-
404.city
yes
-
404.city
tom I'll try to write you tomorrow
-
tom
That was weird, I somehow added a muc as a contact
-
tom
Why is xmpp.org's xmpp server on a nonstandard port 2605:da00:5222:5269::3:1:9269
-
tom
?
-
tom
$ host -t srv _xmpp-server._tcp.xmpp.org
_xmpp-server._tcp.xmpp.org has SRV record 1 1 9269 xmpp.xmpp.org.
-
tom
It's strange
-
tom
It's a good thing I didn't deploy egress filtering yet
-
stpeter
tom: I can't recall. When we deployed it originally, it might have been running on a machine that was already using the standard port. We change probably change it to the standard port now.
-
stpeter
s/change/can/
-
Frinkel
Curious, what's the issue with using a nonstandard port as long as the appropriate SRV records exist?
-
stpeter
I suspect that tom wanted to set up a firewall rule that allowed only well-defined ports.
-
tom
I saw a weird connection I didn't recognize in netstat
-
tom
I didn't recognize it because the port number was nonstandard
-
tom
I was originally going to set up egress filtering, where the xmpp daemon user could only make external requests on certain ports, namely xmpp-server
-
tom
Now I'm not so sure that's a good idea if people are running their s2s connections on nonstandard ports often
-
tom
Do I need to set up a STUN server if I want Jingle to work reliably? Is that not covered by the SOCKS proxy XEP-0065?
-
rom1dep
> Now I'm not so sure that's a good idea if people are running their s2s connections on nonstandard ports often
You can often see nonstandard s2s ports for direct TLS, for instance
-
tom
Ah
-
tom
So I should let prosody open whatever port it wants to external hosts
-
tom
As long as it's TCP
-
Ge0rG
Also don't forget UDP for DNS lookups
-
tom
That shouldn't be coming from the xmpp daemon
-
Ge0rG
I'm not so sure about that
-
Martin
I would also guess it uses the local dns.
-
Martin
Why should they nih a dns resolver?
-
MattJ
Martin: because the system resolver often doesn't support async or SRV
-
MattJ
If you run a resolver on 127.0.0.1, fine
-
MattJ
If not, UDP out is required
-
Martin
I have unbound listening on 127.0.0.1 and that's the only DNS server referred to in resolv.conf. So prosody should be happy. :)
-
MattJ
Yep
-
Ge0rG
Martin: but don't dare stopping it for some minutes
-
Martin
Why should I?
-
Ge0rG
Martin: because you do a package update?
-
Martin
That will stop it for minutes?
-
Ge0rG
maybe long enough for prosody to freak out about the DNS server being gone
-
Martin
I will see :)