
Diff for "DaemonAdmin/EJabberD"

Differences between revisions 3 and 4
Revision 3 as of 2011-03-09 09:06:47
Size: 903
Editor: ClintonEbadi
Comment: firewall config
Revision 4 as of 2011-03-09 20:23:18
Size: 1136
Editor: ClintonEbadi
Comment:
Line 21: Line 21:
Port `4369` (epam) must be open to all other `ejabberd` nodes, but should '''not''' be open to the world at large. For ferm:

{{{
proto tcp dport (xmpp-client xmpp-server) ACCEPT;
}}}

Port `4369` (epam) must be open to all other `ejabberd` nodes, but should '''not''' be open to the world at large. Unfortunately this requires maintaining a list of IPs at present (we really should rewrite fwtool).

{{{
proto tcp daddr (...) dport 4369 ACCEPT;
}}}
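
Review bot: in the added rule `proto tcp daddr (...) dport 4369 ACCEPT;`, `daddr` matches the packet's destination address, while the sentence above it asks for the port to be reachable only from the other `ejabberd` nodes. If this rule sits in the INPUT chain, that restriction has to be on the source address, so the rule should read `proto tcp saddr (...) dport 4369 ACCEPT;`. Separately, "epam" in the sentence should be "epmd", the Erlang port mapper daemon that listens on 4369.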

1. Jabber Admin

1.1. Jabber Daemon

We use ejabberd.

All nodes must have the same Erlang cookie. When installing a new node, replace the default Debian cookie with one copied from ~ejabberd/.erlang_cookie.

1.3. SSL Certificate

We require TLS communication with the jabber daemon to avoid exposing Kerberos passwords.

When installing a new node, make sure to copy /etc/ejabberd/ejabberd.pem from another node. The current certificate is valid until 2018 and signed by the HCoop CA.

1.4. Firewall

The ports with the IANA service names xmpp-client (port 5222) and xmpp-server (port 5269) must be open to the world at large.

For ferm:

proto tcp dport (xmpp-client xmpp-server) ACCEPT;

Port 4369 (epmd) must be open to all other ejabberd nodes, but should not be open to the world at large. Unfortunately, this currently requires maintaining a list of IPs (we really should rewrite fwtool).

proto tcp daddr (...) dport 4369 ACCEPT;   
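
A check for the port 4369 restriction described above, as an added example that is not part of the original wiki page: it scans `iptables-save` output (the ruleset that ferm installs) for INPUT rules that accept port 4369 without a source-address match. The function names and the sample ruleset with 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag INPUT rules that ACCEPT tcp/4369 (epmd) from any source.
# Reads iptables-save format on stdin and prints each offending rule.
# Limitation: port ranges such as "--dport 4000:5000" are not expanded.
find_open_epmd_rules() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            port = 0; src = ""; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == "4369") port = 1
                if ($i == "--dports") {
                    n = split($(i + 1), p, ",")
                    for (k = 1; k <= n; k++) if (p[k] == "4369") port = 1
                }
                # A negated source ("! -s x") still admits almost everyone.
                if ($i == "-s" || $i == "--source")
                    src = ($(i - 1) == "!") ? "" : $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (port && accept && (src == "" || src == "0.0.0.0/0")) print
        }
    '
}

# Constructed sample ruleset (documentation addresses, not real nodes).
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 4369 -j ACCEPT
-A INPUT -d 192.0.2.11/32 -p tcp -m tcp --dport 4369 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4369 -j ACCEPT
COMMIT
EOF
}

# Prints the last two 4369 rules: one matches only on destination,
# the other has no address match at all.
sample_rules | find_open_epmd_rules
```

On a node, run it against the live ruleset with `iptables-save -t filter | find_open_epmd_rules` (as root); no output means every accept rule for 4369 is limited by source address.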

1.5. PAM Configuration

TODO


CategorySystemAdministration

DaemonAdmin/EJabberD (last edited 2020-08-29 20:43:11 by ClintonEbadi)