Difference between revisions of "Configuring your hardware firewall"

From Second Life Wiki
Line 110: Line 110:
== Specific hardware manufacturers ==
== Specific hardware manufacturers ==


Consult your firewall's documentation or the manufacturer's website, for instructions on how to configure your firewall.  
Consult your firewall's documentation or the manufacturer's website for instructions on how to configure your firewall.  


===Cisco===
=== Cisco ===


For a Cisco router/switch that uses reflexive access lists (IOS 11.0 or later), add these lines to your outbound access list:
For a Cisco router/switch that uses reflexive access lists (IOS 11.0 or later), add these lines to your outbound access list:


permit tcp any any eq 53
permit tcp any any eq 80
  permit tcp any any eq 443
  permit tcp any any eq 443
  permit udp any any eq 12035 reflect outbound-SL
permit tcp any any eq 12043
  permit udp any any eq 12036 reflect outbound-SL
permit tcp any any eq 12046
  permit udp any any range 13000 13050 reflect outbound-SL
permit tcp any any eq 21002
permit udp any any eq 53 reflect outbound-SL
permit udp any any eq 3478 reflect outbound-SL
permit udp any any eq 3479 reflect outbound-SL
  permit udp any any eq 5060 reflect outbound-SL
  permit udp any any eq 5062 reflect outbound-SL
  permit udp any any range 12000 29999 reflect outbound-SL


Then, on your inbound access list, add:
Then, on your inbound access list, add:
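Review bot: the new UDP entry `permit udp any any range 12000 29999 reflect outbound-SL` opens an 18,000-port span to every destination; suggest restricting the destination to the server subnets the article lists further down (216.82.0.0/18 for Second Life, 64.94.252.0/23, 70.42.62.0/24 and 74.201.98.0/23 for voice), for example `permit udp any 216.82.0.0 0.0.63.255 range 12000 29999 reflect outbound-SL`. Dropping the separate `eq 12035`, `eq 12036` and `range 13000 13050` entries is fine because the new range covers them, and removing the duplicated `permit tcp any any eq 443` line is correct. Note that the TCP entries carry no `reflect`, so their return traffic depends on an `established` entry on the inbound list (the rendered revision below does include `permit tcp any any established`).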
Line 126: Line 134:
  evaluate outbound-SL
  evaluate outbound-SL


After adding the above lines, apply these access lists.  
After adding the above lines, apply these access lists.


===Linux Killerwall===
=== Linux Killerwall ===


For a Linux system using [http://wiki.linuxquestions.org/wiki/Killerwall Killerwall], add these lines to <code>/etc/killerwall.acl</code>:
For a Linux system using Killerwall, add these lines to /etc/killerwall.acl:


IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 53 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 80 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 443 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 443 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12035 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 12043 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12036 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 12046 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 13000-13050 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 21002 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 53 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 3478 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 3479 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 5060 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 5062 ACCEPT
  IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12000-29999 ACCEPT


Then, restart Killerwall. Killerwall automatically tracks related reply packets, so Second Life will now work correctly.
Then, restart Killerwall. Killerwall automatically tracks related reply packets, so Second Life will now work correctly.


===Linux Firewall===
=== Linux Firewall ===


For a Linux box that uses IPF (Linux Firewall), configure as follows:
For a Linux box that uses IPF (Linux Firewall), configure as follows:


pass out quick on rl0 proto tcp from any to any port = 53 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state
  pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
  pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
pass out quick on rl0 proto udp from any to any port = 12035
pass out quick on rl0 proto udp from any to any port = 12036
  pass out quick on rl0 proto tcp from any to any port = 12043 flags S keep state
  pass out quick on rl0 proto tcp from any to any port = 12043 flags S keep state
  pass out quick on rl0 proto udp from any to any port 12999 <> 13051
pass out quick on rl0 proto tcp from any to any port = 12046 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 21002 flags S keep state
pass out quick on rl0 proto udp from any to any port = 53
pass out quick on rl0 proto udp from any to any port = 3478
pass out quick on rl0 proto udp from any to any port = 3479
  pass out quick on rl0 proto udp from any to any port = 5060
pass out quick on rl0 proto udp from any to any port = 5062
pass out quick on rl0 proto udp from any to any port 11999 <> 30000
pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state
  pass in quick on rl0 proto tcp from any to any port = 443 flags S keep state
  pass in quick on rl0 proto tcp from any to any port = 443 flags S keep state
  pass in quick on rl0 proto udp from any to any port = 12035
pass in quick on rl0 proto tcp from any to any port = 12043 flags S keep state
  pass in quick on rl0 proto udp from any to any port = 12036
pass in quick on rl0 proto tcp from any to any port = 12046 flags S keep state
  pass in quick on rl0 proto udp from any to any port 12999 <> 13051
pass in quick on rl0 proto tcp from any to any port = 21002 flags S keep state
pass in quick on rl0 proto udp from any to any port = 53
pass in quick on rl0 proto udp from any to any port = 3478
pass in quick on rl0 proto udp from any to any port = 3479
  pass in quick on rl0 proto udp from any to any port = 5060
  pass in quick on rl0 proto udp from any to any port = 5062
  pass in quick on rl0 proto udp from any to any port 11999 <> 30000


===FreeBSD IPFW===
=== FreeBSD IPFW ===


For a firewall based on [http://en.wikipedia.org/wiki/Ipfirewall Ipfirewall (ipfw)], add the following lines to <code>/etc/rc.firewall</code>:
For a firewall based on Ipfirewall (ipfw), add the following lines to /etc/rc.firewall:


  ipfw add allow tcp from any to any 443 setup
  ipfw add allow tcp from any to any 53 keep-state
  ipfw add allow udp from any to any 12035 keep-state
  ipfw add allow tcp from any to any 80 keep-state
  ipfw add allow udp from any to any 12036 keep-state
  ipfw add allow tcp from any to any 443 keep-state
  ipfw add allow tcp from any to any 12043 keep-state
  ipfw add allow tcp from any to any 12043 keep-state
  ipfw add allow udp from any to any 12999-13051 keep-state
  ipfw add allow tcp from any to any 12046 keep-state
ipfw add allow tcp from any to any 21002 keep-state
ipfw add allow udp from any to any 53 keep-state
ipfw add allow udp from any to any 3478 keep-state
ipfw add allow udp from any to any 3479 keep-state
ipfw add allow udp from any to any 5060 keep-state
ipfw add allow udp from any to any 5062 keep-state
ipfw add allow udp from any to any 11999-30000 keep-state


== See also ==
== See also ==
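Review bot: the new ipfw line `ipfw add allow udp from any to any 11999-30000 keep-state` uses an inclusive range in ipfw syntax, so it admits ports 11999 and 30000 on top of the intended 12000-29999; the bounds look copied from the IPF form `port 11999 <> 30000`, where `<>` excludes both endpoints (the same convention by which the old `port 12999 <> 13051` meant 13000-13050). Suggest `12000-29999` for the ipfw line, while the IPF and Killerwall lines are correct as written. Removing the old `ipfw add allow tcp from any to any 443 setup` is harmless since the `443 keep-state` entry remains, and the duplicate `443` and `12043` entries in the Killerwall and IPF lists are gone.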

Revision as of 07:45, 10 February 2011

Overview

This article describes how to configure your firewall to allow use of the Second Life Viewer (client) within your home network or corporate intranet. It is intended for network administrators and others responsible for network security.

Firewalls are a fundamental component of a network security program. Following the "principle of least privilege," firewalls limit traffic between the local network and the public network to supported network applications. Thus, firewalls are generally configured for common applications such as Domain Name Service (DNS), email, and web browsing. However, Second Life uses a number of non-standard ports that most firewalls block by default.

Voice chat

Voice chat, like Second Life itself, is designed to work with "zero configuration" and should work with most firewalls. When you initially run the Second Life Viewer, your firewall may require you to permit internet access by "SLVoice.exe" or "SLVoiceAgent.exe".

If the SIP connection on port 5060 fails (as it might if the router is designed to provide VoIP services of its own), the Viewer will automatically retry on port 5062. So, on some restrictive firewalls, you may need to open port 5062. To enable people to use Second Life from inside the firewall, follow the procedures outlined in this document.

Procedure

Although the details depend on your specific firewall, follow this general procedure:

  1. Open outbound access for TCP ports - Second Life servers do not establish inbound TCP connections to client systems running the Second Life Viewer software. Instead, they use the "request / response" message pattern.
    • Enable outbound TCP access for ports 53, 80, 443, 12043, 12046 and 21002.
  2. Open outbound "session" access for UDP ports - Although UDP is a session-less transport, many firewalls block unsolicited incoming UDP traffic to a particular port unless it has seen recent outgoing UDP traffic from that same port.
    • Activate outbound UDP for ports 53, 3478, 3479, 5060, 5062, and 12000-29999.
  3. Monitor - The intricacies of modern firewalls make it difficult for one document to cover every network configuration. Use tools such as ntop and nprobe to monitor network flow between the Second Life Viewer and servers to identify network flows blocked by the firewall.
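The UDP "session" behaviour described in step 2 is easy to get wrong when reading a rule set, so here is a small model of it as an added example (not part of the article): outbound UDP to one of the listed ports creates a pseudo-session, inbound UDP is accepted only if it reverses a live session, and the session is forgotten after a period of silence. The 30-second timeout, the hostnames and the trace are assumptions constructed for the example; 216.82.1.1 is simply an address inside the 216.82.0.0/18 subnet the article lists.

```python
"""Model of the UDP 'session' behaviour the procedure describes: a firewall
that admits inbound UDP only as the reply to recent outbound UDP.  Added
example, not from the article; the timeout value is an assumption."""
from dataclasses import dataclass

# Inclusive UDP port ranges the article asks to open outbound
ALLOWED_UDP_RANGES = [(53, 53), (3478, 3479), (5060, 5060), (5062, 5062), (12000, 29999)]
UDP_TIMEOUT = 30.0  # seconds of silence before a pseudo-session is forgotten (assumed)


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    t: float        # arrival time in seconds


def udp_port_allowed(port, ranges=ALLOWED_UDP_RANGES):
    """True if the destination port is inside one of the allowed ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


class StatefulUdpFilter:
    """Outbound UDP to an allowed port creates a pseudo-session keyed on the
    4-tuple; inbound UDP is accepted only if it reverses a live session."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.sessions = {}  # (lan_ip, lan_port, remote_ip, remote_port) -> last seen

    def _expire(self, now):
        for key in [k for k, seen in self.sessions.items() if now - seen > self.timeout]:
            del self.sessions[key]

    def decide(self, pkt):
        self._expire(pkt.t)
        if pkt.proto != "udp":
            return "drop"  # this model only handles UDP
        if pkt.direction == "out":
            if not udp_port_allowed(pkt.dst_port):
                return "drop"
            self.sessions[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = pkt.t
            return "accept"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.sessions:
            self.sessions[key] = pkt.t  # a reply keeps the session alive
            return "accept"
        return "drop"  # unsolicited inbound UDP


# Constructed trace: a Viewer at 192.168.1.10 talking to a simulator at
# 216.82.1.1 on port 13000 (placeholder addresses inside the page's subnet).
TRACE = [
    ("viewer opens sim",             Packet("out", "udp", "192.168.1.10", 40000, "216.82.1.1", 13000, 0.0)),
    ("sim replies",                  Packet("in",  "udp", "216.82.1.1", 13000, "192.168.1.10", 40000, 1.0)),
    ("unsolicited probe, same port", Packet("in",  "udp", "203.0.113.7", 13000, "192.168.1.10", 40000, 2.0)),
    ("viewer to disallowed port",    Packet("out", "udp", "192.168.1.10", 40001, "216.82.1.1", 40000, 3.0)),
    ("late reply after timeout",     Packet("in",  "udp", "216.82.1.1", 13000, "192.168.1.10", 40000, 100.0)),
]


def run_trace(trace=TRACE, timeout=UDP_TIMEOUT):
    """Return the filter's verdict for each packet in the trace, in order."""
    fw = StatefulUdpFilter(timeout)
    return [(label, fw.decide(pkt)) for label, pkt in trace]


if __name__ == "__main__":
    for label, verdict in run_trace():
        print(f"{verdict:6s} {label}")
```

The last trace entry is the case step 2 warns about: once the pseudo-session has aged out, a reply from the same server is treated as unsolicited and dropped, which is what a Viewer sees as a "blocked" flow when the firewall's UDP timeout is shorter than the gaps in its traffic.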

Ports

In addition to the standard ports for DNS lookup and web access, the Second Life Viewer requires the ports listed in the following table.

{| class="wikitable"
! Port !! Protocol !! Used For
|-
| 53 || UDP and TCP || DNS lookup
|-
| 80 || TCP || Second Life web resources
|-
| 443 || TCP || Second Life web resources/client authentication
|-
| 3478 || UDP || Voice/STUN traffic
|-
| 3479 || UDP || Voice/STUN traffic
|-
| 5060 || UDP || Voice/SIP traffic
|-
| 5062 || UDP || Voice/SIP traffic
|-
| 12000-29999 || UDP || Voice/RTP traffic/Core protocol communication ** (see note below)
|-
| 12043 || UDP and TCP || Capabilities/map services/simulator communication
|-
| 12046 || TCP || Texture downloading
|-
| 21002 || TCP || Voice signaling
|}

Notes:

  • RTP: Real-time Transport Protocol
  • SIP: Session Initiation Protocol
  • ** Voice used to require only ports 12000-17000 UDP, while Second Life needed 13000-13050 UDP. The combined range 12000-29999 satisfies both requirements for UDP traffic.

Server IP Addresses

Current subnets for both Second Life and voice servers are:

216.82.0.0/18 - SecondLife
64.94.252.0/23 - Voice
70.42.62.0/24 - Voice
74.201.98.0/23 - Voice

You may also use the Second Life Viewer to access virtual worlds hosted by organizations other than Linden Lab. Contact the hosting organization for the IP addresses used.

Specific hardware manufacturers

Consult your firewall's documentation or the manufacturer's website for instructions on how to configure your firewall.

Cisco

For a Cisco router/switch that uses reflexive access lists (IOS 11.0 or later), add these lines to your outbound access list:

permit tcp any any eq 53
permit tcp any any eq 80
permit tcp any any eq 443
permit tcp any any eq 12043
permit tcp any any eq 12046
permit tcp any any eq 21002
permit udp any any eq 53 reflect outbound-SL
permit udp any any eq 3478 reflect outbound-SL
permit udp any any eq 3479 reflect outbound-SL
permit udp any any eq 5060 reflect outbound-SL
permit udp any any eq 5062 reflect outbound-SL
permit udp any any range 12000 29999 reflect outbound-SL

Then, on your inbound access list, add:

permit tcp any any established
evaluate outbound-SL

After adding the above lines, apply these access lists.

Linux Killerwall

For a Linux system using Killerwall, add these lines to /etc/killerwall.acl:

IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 53 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 80 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 443 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 12043 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 12046 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 21002 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 53 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 3478 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 3479 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 5060 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 5062 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12000-29999 ACCEPT

Then, restart Killerwall. Killerwall automatically tracks related reply packets, so Second Life will now work correctly.

Linux Firewall

For a Linux box that uses IPF (Linux Firewall), configure as follows:

pass out quick on rl0 proto tcp from any to any port = 53 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 80 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 12043 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 12046 flags S keep state
pass out quick on rl0 proto tcp from any to any port = 21002 flags S keep state
pass out quick on rl0 proto udp from any to any port = 53
pass out quick on rl0 proto udp from any to any port = 3478
pass out quick on rl0 proto udp from any to any port = 3479
pass out quick on rl0 proto udp from any to any port = 5060
pass out quick on rl0 proto udp from any to any port = 5062
pass out quick on rl0 proto udp from any to any port 11999 <> 30000
pass in quick on rl0 proto tcp from any to any port = 53 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 80 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 12043 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 12046 flags S keep state
pass in quick on rl0 proto tcp from any to any port = 21002 flags S keep state
pass in quick on rl0 proto udp from any to any port = 53
pass in quick on rl0 proto udp from any to any port = 3478
pass in quick on rl0 proto udp from any to any port = 3479
pass in quick on rl0 proto udp from any to any port = 5060
pass in quick on rl0 proto udp from any to any port = 5062
pass in quick on rl0 proto udp from any to any port 11999 <> 30000

FreeBSD IPFW

For a firewall based on Ipfirewall (ipfw), add the following lines to /etc/rc.firewall:

ipfw add allow tcp from any to any 53 keep-state
ipfw add allow tcp from any to any 80 keep-state
ipfw add allow tcp from any to any 443 keep-state
ipfw add allow tcp from any to any 12043 keep-state
ipfw add allow tcp from any to any 12046 keep-state
ipfw add allow tcp from any to any 21002 keep-state
ipfw add allow udp from any to any 53 keep-state
ipfw add allow udp from any to any 3478 keep-state
ipfw add allow udp from any to any 3479 keep-state
ipfw add allow udp from any to any 5060 keep-state
ipfw add allow udp from any to any 5062 keep-state
ipfw add allow udp from any to any 11999-30000 keep-state
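The four listings above render the same port table in four dialects, and the dialects disagree on range syntax: IPF's `lo <> hi` excludes both endpoints (which is why 13000-13050 was once written `12999 <> 13051`), while ipfw's `lo-hi`, Cisco's `range lo hi` and Killerwall's `lo-hi` are inclusive. The following is an added example, not code from the wiki or from any of the firewall projects, that generates each dialect from one port table and parses IPF and ipfw lines back into the inclusive range they actually admit, so a rule set can be checked against the table. The helper names are my own; the Cisco destination-restriction uses the 216.82.0.0/18 subnet the article lists.

```python
"""Render the article's port table into the four firewall dialects it lists,
taking care of each dialect's range semantics, and parse rules back into the
inclusive range they admit.  Added example; helper names are my own."""
import ipaddress
import re

# (protocol, low, high): inclusive port ranges from the article's port table
PORTS = [
    ("tcp", 53, 53), ("tcp", 80, 80), ("tcp", 443, 443),
    ("tcp", 12043, 12043), ("tcp", 12046, 12046), ("tcp", 21002, 21002),
    ("udp", 53, 53), ("udp", 3478, 3478), ("udp", 3479, 3479),
    ("udp", 5060, 5060), ("udp", 5062, 5062), ("udp", 12000, 29999),
]
SL_SUBNET = "216.82.0.0/18"  # Second Life server subnet as listed on the page


def cisco_wildcard(cidr):
    """IOS access lists take a wildcard (inverted) mask, e.g. /18 -> 0.0.63.255."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def cisco_outbound(proto, lo, hi, dst="any", reflect="outbound-SL"):
    """Reflexive-ACL entry.  Only UDP is reflected, as in the article; TCP
    return traffic is matched by `permit tcp any any established` inbound."""
    port = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
    line = f"permit {proto} any {dst} {port}"
    return line + (f" reflect {reflect}" if proto == "udp" else "")


def ipf_rule(direction, proto, lo, hi, iface="rl0"):
    """IPF's `a <> b` matches ports strictly between a and b, so the bounds
    are widened by one on each side to cover lo..hi inclusive."""
    port = f"port = {lo}" if lo == hi else f"port {lo - 1} <> {hi + 1}"
    tail = " flags S keep state" if proto == "tcp" else ""
    return f"pass {direction} quick on {iface} proto {proto} from any to any {port}{tail}"


def ipfw_rule(proto, lo, hi):
    """ipfw's `lo-hi` is inclusive, so the table's bounds are used as written."""
    port = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"ipfw add allow {proto} from any to any {port} keep-state"


def killerwall_rule(proto, lo, hi, iface="<your lan interface>"):
    """Killerwall ACL entry; TOPORT takes an inclusive lo-hi range."""
    port = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"IN IFACE {iface} FROM 0.0.0.0/0 TO 0.0.0.0/0 {proto} TOPORT {port} ACCEPT"


def ipf_ports(line):
    """Inclusive (lo, hi) that an IPF rule actually admits."""
    m = re.search(r"port (\d+) <> (\d+)", line)
    if m:
        return int(m.group(1)) + 1, int(m.group(2)) - 1
    m = re.search(r"port = (\d+)", line)
    return int(m.group(1)), int(m.group(1))


def ipfw_ports(line):
    """Inclusive (lo, hi) that an ipfw rule actually admits."""
    m = re.search(r"to any (\d+)(?:-(\d+))?", line)
    lo = int(m.group(1))
    return lo, int(m.group(2)) if m.group(2) else lo


def render(dialect):
    """All rules of one dialect for the whole port table."""
    out = []
    for proto, lo, hi in PORTS:
        if dialect == "cisco":
            out.append(cisco_outbound(proto, lo, hi))
        elif dialect == "ipf":
            out.append(ipf_rule("out", proto, lo, hi))
            out.append(ipf_rule("in", proto, lo, hi))
        elif dialect == "ipfw":
            out.append(ipfw_rule(proto, lo, hi))
        elif dialect == "killerwall":
            out.append(killerwall_rule(proto, lo, hi))
    return out


if __name__ == "__main__":
    for d in ("cisco", "killerwall", "ipf", "ipfw"):
        print(f"# {d}")
        print("\n".join(render(d)))
    # Tightened variant: limit the wide UDP range to the Second Life subnet
    print(cisco_outbound("udp", 12000, 29999, dst=cisco_wildcard(SL_SUBNET)))
```

Running `ipfw_ports` over the last ipfw line above reports (11999, 30000), one port wider at each end than the table's 12000-29999, while `ipf_ports` over the matching IPF line reports exactly (12000, 29999); that is the off-by-one the parsers exist to catch. The `dst=` parameter of `cisco_outbound` is the least-privilege tightening: the same entry restricted to the 216.82.0.0/18 subnet instead of `any`.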

See also