PF Firewall settings for XMPP

S

sidetone

Most of the time when I set up an XMPP / Jabber firewall in PF, others' accounts show, but most messages get blocked.

grep xmpp /etc/services gives:
xmpp-client 5222 tcp and udp
xmpp-server 5269 tcp and udp

I added more ports, including those for chat and those based on a search, but nothing of that seemed official for XMPP, except for what was listed in /etc/services.

High ports are 5000 - 5010 and 10000 - 65510. I'm not sure if these were just supposed to be udp, or both udp with tcp.

Keep state alone won't help with instant messages originating externally.

For pf.conf I have:
Code: 
# 443-https, 531-conference, 5050-mmcc, 5222-xmpp-client, 5269-xmpp-server
xmpp="{ 443 531 5050 5222 5223 5269 5280 5298 8010 8012 8013 8333 }"
highport="{ 5000 >< 5010 10000 >< 65510 }"
highportblk="{ ................ }"

pass proto { tcp udp } from port $highport to port $highport # Should this be udp only?
pass quick proto { tcp udp } from port $xmpp to port $xmpp keep state
pass quick proto { tcp udp } from port $xmpp to port $highport
pass quick proto { tcp udp } from port $highport to port $xmpp
block quick log proto { udp tcp } to port $highportblk no state
block quick log proto { udp tcp } from port $highportblk no state
High ports have to be allowed from externally regardless of state, or more messages get dropped.

The user's name always shows with the above. Does anyone have suggestions on what rules to add to prevent more dropped instant messages on XMPP, usually from externally? Thank you.
 
This is an official list pertaining to Cisco Jabber, which I believe translates or is applicable to other XMPP/Jabber servers/clients/programs.
http://www.cisco.com/c/en/us/td/doc..._cisco-jabber-planning-guide_chapter_011.html

https://www.iana.org/assignments/se...rvice-names-port-numbers.xhtml?skey=-1&page=2 has added xmpp-bosh 5280

port protocols:
Code: 
443/tcp : HTTPS, XMPP alternate
5222/tcp : XMPP client
5269/tcp : XMPP server
5280/tcp : xmpp-bosh Bidirectional-streams Over Synchronous HTTP

53/udp,tcp : DNS
636/tcp,udp  :   secure LDAP
2748/tcp   :   Computer Telephony Interface
5061/tcp : SIP
8443/tcp : presence service and Cisco related

5070-6070/udp  :  BFCP for desktop video
7080/tcp,https : Cisco related voice notifications
16384-32766/udp : audio video
30000-39000/udp : camera
49152-65535/tcp : screen share

3269/ldaps ? :  secure Global Catalog server
37200/socks5 Bytestreams : file transfers



(incomplete list...)

Left off many insecure port protocols.

A few forum posts said that PF and many other FreeBSD firewalls are network layer and not application layer, so that helps exclude that information from the list.
 
Last edited:
I put block quick at the top, which made a big difference in not dropping packets, due to efficiency.
Code: 
xmpp="{ https xmpp-client xmpp-server 5280 5298 8010:8013 531 8333 mmcc }"
highport="{ 5000:5010 5070:6070 16384:32766 49152:65535 }" # need more highports for other services
blk="{ ................ }" # absolute blocked port protocols

block quick log proto { udp tcp } to port $blk no state
block quick log proto { udp tcp } from port $blk no state
pass proto { tcp udp } from port $highport to port $highport  # needs udp and tcp
pass proto { tcp udp } from port $xmpp to port $xmpp
pass proto { tcp udp } from port $xmpp to port $highport
pass proto { tcp udp } from port $highport to port $xmpp

I think using XMPP brings down my network during certain hours of the day, and on some servers more often than others. When I refresh the IP address on my gateway, the link from my gateway to the internet works. I would need a maximum connection rate that doesn't drop packets from those on my messenger list.
 
Last edited:
Comprehensive list to be updated:
Code: 
xmpp-client     5222/tcp   #XMPP Client Connection
xmpp-server     5269/tcp   #XMPP Server Connection
xmpp-bosh       5280/tcp   #Bidirectional-streams Over Synchronous HTTP (BOSH)
presence        5298/tcp   #XMPP Link-Local Messaging
presence        5298/udp   #XMPP Link-Local Messaging
clique              /udp   #Clique Link-Local Multicast Chatroom   telapathy.freedesktop.org/xmpp/clique
presence                   #Peer-to-peer messaging/Link-Local Messaging  xmpp.org/registrar/linklocal.html

According to:
 
You must log in or register to reply here.
Back
Top