On 14 June 2010 14:30, paddy joesoap <[email protected]> wrote:
> Hi there,
>
> I am interested to know what your opinions are regarding the role that
> firewalls, in particular Linux iptables, have in protecting XMPP
> servers, such as OpenFire, and/or XMPP clients.
>
> Some basic firewall rules would be based on opening TCP/UDP ports for
> c2s and s2s.
>
> However, what other roles in your opinion can iptables play?
>
> As with any server, be it XMPP, HTTP, SMTP and so forth, iptables can
> play a role in rate limiting and anti-bogon spoofing attempts.
>
> Are there any XMPP-specific threats that a firewall such as iptables
> could prevent? That is, are there XMPP features that require firewall
> protection and/or XMPP features that provide security but require a
> firewall to provide defense in depth?
>
> The literature regarding XMPP access control tends to be focused only
> on the XMPP server capabilities. For example, JID blacklisting. Linux
> iptables, while it may be able to also filter the JID user name,
> possibly using the U32 module, is best suited to the IP and TCP
> layers. It does provide support for some L7 filtering. L7 filtering
> provides a way to write filters to prevent malware signatures. Perhaps
> the firewall (iptables) could be used in conjunction with XMPP server
> malware filtering?
>
Considering that for the majority of their lifetime most XMPP streams are encrypted and often compressed, iptables probably wouldn't be that much help at L7-filtering in XMPP. I'd say the main weak point in XMPP's defences (at the moment) is DNS. Since few servers have certificates signed by a CA, and many servers don't check anyway, XMPP is very dependent on DNS being correct.

Matthew
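The basic rules paddy lists (opening the c2s/s2s ports, per-source rate limiting, dropping spoofed bogon sources) as an added example; it is not code from this thread, OpenFire or any iptables project. It assumes the public interface is eth0 and the standard XMPP ports 5222 (c2s) and 5269 (s2s), prints the rules as text, and only calls iptables when run with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): iptables INPUT rules for an XMPP server's
# public interface. Assumed: WAN_IF=eth0, c2s on TCP 5222, s2s on TCP 5269.
# Rules are printed as text; run with --apply to feed them to iptables.
WAN_IF="${WAN_IF:-eth0}"
C2S_PORT=5222
S2S_PORT=5269
# Constructed, partial bogon list: sources that must never arrive from the Internet.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16"

# Emit the rules for one port: a per-source hashlimit that drops NEW connections
# above $3 per minute (burst $4), then the accept. $2 names the hashlimit table.
limited_port() {
    port=$1; tag=$2; rate=$3; burst=$4
    rule="-A INPUT -i $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW"
    limit="-m hashlimit --hashlimit-name xmpp_$tag --hashlimit-mode srcip"
    limit="$limit --hashlimit-above $rate/minute --hashlimit-burst $burst"
    printf '%s\n' "$rule $limit -j DROP"
    printf '%s\n' "$rule -j ACCEPT"
}

xmpp_rules() {
    # Packets of already-accepted streams pass first; XMPP streams are long-lived.
    printf '%s\n' "-A INPUT -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anti-spoofing: a bogon source address on the WAN interface is forged.
    for net in $BOGONS; do
        printf '%s\n' "-A INPUT -i $WAN_IF -s $net -j DROP"
    done
    # Clients reconnect often; a peer server should open far fewer streams.
    limited_port "$C2S_PORT" c2s 30 60
    limited_port "$S2S_PORT" s2s 10 20
    # Everything else on the WAN interface is dropped (add other services above).
    # None of this touches the DNS/certificate trust problem Matthew raises.
    printf '%s\n' "-A INPUT -i $WAN_IF -j DROP"
}

case "${1:-}" in
    --apply) xmpp_rules | while read -r rule; do iptables $rule; done ;;  # splitting intended
    *) xmpp_rules ;;
esac
```

Without --apply the script just prints the rule list, which can be reviewed or wrapped in a `*filter` / `COMMIT` pair for iptables-restore.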
