Hello!
I do have ejabberd, which serves intranet users. I disabled port 5222 on firewall. Now looks like there is no way of users from another services to access local chatrooms, because they do need to connect to the server somehow. s2s is enabled, and it is possible to communicate with users of gmail, jabber.org etc.
So the question is - am I correct if suppose that c2s is needed for foreign users? Or I just didn't configure ejabberd correctly?
Thank you in advance.
As you originally thought,
As you originally thought, the remote server that has a remote user that want to join a room in your local MUC service doesn't need access to your C2S port 5222. So, your idea to firewall port 5222 should allow connections to your MUC from remote servers.
When 5222 is blocked, check if remote users can discover the server itself, and also other services like vjud, irc transport, echo service...
When 5222 is allowed, check if MUC and all the other things work correctly.
I suspect you may have this problem, which is completely unrelated to port 5222: http://www.ejabberd.im/subdomains