Description of problem:
Satellite-5.3.0-RHEL5-re20090327.0-i386-embedded-oracle.iso

Before I open a docs bug, or this turns into a docs bug, I wanted to write this up. I tested osad w/ a proxy server and it seemed to me that port 5269 is not necessary. I'm not 100% sure of it, hence the bug. Here is what I found.

CLIENT:
> osad push package:
>
> Apr 1 15:28:46 rlx-2-04 kernel: IN=eth0 OUT= MAC=00:42:52:00:ea:71:00:16:3e:72:1b:90:08:00 SRC=10.10.77.135 DST=10.10.76.174 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=7902 DF PROTO=TCP SPT=5222 DPT=45746 WINDOW=104 RES=0x00 ACK PSH URGP=0
> Apr 1 15:28:53 rlx-2-04 kernel: IN=eth0 OUT= MAC=00:42:52:00:ea:71:00:16:3e:72:1b:90:08:00 SRC=10.10.77.135 DST=10.10.76.174 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=7903 DF PROTO=TCP SPT=5222 DPT=45746 WINDOW=104 RES=0x00 ACK PSH URGP=0
> Apr 1 15:29:06 rlx-2-04 kernel: IN=eth0 OUT= MAC=00:42:52:00:ea:71:00:16:3e:72:1b:90:08:00 SRC=10.10.77.135 DST=10.10.76.174 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=7904 DF PROTO=TCP SPT=5222 DPT=45746 WINDOW=104 RES=0x00 ACK PSH URGP=0
>
> UNBLOCKED src PORT 5222 ON CLIENT, retry
>
> success, package pushed
>
> PROXY:
> install osad,
> turn on firewall
> restart osad
>
> Apr 1 15:44:14 dhcp77-135 kernel: Removing netfilter NETLINK layer.
> Apr 1 15:44:14 dhcp77-135 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
> Apr 1 15:44:14 dhcp77-135 kernel: Netfilter messages via NETLINK v0.30.
> Apr 1 15:44:14 dhcp77-135 kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) - 228 bytes per conntrack
> Apr 1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=513 TOS=0x00 PREC=0x00 TTL=64 ID=48803 DF PROTO=TCP SPT=57894 DPT=5269 WINDOW=2264 RES=0x00 ACK PSH URGP=0
> Apr 1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34977 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr 1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34979 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr 1 15:44:35 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34981 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr 1 15:44:36 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34983 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
> Apr 1 15:44:45 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:42:52:00:ea:71:08:00 SRC=10.10.76.174 DST=10.10.77.135 LEN=137 TOS=0x00 PREC=0x00 TTL=64 ID=23988 DF PROTO=TCP SPT=45746 DPT=5222 WINDOW=495 RES=0x00 ACK PSH URGP=0
>
> OSAD working due to rule
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ADD NEW RULES
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5222 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5269 -j DROP
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> OSAD, no longer working
>
> CHANGE RULES
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5222 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5269 -j DROP
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Package installs
>
> CHANGE RULES
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5222 -j DROP
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --sport 5269 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> Package installs

http://www.tuxdocs.net/wiki/index.php?title=Jabberd2_Installation_Documentation

Firewall
* The following ports will need incoming access to the machine:
  o 389 – LDAP Port (389 is default)(Used for LDAP Authentication)
  o 686 – LDAPS Port (686 is default)(Used for LDAPS Authentication)
  o 5222 – Jabber Server Communication (plain text or secure via start-tls)
  o 5223 – SSL Jabber Server Communication
  o 5269 – S2S (Used to contact jabber users on other servers)
  o 5347 – Router (Used to link up components)

My conclusion is that whether using osad w/ a client, proxy, or client via a proxy, only 5222 is needed. If that is the case, we will need to change the documentation here:
http://www.redhat.com/docs/manuals/satellite/Red_Hat_Network_Satellite-5.2.0/html/Proxy_Installation_Guide/s1-requirements-additional.html
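Added example, not part of the bug report and not osad or Satellite code: a small Python script that parses netfilter LOG lines of the kind quoted above and, for the ports under discussion, separates packets addressed to a listening port (a connection some client opened to that host) from reply packets leaving a listening port towards an ephemeral client port. That is exactly the distinction the `ESTABLISHED,RELATED` rule hinges on, so the summary shows which ports a host actually accepts new connections on and therefore need an explicit inbound rule. The sample lines are copied from the log excerpts in the report; the port set in `JABBER_PORTS` and all function names are assumptions made for this example.

```python
import re
from collections import Counter

# Netfilter LOG lines copied from the kernel log excerpts quoted in this report,
# one packet per line (the e-mail wrapping of the original paste removed), plus
# one non-packet kernel message to show it is skipped.
SAMPLE_LOG = """\
Apr 1 15:28:46 rlx-2-04 kernel: IN=eth0 OUT= MAC=00:42:52:00:ea:71:00:16:3e:72:1b:90:08:00 SRC=10.10.77.135 DST=10.10.76.174 LEN=190 TOS=0x00 PREC=0x00 TTL=64 ID=7902 DF PROTO=TCP SPT=5222 DPT=45746 WINDOW=104 RES=0x00 ACK PSH URGP=0
Apr 1 15:44:14 dhcp77-135 kernel: Removing netfilter NETLINK layer.
Apr 1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=513 TOS=0x00 PREC=0x00 TTL=64 ID=48803 DF PROTO=TCP SPT=57894 DPT=5269 WINDOW=2264 RES=0x00 ACK PSH URGP=0
Apr 1 15:44:34 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:e0:81:30:8d:26:08:00 SRC=10.10.76.205 DST=10.10.77.135 LEN=574 TOS=0x00 PREC=0x00 TTL=64 ID=34977 DF PROTO=TCP SPT=5222 DPT=56175 WINDOW=3592 RES=0x00 ACK PSH URGP=0
Apr 1 15:44:45 dhcp77-135 kernel: IN=eth0 OUT= MAC=00:16:3e:72:1b:90:00:42:52:00:ea:71:08:00 SRC=10.10.76.174 DST=10.10.77.135 LEN=137 TOS=0x00 PREC=0x00 TTL=64 ID=23988 DF PROTO=TCP SPT=45746 DPT=5222 WINDOW=495 RES=0x00 ACK PSH URGP=0
"""

# The jabber ports the report asks about. This is an assumption made for the
# example, not something read from osad's or jabberd's configuration.
JABBER_PORTS = frozenset({5222, 5269})

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Parse one `kernel: IN=... OUT=...` LOG line into a dict.

    KEY=VALUE tokens become entries (SRC, DST, PROTO, SPT, DPT, ...); bare
    tokens such as DF, SYN, ACK, PSH are collected under "FLAGS". Kernel
    messages that are not packet logs (module load lines etc.) return None.
    """
    if "kernel:" not in line:
        return None
    payload = line.split("kernel:", 1)[1]
    fields = dict(FIELD_RE.findall(payload))
    if "IN" not in fields:
        return None
    fields["FLAGS"] = frozenset(tok for tok in payload.split() if "=" not in tok)
    return fields


def classify_flow(fields, service_ports):
    """Map a TCP packet to (server_ip, server_port, direction), or None.

    'to-listener': the packet is addressed to a service port, so it belongs to
    a connection a client opened towards that host; admitting it needs an
    inbound ACCEPT on that --dport.  'reply': the packet leaves a service port
    towards an ephemeral client port; a stateful ESTABLISHED,RELATED rule on
    the receiving host admits it without any port-specific rule.
    """
    if fields.get("PROTO") != "TCP":
        return None
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    if dpt in service_ports:
        return fields["DST"], dpt, "to-listener"
    if spt in service_ports:
        return fields["SRC"], spt, "reply"
    return None


def summarize(log_text, service_ports=JABBER_PORTS):
    """Count logged packets per (server_ip, server_port, direction)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if fields is None:
            continue
        key = classify_flow(fields, service_ports)
        if key is not None:
            counts[key] += 1
    return counts


def listener_ports_needed(counts):
    """(host, port) pairs that received client-originated packets.

    Only these need an explicit inbound rule; a port that shows up solely as
    reply traffic is already covered by the stateful rule.
    """
    return sorted({(ip, port) for (ip, port, direction) in counts
                   if direction == "to-listener"})


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (ip, port, direction), n in sorted(summary.items()):
        print(f"{ip}:{port} {direction:12s} {n} packet(s)")
    print("inbound rules needed for:", listener_ports_needed(summary))
```

Feeding the script the full `/var/log/messages` of each host in the test (client, proxy, satellite) instead of the embedded sample gives a per-host list of ports that saw inbound connections, which is a more direct check than toggling `--sport` rules and retrying the push; note that the rules in the report match on `--sport`, while the listener distinction above is about the destination port of the inbound packet.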
<whayutin_> so I'm wondering if 5269 is really necessary?
<msuchy> whayutin_: aha, you mean for jabberd?
<whayutin_> ya
<whayutin_> wondering if it worked due to A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
<msuchy> whayutin_: according to quick google search jabberd can live with 5222, 5223, 5269, and 8010
<msuchy> so it is enough if you open one of them
<cliff-hm> whayutin_, it's possible docs are incorrect - file a bug, we prob align it to 540 though, since english docs are frozen
<whayutin_> :) thanks guys
5269 is needed in both directions between the satellite server and the proxy server.
As per comment #2 - notabug.