Document what ports must be permitted through firewall (and NAT) #203

Closed
vorburger opened this issue Mar 13, 2020 · 4 comments · Fixed by #205

Comments

@vorburger
Contributor

I'm trying to figure out which ports must be externally open and e.g. permitted through a firewall (both on the firewalld on a Fedora Server, or a VM on some Cloud Provider, or e.g. port forwarded on a home router doing NAT from a public IP to a 192.168.1.x). Being a noob and not understanding much of WebRTC and Jitsi internal architecture, and just based on this output of docker ps ...

$ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS                                              NAMES
7607ce4c1628        jitsi/jvb           "/init"             2 hours ago         Up 2 hours          0.0.0.0:4443->4443/tcp, 0.0.0.0:10000->10000/udp   docker-jitsi-meet_jvb_1
ec6a709e6706        jitsi/jicofo        "/init"             2 hours ago         Up 2 hours                                                             docker-jitsi-meet_jicofo_1
5f68b25b3767        jitsi/prosody       "/init"             2 hours ago         Up 2 hours          5222/tcp, 5269/tcp, 5280/tcp, 5347/tcp             docker-jitsi-meet_prosody_1
3c9562f8ad8b        jitsi/web           "/init"             2 hours ago         Up 2 hours          0.0.0.0:8000->80/tcp, 0.0.0.0:8443->443/tcp        docker-jitsi-meet_web_1

... I'm guessing that ports 8000 & 8443 (which I'm about to change to 80 and 443...) and also 4443 and 10000 must be open, but not those 5222/tcp, 5269/tcp, 5280/tcp, 5347/tcp on "prosody" - are those just internal among the containers, but not externally needed?

I've tried to figure this out staring at https://github.com/jitsi/docker-jitsi-meet#architecture, but I don't see the 4443 there ... plus there is 20000-20050 there, does that range need to be open? And does it mean only 50 clients can connect? 😄

@saghul would you know and be willing to confirm the above or correct me? In exchange I'll make a contribution to the README to clarify this... 😄 If this is already explained on some other doc in the Jitsi project, I'd love to read it, and link it from the README.

@saghul
Member

saghul commented Mar 13, 2020

> ... I'm guessing that ports 8000 & 8443 (which I'm about to change to 80 and 443...)

Correct. Those are for HTTP(S).

> 443 and 10000 must be open

Correct. Those are for RTP media over TCP and UDP.

> but not those 5222/tcp, 5269/tcp, 5280/tcp, 5347/tcp on "prosody" - are those just internal among the containers, but not externally needed?

Correct, those are only internally used.

> I've tried to figure this out staring at https://github.com/jitsi/docker-jitsi-meet#architecture, but I don't see the 4443 there ... plus there is 20000-20050 there, does that range need to be open? And does it mean only 50 clients can connect? 😄

4443 is not there for simplicity. Also, if UDP doesn't work the experience will be quite bad... As for the 20000-20050 that's the range for jigasi, in case you choose to deploy that to facilitate SIP access, but that's not necessary. If you choose to, 2 ports per active SIP call will be necessary.

> In exchange I'll make a contribution to the README to clarify this... 😄

Thank you!

@vorburger
Contributor Author

OK so that means that (for a deployment without jigasi to facilitate SIP access) it's just 3-4 ports, namely:

  • 80/tcp for Web UI HTTP (really just to redirect, after uncommenting ENABLE_HTTP_REDIRECT=1 in .env)
  • 443/tcp for Web UI HTTPS
  • 4443/tcp for RTP media over TCP
  • 10000/udp for RTP media over UDP

> Also, if UDP doesn't work the experience will be quite bad...

just to clarify / avoid misunderstanding, here you just meant the 10000/udp, right?

@saghul
Member

saghul commented Mar 14, 2020

> just to clarify / avoid misunderstanding, here you just meant the 10000/udp, right?

Correct.
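The port list agreed in this thread can be checked against what Docker actually publishes on the host. The following is an added example, not part of the original discussion or the project's code; `classify`, `audit`, `EXPECTED_PUBLIC` and the sample data are names and values constructed here, and the sample assumes the web container has already been moved to ports 80 and 443.

```python
import re

# Ports the thread concludes must be reachable from outside (deployment without jigasi).
EXPECTED_PUBLIC = {"80/tcp", "443/tcp", "4443/tcp", "10000/udp"}

# Constructed sample: NAMES -> PORTS cells modelled on the `docker ps` output
# quoted in the issue, with the web container moved to 80/443 (assumption).
SAMPLE = {
    "docker-jitsi-meet_jvb_1": "0.0.0.0:4443->4443/tcp, 0.0.0.0:10000->10000/udp",
    "docker-jitsi-meet_jicofo_1": "",
    "docker-jitsi-meet_prosody_1": "5222/tcp, 5269/tcp, 5280/tcp, 5347/tcp",
    "docker-jitsi-meet_web_1": "0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp",
}

# "host_ip:host_port->container_port/proto" is a published port;
# a bare "port/proto" is only exposed on the container network.
PUBLISHED = re.compile(r"^(?P<ip>.+):(?P<host>\d+(?:-\d+)?)->(?P<ctr>\d+(?:-\d+)?)/(?P<proto>\w+)$")
EXPOSED = re.compile(r"^(?P<ctr>\d+(?:-\d+)?)/(?P<proto>\w+)$")

def classify(ports_column):
    """Split one PORTS cell into (published host ports, internal-only ports)."""
    published, internal = set(), set()
    for entry in filter(None, (e.strip() for e in ports_column.split(","))):
        if m := PUBLISHED.match(entry):
            # Loopback bindings are not reachable from other hosts.
            if m["ip"].startswith("127.") or m["ip"] in ("::1", "[::1]"):
                internal.add(f"{m['ctr']}/{m['proto']}")
            else:
                published.add(f"{m['host']}/{m['proto']}")
        elif m := EXPOSED.match(entry):
            internal.add(f"{m['ctr']}/{m['proto']}")
        else:
            raise ValueError(f"unrecognised PORTS entry: {entry!r}")
    return published, internal

def audit(containers, expected=EXPECTED_PUBLIC):
    """Return (unexpectedly published, expected but missing, internal-only)."""
    published, internal = set(), set()
    for ports in containers.values():
        p, i = classify(ports)
        published |= p
        internal |= i
    return published - expected, expected - published, internal

if __name__ == "__main__":
    extra, missing, internal = audit(SAMPLE)
    print("published but not expected:", sorted(extra))
    print("expected but not published:", sorted(missing))
    print("internal only:", sorted(internal))
```

This reports only what Docker binds on the host; the firewall and NAT rules for those ports are configured separately.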

@saghul
Member

saghul commented Mar 14, 2020

Continuing on #205

@saghul saghul closed this as completed Mar 14, 2020
vorburger added a commit to vorburger/docker-jitsi-meet that referenced this issue Mar 15, 2020