ports/protocol through firewall

Bill Tangren bjt at aa.usno.navy.mil
Mon Apr 25 17:46:30 UTC 2005 

Kristian Koehntopp wrote:
> Am Montag 25 April 2005 19:10 schrieb Bill Tangren:
> 
>>Does anyone know if it is necessary to allow udp traffic as well for inn
>>to work over SSL?
> 
> 
> nntp and nntps work over TCP and to not use UDP.
> 
> You can test access to your server with
> 
> $ openssl s_client -connect white.intern.koehntopp.de:563
> 
> You should see a certificate exchange, resulting in - among other things - a 
> SSL handshake and a NNRP or NNTP server banner like so:
> 
> SSL handshake has read 1485 bytes and written 340 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 1024 bit
> ...
> ---
> 200 white.koehntopp.de InterNetNews NNRP server INN 2.4.1 ready (posting ok).
> 
> Now try a few commands like "list active" or "quit":
> 
> Kristian
> 

Thanks for the reply. This is what I get (amongst other things) from 
behind the firewall:

---
SSL handshake has read 1637 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 
C2545C1A07F2E41034BFB72BAD66EB56BA6B8987F4B6DB41166250E7A67234D4
     Session-ID-ctx:
     Master-Key: 
1557285FE4B5F9E11F2260F1D4B2834167F4E098378340A5126DF53E4D2B14F6A44041F5E65BAB284DFFA687AEB13A4E
     Key-Arg   : None
     Krb5 Principal: None
     Start Time: 1114450569
     Timeout   : 300 (sec)
     Verify return code: 18 (self signed certificate)
---
200 aa.usno.navy.mil InterNetNews NNRP server INN 2.4.1 ready (posting ok).
list active
480 Authentication required for command
quit
205 .
closed

I don't see anything that indicated (to my eyes, anyway) that this is 
tcp only.

I have a local firewall, called firestarter on another machine. I notice 
that when I tell it to open a port for nntps, this is what shows up in 
iptables:
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:563
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:563

Firestarter opens port 563 for tcp and udp. That doesn't mean that inn 
uses udp, only that there must be some newsgroup servers that do (or 
firestarter is configured badly).

Any ideas why I cannot connect through the firewall?

Bill Tangren

More information about the inn-workers mailing list