ports/protocol through firewall
Bill Tangren
bjt at aa.usno.navy.mil
Mon Apr 25 17:46:30 UTC 2005
Kristian Koehntopp wrote:
> On Monday 25 April 2005 19:10, Bill Tangren wrote:
>
>>Does anyone know if it is necessary to allow udp traffic as well for inn
>>to work over SSL?
>
>
> nntp and nntps work over TCP and do not use UDP.
>
> You can test access to your server with
>
> $ openssl s_client -connect white.intern.koehntopp.de:563
>
> You should see a certificate exchange, resulting in - among other things - an
> SSL handshake and an NNRP or NNTP server banner like so:
>
> SSL handshake has read 1485 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> ...
> ---
> 200 white.koehntopp.de InterNetNews NNRP server INN 2.4.1 ready (posting ok).
>
> Now try a few commands like "list active" or "quit":
>
> Kristian
>
Thanks for the reply. This is what I get (amongst other things) from
behind the firewall:
---
SSL handshake has read 1637 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
C2545C1A07F2E41034BFB72BAD66EB56BA6B8987F4B6DB41166250E7A67234D4
Session-ID-ctx:
Master-Key:
1557285FE4B5F9E11F2260F1D4B2834167F4E098378340A5126DF53E4D2B14F6A44041F5E65BAB284DFFA687AEB13A4E
Key-Arg : None
Krb5 Principal: None
Start Time: 1114450569
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
200 aa.usno.navy.mil InterNetNews NNRP server INN 2.4.1 ready (posting ok).
list active
480 Authentication required for command
quit
205 .
closed
I don't see anything that indicates (to my eyes, anyway) that this is
TCP only.
I have a local firewall, called firestarter on another machine. I notice
that when I tell it to open a port for nntps, this is what shows up in
iptables:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:563
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:563
Firestarter opens port 563 for tcp and udp. That doesn't mean that inn
uses udp, only that there must be some newsgroup servers that do (or
firestarter is configured badly).
Any ideas why I cannot connect through the firewall?
Bill Tangren
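As an added illustration (not part of the thread above, and not INN's or OpenSSL's own code), the following script parses the kind of output that `openssl s_client -connect host:563` prints and turns it into the two answers this thread is after: whether the TLS session and the NNTP greeting arrived at all (which, since both travel over the one TCP connection, settles the question of whether a UDP rule is needed), and whether the server certificate actually verified. The sample transcript embedded in it is constructed to resemble the one quoted above, with a placeholder hostname; the function names are mine.

```python
"""Parse `openssl s_client` diagnostic output for an NNTPS (port 563) check.

Added example, not from the inn-workers thread.  The TLS handshake and the
NNTP greeting both ride on the same TCP connection, so if the greeting
shows up, TCP/563 is all the firewall needs to pass.
"""
import re

# Constructed sample modelled on the transcript in the thread (hostname is a
# placeholder, not a real server).
SAMPLE_OUTPUT = """\
SSL handshake has read 1637 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
200 news.example.invalid InterNetNews NNRP server INN 2.4.1 ready (posting ok).
"""

# Constructed sample of what s_client prints when the TCP port is blocked.
SAMPLE_BLOCKED = """\
connect: Connection refused
connect:errno=111
"""


def parse_s_client(text):
    """Extract handshake state, protocol, cipher, verify code and NNTP greeting."""
    info = {
        "handshake_ok": False,
        "protocol": None,
        "cipher": None,
        "verify_code": None,
        "verify_text": None,
        "greeting_code": None,
        "greeting": None,
    }
    m = re.search(r"^SSL handshake has read (\d+) bytes and written (\d+) bytes",
                  text, re.M)
    if m:
        # A handshake that read nothing from the peer did not really complete.
        info["handshake_ok"] = int(m.group(1)) > 0
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if m:
        info["cipher"] = m.group(1)
    m = re.search(r"^\s*Verify return code:\s*(\d+)\s*\((.*?)\)", text, re.M)
    if m:
        info["verify_code"] = int(m.group(1))
        info["verify_text"] = m.group(2)
    # The server greeting is the first "NNN text" line after the last '---'
    # separator, i.e. the first application-layer data after the TLS summary.
    lines = text.splitlines()
    try:
        start = len(lines) - 1 - lines[::-1].index("---")
    except ValueError:
        start = -1
    for line in lines[start + 1:]:
        m = re.match(r"(\d{3})\s+(.*)", line)
        if m:
            info["greeting_code"] = int(m.group(1))
            info["greeting"] = m.group(2)
            break
    return info


def assess(info):
    """Turn parsed fields into plain-language findings for the firewall admin."""
    findings = []
    if not info["handshake_ok"]:
        findings.append("no TLS handshake: TCP/563 is blocked or nothing is "
                        "listening; a UDP rule will not help")
        return findings
    code = info["greeting_code"]
    if code is None:
        findings.append("TLS session up but no NNTP greeting: server-side "
                        "problem, not the firewall")
    elif 200 <= code < 300:
        findings.append("NNTP greeting %d received over the TCP session; "
                        "no UDP rule is needed" % code)
    else:
        findings.append("unexpected NNTP greeting code %d" % code)
    if info["verify_code"] not in (None, 0):
        findings.append("certificate did not verify (%d: %s); the client "
                        "cannot authenticate the server, only encrypt to it"
                        % (info["verify_code"], info["verify_text"]))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OUTPUT, SAMPLE_BLOCKED):
        for finding in assess(parse_s_client(sample)):
            print("-", finding)
```

Run it against saved `s_client` output redirected to a file; a "Verify return code" other than 0 means the session is encrypted but the server's identity was not checked, which is exactly what the self-signed certificate in the transcript above produces.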