Are you talking about the computer on which you install the Jami client or the server?
For the Jami Client, I did not need to open any ports.
For the Jami server, I have it working with the following:
Incoming UDP: 3478, 4222, 5349, 10000-30000
Incoming TCP: 3478, 5349, 10000-30000
Port 4222 is for the DHT Node, while the other ports are for the TURN server (CoTurn).
For outgoing, most people have all ports open.
I close as many outgoing ports as I can while still being able to maintain the server and keep the DHT Node and TURN server working:
Outgoing UDP: 53
Outgoing TCP: 22, 53, 80, 123, 443
Port 22 (SSH) for me to connect to for maintenance.
Port 53 (DNS) for domain name resolution; needs both UDP and TCP.
Port 123 (NTP) for the time server to keep the server's time correct.
Ports 80 and 443 (HTTP and HTTPS) for the apt package manager to download updates.
Hope this helps!
# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept
		iifname "enp1s0" ct state established,related accept
		# DHT Node (4222) and CoTurn (3478, 5349, relay range 10000-30000)
		iifname "enp1s0" ct state new udp dport { 3478, 4222, 5349, 10000-30000 } accept
		# Alternative SSH rule limited to known management addresses (disabled)
		# iifname "enp1s0" ct state new ip saddr { 199.46.34.25, 199.46.34.46 } tcp dport 22 accept
		iifname "enp1s0" ct state new tcp dport ssh accept
		# CoTurn over TCP (3478, 5349, relay range 10000-30000)
		iifname "enp1s0" ct state new tcp dport { 3478, 5349, 10000-30000 } accept
		iifname "enp1s0" icmp type echo-request accept
	}
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
	}
	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		oifname "lo" accept
		oifname "enp1s0" ct state established,related accept
		# DNS (53) and NTP (123)
		oifname "enp1s0" ct state new udp dport { 53, 123 } accept
		# SSH (22), DNS (53), HTTP/HTTPS (80, 443) for apt
		oifname "enp1s0" ct state new tcp dport { ssh, 53, 80, 443 } accept
		oifname "enp1s0" icmp type echo-request accept
	}
}
UPDATE: I have corrected NTP port 123, as "timesyncd" does not use TCP; it uses UDP.
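A check worth running against a ruleset like the one above, as an added example that is not part of the original post and not Jami's or CoTurn's own tooling: parse the text form of `nft list ruleset`, collect every `accept` rule that matches a destination port, and compare the result per chain and protocol with the exposure the post describes. The intended policy below is my reading of the post's port list (an assumption, not something Jami publishes); the ruleset text is the one posted, embedded as a constructed sample, and the "drifted" variant with an extra `tcp dport 8080` rule is constructed to show what a mismatch looks like.

```python
"""Audit an `nft list ruleset` dump against the intended port exposure.

Added example, not from the original post. The intended policy is one
reading of the post's port list; the sample rulesets are constructed.
"""
import re

# Service names nft prints instead of numbers (only the ones used here).
SERVICE_PORTS = {"ssh": 22, "domain": 53, "http": 80, "https": 443, "ntp": 123}

# Constructed sample: the ruleset as posted above.
POSTED_RULESET = """table ip filter {
\tchain INPUT {
\t\ttype filter hook input priority filter; policy drop;
\t\tiifname "lo" accept
\t\tiifname "enp1s0" ct state established,related accept
\t\tiifname "enp1s0" ct state new udp dport { 3478, 4222, 5349, 10000-30000 } accept
\t\t# iifname "enp1s0" ct state new ip saddr { 199.46.34.25, 199.46.34.46 } tcp dport 22 accept
\t\tiifname "enp1s0" ct state new tcp dport ssh accept
\t\tiifname "enp1s0" ct state new tcp dport { 3478, 5349, 10000-30000 } accept
\t\tiifname "enp1s0" icmp type echo-request accept
\t}
\tchain FORWARD {
\t\ttype filter hook forward priority filter; policy drop;
\t}
\tchain OUTPUT {
\t\ttype filter hook output priority filter; policy drop;
\t\toifname "lo" accept
\t\toifname "enp1s0" ct state established,related accept
\t\toifname "enp1s0" ct state new udp dport { 53, 123 } accept
\t\toifname "enp1s0" ct state new tcp dport { ssh, 53, 80, 443 } accept
\t\toifname "enp1s0" icmp type echo-request accept
\t}
}
"""

# Intended exposure, as {chain: {proto: {(low, high), ...}}}. Assumption
# derived from the post's prose (DHT 4222/udp, CoTurn 3478/5349 + relay
# range, SSH in; DNS/NTP/SSH/HTTP(S) out).
INTENDED = {
    "INPUT": {
        "udp": {(3478, 3478), (4222, 4222), (5349, 5349), (10000, 30000)},
        "tcp": {(22, 22), (3478, 3478), (5349, 5349), (10000, 30000)},
    },
    "OUTPUT": {
        "udp": {(53, 53), (123, 123)},
        "tcp": {(22, 22), (53, 53), (80, 80), (443, 443)},
    },
}

# Constructed drift: an extra TCP 8080 accept rule added to INPUT.
DRIFTED_RULESET = POSTED_RULESET.replace(
    '\t\tiifname "enp1s0" icmp type echo-request accept',
    '\t\tiifname "enp1s0" tcp dport 8080 accept\n'
    '\t\tiifname "enp1s0" icmp type echo-request accept',
)

_CHAIN_RE = re.compile(r"^\s*chain\s+(\w+)\s*\{")
_DPORT_RE = re.compile(r"\b(udp|tcp)\s+dport\s+(\{[^}]*\}|\S+)")


def parse_port_spec(spec):
    """Turn '{ 3478, 10000-30000 }', 'ssh' or '443' into a set of (low, high)."""
    ranges = set()
    for token in spec.strip("{} ").split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
        else:
            lo = hi = SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)
        ranges.add((lo, hi))
    return ranges


def accepted_ports(ruleset):
    """Collect dport matches on every 'accept' rule, keyed by chain and protocol.

    Rules without a dport (loopback, established/related, ICMP) open no new
    port and are ignored; commented-out lines are not loaded by nft, so they
    are ignored too.
    """
    found, chain = {}, None
    for line in ruleset.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        stripped = line.strip()
        if chain is None or stripped.startswith("#") or not stripped.endswith("accept"):
            continue
        pm = _DPORT_RE.search(stripped)
        if pm:
            proto, spec = pm.groups()
            found.setdefault(chain, {}).setdefault(proto, set()).update(parse_port_spec(spec))
    return found


def audit(ruleset, intended):
    """Return {chain: {proto: {'extra': ..., 'missing': ...}}}; empty means a match."""
    actual, report = accepted_ports(ruleset), {}
    for chain in set(actual) | set(intended):
        for proto in ("tcp", "udp"):
            have = actual.get(chain, {}).get(proto, set())
            want = intended.get(chain, {}).get(proto, set())
            if have != want:
                report.setdefault(chain, {})[proto] = {"extra": have - want, "missing": want - have}
    return report


if __name__ == "__main__":
    for name, rs in (("posted", POSTED_RULESET), ("drifted", DRIFTED_RULESET)):
        print(name, audit(rs, INTENDED) or "matches intended policy")
```

On a live host, feed it `nft list ruleset` output instead of the embedded sample. Ranges are compared as whole tuples, so a widened relay range shows up as one `extra` and one `missing` entry rather than being silently accepted.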