[JDEV] RE: [jadmin] install jabber server behind firewall

Thomas Muldowney temas at box5.net
Fri Feb 9 19:19:34 CST 2001


Here is some documentation on dialback:

http://docs.jabber.org/draft-proto/html/dialback.html

There are a few things you'll need to do to use s2s.  First make sure that 
the hostname you are claiming to be actually does point back to your box.
This is the whole point of the dialback mechanism, not allowing you to spoof
as anyone.  Next you'll need to ensure that the s2s communications port is
open on your firewall.  This is 5269 by default.  After that it should work
just fine.

--temas
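To make the reply above concrete (dialback verifies domain names, a key and a DNS-resolved callback on port 5269, never IP addresses, which is why a NAT'ed server works as long as its name resolves to the firewall and 5269 is forwarded), here is an added simulation of the handshake. It is not code from this thread or from jabberd: the in-memory DNS/network, the server names, the secrets and the RFC 5737 documentation addresses are all constructed, and the key derivation uses the HMAC construction from the later XEP-0220 specification rather than jabberd 1.4's own hashing, which the thread does not show.

```python
"""Simulation of the Jabber server-to-server dialback handshake (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

S2S_PORT = 5269  # default s2s port, as stated in the reply


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    # The key binds the two domain names and the stream id to a secret only the
    # authoritative server knows; no IP address enters the computation.
    # (HMAC construction from XEP-0220; assumption, not jabberd 1.4's exact hash.)
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hashlib.sha256(secret).digest(), msg, hashlib.sha256).hexdigest()


@dataclass
class Server:
    domain: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    log: list = field(default_factory=list)

    def handle_verify(self, frm: str, to: str, stream_id: str, key: str) -> str:
        """Authoritative role: answer a <db:verify> from receiving server `frm` about domain `to`."""
        expected = dialback_key(self.secret, frm, to, stream_id)
        ok = to == self.domain and hmac.compare_digest(expected, key)
        return "valid" if ok else "invalid"


class Network:
    """Constructed stand-in for DNS and the wire: domain -> address, (address, port) -> listener."""

    def __init__(self):
        self.dns = {}
        self.listeners = {}

    def connect(self, domain: str):
        # Whatever DNS says for the claimed name is where the dial-back goes.
        return self.listeners.get((self.dns.get(domain), S2S_PORT))


def receiving_side(rs: Server, net: Network, claimed: str, key: str, stream_id: str) -> str:
    authoritative = net.connect(claimed)
    if authoritative is None:  # name does not resolve, or 5269 is not reachable through the firewall
        rs.log.append(f"[alert] (s2s): could not connect to {claimed}:{S2S_PORT} to verify its key")
        return "invalid"
    verdict = authoritative.handle_verify(rs.domain, claimed, stream_id, key)
    rs.log.append(f"<db:verify type='{verdict}' from='{claimed}' to='{rs.domain}' id='{stream_id}'/>")
    return verdict


def originate(sender: Server, claimed: str, rs: Server, net: Network) -> str:
    """Originating role: sender claims `claimed` towards receiving server `rs`."""
    stream_id = secrets.token_hex(8)  # the receiving server assigns this in its stream header
    key = dialback_key(sender.secret, rs.domain, claimed, stream_id)
    sender.log.append(f"<db:result to='{rs.domain}' from='{claimed}'>{key}</db:result>")
    result = receiving_side(rs, net, claimed, key, stream_id)
    sender.log.append(f"<db:result type='{result}' to='{claimed}' from='{rs.domain}'/>")
    return result


def run_scenarios() -> dict:
    """Three setups from the thread; all names and addresses are constructed."""
    net = Network()
    remote = Server("jabber.org")
    net.dns["jabber.org"] = "198.51.100.10"
    net.listeners[("198.51.100.10", S2S_PORT)] = remote

    # 1. NAT'ed box: name resolves to the firewall's outside address, firewall forwards 5269 inside.
    mine = Server("im.example.net")
    net.dns["im.example.net"] = "203.0.113.1"
    net.listeners[("203.0.113.1", S2S_PORT)] = mine

    # 2. Name resolves, but nothing reachable on 5269 (port blocked at the firewall).
    blocked = Server("intranet.example.net")
    net.dns["intranet.example.net"] = "203.0.113.2"

    # 3. Name resolves to some other host that is not this server at all.
    other_host = Server("hosting.example.com")
    net.dns["hosting.example.com"] = "192.0.2.7"
    net.listeners[("192.0.2.7", S2S_PORT)] = other_host
    misnamed = Server("other.example.org")
    net.dns["other.example.org"] = "192.0.2.7"

    return {
        "nat_forwarded": originate(mine, "im.example.net", remote, net),
        "port_blocked": originate(blocked, "intranet.example.net", remote, net),
        "dns_elsewhere": originate(misnamed, "other.example.org", remote, net),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

Only the first setup yields `valid`; the other two are the "sending name ... is invalid" situation from the quoted error.log, because the receiving server could not reach, or reached the wrong, authoritative server for the claimed name.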

On Fri, Feb 09, 2001 at 05:50:04PM -0700, Frank Vernon wrote:
> Hi all-
> 
> I too have been wrestling with 1.4 trying to get it to run behind a firewall
> today. I finally got it running locally but still no luck in interoperating
> with the jabber.org server.
> 
> The problem seems to be buried somewhere within the dialback mechanism but
> I'm new to the codebase so it's slow going trying to figure out exactly
> what's going on. Is there any documentation on the details of the dialback
> strategy? I can't seem to find any. Does anyone know if it's exchanging
> explicit IP addresses as opposed to just the canonical names defined in
> jabber.xml? (If so, this mechanism will never work in a NAT'ed firewall
> scenario like mine.)
> 
> I've captured packets and can see the 'error' result in the
> <db:result.../db:result> exchange. From reading the code it looks like 'db'
> definitely refers to the dialback mechanism. I've browsed the code at some
> length and it would appear that for the most part the hashed items in the
> captured stream are not IP addresses but it's hard to tell in all cases. A
> little documentation would go a long way here.
> 
> I'm pretty sure that my firewall configuration is correct. I'm forwarding
> ports 5222 and 5269 and I have DNS setup so that my server name resolves to
> the IP address on the outside of the firewall. In theory, as far as a remote
> server is concerned, my server should appear to be sitting at the firewall
> address. Is there a reverse lookup in this process? Is there another port in
> use here? Any other pointers?
> 
> BTW- I think it would be great if the debug output of the server included the
> raw XML packets at each step. Also some more detail in the db:result 'error'
> would be helpful to debug these issues.
> 
> Thanks-
> Frank
> 
> > -----Original Message-----
> > From: jadmin-admin at mailman.jabber.org
> > [mailto:jadmin-admin at mailman.jabber.org]On Behalf Of Chris Schultz
> > Sent: Friday, February 09, 2001 1:30 PM
> > To: Chris Pile; jadmin at mailman.jabber.org
> > Subject: Re: [jadmin] install jabber server behind firewall
> >
> >
> > I don't have the firewall logs in front of me, but there are no ports
> > open to this system.  I also tried removing the s2s and dnsrv entries
> > but I could not get jabberd to start (I got a config file parse error).
> >
> > BTW, everything else pretty much works.  I'm just worried about dinging
> > update.jabber.org with every user that hits my internal server.
> >
> > --Chris
> >
> > Chris Pile wrote:
> > >
> > > I get similar messages:
> > > 20010209T15:31:00: [notice] (update.jabber.org): bouncing a packet to
> > > 959967024 at update.jabber.org/1.1.1.5 from chris at somedomain.tld/JabberIM:
> > > Unable to deliver, destination unknown
> > >
> > > Although I also removed the s2s and dnsrv entries in my jabber.xml
> > > config.
> > >
> > > I haven't had chance yet but will set up a simple firewall and log to
> > > see what port etc this traffic is transmitted on.
> > >
> > > Chris: do you have any firewall logs to suggest that traffic is being
> > > sent to/from jabber.org?  I just figured these messages indicated that
> > > the info could not be sent.
> > >
> > > Thanks,
> > > Chris Pile
> > >
> > > Chris Schultz wrote:
> > > >
> > > > I'm having a related issue.  I'm trying to set up my Jabber 1.4 server
> > > > for intranet use only.  And yet it keeps trying to communicate with
> > > > update.jabber.org.  Here's the error.log file:
> > > >
> > > > 20010209T03:50:59: [notice] (update.jabber.org): bouncing a packet to
> > > > 959967039 at update.jabber.org/0.9.3.5 from
> > > > chris at monitor.availigence.com/Winjab: Server Connect Timeout
> > > > 20010209T03:51:31: [alert] (s2s): We were told by update.jabber.org that
> > > > our sending name monitor.availigence.com is invalid, either something
> > > > went wrong on their end, we tried using that name improperly, or dns
> > > > does not resolve to us
> > > >
> > > > Now I'm sure that update can't talk to my box because I've blocked
> > > > access at the firewall.  But why is our internal server still trying to
> > > > communicate with the outside world at all?
> > > >
> > > > My jabber.xml file is below.  I've taken out update, jud, mod_version.so
> > > > but the behavior still continues.
> > > >
> > > > Any help would be greatly appreciated.
> > > >
> > > > --Chris
> > > >
> > > > <jabber>
> > > >   <service id="sessions">
> > > >     <host><jabberd:cmdline
> > > > flag="h">monitor.availigence.com</jabberd:cmdline></host>
> > > >     <jsm xmlns="jabber:config:jsm">
> > > >       <filter>
> > > >           <default/>
> > > >           <max_size>100</max_size>
> > > >           <allow>
> > > >               <conditions>
> > > >                   <ns/>
> > > >                   <unavailable/>
> > > >                   <from/>
> > > >                   <resource/>
> > > >                   <subject/>
> > > >                   <body/>
> > > >                   <show/>
> > > >                   <type/>
> > > >                   <roster/>
> > > >                   <group/>
> > > >               </conditions>
> > > >               <actions>
> > > >                   <error/>
> > > >                   <offline/>
> > > >                   <reply/>
> > > >                   <continue/>
> > > >                   <settype/>
> > > >               </actions>
> > > >           </allow>
> > > >       </filter>
> > > >       <register notify="yes">
> > > >         <instructions>Choose a username and password to register with
> > > > this server.</instructions>
> > > >         <name/>
> > > >         <email/>
> > > >       </register>
> > > >       <welcome>
> > > >         <subject>Welcome!</subject>
> > > >         <body>Welcome to the Jabber server at localhost -- we hope you
> > > > enjoy this service! For information about how to use Jabber, visit the
> > > > Jabber User's Guide at http://docs.jabber.org/</body>
> > > >       </welcome>
> > > >       <vcard2jud/>
> > > >       <browse>
> > > >         <conference type="private"
> > > > jid="conference.monitor.availigence.com" name="Conference"/>
> > > >         <service type="aim" jid="aim.monitor.availigence.com" name="AIM Transport">
> > > >           <ns>jabber:iq:gateway</ns>
> > > >           <ns>jabber:iq:register</ns>
> > > >         </service>
> > > >       </browse>
> > > >     </jsm>
> > > >
> > > >     <load main="jsm">
> > > >       <jsm>./jsm/jsm.so</jsm>
> > > >       <mod_echo>./jsm/jsm.so</mod_echo>
> > > >       <mod_roster>./jsm/jsm.so</mod_roster>
> > > >       <mod_time>./jsm/jsm.so</mod_time>
> > > >       <mod_vcard>./jsm/jsm.so</mod_vcard>
> > > >       <mod_last>./jsm/jsm.so</mod_last>
> > > >       <mod_announce>./jsm/jsm.so</mod_announce>
> > > >       <mod_agents>./jsm/jsm.so</mod_agents>
> > > >       <mod_browse>./jsm/jsm.so</mod_browse>
> > > >       <mod_admin>./jsm/jsm.so</mod_admin>
> > > >       <mod_filter>./jsm/jsm.so</mod_filter>
> > > >       <mod_offline>./jsm/jsm.so</mod_offline>
> > > >       <mod_presence>./jsm/jsm.so</mod_presence>
> > > >       <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
> > > >       <mod_auth_digest>./jsm/jsm.so</mod_auth_digest>
> > > >       <mod_auth_0k>./jsm/jsm.so</mod_auth_0k>
> > > >       <mod_log>./jsm/jsm.so</mod_log>
> > > >       <mod_register>./jsm/jsm.so</mod_register>
> > > >       <mod_xml>./jsm/jsm.so</mod_xml>
> > > >     </load>
> > > >   </service>
> > > >
> > > >   <xdb id="xdb">
> > > >     <host/>
> > > >     <load>
> > > >       <xdb_file>./xdb_file/xdb_file.so</xdb_file>
> > > >     </load>
> > > >     <xdb_file xmlns="jabber:config:xdb_file">
> > > >       <spool><jabberd:cmdline flag='s'>./spool</jabberd:cmdline></spool>
> > > >     </xdb_file>
> > > >   </xdb>
> > > >
> > > >   <service id="c2s">
> > > >     <load>
> > > >       <pthsock_client>./pthsock/pthsock_client.so</pthsock_client>
> > > >     </load>
> > > >     <pthcsock xmlns='jabber:config:pth-csock'>
> > > >       <authtime/>
> > > >       <karma>
> > > >         <init>10</init>
> > > >         <max>10</max>
> > > >         <inc>1</inc>
> > > >         <dec>1</dec>
> > > >         <penalty>-6</penalty>
> > > >         <restore>10</restore>
> > > >       </karma>
> > > >       <ip port="5222"/>
> > > >     </pthcsock>
> > > >   </service>
> > > >
> > > >   <log id='elogger'>
> > > >     <host/>
> > > >     <logtype/>
> > > >     <format>%d: [%t] (%h): %s</format>
> > > >     <file>error.log</file>
> > > >     <stderr/>
> > > >   </log>
> > > >   <log id='rlogger'>
> > > >     <host/>
> > > >     <logtype>record</logtype>
> > > >     <format>%d %h %s</format>
> > > >     <file>record.log</file>
> > > >   </log>
> > > >
> > > >   <service id="dnsrv">
> > > >     <host/>
> > > >     <load>
> > > >       <dnsrv>./dnsrv/dnsrv.so</dnsrv>
> > > >     </load>
> > > >     <dnsrv xmlns="jabber:config:dnsrv">
> > > >         <resend service="_jabber._tcp">s2s</resend> <!-- for supporting SRV records -->
> > > >         <resend>s2s</resend>
> > > >     </dnsrv>
> > > >   </service>
> > > >   <service id="s2s">
> > > >     <load>
> > > >       <dialback>./dialback/dialback.so</dialback>
> > > >     </load>
> > > >     <dialback xmlns='jabber:config:dialback'>
> > > >       <legacy/>
> > > >       <ip port="5269"/>
> > > >       <karma>
> > > >         <init>50</init>
> > > >         <max>50</max>
> > > >         <inc>4</inc>
> > > >         <dec>1</dec>
> > > >         <penalty>-5</penalty>
> > > >         <restore>50</restore>
> > > >       </karma>
> > > >     </dialback>
> > > >   </service>
> > > >   <service id="conference.monitor.availigence.com">
> > > >   <load><conference>./conference/conference.so</conference></load>
> > > >   <conference xmlns="jabberd:config:conference">
> > > >     <private/>
> > > >     <history>30</history>
> > > >     <vCard>
> > > >       <FN>Conference</FN>
> > > >       <DESC>This service is for private conferencing rooms.</DESC>
> > > >       <URL>http://www.availigence.com/</URL>
> > > >     </vCard>
> > > >     <notice>
> > > >       <join> has become available</join>
> > > >       <leave> has left</leave>
> > > >       <rename> is now known as </rename>
> > > >     </notice>
> > > >   </conference>
> > > >   </service>
> > > >   <service id='aim.monitor.availigence.com'>
> > > >     <load><aim_transport>./aim-transport/aimtrans.so</aim_transport></load>
> > > >     <aimtrans xmlns='jabber:config:aimtrans'>
> > > >       <vCard>
> > > >         <FN>AIM Transport</FN>
> > > >         <DESC>An AIM Transport!</DESC>
> > > >       </vCard>
> > > >     </aimtrans>
> > > >   </service>
> > > >
> > > >   <io>
> > > >     <rate points="5" time="25"/>
> > > >  </io>
> > > >
> > > >  <pidfile>./jabber.pid</pidfile>
> > > > </jabber>
> > > >
> >
> > --
> > Chris Schultz ................................804.521.3072...o..
> > Availigence, Inc. ............................804.935.0165...f..
> > http://www.availigence.com ....... chris.schutlz at NOSPavailigence.com
> 
> 
> _______________________________________________
> jdev mailing list
> jdev at jabber.org
> http://mailman.jabber.org/listinfo/jdev