Bug 493657

Summary: Jabber ports, is 5269 needed?
Product: Red Hat Satellite 5
Reporter: wes hayutin <whayutin>
Component: Docs Installation Guide
Assignee: John Ha <jha>
Status: CLOSED NOTABUG
QA Contact: ecs-bugs
Severity: medium
Priority: low
Version: 530
CC: adstrong, casmith, cperry, ipilcher
Hardware: All
OS: Linux
URL: http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.2.0/html/Proxy_Installation_Guide/s1-requirements-additional.html
Doc Type: Bug Fix
Last Closed: 2010-09-13 21:05:11 UTC
Bug Blocks: 608749

Description wes hayutin 2009-04-02 14:31:14 UTC
Description of problem:
Satellite-5.3.0-RHEL5-re20090327.0-i386-embedded-oracle.iso

Before I open a docs bug, or this turns into a docs bug, I wanted to write this up.
I tested osad with a proxy server and it seemed to me that port 5269 is not necessary. I'm not 100% sure of it, hence the bug.

Here is what I found.

CLIENT:
> osad push package:
>
> Apr  1 15:28:46 rlx-2-04 kernel: IN=eth0 OUT= MAC=00:42:52:00:ea:71:00:16:3e:72:1b:90:08:00 SRC=10.10.77.135 DST=10.10.76.174 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=7902 DF PROTO=TCP SPT=5222 DPT=45746 WINDOW=104 RES=0x00 ACK PSH URGP=0
> Apr  1 15:28:53 rlx-2-04 kernel: IN=eth0 OUT= MAC=00:42:52:00:ea:71:00:16:3e:72:1b:90:08:00 SRC=10.10.77.135 DST=10.10.76.174 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=7903 DF PROTO=TCP SPT=5222 DPT=45746 WINDOW=104 RES=0x00 ACK PSH URGP=0
> Apr  1 15:29:06 rlx-2-04 kernel: IN=eth0 OUT= MAC=00:42:52:00:ea:71:00:16:3e:72:1b:90:08:00 SRC=10.10.77.135 DST=10.10.76.174 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=7904 DF PROTO=TCP SPT=5222 DPT=45746 WINDOW=104 RES=0x00 ACK PSH URGP=0
>
> UNBLOCKED src PORT 5222 ON CLIENT, retry
>
> success, package pushed
>
> PROXY:
> install osad,
> turn on firewall
> restart osad
>
> Apr  1 15:44:14 dhcp77-135 kernel: Removing netfilter NETLINK layer.
> Apr  1 15:44:14 dhcp77-135 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
> Apr  1 15:44:14 dhcp77-135 kernel: Netfilter messages via NETLINK v0.30.
> Apr  1 15:44:14 dhcp77-135 kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) - 228 bytes per conntrack
> Apr  1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=513 TOS=0x00 PREC=0x00 TTL=64 ID=48803 DF PROTO=TCP SPT=57894 DPT=5269 WINDOW=2264 RES=0x00 ACK PSH URGP=0
> Apr  1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34977 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr  1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34979 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr  1 15:44:35 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34981 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr  1 15:44:36 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34983 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr  1 15:44:45 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:42:52:00:ea:71:08:00 SRC=10.10.76.174 DST=10.10.77.135 LEN=137 TOS=0x00 PREC=0x00 TTL=64 ID=23988 DF PROTO=TCP SPT=45746 DPT=5222 WINDOW=495 RES=0x00 ACK PSH URGP=0
>
> OSAD working due to rule
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ADD NEW RULES
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5222 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5269 -j DROP
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> OSAD, no longer working
>
> CHANGE RULES
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5222 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5269 -j DROP
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Package installs
>
> CHANGE RULES
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5222 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5269 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Package installs

http://www.tuxdocs.net/wiki/index.php?title=Jabberd2_Installation_Documentation

  Firewall

    * The following ports will need incoming access to the machine:
          o 389 – LDAP Port (389 is default)(Used for LDAP Authentication)
          o 686 – LDAPS Port (686 is default)(Used for LDAPS Authentication)
          o 5222 – Jabber Server Communication (plain text or secure via start-tls)
          o 5223 – SSL Jabber Server Communication
          o 5269 – S2S (Used to contact jabber users on other servers)
          o 5347 – Router (Used to link up components)

My conclusion is that, whether using osad with a client, a proxy, or a client via a proxy, only 5222 is needed.

If that is the case, we will need to change the documentation here:
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.2.0/html/Proxy_Installation_Guide/s1-requirements-additional.html
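The logged packets above all carry ACK PSH, i.e. they belong to flows that the ESTABLISHED,RELATED rule already accepts, which is why blocking NEW traffic on either source port changed nothing until a fresh connection was attempted. The following script, added here as an illustration and not part of the report, parses netfilter LOG lines of this shape and reports, per XMPP port (5222 c2s, 5269 s2s), which peers opened a new connection (pure SYN) versus which were only seen on established flows. The sample log is constructed: three lines modelled on the proxy-side entries, plus one invented SYN line to 5269.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from the report's systems): netfilter LOG
# lines modelled on the proxy-side entries above, each joined onto one line,
# plus one extra SYN line to show what a genuinely new connection looks like.
SAMPLE_LOG = """\
Apr  1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=513 TOS=0x00 PREC=0x00 TTL=64 ID=48803 DF PROTO=TCP SPT=57894 DPT=5269 WINDOW=2264 RES=0x00 ACK PSH URGP=0
Apr  1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34977 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
Apr  1 15:44:45 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:42:52:00:ea:71:08:00 SRC=10.10.76.174 DST=10.10.77.135 LEN=137 TOS=0x00 PREC=0x00 TTL=64 ID=23988 DF PROTO=TCP SPT=45746 DPT=5222 WINDOW=495 RES=0x00 ACK PSH URGP=0
Apr  1 15:50:01 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=5269 WINDOW=5840 RES=0x00 SYN URGP=0
"""

XMPP_PORTS = {5222: "c2s", 5269: "s2s"}   # jabberd client and server-to-server ports
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST")


def parse_log_line(line):
    """Return KEY=VALUE fields plus a FLAGS set from one netfilter LOG line, else None."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    rec = dict(FIELD_RE.findall(body))
    rec["FLAGS"] = {f for f in TCP_FLAGS if re.search(rf"\b{f}\b", body)}
    return rec


def summarise_xmpp_ports(log_text):
    """Per XMPP port: peers that opened a NEW connection to it (pure SYN with the
    port as destination) versus peers seen only on already-established flows."""
    seen = defaultdict(lambda: {"new_conn_from": set(), "established_with": set()})
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        spt, dpt = int(rec["SPT"]), int(rec["DPT"])
        new_conn = rec["FLAGS"] == {"SYN"}          # SYN without ACK = connection setup
        # the service port may be the destination (request) or the source (reply)
        for port, peer, is_dst in ((dpt, rec["SRC"], True), (spt, rec["DST"], False)):
            if port in XMPP_PORTS:
                key = "new_conn_from" if (new_conn and is_dst) else "established_with"
                seen[port][key].add(peer)
    return dict(seen)


def ports_needing_new_rule(summary):
    """Ports where a NEW connection was observed, so a --state NEW --dport ACCEPT is
    needed; ports seen only on established traffic are inconclusive and not listed."""
    return sorted(p for p, s in summary.items() if s["new_conn_from"])
```

Run on the sample, only 5269 shows a genuine connection attempt; 5222 appears only inside established flows, so the log alone cannot say whether it needs a NEW rule.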

Comment 1 wes hayutin 2009-04-02 14:34:12 UTC
<whayutin_> so I'm wondering if 5269 is really necessary?
<msuchy> whayutin_: aha, you mean for jabberd?
<whayutin_> ya
<whayutin_> wondering if it worked due to A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<msuchy> whayutin_: according to quick google search jabberd can live with 5222, 5223, 5269, and 8010
<msuchy> so it is enough if you open one of them
<cliff-hm> whayutin_, it's possible docs are incorrect - file a bug, we prob align it to 540 though, since English docs are frozen
<whayutin_> :)  thanks guys

Comment 2 Calvin Smith 2010-02-27 13:08:51 UTC
5269 is needed in both directions between the satellite server and the proxy server.

Comment 5 Clifford Perry 2010-09-13 21:05:11 UTC
As per comment #2 - notabug.