Cant punch EJABBERD through FIREHOL, I'm lost!

NOTE: Oops, when I put this up my session expired, and I accedentally copy-pasted this post into the wrong forum… this was supposed to be in Linux Networking… If somebody wanted to move it… :D

I installed ejabberd on my linode; I wanted a personal server that supported TLS between client and server and server and server… secure from end to end, if you trust the servers, of course :D

So, I installed ejabbered by putting these into /etc/apt/sources.list:

deb sarge main
deb-src sarge main

Then apt-get install ejabberd. YAY!

Then I edited /etc/ejabberd/ejabberd.cfg:


% Users that have admin access.  Add line like one of the following after you
% will be successfully registered on server to get admin access:
{acl, admin, {user, "autodmc"}}.

% Blocked users:
%{acl, blocked, {user, "test"}}.

% Local users:
{acl, local, {user_regexp, ""}}.

% Only admins can use configuration interface:
{access, configure, [{allow, admin}]}.

% Every username can be registered via in-band registration:
{access, register, [{allow, all}]}.

% After successful registration user will get message with following subject
% and body:
  "Welcome to AutoDMC Labs Jabber Service.  "
  "For information about Jabber visit"}}.

% List of people who will get notifications about registered users
%{registration_watchers, ["[email protected]",
%                         "[email protected]"]}.

% Only admins can send announcement messages:
{access, announce, [{allow, admin}]}.

% Only non-blocked users can use c2s connections:
{access, c2s, [{deny, blocked},
               {allow, all}]}.

% Set shaper with name "normal" to limit traffic speed to 1000B/s
{shaper, normal, {maxrate, 1000}}.

% Set shaper with name "fast" to limit traffic speed to 50000B/s
{shaper, fast, {maxrate, 50000}}.

% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
                      {normal, all}]}.

% For all S2S connections used "fast" shaper
{access, s2s_shaper, [{fast, all}]}.

% Admins of this server are also admins of MUC service:
{access, muc_admin, [{allow, admin}]}.

% All users are allowed to use MUC service:
{access, muc, [{allow, all}]}.

% This rule allows access only for local users:
{access, local, [{allow, local}]}.

% Authentication method.  If you want to use internal user base, then use
% this line:
{auth_method, internal}.

% Host(s) name: (replace for your hostname(s))
% Old {host, "localhost"}. option is equivalent to {hosts, ["localhost"]}.
{hosts, [""]}.

% Default language for server messages
{language, "en"}.

% Listen for unencrypted traffic (untrusted)
  {5222, ejabberd_c2s,     [{access, c2s},
                                {shaper, c2s_shaper}]},

% SSL-enabled client-2-server service (trusted)
  {5223, ejabberd_c2s,     [{access, c2s},
                            tls, {certfile, "/home/ejabberd/server.pem"},
                            {shaper, c2s_shaper}]},

% Server-2-server service
  {5269, ejabberd_s2s_in,  [{s2s_use_starttls, true},
                            {domain_certfile, "/home/ejabberd/server.pem"},
                            {shaper, s2s_shaper}]},

% HTTP service (You may choose options HTTP-polling and Web-administering)
% When commenting out, be careful with commas
  {5280, ejabberd_http,    [http_poll, web_admin]}

% If SRV lookup fails, then port 5269 is used to communicate with remote server
{outgoing_s2s_port, 5269}.

% Used modules:
  {mod_announce,   [{access, announce}]},
  {mod_register,   [{access, register}]},
  {mod_roster,     []},
  {mod_shared_roster, []},
  {mod_privacy,    []},
  {mod_configure,  []},
  {mod_configure2, []},
  {mod_disco,      [{extra_domains, [""]}]},
  {mod_stats,      []},
  {mod_vcard,      []},
  {mod_offline,    []},
  {mod_echo,       []},
  {mod_private,    []},
  {mod_irc,        []},
% Default options for mod_muc:
%   host: "conference." ++ ?MYNAME
%   access: all
%   access_create: all
%   access_admin: none (only room creator has owner privileges)
  {mod_muc,        [{access, muc},
                    {access_create, muc},
                    {access_admin, muc_admin}]},
  {mod_pubsub,     []},
  {mod_time,       []},
  {mod_last,       []},
  {mod_version,    []}

Starting ejabberd, it gave me a "host name not resolved" error, or soemthing like that.

Took me a bit to figure out my problem; it was my firewall. So I opened a CLIENT for DNS (client DNS accept) in Firehol, and everyone was happy.

However, I can't connect with my jabber client to ejabberd, or through the web interface.

Here's my Firehol Rules:

version 5

server_ejabberd_ports="tcp/5222 tcp/5223 tcp/5269 tcp/5280"
client_ejabberd_ports="default 5222 5223 5269 5280"

interface eth0 linode
        policy reject

        server ping accept
        server ejabberd accept

        client dns accept

I wanted to use Jabber as a request protocol between some servers (request a file, etc), and I wanted it to be encrypted and authinticated, so if client SetTopBox requests a file from FileCabinet, FileCabinet gets the request without anybody else knowing what the request is (encrypted, etc), then setup a different type of communication to actually transfer the encrypted file, etc, etc, etc.

But before I can dump time into this project and see if it makes any sense I need a working jabber server that I can play with, that's the point of installing ejabberd… but it's not working!

Any help would be much much appreciated.

4 Replies

I run ejabberd + firehol with no problems. Firehol knows about jabber rules, so you don't need to define your own (server jabberd accept works fine for me. Although as far as I can tell, your custom rule should work.

Unless you have good reason to be so paranoid, I'd put a "client all accept" in your firehol.conf. I think this might be causing your problem.


I've rewritten my firehol rules:

version 5

interface eth0 linode
        policy reject

        server ping accept
        server jabberd accept
        server http accept

        client all accept

I've installed ejabberd and jabberd 1.4.4 (apt-get).

When plain JABBERD is running, I can attempt to connect, but I get a resource conflict (I think I left GAIM running at home. Oops).

When I STOP JABBERD and START EJABBERD, I get a message saying that ejabberd has started. When I attempt to register inline, I get a write error. When I attempt to log in, I get a write error. When I try to get into the web interface (web_admin) (… nothing happens.

Portscan fun!

EJABBERD: Open ports: 80

JABBERD: Open ports: 5222,5223,5269,80

(I'm using Angry IP Scanner 2.21 for Windows)

Just to check, my client works just fine to [email protected], so it's not a client thing.

This is really driving me nuts! I need SOME KIND of jabber server for an experiment of mine, but I can't seem to get this thing to work. Apparently it's not a firewall thing. It's a "oops, I thought I new Linux" thing. I need a jabber server that supports MUC, something that if I can accedentally crash without making people angry.

tears hair out Anyone noticing something I'm doing wrong?

Can you check the output of "ejabberdctl status", while the daemon is running? Also, rather than trying inline registration (you'll probably want to disable this for a private server anyway), try registering a new user from the command line using ejabberdctl.

If that fails, the ejabberd config file is very sensitive to syntax errors, and doesn't give you much help if something is wrong so you might want to try purging your config files and starting again, changing one thing at a time. It took me a couple of attempts to get it right, but I got there in the end so don't loose hope :)

Finally got it to work!

Replaced ejabberd.cfg with the one here: … iew=markup">

It's in Jabber's CVS, and I don't know whos it is, really.

But it's really cut down. Changed the stuff to my stuff…

AND IT WORKED! E-GASP, so to speak.

Thanks for your help, "TehDan." I stuck with it and got it to work.


Please enter an answer

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct