On 4/17/23 23:25, Justin Pryzby wrote:
> On Mon, Apr 17, 2023 at 10:56:17PM -0400, Phil Stracchino wrote:
>> Greetings,
>>
>> I have a weird problem.  I had a power interruption today during a generator
>> install, and when everything came back up afterwards, my XMPP server
>> (ejabberd) is not receiving any external connections.  No firewall rules
>> changed.
>
> You said they didn't change .. but didn't change since when ?

Several months, and that change was only to move that service to a different IP. Before that? These rules haven't changed in years.

>> The relevant rules in my Shorewall config are:
>>
>> Jabberd(ACCEPT)         all                     all
>> JabberPlain(ACCEPT)     all                     all
>> JabberSecure(ACCEPT)    all                     all
>>
>> ...
>>
>> # Jabber (moved to narn)
>> DNAT                    net                     LAN:10.24.32.17 tcp     3478,4560,5222,5223,5269,5280,5347,5444,8010,8888
>> DNAT                    net                     LAN:10.24.32.17 udp     3478
>
> Is the firewall host able to connect to the .17 host ?

Yes, without a problem.  And vice versa.

>> Notably MISSING from this list of open ports is 3478, for starters.  If I
>> LOCALLY nmap the same host, I get:
>
> Locally from where ?

10.24.32.10. "Locally" as in "from the same network segment", not as in "from localhost".

>> Can anyone suggest to me why my firewall is apparently ignoring my
>> instructions to accept and DNAT XMPP traffic?
>
> Are the rules being hit ?
>
> Either add ":info:xmpp"

Add that to what?

> Or check iptables -L -v -n

This is a Ubiquiti appliance that does not expose the iptables command. They do NOT want you to frob the firewall rules by hand.

> Actually - why do you have *both* DNAT and ACCEPT rules ?  DNAT (by
> default) includes ACCEPT...

OK, so that's redundant then. I thought I had to do those separately. There isn't a macro, to my knowledge, that accepts ALL of the XMPP-related ports *and* DNATs them in a single step. Or is there something I'm missing?

Is there a better way to do this?

Are the ACCEPT and DNAT rules possibly *interfering with* each other? Wouldn't be the first time I've inadvertently constructed a footgun...



--
  Phil Stracchino
  Babylon Communications
  ph...@caerllewys.net
  p...@co.ordinate.org
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
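Editor's note, as an added illustration that is not part of the thread above nor taken from Shorewall's own documentation: Justin's two suggestions map onto one change to the rules file. In Shorewall's rules file, the ACTION column takes an optional log level and tag (ACTION:level:tag), so ":info:xmpp" is appended to the DNAT action itself; and because DNAT already carries the filter-table ACCEPT (the NAT-only variant is spelled DNAT-), the three Jabber*(ACCEPT) macro lines are not needed for the forwarded ports. The hosts, ports and tag are those quoted in the thread; the column layout is the rules-file layout and is not a verbatim copy of anything posted.

```text
#ACTION                 SOURCE          DEST                    PROTO   DPORT
# Jabber (moved to narn): one DNAT per protocol, logged at level "info" with tag "xmpp".
# DNAT includes the ACCEPT, so the separate Jabberd/JabberPlain/JabberSecure(ACCEPT) lines go away.
DNAT:info:xmpp          net             LAN:10.24.32.17         tcp     3478,4560,5222,5223,5269,5280,5347,5444,8010,8888
DNAT:info:xmpp          net             LAN:10.24.32.17         udp     3478
```

With the log level in place, every packet that matches the rule produces a kernel log line whose prefix carries the xmpp tag, so "shorewall show log" answers "are the rules being hit?" without touching iptables directly; "shorewall show nat" prints the NAT-table chains with their packet counters, and "shorewall check" validates the edited rules file before a reload. All three still require a shell on the Shorewall host, so on an appliance that hides the underlying tools, as Phil describes, the log is the only one of these that may be reachable through the vendor's interface.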
