANHC
+ftranhc         1105/udp   FTRANHC
+#                          Eriko Shimada <eriko@kel.fujitsu.co.jp> 
+isoipsigport-1  1106/tcp   ISOIPSIGPORT-1
+isoipsigport-1  1106/udp   ISOIPSIGPORT-1 
+isoipsigport-2  1107/tcp   ISOIPSIGPORT-2 
+isoipsigport-2  1107/udp   ISOIPSIGPORT-2 
+#                          Peter Egli <peter.egli@inalp.com> 
+ratio-adp       1108/tcp   ratio-adp
+ratio-adp       1108/udp   ratio-adp
+#                          Oliver Thulke <oth@ratio.de>
+#               1109       Unassigned
+nfsd-status    1110/tcp   Cluster status info
+nfsd-keepalive 1110/udp   Client status info
+#                          Edgar Circenis <ec@hpfclj.fc.hp.com>
+lmsocialserver  1111/tcp   LM Social Server
+lmsocialserver 1111/udp   LM Social Server
+#                         Ron Lussier <coyote@likeminds.com>
+icp             1112/tcp   Intelligent Communication Protocol
+icp             1112/udp   Intelligent Communication Protocol
+#                          Mark H. David <mhd@gensym.com>   
+#               1113       Unassigned 
+mini-sql       1114/tcp   Mini SQL
+mini-sql       1114/udp   Mini SQL
+#                         David Hughes <bambi@Hughes.com.au>
+ardus-trns      1115/tcp   ARDUS Transfer
+ardus-trns      1115/udp   ARDUS Transfer
+ardus-cntl      1116/tcp   ARDUS Control
+ardus-cntl      1116/udp   ARDUS Control
+ardus-mtrns     1117/tcp   ARDUS Multicast Transfer
+ardus-mtrns     1117/udp   ARDUS Multicast Transfer
+#                          Shinya Abe <abeabe@pfu.co.jp>
+#               1118-1121  Unassigned
+availant-mgr    1122/tcp   availant-mgr
+availant-mgr    1122/udp   availant-mgr
+#                          Steven Pelletier <stevep@Availant.com> 
+murray          1123/tcp   Murray
+murray          1123/udp   Murray
+#                          Stu Mark <fordii@j51.com>
+#               1124-1154  Unassigned 
+nfa             1155/tcp   Network File Access                
+nfa             1155/udp   Network File Access                
+#                          James Powell <james@mailhost.unidata.com>
+#               1156-1160  Unassigned
+health-polling 1161/tcp   Health Polling
+health-polling 1161/udp   Health Polling
+health-trap    1162/tcp   Health Trap
+health-trap    1162/udp   Health Trap
+#               1163-1168  Unassigned
+tripwire        1169/tcp   TRIPWIRE
+tripwire        1169/udp   TRIPWIRE
+#                          Ed Metcalf <emetcalf@tripwiresecurity.com>
+#                         Albert Holt <alberth@triosoftware.com>
+#               1170-1179  Unassigned
+mc-client      1180/tcp   Millicent Client Proxy
+mc-client      1180/udp   Millicent Client Proxy
+#                         Steve Glassman <steveg@pa.dec.com>
+#               1181-1187  Unassigned
+hp-webadmin    1188/tcp   HP Web Admin
+hp-webadmin    1188/udp   HP Web Admin
+#                         Lance Kind <lance_kind@hp.com>
+#               1189-1199  Unassigned
+scol           1200/tcp   SCOL
+scol           1200/udp   SCOL
+#                         Cryo-Networks <p.favre@cryo-networks.fr>
+nucleus-sand    1201/tcp   Nucleus Sand
+nucleus-sand    1201/udp   Nucleus Sand
+#                          James Marsh <James.Marsh@sandtechnology.com>
+caiccipc       1202/tcp   caiccipc
+caiccipc       1202/udp   caiccipc
+#                         Vince Re <Vincent.Re@cai.com>
+ssslic-mgr     1203/tcp   License Validation
+ssslic-mgr      1203/udp   License Validation
+ssslog-mgr      1204/tcp   Log Request Listener
+ssslog-mgr      1204/udp   Log Request Listener
+#                          Eric Bruno <bruno@best.com> 
+accord-mgc      1205/tcp   Accord-MGC
+accord-mgc      1205/udp   Accord-MGC
+#                          Roni Even <roni_e@accord.co.il>
+anthony-data    1206/tcp   Anthony Data
+anthony-data    1206/udp   Anthony Data
+#                          Paul Dollemore <pauld@anthonydata.com>
+metasage        1207/tcp   MetaSage
+metasage        1207/udp   MetaSage
+#                          Peter Anvelt <panvelt@xnai.com> 
+seagull-ais     1208/tcp   SEAGULL AIS
+seagull-ais     1208/udp   SEAGULL AIS
+#                          Lee Breisacher <lbreisacher@seagullsw.com> 
+ipcd3           1209/tcp   IPCD3
+ipcd3           1209/udp   IPCD3
+#                          Mark Ciskey <mlciskey@plato.com>  
+eoss            1210/tcp   EOSS
+eoss            1210/udp   EOSS
+#                          Robert Armes <rarmes@axarte.com>
+groove-dpp      1211/tcp   Groove DPP
+groove-dpp      1211/udp   Groove DPP
+#                          Ken Moore <kmoore@groove.net>
+lupa            1212/tcp   lupa
+lupa            1212/udp   lupa
+#                          Barney Wolff <barney@databus.com>
+mpc-lifenet     1213/tcp   MPC LIFENET
+mpc-lifenet     1213/udp   MPC LIFENET
+#                          Ward Silver <hwardsil@wolfenet.com>
+kazaa           1214/tcp   KAZAA
+kazaa           1214/udp   KAZAA
+#                          Ahti Heinla <ahti@ahti.bluemoon.ee>  
+scanstat-1     1215/tcp   scanSTAT 1.0
+scanstat-1     1215/udp   scanSTAT 1.0
+#                         William Scheding <wls@isi.edu>
+etebac5         1216/tcp   ETEBAC 5
+etebac5         1216/udp   ETEBAC 5
+#                          GSIT <jl.barbut@gsit.fr>
+hpss-ndapi      1217/tcp   HPSS-NDAPI
+hpss-ndapi      1217/udp   HPSS-NDAPI
+#                          Michael Gleicher <mkg@san.rr.com>
+aeroflight-ads  1218/tcp   AeroFlight-ADs
+aeroflight-ads  1218/udp   AeroFlight-ADs
+aeroflight-ret  1219/tcp   AeroFlight-Ret
+aeroflight-ret  1219/udp   AeroFlight-Ret
+#                          Eric Johnson <eric@gruver.net>
+qt-serveradmin  1220/tcp   QT SERVER ADMIN
+qt-serveradmin  1220/udp   QT SERVER ADMIN
+#                          Chris LeCroy <lecroy@apple.com>
+sweetware-apps  1221/tcp   SweetWARE Apps
+sweetware-apps  1221/udp   SweetWARE Apps
+#                          David Dunetz <david@sweetware.com> 
+nerv           1222/tcp   SNI R&D network                  
+nerv           1222/udp   SNI R&D network                  
+#                          Martin Freiss <freiss.pad@sni.de>
+tgp             1223/tcp   TGP
+tgp             1223/udp   TGP
+#                          Gur Kimchi <gur@mail.trulyglobal.com>  
+vpnz            1224/tcp   VPNz
+vpnz            1224/udp   VPNz
+#                          Tom Strack <TSTRACK@Advnw.com>      
+slinkysearch    1225/tcp   SLINKYSEARCH
+slinkysearch    1225/udp   SLINKYSEARCH
+#                          Desmond Chan <deschan@prismedia.com>
+stgxfws         1226/tcp   STGXFWS
+stgxfws         1226/udp   STGXFWS
+#                          Tetsuya Shioda <tetsuya@saint.nm.fujitsu.co.jp>   
+dns2go          1227/tcp   DNS2Go
+dns2go          1227/udp   DNS2Go
+#                          Mark Richards <mark.richards@deerfield.com>
+florence        1228/tcp   FLORENCE
+florence        1228/udp   FLORENCE
+#                          Brian Trammell <btrammell@iventurelab.com>
+novell-zfs      1229/tcp   Novell ZFS
+novell-zfs      1229/udp   Novell ZFS
+#                          Jon Pomeroy <jpomeroy@novell.com> 
+periscope       1230/tcp   Periscope
+periscope       1230/udp   Periscope
+#                          Kevin Madden <Kevin@emailxtras.com>
+menandmice-lpm  1231/tcp   menandmice-lpm
+menandmice-lpm  1231/udp   menandmice-lpm
+#                          Sigfus Magnusson <sigfusm@menandmice.com>
+mtrgtrans       1232/tcp   mtrgtrans
+mtrgtrans       1232/udp   mtrgtrans
+#                          Katsuhito Muroi <muroi@pfu.co.jp>
+univ-appserver  1233/tcp   Universal App Server
+univ-appserver  1233/udp   Universal App Server
+#                          Tim Sent <tim.sent@systemsarchitects.com>
+search-agent   1234/tcp   Infoseek Search Agent
+search-agent   1234/udp   Infoseek Search Agent
+#                         Jackie Wu <jackiew@infoseek.com>
+mosaicsyssvc1   1235/tcp   mosaicsyssvc1
+mosaicsyssvc1   1235/udp   mosaicsyssvc1
+#                          Brian Matthews <bmatthews@mosaicsystems.com>        
+bvcontrol       1236/tcp   bvcontrol
+bvcontrol      1236/udp   bvcontrol
+#                          Daniel J Walsh <dwalsh@bindview.com>
+tsdos390        1237/tcp   tsdos390
+tsdos390        1237/udp   tsdos390
+#                          Ben Pracht <ben.pracht@tivoli.com> 
+hacl-qs                1238/tcp   hacl-qs
+hacl-qs                1238/udp   hacl-qs
+#                          Farid Faez <farid_faez@hp.com>
+nmsd           1239/tcp   NMSD
+nmsd           1239/udp   NMSD
+#                         Yuri Machkasov <yuri@ptc.com>
+instantia       1240/tcp   Instantia
+instantia       1240/udp   Instantia
+#                          Ruth Slater <ruth.slater@ideagen.co.uk> 
+nessus         1241/tcp   nessus
+nessus         1241/udp   nessus
+#                          Jordan Hrycaj <jordan@mjh.teddy-net.com>
+nmasoverip      1242/tcp   NMAS over IP
+nmasoverip      1242/udp   NMAS over IP
+#                          Mark G. Gayman <mgayman@novell.com>         
+sub7trojan-horse 1243/tcp   # serialgateway SerialGateway
+sub7trojan-horse 1243/udp   # serialgateway SerialGateway
+#                          Stephen LaValley <lavalley@lucent.com>
+isbconference1  1244/tcp   isbconference1
+isbconference1  1244/udp   isbconference1
+isbconference2  1245/tcp   isbconference2
+isbconference2  1245/udp   isbconference2
+#                          Arnold Dittmann <dittmann@isbcad.de>
+payrouter       1246/tcp   payrouter
+payrouter       1246/udp   payrouter
+#                          David Wilson <dwilson@integral-ie.com>
+visionpyramid   1247/tcp   VisionPyramid
+visionpyramid   1247/udp   VisionPyramid
+#                          Gavin Hutchinson <gavinh@visionlogistics.com>
+hermes         1248/tcp   hermes
+hermes         1248/udp   hermes
+#                          Not known
+mesavistaco    1249/tcp   Mesa Vista Co
+mesavistaco    1249/udp   Mesa Vista Co
+#                          Rick LaBanca <rel@mesasys.com>
+swldy-sias     1250/tcp   swldy-sias
+swldy-sias     1250/udp   swldy-sias
+#                          Peter E Williams <peter.williams@smallworld-us.com>
+servergraph     1251/tcp   servergraph
+servergraph    1251/udp   servergraph
+#                          Lindsay Morris <lmorris@servergraph.com>
+bspne-pcc      1252/tcp   bspne-pcc
+bspne-pcc       1252/udp   bspne-pcc
+q55-pcc         1253/tcp   q55-pcc
+q55-pcc                1253/udp   q55-pcc
+#                          Prem Tirilok <Prem.Tirilok@tellabs.com>     
+de-noc         1254/tcp   de-noc
+de-noc         1254/udp   de-noc
+de-cache-query  1255/tcp   de-cache-query
+de-cache-query  1255/udp   de-cache-query
+de-server      1256/tcp   de-server
+de-server      1256/udp   de-server
+#                         Jeff Burdette <support@digitalenvoy.net>
+shockwave2      1257/tcp   Shockwave 2
+shockwave2     1257/udp   Shockwave 2
+#                         Dave Simmons <dsimmons@macromedia.com>       
+opennl         1258/tcp   Open Network Library
+opennl         1258/udp   Open Network Library
+opennl-voice    1259/tcp   Open Network Library Voice
+opennl-voice   1259/udp   Open Network Library Voice
+#                          Phil Frisbie <phil@hawksoft.com> 
+ibm-ssd                1260/tcp   ibm-ssd
+ibm-ssd                1260/udp   ibm-ssd
+#                         Amadeo Asco <amadeo@uk.ibm.com>
+mpshrsv         1261/tcp   mpshrsv
+mpshrsv                1261/udp   mpshrsv
+#                          Makoto Ikeyama <ikeyama@ael.fujitsu.co.jp>
+qnts-orb       1262/tcp   QNTS-ORB
+qnts-orb        1262/udp   QNTS-ORB
+#                          Raghurama Bhat <raghu@quintus.com> 
+dka            1263/tcp   dka
+dka            1263/udp   dka
+#                          Chris Griffin <cgriffin@dka.com>
+prat           1264/tcp   PRAT
+prat            1264/udp   PRAT
+#                          Keith Wood <keith.wood@epid.eurotherm.co.uk> 
+dssiapi         1265/tcp   DSSIAPI
+dssiapi         1265/udp   DSSIAPI
+#                          Steve Sando <steve.sando@diversifiedsoftware.com> 
+dellpwrappks    1266/tcp   DELLPWRAPPKS
+dellpwrappks    1266/udp   DELLPWRAPPKS
+#                          David Troeger <David_Troeger@dell.com> 
+pcmlinux        1267/tcp   pcmlinux
+pcmlinux        1267/udp   pcmlinux
+#                          Aaron Stein <aaron.stein@ca.com>
+propel-msgsys   1268/tcp   PROPEL-MSGSYS
+propel-msgsys   1268/udp   PROPEL-MSGSYS
+#                          Bert Van der Linden <bert@propel.com>
+watilapp        1269/tcp   WATiLaPP
+watilapp        1269/udp   WATiLaPP
+#                          Frederic Weymann <Fizzban@swcombine.com>
+opsman          1270/tcp   opsman
+opsman          1270/udp   opsman
+#                          Brad Daniels <brad.daniels@netiq.com>
+dabew           1271/tcp   Dabew
+dabew           1271/udp   Dabew
+#                          Norm Freedman <normfree@att.net>
+cspmlockmgr     1272/tcp   CSPMLockMgr
+cspmlockmgr     1272/udp   CSPMLockMgr
+#                          Ibtsam Mahfouz <imahfouz@cisco.com>
+emc-gateway     1273/tcp   EMC-Gateway
+emc-gateway     1273/udp   EMC-Gateway
+#                          Rene Fontaine <fontaine_rene@emc.com>
+t1distproc      1274/tcp   t1distproc
+t1distproc      1274/udp   t1distproc
+#                          Julian Biddle <julian_biddle@TechnologyOneCorp.com>
+ivcollector     1275/tcp   ivcollector
+ivcollector     1275/udp   ivcollector
+ivmanager       1276/tcp   ivmanager
+ivmanager       1276/udp   ivmanager
+#                          Xavier Roques <xroques@infovista.fr>
+miva-mqs        1277/tcp   mqs
+miva-mqs        1277/udp   mqs
+#                          Miva Corporation <jwoods@miva.com.au>
+dellwebadmin-1  1278/tcp   Dell Web Admin 1
+dellwebadmin-1  1278/udp   Dell Web Admin 1
+dellwebadmin-2  1279/tcp   Dell Web Admin 2
+dellwebadmin-2  1279/udp   Dell Web Admin 2   
+#                          Bridget Navoda <Bridget_Navoda@dell.com> 
+pictrography    1280/tcp   Pictrography
+pictrography    1280/udp   Pictrography
+#                          Takashi Hoshino <hoshino@miya.fujifilm.co.jp>   
+healthd         1281/tcp   healthd
+healthd         1281/udp   healthd
+#                          James E. Housley <jim@thehousleys.net> 
+emperion        1282/tcp   Emperion
+emperion        1282/udp   Emperion
+#                          Claus Thor Barth <ctb@satworks.net>
+productinfo     1283/tcp   ProductInfo
+productinfo     1283/udp   ProductInfo
+iee-qfx         1284/tcp   IEE-QFX
+iee-qfx         1284/udp   IEE-QFX
+#                          Kevin D. Quitt <KQuitt@IEEInc.com>
+neoiface        1285/tcp   neoiface
+neoiface        1285/udp   neoiface
+#                          Jason McManus <jasonm@neoinformatics.com>
+netuitive       1286/tcp   netuitive
+netuitive       1286/udp   netuitive 
+#                          Clayton Wilkinson <cwilkinson@netuitive.com>
+#               1287       Unassigned
+navbuddy        1288/tcp   NavBuddy
+navbuddy        1288/udp   NavBuddy
+#                          Eric Hackman <ehackman@millapps.com>
+jwalkserver     1289/tcp   JWalkServer
+jwalkserver     1289/udp   JWalkServer
+winjaserver     1290/tcp   WinJaServer 
+winjaserver     1290/udp   WinJaServer  
+seagulllms      1291/tcp   SEAGULLLMS
+seagulllms      1291/udp   SEAGULLLMS
+#                          Lee Breisacher <lbreisacher@seafullsw.com>
+dsdn            1292/tcp   dsdn
+dsdn            1292/udp   dsdn
+#                          Stanislaw Skowronek <thesis@elementary.pl>
+pkt-krb-ipsec   1293/tcp   PKT-KRB-IPSec
+pkt-krb-ipsec   1293/udp   PKT-KRB-IPSec
+#                          Nancy Davoust <n.davoust@cablelabs.com>
+cmmdriver       1294/tcp   CMMdriver
+cmmdriver       1294/udp   CMMdriver
+#                          Lutz Karras <karras@zeiss.de>
+eetp            1295/tcp   EETP
+eetp            1295/udp   EETP
+#                          Alexander Bogdanov <alexandr_bgd@softhome.net>  
+dproxy          1296/tcp   dproxy
+dproxy          1296/udp   dproxy
+sdproxy         1297/tcp   sdproxy
+sdproxy         1297/udp   sdproxy
+#                          Raimond Diederik <rdiederik@descartes.com> 
+lpcp            1298/tcp   lpcp
+lpcp            1298/udp   lpcp
+#                          Greg Herlein <gherlein@herlein.com>
+hp-sci          1299/tcp   hp-sci
+hp-sci          1299/udp   hp-sci
+#                          Kim Scott <kims@cup.hp.com>       
+h323hostcallsc 1300/tcp   H323 Host Call Secure
+h323hostcallsc 1300/udp   H323 Host Call Secure
+#                         Jim Toga <jtoga@ideal.jf.intel.com>
+ci3-software-1  1301/tcp   CI3-Software-1
+ci3-software-1  1301/udp   CI3-Software-1
+ci3-software-2  1302/tcp   CI3-Software-2
+ci3-software-2  1302/udp   CI3-Software-2
+#                          Kelli Watson <kwatson@ci3software.com>
+sftsrv          1303/tcp   sftsrv
+sftsrv          1303/udp   sftsrv
+#                          Robert Frazier <BobF@mrp3.com>
+boomerang       1304/tcp   Boomerang
+boomerang       1304/udp   Boomerang
+#                          Bruce Lueckenhoff <brucelu@cisco.com>
+pe-mike                1305/tcp   pe-mike
+pe-mike         1305/udp   pe-mike
+#                          Stephen Hemminger <shemminger@passedge.com>
+re-conn-proto   1306/tcp   RE-Conn-Proto
+re-conn-proto   1306/udp   RE-Conn-Proto
+#                          Sandeep Singhal <sandeep@reefedge.com>
+pacmand         1307/tcp   Pacmand
+pacmand         1307/udp   Pacmand
+#                          Edward T. O'Shea <oshea@bellsouth.net> 
+odsi            1308/tcp   Optical Domain Service Interconnect (ODSI)
+odsi            1308/udp   Optical Domain Service Interconnect (ODSI)
+#                          K. Arvind <arvind@tenornetworks.com> 
+jtag-server     1309/tcp   JTAG server
+jtag-server     1309/udp   JTAG server
+#                          Andrew Draper <adraper@altera.com>
+husky          1310/tcp   Husky
+husky          1310/udp   Husky
+#                         Mark Zang <mark@zang.com>
+rxmon          1311/tcp   RxMon
+rxmon          1311/udp   RxMon
+#                         Javier Jiminez <javier_l_jimenez@dell.com>
+sti-envision   1312/tcp   STI Envision
+sti-envision   1312/udp   STI Envision
+#                         Don Stedman <dones@stisystems.com>
+bmc_patroldb    1313/tcp   BMC_PATROLDB
+bmc_patroldb    1313/udp   BMC_PATROLDB
+#                          Devon Shows <Devon_Shows@crow.bmc.com>
+pdps           1314/tcp   Photoscript Distributed Printing System
+pdps            1314/udp   Photoscript Distributed Printing System
+#                         Les Klein <sgy@cix.compulink.co.uk>
+els            1315/tcp   els
+els            1315/udp   els
+#                         Jim Cleppe <clep13@cfer.com>
+exbit-escp      1316/tcp   Exbit-ESCP
+exbit-escp      1316/udp   Exbit-ESCP
+#                          Morten Christensen <mjc@exbit.dk>
+vrts-ipcserver  1317/tcp   vrts-ipcserver
+vrts-ipcserver  1317/udp   vrts-ipcserver
+#                          Bruce Hestand <Bruce.Hestand@veritas.com>
+krb5gatekeeper  1318/tcp   krb5gatekeeper
+krb5gatekeeper  1318/udp   krb5gatekeeper
+#                          Patrick Moore <pcmoore@sandia.gov> 
+panja-icsp      1319/tcp   Panja-ICSP
+panja-icsp      1319/udp   Panja-ICSP
+#                          Ron Barber <ron.barber@panja.com>     
+panja-axbnet   1320/tcp   Panja-AXBNET
+panja-axbnet   1320/udp   Panja-AXBNET
+#                         Andrew van Wensen <avanwensen@panja.com>
+pip            1321/tcp   PIP
+pip            1321/udp   PIP
+#                         Gordon Mohr <gojomo@usa.net>
+novation        1322/tcp   Novation
+novation        1322/udp   Novation
+#                          Alan Dano <wiseobject@yahoo.com>
+brcd            1323/tcp   brcd
+brcd            1323/udp   brcd
+#                          Todd Picquelle <todd@convergence.net>
+delta-mcp       1324/tcp   delta-mcp
+delta-mcp       1324/udp   delta-mcp
+#                          Quinton Tormanen <quinton@deltacompsys.com> 
+dx-instrument   1325/tcp   DX-Instrument
+dx-instrument   1325/udp   DX-Instrument
+#                          Walt Modic <Walt.Modic@dionex.com>
+wimsic          1326/tcp   WIMSIC
+wimsic          1326/udp   WIMSIC
+#                          James Brown <ender@admdev.com>
+ultrex          1327/tcp   Ultrex
+ultrex          1327/udp   Ultrex
+#                          Tim Walsh <tim@ultrex.com>
+ewall           1328/tcp   EWALL
+ewall           1328/udp   EWALL
+#                          Jeff Busma <busma@echogent.com>
+netdb-export    1329/tcp   netdb-export
+netdb-export    1329/udp   netdb-export
+#                          Konstantinos Kostis <netdb@kostis.net>
+streetperfect   1330/tcp   StreetPerfect
+streetperfect   1330/udp   StreetPerfect
+#                          Michael R. Young <michael.young@tor.sunpub.com> 
+intersan        1331/tcp   intersan
+intersan        1331/udp   intersan
+#                          Barry H. Feild <barry@intersan.net> 
+pcia-rxp-b      1332/tcp   PCIA RXP-B
+pcia-rxp-b      1332/udp   PCIA RXP-B
+#                          James Dabbs <jdabbs@tga.com>
+passwrd-policy  1333/tcp   Password Policy
+passwrd-policy  1333/udp   Password Policy
+#                          Tonio Pirotta <tonio@tpis.com.au> 
+writesrv        1334/tcp   writesrv
+writesrv        1334/udp   writesrv
+#                          Marvin Toungate <toungate@austin.ibm.com>   
+digital-notary 1335/tcp   Digital Notary Protocol
+digital-notary 1335/udp   Digital Notary Protocol
+#                         Wes Doonan
+ischat         1336/tcp   Instant Service Chat
+ischat          1336/udp   Instant Service Chat
+#                          Mike Clise <mikec@instantservice.com>
+menandmice-dns  1337/tcp   menandmice DNS
+menandmice-dns  1337/udp   menandmice DNS
+#                          Sigfus Magnusson <sigfusm@menandmice.com>
+wmc-log-svc     1338/tcp   WMC-log-svr
+wmc-log-svc     1338/udp   WMC-log-svr
+#                          Stephen Brosseau <brosseau@workingmachines.com>  
+kjtsiteserver   1339/tcp   kjtsiteserver
+kjtsiteserver   1339/udp   kjtsiteserver
+#                          Jason Aubain <jaubain@kjt.com>
+naap           1340/tcp   NAAP
+naap            1340/udp   NAAP
+#                          Henry Haverinen <henry.haverinen@nokia.com> 
+qubes           1341/tcp   QuBES
+qubes          1341/udp   QuBES
+#                          Eric Grange <egrange@creative-it.net> 
+esbroker       1342/tcp   ESBroker
+esbroker       1342/udp   ESBroker
+#                          Alexander Medvinsky <smedvinsky@gi.com>
+re101          1343/tcp   re101
+re101           1343/udp   re101
+#                          Doriano Blengino <rampone@areacom.it>
+icap           1344/tcp   ICAP
+icap            1344/udp   ICAP
+#                          Jeremy Elson <jelson@isi.edu>
+vpjp            1345/tcp   VPJP
+vpjp            1345/udp   VPJP
+#                          Michael Collins <UBMCollins@aol.com>
+alta-ana-lm     1346/tcp   Alta Analytics License Manager 
+alta-ana-lm     1346/udp   Alta Analytics License Manager 
+bbn-mmc                1347/tcp   multi media conferencing
+bbn-mmc                1347/udp   multi media conferencing
+bbn-mmx                1348/tcp   multi media conferencing
+bbn-mmx                1348/udp   multi media conferencing
+sbook           1349/tcp   Registration Network Protocol       
+sbook           1349/udp   Registration Network Protocol       
+editbench       1350/tcp   Registration Network Protocol       
+editbench       1350/udp   Registration Network Protocol       
+#                          Simson L. Garfinkel <simsong@next.cambridge.ma.us>
+equationbuilder 1351/tcp   Digital Tool Works (MIT)            
+equationbuilder 1351/udp   Digital Tool Works (MIT)            
+#                          Terrence J. Talbot <lexcube!tjt@bu.edu>
+lotusnote       1352/tcp   Lotus Note                          
+lotusnote       1352/udp   Lotus Note                          
+#                          Greg Pflaum <iris.com!Greg_Pflaum@uunet.uu.net>
+relief          1353/tcp   Relief Consulting                   
+relief          1353/udp   Relief Consulting                   
+#                          John Feiler <relief!jjfeiler@uu2.psi.com>
+rightbrain      1354/tcp   RightBrain Software              
+rightbrain      1354/udp   RightBrain Software              
+#                          Glenn Reid <glann@rightbrain.com>
+intuitive-edge  1355/tcp   Intuitive Edge 
+intuitive-edge  1355/udp   Intuitive Edge 
+#                          Montgomery Zukowski
+#                          <monty@nextnorth.acs.ohio-state.edu> 
+cuillamartin    1356/tcp   CuillaMartin Company 
+cuillamartin    1356/udp   CuillaMartin Company 
+pegboard        1357/tcp   Electronic PegBoard  
+pegboard        1357/udp   Electronic PegBoard  
+#                          Chris Cuilla
+#                          <balr!vpnet!cuilla!chris@clout.chi.il.us> 
+connlcli        1358/tcp   CONNLCLI                             
+connlcli        1358/udp   CONNLCLI                             
+ftsrv           1359/tcp   FTSRV                                
+ftsrv           1359/udp   FTSRV                                
+#                          Ines Homem de Melo <sidinf@brfapesp.bitnet>
+mimer           1360/tcp   MIMER                               
+mimer           1360/udp   MIMER                               
+#                          Per Schroeder  <Per.Schroder@mimer.se>
+linx            1361/tcp   LinX                        
+linx            1361/udp   LinX                        
+#                          Steffen Schilke <---none--->
+timeflies       1362/tcp   TimeFlies                           
+timeflies       1362/udp   TimeFlies                           
+#                          Doug Kent <mouthers@slugg@nwnexus.wa.com>
+ndm-requester   1363/tcp   Network DataMover Requester
+ndm-requester   1363/udp   Network DataMover Requester
+ndm-server      1364/tcp   Network DataMover Server   
+ndm-server      1364/udp   Network DataMover Server   
+#                          Toshio Watanabe
+#                          <watanabe@godzilla.rsc.spdd.ricoh.co.j> 
+adapt-sna       1365/tcp   Network Software Associates
+adapt-sna       1365/udp   Network Software Associates
+#                          Jeffery Chiao <714-768-401>
+netware-csp     1366/tcp   Novell NetWare Comm Service Platform
+netware-csp     1366/udp   Novell NetWare Comm Service Platform
+#                          Laurie Lindsey <llindsey@novell.com>
+dcs             1367/tcp   DCS                             
+dcs             1367/udp   DCS                             
+#                          Stefan Siebert <ssiebert@dcs.de>
+screencast      1368/tcp   ScreenCast                          
+screencast      1368/udp   ScreenCast                          
+#                          Bill Tschumy <other!bill@uunet.UU.NET>
+gv-us           1369/tcp   GlobalView to Unix Shell             
+gv-us           1369/udp   GlobalView to Unix Shell             
+us-gv           1370/tcp   Unix Shell to GlobalView             
+us-gv           1370/udp   Unix Shell to GlobalView             
+#                          Makoto Mita <mita@ssdev.ksp.fujixerox.co.jp>
+fc-cli          1371/tcp   Fujitsu Config Protocol             
+fc-cli          1371/udp   Fujitsu Config Protocol             
+fc-ser          1372/tcp   Fujitsu Config Protocol             
+fc-ser          1372/udp   Fujitsu Config Protocol             
+#                          Ryuichi Horie <horie@spad.sysrap.cs.fujitsu.co.jp>
+chromagrafx     1373/tcp   Chromagrafx                         
+chromagrafx     1373/udp   Chromagrafx                         
+#                          Mike Barthelemy <msb@chromagrafx.com>
+molly           1374/tcp   EPI Software Systems        
+molly           1374/udp   EPI Software Systems        
+#                          Jim Vlcek <vlcek@epimbe.com>
+bytex           1375/tcp   Bytex                             
+bytex           1375/udp   Bytex                             
+#                          Mary Ann Burt <bytex!ws054!maryann@uunet.UU.NET>
+ibm-pps         1376/tcp   IBM Person to Person Software     
+ibm-pps         1376/udp   IBM Person to Person Software     
+#                          Simon Phipps <sphipps@vnet.ibm.com>
+cichlid         1377/tcp   Cichlid License Manager       
+cichlid         1377/udp   Cichlid License Manager       
+#                          Andy Burgess <aab@cichlid.com>
+elan            1378/tcp   Elan License Manager   
+elan            1378/udp   Elan License Manager   
+#                          Ken Greer <kg@elan.com>
+dbreporter      1379/tcp   Integrity Solutions                 
+dbreporter      1379/udp   Integrity Solutions                 
+#                          Tim Dawson <tdawson%mspboss@uunet.UU.NET>
+telesis-licman  1380/tcp   Telesis Network License Manager     
+telesis-licman  1380/udp   Telesis Network License Manager     
+#                          Karl Schendel, Jr. <wiz@telesis.com>
+apple-licman    1381/tcp   Apple Network License Manager 
+apple-licman    1381/udp   Apple Network License Manager 
+#                          Earl Wallace <earlw@apple.com>
+udt_os          1382/tcp   udt_os
+udt_os          1382/udp   udt_os
+gwha            1383/tcp   GW Hannaway Network License Manager
+gwha            1383/udp   GW Hannaway Network License Manager
+#                          J. Gabriel Foster <fop@gwha.com>
+os-licman       1384/tcp   Objective Solutions License Manager 
+os-licman       1384/udp   Objective Solutions License Manager 
+#                          Donald Cornwell <don.cornwell@objective.com>
+atex_elmd       1385/tcp   Atex Publishing License Manager
+atex_elmd       1385/udp   Atex Publishing License Manager
+#                          Brett Sorenson <bcs@atex.com>
+checksum        1386/tcp   CheckSum License Manager            
+checksum        1386/udp   CheckSum License Manager            
+#                          Andreas Glocker <glocker@sirius.com>
+cadsi-lm        1387/tcp   Computer Aided Design Software Inc LM 
+cadsi-lm        1387/udp   Computer Aided Design Software Inc LM 
+#                          Sulistio Muljadi <e-mail?>
+objective-dbc   1388/tcp   Objective Solutions DataBase Cache
+objective-dbc   1388/udp   Objective Solutions DataBase Cache
+#                          Donald Cornwell <e-mail?>
+iclpv-dm        1389/tcp   Document Manager                    
+iclpv-dm        1389/udp   Document Manager                    
+iclpv-sc        1390/tcp   Storage Controller                  
+iclpv-sc        1390/udp   Storage Controller                  
+iclpv-sas       1391/tcp   Storage Access Server               
+iclpv-sas       1391/udp   Storage Access Server               
+iclpv-pm        1392/tcp   Print Manager                       
+iclpv-pm        1392/udp   Print Manager                       
+iclpv-nls       1393/tcp   Network Log Server                  
+iclpv-nls       1393/udp   Network Log Server                  
+iclpv-nlc       1394/tcp   Network Log Client                  
+iclpv-nlc       1394/udp   Network Log Client                  
+iclpv-wsm       1395/tcp   PC Workstation Manager software     
+iclpv-wsm       1395/udp   PC Workstation Manager software     
+#                          A.P. Hobson <A.P.Hobson@bra0112.wins.icl.co.uk>
+dvl-activemail  1396/tcp   DVL Active Mail                     
+dvl-activemail  1396/udp   DVL Active Mail                     
+audio-activmail 1397/tcp   Audio Active Mail                   
+audio-activmail 1397/udp   Audio Active Mail                   
+video-activmail 1398/tcp   Video Active Mail                   
+video-activmail 1398/udp   Video Active Mail                   
+#                          Avshalom Houri <Avshalom@ubique.com>
+cadkey-licman   1399/tcp   Cadkey License Manager         
+cadkey-licman   1399/udp   Cadkey License Manager         
+cadkey-tablet   1400/tcp   Cadkey Tablet Daemon           
+cadkey-tablet   1400/udp   Cadkey Tablet Daemon           
+#                          Joe McCollough <joe@cadkey.com>
+goldleaf-licman 1401/tcp   Goldleaf License Manager
+goldleaf-licman 1401/udp   Goldleaf License Manager
+#                          John Fox <---none--->
+prm-sm-np       1402/tcp   Prospero Resource Manager
+prm-sm-np       1402/udp   Prospero Resource Manager
+prm-nm-np       1403/tcp   Prospero Resource Manager
+prm-nm-np       1403/udp   Prospero Resource Manager
+#                          B. Clifford Neuman <bcn@isi.edu>
+igi-lm          1404/tcp   Infinite Graphics License Manager
+igi-lm          1404/udp   Infinite Graphics License Manager
+ibm-res         1405/tcp   IBM Remote Execution Starter
+ibm-res         1405/udp   IBM Remote Execution Starter
+netlabs-lm      1406/tcp   NetLabs License Manager
+netlabs-lm      1406/udp   NetLabs License Manager
+dbsa-lm         1407/tcp   DBSA License Manager        
+dbsa-lm         1407/udp   DBSA License Manager        
+#                          Scott Shattuck <ss@dbsa.com>
+sophia-lm       1408/tcp   Sophia License Manager              
+sophia-lm       1408/udp   Sophia License Manager              
+#                          Eric Brown <sst!emerald!eric@uunet.UU.net>
+here-lm         1409/tcp   Here License Manager             
+here-lm         1409/udp   Here License Manager             
+#                          David Ison  <here@dialup.oar.net>
+hiq             1410/tcp   HiQ License Manager               
+hiq             1410/udp   HiQ License Manager               
+#                          Rick Pugh <rick@bilmillennium.com>
+af              1411/tcp   AudioFile                  
+af              1411/udp   AudioFile                  
+#                          Jim Gettys <jg@crl.dec.com>
+innosys         1412/tcp   InnoSys               
+innosys         1412/udp   InnoSys               
+innosys-acl     1413/tcp   Innosys-ACL           
+innosys-acl     1413/udp   Innosys-ACL           
+#                          Eric Welch <--none--->
+ibm-mqseries    1414/tcp   IBM MQSeries                        
+ibm-mqseries    1414/udp   IBM MQSeries                        
+#                          Roger Meli <rmmeli%winvmd@vnet.ibm.com>
+dbstar          1415/tcp   DBStar                          
+dbstar          1415/udp   DBStar                          
+#                          Jeffrey Millman <jcm@dbstar.com>
+novell-lu6.2    1416/tcp   Novell LU6.2         
+novell-lu6.2    1416/udp   Novell LU6.2         
+#                          Peter Liu <--none--->
+timbuktu-srv1   1417/tcp   Timbuktu Service 1 Port            
+timbuktu-srv1   1417/udp   Timbuktu Service 1 Port            
+timbuktu-srv2   1418/tcp   Timbuktu Service 2 Port            
+timbuktu-srv2   1418/udp   Timbuktu Service 2 Port            
+timbuktu-srv3   1419/tcp   Timbuktu Service 3 Port            
+timbuktu-srv3   1419/udp   Timbuktu Service 3 Port            
+timbuktu-srv4   1420/tcp   Timbuktu Service 4 Port            
+timbuktu-srv4   1420/udp   Timbuktu Service 4 Port            
+#                          Marc Epard <marc@netopia.com>
+gandalf-lm      1421/tcp   Gandalf License Manager
+gandalf-lm      1421/udp   Gandalf License Manager
+#                          gilmer@gandalf.ca
+autodesk-lm     1422/tcp   Autodesk License Manager   
+autodesk-lm     1422/udp   Autodesk License Manager   
+#                          David Ko <dko@autodesk.com>
+essbase         1423/tcp   Essbase Arbor Software     
+essbase         1423/udp   Essbase Arbor Software     
+hybrid          1424/tcp   Hybrid Encryption Protocol  
+hybrid          1424/udp   Hybrid Encryption Protocol  
+#                          Howard Hart <hch@hybrid.com>
+zion-lm         1425/tcp   Zion Software License Manager 
+zion-lm         1425/udp   Zion Software License Manager 
+#                          David Ferrero <david@zion.com>
+sais            1426/tcp   Satellite-data Acquisition System 1
+sais            1426/udp   Satellite-data Acquisition System 1
+#                          Bill Taylor <sais@ssec.wisc.edu>
+mloadd          1427/tcp   mloadd monitoring tool     
+mloadd          1427/udp   mloadd monitoring tool     
+#                          Bob Braden <braden@isi.edu>
+informatik-lm   1428/tcp   Informatik License Manager
+informatik-lm   1428/udp   Informatik License Manager
+#                          Harald Schlangmann
+#                          <schlangm@informatik.uni-muenchen.de> 
+nms             1429/tcp   Hypercom NMS                      
+nms             1429/udp   Hypercom NMS                      
+tpdu            1430/tcp   Hypercom TPDU                     
+tpdu            1430/udp   Hypercom TPDU                     
+#                          Noor Chowdhury <noor@hypercom.com>
+rgtp            1431/tcp   Reverse Gossip Transport
+rgtp            1431/udp   Reverse Gossip Transport
+#                          Ian Jackson  <iwj@cam-orl.co.uk>
+blueberry-lm    1432/tcp   Blueberry Software License Manager  
+blueberry-lm    1432/udp   Blueberry Software License Manager  
+#                          Steve Beigel <ublueb!steve@uunet.uu.net>
+ms-sql-s        1433/tcp   Microsoft-SQL-Server 
+ms-sql-s        1433/udp   Microsoft-SQL-Server 
+ms-sql-m        1434/tcp   Microsoft-SQL-Monitor
+ms-sql-m        1434/udp   Microsoft-SQL-Monitor                
+#                          Peter Hussey <peterhus@microsoft.com>
+ibm-cics        1435/tcp   IBM CICS
+ibm-cics        1435/udp   IBM CICS
+#                          Geoff Meacock <gbibmswl@ibmmail.COM>
+saism           1436/tcp   Satellite-data Acquisition System 2
+saism           1436/udp   Satellite-data Acquisition System 2
+#                          Bill Taylor <sais@ssec.wisc.edu>
+tabula          1437/tcp   Tabula
+tabula          1437/udp   Tabula
+#                          Marcelo Einhorn
+#                          <KGUNE%HUJIVM1.bitnet@taunivm.tau.ac.il> 
+eicon-server    1438/tcp   Eicon Security Agent/Server         
+eicon-server    1438/udp   Eicon Security Agent/Server         
+eicon-x25       1439/tcp   Eicon X25/SNA Gateway               
+eicon-x25       1439/udp   Eicon X25/SNA Gateway               
+eicon-slp       1440/tcp   Eicon Service Location Protocol     
+eicon-slp       1440/udp   Eicon Service Location Protocol     
+#                          Pat Calhoun <CALHOUN@admin.eicon.qc.ca>
+cadis-1         1441/tcp   Cadis License Management       
+cadis-1         1441/udp   Cadis License Management       
+cadis-2         1442/tcp   Cadis License Management       
+cadis-2         1442/udp   Cadis License Management       
+#                          Todd Wichers <twichers@csn.org>
+ies-lm          1443/tcp   Integrated Engineering Software     
+ies-lm          1443/udp   Integrated Engineering Software     
+#                          David Tong <David_Tong@integrated.mb.ca>
+marcam-lm       1444/tcp   Marcam  License Management    
+marcam-lm       1444/udp   Marcam  License Management    
+#                          Therese Hunt <hunt@marcam.com>
+proxima-lm      1445/tcp   Proxima License Manager       
+proxima-lm      1445/udp   Proxima License Manager       
+ora-lm          1446/tcp   Optical Research Associates License Manager
+ora-lm          1446/udp   Optical Research Associates License Manager
+apri-lm         1447/tcp   Applied Parallel Research LM
+apri-lm         1447/udp   Applied Parallel Research LM
+#                          Jim Dillon <jed@apri.com>
+oc-lm           1448/tcp   OpenConnect License Manager
+oc-lm           1448/udp   OpenConnect License Manager
+#                          Sue Barnhill <snb@oc.com>
+peport          1449/tcp   PEport                               
+peport          1449/udp   PEport                               
+#                          Qentin Neill <quentin@ColumbiaSC.NCR.COM>
+dwf             1450/tcp   Tandem Distributed Workbench Facility 
+dwf             1450/udp   Tandem Distributed Workbench Facility 
+#                          Mike Bert <BERG_MIKE@tandem.com>
+infoman         1451/tcp   IBM Information Management
+infoman         1451/udp   IBM Information Management
+#                          Karen Burns <---none--->
+gtegsc-lm       1452/tcp   GTE Government Systems License Man   
+gtegsc-lm       1452/udp   GTE Government Systems License Man   
+#                          Mike Gregory <Gregory_Mike@msmail.iipo.gtegsc.com>
+genie-lm        1453/tcp   Genie License Manager                
+genie-lm        1453/udp   Genie License Manager                
+#                          Paul Applegate <p.applegate2@genie.geis.com>
+interhdl_elmd   1454/tcp   interHDL License Manager      
+interhdl_elmd   1454/udp   interHDL License Manager      
+#                          Eli Sternheim eli@interhdl.com
+esl-lm          1455/tcp   ESL License Manager           
+esl-lm          1455/udp   ESL License Manager           
+#                          Abel Chou <abel@willy.esl.com>
+dca             1456/tcp   DCA           
+dca             1456/udp   DCA           
+#                          Jeff Garbers <jgarbers@netcom.com>
+valisys-lm      1457/tcp   Valisys License Manager
+valisys-lm      1457/udp   Valisys License Manager
+#                          Leslie Lincoln <leslie_lincoln@valisys.com>
+nrcabq-lm       1458/tcp   Nichols Research Corp.
+nrcabq-lm       1458/udp   Nichols Research Corp.
+#                          Howard Cole <hcole@tumbleweed.nrcabq.com>
+proshare1       1459/tcp   Proshare Notebook Application
+proshare1       1459/udp   Proshare Notebook Application
+proshare2       1460/tcp   Proshare Notebook Application
+proshare2       1460/udp   Proshare Notebook Application
+#                          Robin Kar <Robin_Kar@ccm.hf.intel.com>
+ibm_wrless_lan  1461/tcp   IBM Wireless LAN 
+ibm_wrless_lan  1461/udp   IBM Wireless LAN 
+#                          <flanne@vnet.IBM.COM>
+world-lm        1462/tcp   World License Manager
+world-lm        1462/udp   World License Manager
+#                          Michael S Amirault <ambi@world.std.com>
+nucleus         1463/tcp   Nucleus
+nucleus         1463/udp   Nucleus
+#                          Venky Nagar <venky@fafner.Stanford.EDU>
+msl_lmd         1464/tcp    MSL License Manager
+msl_lmd         1464/udp    MSL License Manager
+#                           Matt Timmermans
+pipes           1465/tcp    Pipes Platform 
+pipes           1465/udp    Pipes Platform  mfarlin@peerlogic.com
+#                           Mark Farlin <mfarlin@peerlogic.com>
+oceansoft-lm    1466/tcp    Ocean Software License Manager
+oceansoft-lm    1466/udp    Ocean Software License Manager
+#                           Randy Leonard <randy@oceansoft.com>
+csdmbase        1467/tcp    CSDMBASE  
+csdmbase        1467/udp    CSDMBASE  
+csdm            1468/tcp    CSDM      
+csdm            1468/udp    CSDM      
+#               Robert Stabl <stabl@informatik.uni-muenchen.de>
+aal-lm          1469/tcp    Active Analysis Limited License Manager
+aal-lm          1469/udp    Active Analysis Limited License Manager
+#                           David Snocken  +44 (71)437-7009
+uaiact          1470/tcp    Universal Analytics  
+uaiact          1470/udp    Universal Analytics  
+#                           Mark R. Ludwig <Mark-Ludwig@uai.com>
+csdmbase        1471/tcp    csdmbase   
+csdmbase        1471/udp    csdmbase   
+csdm            1472/tcp    csdm       
+csdm            1472/udp    csdm       
+#               Robert Stabl <stabl@informatik.uni-muenchen.de>
+openmath        1473/tcp    OpenMath   
+openmath        1473/udp    OpenMath   
+#                           Garth Mayville <mayville@maplesoft.on.ca>
+telefinder      1474/tcp    Telefinder 
+telefinder      1474/udp    Telefinder 
+#                           Jim White <Jim_White@spiderisland.com>
+taligent-lm     1475/tcp    Taligent License Manager  
+taligent-lm     1475/udp    Taligent License Manager  
+#               Mark Sapsford <Mark_Sapsford@@taligent.com>
+clvm-cfg        1476/tcp    clvm-cfg  
+clvm-cfg        1476/udp    clvm-cfg  
+#                           Eric Soderberg <seric@cup.hp.com>
+ms-sna-server   1477/tcp    ms-sna-server  
+ms-sna-server   1477/udp    ms-sna-server  
+ms-sna-base     1478/tcp    ms-sna-base    
+ms-sna-base     1478/udp    ms-sna-base    
+#                           Gordon Mangione <gordm@microsoft.com>
+dberegister     1479/tcp    dberegister  
+dberegister     1479/udp    dberegister  
+#                           Brian Griswold <brian@dancingbear.com>
+pacerforum      1480/tcp    PacerForum  
+pacerforum      1480/udp    PacerForum  
+#                           Peter Caswell <pfc@pacvax.pacersoft.com>
+airs            1481/tcp    AIRS        
+airs            1481/udp    AIRS        
+#                           Bruce Wilson, 905-771-6161
+miteksys-lm     1482/tcp    Miteksys License Manager
+miteksys-lm     1482/udp    Miteksys License Manager
+#                           Shane McRoberts <mcroberts@miteksys.com>
+afs             1483/tcp    AFS License Manager   
+afs             1483/udp    AFS License Manager   
+#                           Michael R. Pizolato <michael@afs.com>
+confluent       1484/tcp    Confluent License Manager 
+confluent       1484/udp    Confluent License Manager 
+#                           James Greenfiel <jim@pa.confluent.com>
+lansource       1485/tcp    LANSource 
+lansource       1485/udp    LANSource 
+#                           Christopher Wells <Christopher_Wells@3com.com>
+nms_topo_serv   1486/tcp    nms_topo_serv  
+nms_topo_serv   1486/udp    nms_topo_serv  
+#                           Sylvia Siu <Sylvia_Siu@Novell.CO>
+localinfosrvr   1487/tcp    LocalInfoSrvr  
+localinfosrvr   1487/udp    LocalInfoSrvr  
+#               Brian Matthews <brian_matthews@ibist.ibis.com>
+docstor         1488/tcp    DocStor  
+docstor         1488/udp    DocStor  
+#                           Brian Spears <bspears@salix.com>
+dmdocbroker     1489/tcp    dmdocbroker  
+dmdocbroker     1489/udp    dmdocbroker  
+#                           Razmik Abnous <abnous@documentum.com>
+insitu-conf     1490/tcp    insitu-conf  
+insitu-conf     1490/udp    insitu-conf  
+#                           Paul Blacknell <paul@insitu.com>
+anynetgateway   1491/tcp    anynetgateway  
+anynetgateway   1491/udp    anynetgateway  
+#                           Dan Poirier <poirier@VNET.IBM.COM>
+stone-design-1  1492/tcp    stone-design-1  
+stone-design-1  1492/udp    stone-design-1  
+#                           Andrew Stone <andrew@stone.com>
+netmap_lm       1493/tcp    netmap_lm  
+netmap_lm       1493/udp    netmap_lm  
+#                           Phillip Magson <philm@extro.ucc.su.OZ.AU>
+ica             1494/tcp    ica   
+ica             1494/udp    ica   
+#                           John Richardson, Citrix Systems
+cvc             1495/tcp    cvc  
+cvc             1495/udp    cvc  
+#                           Bill Davidson <billd@equalizer.cray.com>
+liberty-lm      1496/tcp    liberty-lm
+liberty-lm      1496/udp    liberty-lm
+#                           Jim Rogers <trane!jimbo@pacbell.com>
+rfx-lm          1497/tcp    rfx-lm
+rfx-lm          1497/udp    rfx-lm
+#                           Bill Bishop <bil@rfx.rfx.com>
+sybase-sqlany   1498/tcp    Sybase SQL Any
+sybase-sqlany   1498/udp    Sybase SQL Any
+#                           Dave Neudoerffer <Dave.Neudoerffer@sybase.com>
+fhc             1499/tcp    Federico Heinz Consultora
+fhc             1499/udp    Federico Heinz Consultora
+#                           Federico Heinz <federico@heinz.com>
+vlsi-lm         1500/tcp    VLSI License Manager
+vlsi-lm         1500/udp    VLSI License Manager
+#                           Shue-Lin Kuo <shuelin@mdk.sanjose.vlsi.com>
+saiscm          1501/tcp    Satellite-data Acquisition System 3 
+saiscm          1501/udp    Satellite-data Acquisition System 3 
+#                           Bill Taylor <sais@ssec.wisc.edu>
+shivadiscovery  1502/tcp    Shiva
+shivadiscovery  1502/udp    Shiva
+#                           Jonathan Wenocur <jhw@Shiva.COM>
+imtc-mcs        1503/tcp    Databeam
+imtc-mcs        1503/udp    Databeam
+#                           Jim Johnston <jjohnston@databeam.com>
+evb-elm         1504/tcp    EVB Software Engineering License Manager
+evb-elm         1504/udp    EVB Software Engineering License Manager
+#                           B.G. Mahesh < mahesh@sett.com>
+funkproxy       1505/tcp    Funk Software, Inc.
+funkproxy       1505/udp    Funk Software, Inc.
+#                           Robert D. Vincent <bert@willowpond.com>
+utcd            1506/tcp    Universal Time daemon (utcd)
+utcd            1506/udp    Universal Time daemon (utcd)
+#                           Walter Poxon <wdp@ironwood.cray.com>
+symplex         1507/tcp    symplex
+symplex         1507/udp    symplex
+#                           Mike Turley <turley@symplex.com>
+diagmond        1508/tcp    diagmond
+diagmond        1508/udp    diagmond
+#                           Pete Moscatelli <moscat@hprdstl0.rose.hp.com>
+robcad-lm       1509/tcp    Robcad, Ltd. License Manager
+robcad-lm       1509/udp    Robcad, Ltd. License Manager
+#                           Hindin Joseph <hindin%robcad@uunet.uu.net>
+mvx-lm          1510/tcp    Midland Valley Exploration Ltd. Lic. Man.
+mvx-lm          1510/udp    Midland Valley Exploration Ltd. Lic. Man.
+#                           Neil Salter <neil@indigo2.mvel.demon.co.uk>Laszlo
+3l-l1           1511/tcp    3l-l1
+3l-l1           1511/udp    3l-l1
+#                           Ian A. Young <iay@threel.co.uk>
+wins            1512/tcp    Microsoft's Windows Internet Name Service
+wins            1512/udp    Microsoft's Windows Internet Name Service
+#                           Pradeep Bahl <pradeepb@microsoft.com>
+fujitsu-dtc     1513/tcp    Fujitsu Systems Business of America, Inc
+fujitsu-dtc     1513/udp    Fujitsu Systems Business of America, Inc
+fujitsu-dtcns   1514/tcp    Fujitsu Systems Business of America, Inc
+fujitsu-dtcns   1514/udp    Fujitsu Systems Business of America, Inc
+#                           Charles A. Higgins <75730.2257@compuserve.com>
+ifor-protocol   1515/tcp    ifor-protocol
+ifor-protocol   1515/udp    ifor-protocol
+#                           Dr. R.P. Alston <robin@gradient.com>
+vpad            1516/tcp    Virtual Places Audio data
+vpad            1516/udp    Virtual Places Audio data
+vpac            1517/tcp    Virtual Places Audio control
+vpac            1517/udp    Virtual Places Audio control
+vpvd            1518/tcp    Virtual Places Video data
+vpvd            1518/udp    Virtual Places Video data
+vpvc            1519/tcp    Virtual Places Video control
+vpvc            1519/udp    Virtual Places Video control
+#                           Avshalom Houri <Avshalom@ubique.com>
+atm-zip-office  1520/tcp    atm zip office
+atm-zip-office  1520/udp    atm zip office
+#                           Wilson Kwan <wilsonk%toronto@zip.atm.com>
+ncube-lm        1521/tcp    nCube License Manager
+ncube-lm        1521/udp    nCube License Manager
+#                           Maxine Yuen <maxine@hq.ncube.com>
+ricardo-lm      1522/tcp    Ricardo North America License Manager
+ricardo-lm      1522/udp    Ricardo North America License Manager
+#                           Mike Flemming <mf@xnet.com>
+cichild-lm      1523/tcp    cichild
+cichild-lm      1523/udp    cichild
+#                           Andy Burgess <aab@cichlid.com>
+ingreslock/backdoor 1524/tcp    ingres
+ingreslock/backdoor 1524/udp    ingres
+orasrv          1525/tcp    oracle
+orasrv          1525/udp    oracle
+prospero-np     1525/tcp    Prospero Directory Service non-priv
+prospero-np     1525/udp    Prospero Directory Service non-priv
+pdap-np         1526/tcp    Prospero Data Access Prot non-priv 
+pdap-np         1526/udp    Prospero Data Access Prot non-priv 
+#                           B. Clifford Neuman <bcn@isi.edu>
+tlisrv          1527/tcp    oracle
+tlisrv          1527/udp    oracle
+mciautoreg      1528/tcp    micautoreg
+mciautoreg      1528/udp    micautoreg
+#                           John Klensin <klensin@MAIL1.RESTON.MCI.NET>
+coauthor        1529/tcp    oracle
+coauthor        1529/udp    oracle
+rap-service     1530/tcp    rap-service
+rap-service     1530/udp    rap-service
+rap-listen      1531/tcp    rap-listen
+rap-listen      1531/udp    rap-listen
+#                           Phil Servita <meister@ftp.com>
+miroconnect     1532/tcp    miroconnect
+miroconnect     1532/udp    miroconnect
+#                           Michael Fischer +49 531 21 13 0
+virtual-places  1533/tcp    Virtual Places Software
+virtual-places  1533/udp    Virtual Places Software
+#                           Avshalom Houri <Avshalom@ubique.com> 
+micromuse-lm    1534/tcp    micromuse-lm    
+micromuse-lm    1534/udp    micromuse-lm    
+#                           Adam Kerrison <adam@micromuse.co.uk>
+ampr-info       1535/tcp    ampr-info    
+ampr-info       1535/udp    ampr-info    
+ampr-inter      1536/tcp    ampr-inter
+ampr-inter      1536/udp    ampr-inter
+#                           Rob Janssen <rob@sys3.pe1chl.ampr.org>
+sdsc-lm         1537/tcp    isi-lm
+sdsc-lm         1537/udp    isi-lm
+#                           Len Wanger <lrw@sdsc.edu>
+3ds-lm          1538/tcp    3ds-lm
+3ds-lm      &nb