Ports listed in FAQ Outgoing or Incoming? Firewall rules(Linux)

Hi!

I’m setting Firewall (NFT) rules on Linux.
Jami FAQ says:
Jami works as a server and gets new ports for each connection (randomly bound). These are the ranges that can be used for each component:

dht: UDP [4000, 8888]

audio: UDP [16384-32766]

video: UDP [49152-65534]

SIP Control: UDP/TCP randomly bound

Which of the above ports are Outgoing (destination) or Incoming (source) ports?

I allowed all the above ports in outgoing for UDP, but Jami on Linux still doesn’t receive any message or invitation (most of the incoming ports are blocked).

I don’t use a proxy and have a direct connection to my personal router.
Thank you.

2 Likes

Are you talking about the computer on which you install the Jami client or the server?

For the Jami Client, I did not need to open any ports.

For the Jami server, I have it working with the following:
Incoming UDP: 3478, 4222, 5349, 10000-30000
Incoming TCP: 3478, 5349, 10000-30000

Port 4222 is for the DHT Node, while the other ports are for the TURN server (CoTurn).

For outgoing, most people have all ports open.

I close as many outgoing ports as I can while still being able to maintain the server and for the DHT Node and Turn server to work:
Outgoing UDP: 53
Outgoing TCP: 22, 53, 80, 123, 443

Port 22 (SSH) for me to connect to for doing maintenance.
Port 53 (DNS) for domain name resolution. Needs both UDP and TCP
Port 123 (NTP) for time server to keep the server’s time correct.
Port 80, 443 (HTTP and HTTPS) for apt package manager to download updates.

Hope this helps?

# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		iifname "enp1s0" ct state established,related accept
		iifname "enp1s0" ct state new udp dport { 3478, 4222, 5349, 10000-30000 } accept
		# iifname "enp1s0" ct state new ip saddr { 199.46.34.25, 199.46.34.46 } tcp dport 22 accept
		iifname "enp1s0" ct state new tcp dport ssh accept
		iifname "enp1s0" ct state new tcp dport { 3478, 5349, 10000-30000 } accept
		iifname "enp1s0" icmp type echo-request accept
	}

	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}

	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		oifname "lo" accept
		oifname "enp1s0" ct state established,related accept
		oifname "enp1s0" ct state new udp dport { 53, 123 } accept
		oifname "enp1s0" ct state new tcp dport { ssh, 53, 80, 443 } accept
		oifname "enp1s0" icmp type echo-request accept
	}
}

UPDATE: I have corrected NTP port 123, as “timesyncd” does not use TCP; it uses UDP.

1 Like

To add a comment, my Modem/Router cannot open large blocks of ports. However, this is all I required to get the server to work:
Incoming UDP: 3478, 4222, 5349
Incoming TCP: 3478, 5349

1 Like

Only about Jami client.

This is not my case. My outgoing ports policy is reject or drop by default (except those manually opened as described in the 1st post, of course) and a few more.

Thank you for your response!
This is slightly over 20 thousand opened incoming ports, both UDP and TCP, which is probably why the client also works. But this is a LOT of opened incoming ports; I’d rather avoid that if possible.

The original question is still open (regarding client only).

Do you have drop/block all incoming ports default policy on your Modem/Router?

My modem/router does have an expose host feature which completely opens a computer to the Internet. While I used this feature at the beginning while working out firewall rules, it is not needed.

However the modem/router does not block any outgoing ports (to my knowledge). I do not know of an option to close outgoing ports for the local LAN, or for servers, hence I set firewall policies on each server to protect each server as required for that server when I want to block outgoing ports on a server.

The only incoming ports on my modem/router that are open, are http (TCP), https (TCP), 3479 (TCP & UDP), 5349 (TCP & UDP). http and https are not open for possible Web Server, not for Jami, though I have been curious about testing alt-*-ports for Jami.

I believe some firewalls only close off what are called “low ports” (0-1023), which are the normal service ports used by computer systems. Maybe this modem/router does the same, which is why I have not had to open 10000-30000 in the modem/router. The modem/router will not let me open such a large block of ports; however, the modem/router does not appear to be blocking any ports in the 10000-30000 or higher ranges. Jami does need incoming ports 10000-30000 to be open.

Some places I have worked with lock down (block) all outgoing ports except particular ports like http and https, hence I had to make all services (e.g. video conferencing) work on http and https. I do not know if I could get Jami to work with this, due to the dht node for bootstrap (4222). But this was an exceptional instance; most companies do not block high ranges for outgoing ports.

1 Like

Since your question is about the Jami client, and your user’s LAN network blocks all outgoing ports by default: if it is blocking high ports, then you will need to open 10000 to 30000 for Jami to work.

Not specifically just Jami, but for the TURN protocol, which uses a large block of ports for Allocate requests, see the below RFC. This RFC helped me to better understand why Jami required the TURN server to be able to listen on any port within 10000 to 30000. Note that the RFC suggests a different range as the default range of ports; however, the explanation is the same.

To confirm which ports were open for Incoming and Outgoing, I found iperf was a useful tool.

I did not test every port, only a sample of ports, e.g. 3478, 5378, 9999, 10000, 25000, 30000, 30001.

I would expect ports 9999 and 30001 to be blocked, and others to be open.

                 Client            --->              Server
TCP
iperf3 -c x.x.x.x -p <port_number> --->  iperf3 -s -p <port_number>
iperf3 -s -p <port_number>         <---  iperf3 -c x.x.x.x -p <port_number>

UDP
iperf3 -c x.x.x.x -u -p <port_number> --->  iperf3 -s -u -p <port_number>
iperf3 -s -u -p <port_number>         <---  iperf3 -c x.x.x.x -u -p <port_number>

You may already have done this? If not, I hope this suggestion may help.

1 Like

[Sorry for posting this information a second time but I wanted to address this specific question too]

It is a lot of ports, and I understand you may not want to unblock such a large range of ports; however, for TURN to work, it is required.

Since your question is about the Jami client, and your user’s LAN network blocks all outgoing ports by default: if it is blocking high ports, then you will need to open 10000 to 30000 for Jami to work.

Your client will need to initiate a NEW connection to a port provided by the TURN server, on which the TURN server will listen specifically for the client, as the client and TURN server have agreed via TURN protocol negotiations (if my understanding of the below RFC is correct).

For a TURN server configured for Jami, the TURN server is listening on a port in the range of 10000 to 30000, and the Jami client must be able to initiate a NEW connection to the port the TURN server has requested it to connect to.

(I have not set up a client computer with all outgoing ports blocked to prove whether the above is correct or not, but now I want to.)

Not specifically just Jami, but for the TURN protocol, which uses a large block of ports for Allocate requests, see the below RFC. This RFC helped me to better understand why Jami required the TURN server to be able to listen on any port within 10000 to 30000. Note that the RFC suggests a different range as the default range of ports; however, the explanation is the same.

1 Like
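As an added example (not code from the thread or from the Jami project), pulling the pieces above together for the original client-only question: an nftables ruleset for a Jami client host with default-drop input and output policies, using the port ranges quoted from the FAQ in the first post, the DHT bootstrap port 4222 and the TURN ports 3478, 5349 and 10000-30000 given in the replies, and the same established,related pattern as the posted server ruleset. It assumes the LAN interface is enp1s0 and that conntrack is in use; the FAQ describes the SIP control ports as randomly bound, so no rule is given for them.

```shell
#!/bin/sh
# Added example, not code from the thread or the Jami project.
# Assumptions: LAN interface enp1s0 (as in the posted server ruleset) and a
# conntrack-capable kernel, so replies to our own flows come back "established".
IFACE="${IFACE:-enp1s0}"

# Print an nftables ruleset for a Jami CLIENT with default-drop policies.
jami_client_ruleset() {
  cat <<EOF
table inet jami_client {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		ct state established,related accept
		icmp type echo-request accept
		# Optional: the FAQ says Jami also listens in these ranges for direct
		# peer connections; drop this line if the client only goes out via NAT.
		iifname "$IFACE" ct state new udp dport { 4000-8888, 16384-32766, 49152-65534 } accept
	}
	chain output {
		type filter hook output priority filter; policy drop;
		oifname "lo" accept
		ct state established,related accept
		# Host basics: DNS (UDP+TCP), NTP (UDP), HTTP/HTTPS for updates
		oifname "$IFACE" ct state new udp dport { 53, 123 } accept
		oifname "$IFACE" ct state new tcp dport { 53, 80, 443 } accept
		# FAQ ranges (dht, audio, video) as DESTINATION ports of NEW outgoing flows
		oifname "$IFACE" ct state new udp dport { 4000-8888, 16384-32766, 49152-65534 } accept
		# DHT bootstrap (4222) and TURN control/relay ports quoted in the thread
		oifname "$IFACE" ct state new udp dport { 3478, 4222, 5349, 10000-30000 } accept
		oifname "$IFACE" ct state new tcp dport { 3478, 5349, 10000-30000 } accept
		# SIP control is "randomly bound" per the FAQ: no fixed range to allow here
	}
}
EOF
}

# Helper: number of rules accepting NEW flows for a protocol ("udp" or "tcp")
count_new_rules() {
  jami_client_ruleset | grep -c "ct state new $1 dport"
}

# Print the ruleset by default; load it with "--apply" (needs root).
if [ "$1" = "--apply" ]; then
  jami_client_ruleset | nft -f -
else
  jami_client_ruleset
fi
```

Because inbound replies are matched by ct state established,related, the FAQ ranges only need to appear as destination ports of new outgoing flows; the single inbound rule is there only for direct peer reachability.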