Difference between revisions of "How do I configure my hardware firewall"
Revision as of 09:04, 17 November 2008
How do I configure my hardware firewall (such as a router)?
Hardware firewalls need to allow access on certain network ports. Second Life needs to connect to ports 443/TCP, 12035/UDP, 12036/UDP, 12043/TCP, and 13000-13050/UDP. Configure your firewall to allow outbound traffic to those ports and the related inbound reply traffic, using whatever state tracking the firewall offers ("keep state", "keep-state", reflexive access lists), rather than opening the ports to unsolicited inbound connections. You will need to consult your firewall's documentation, or the manufacturer's website, for instructions on how to make these changes. As of Version 1.13.2, released Jan. 10th, 2007, you may need to allow both the UDP and the TCP ports listed above in order to access Second Life.
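To make the policy concrete, here is a small model of a stateful filter that applies the port list above: outbound packets to a listed port open a flow, replies to that flow are passed, and everything else is dropped. This is an added example written for this page, not code from Second Life or any firewall vendor; the `Packet` and `StatefulFilter` names, the client and simulator addresses and the traffic in `run_demo()` are all constructed for illustration.

```python
"""Model of the policy above: allow outbound to the listed ports, plus only the related replies.
Added example for this page (not Second Life or any firewall vendor's code)."""
from dataclasses import dataclass

# Destination ports the client may open, taken from the port list above: (proto, low, high).
ALLOWED_OUT = (
    ("tcp", 443, 443),
    ("udp", 12035, 12035),
    ("udp", 12036, 12036),
    ("tcp", 12043, 12043),
    ("udp", 13000, 13050),
)


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN client -> Internet, "in" = Internet -> LAN client
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag ("flags S" in ipf, "setup" in ipfw)
    ack: bool = False


class StatefulFilter:
    """Default-deny filter with a flow table, like "keep state" or a reflexive ACL."""

    def __init__(self, policy=ALLOWED_OUT):
        self.policy = policy
        # Flows opened from the LAN side: (proto, lan_ip, lan_port, remote_ip, remote_port)
        self.state = set()

    def _policy_allows(self, proto, dport):
        return any(p == proto and lo <= dport <= hi for p, lo, hi in self.policy)

    def filter(self, pkt):
        """Return "pass" or "drop" for one packet, updating the flow table."""
        as_out = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        as_reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            if as_out in self.state:
                return "pass"  # continuation of a flow already in the table
            if not self._policy_allows(pkt.proto, pkt.dport):
                return "drop"
            if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
                return "drop"  # only a fresh SYN may create TCP state
            self.state.add(as_out)
            return "pass"
        # Inbound: pass only if it answers a flow the LAN side opened.
        # Being addressed to a listed port is not enough on its own.
        return "pass" if as_reply in self.state else "drop"


def run_demo():
    """Constructed traffic (RFC 5737 test address for the simulator); returns the verdicts in order."""
    fw = StatefulFilter()
    client, sim = "192.168.1.10", "203.0.113.5"
    return [
        # 1-2: HTTPS login: SYN out, SYN/ACK back on the same 4-tuple
        fw.filter(Packet("out", "tcp", client, 50001, sim, 443, syn=True)),
        fw.filter(Packet("in", "tcp", sim, 443, client, 50001, syn=True, ack=True)),
        # 3: unsolicited inbound to 12035/UDP: listed port, but no flow, so dropped
        fw.filter(Packet("in", "udp", sim, 12035, client, 50002)),
        # 4-5: outbound UDP to a simulator on 13050, then its reply
        fw.filter(Packet("out", "udp", client, 50003, sim, 13050)),
        fw.filter(Packet("in", "udp", sim, 13050, client, 50003)),
        # 6: 13051 is just outside 13000-13050
        fw.filter(Packet("out", "udp", client, 50004, sim, 13051)),
        # 7: a bare ACK to 12043/TCP cannot open state
        fw.filter(Packet("out", "tcp", client, 50005, sim, 12043, ack=True)),
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Verdicts 3 and 7 are the ones that matter for security: a rule set that passes any inbound packet addressed to 12035/UDP, or any TCP segment to 12043, would accept both. Each of the vendor-specific sections below reaches the same behaviour with its own keyword ("keep state" in ipf, "keep-state" in ipfw, "reflect"/"evaluate" on Cisco, automatic reply tracking in Killerwall).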
Cisco
If your hardware firewall is a Cisco router or switch that uses reflexive access lists (IOS 11.0 or later; reflexive entries are only available in named extended IP access lists), add these lines to your outbound access list, one per port from the list above:
remark Second Life: outbound ports, each reflected so that only the matching replies are let back in
permit tcp any any eq 443 reflect outbound-SL
permit udp any any eq 12035 reflect outbound-SL
permit udp any any eq 12036 reflect outbound-SL
permit tcp any any eq 12043 reflect outbound-SL
permit udp any any range 13000 13050 reflect outbound-SL
Then, on your inbound access list, add:
evaluate outbound-SL
Reflecting the TCP entries as well as the UDP ones means the older "permit tcp any any established" line is not needed; that line passes any inbound TCP segment with the ACK bit set, whether or not a connection exists, whereas the reflexive entries only pass replies to connections a client actually opened. Then apply the lists to the Internet-facing interface (ip access-group <outbound list> out and ip access-group <inbound list> in). SL should now be able to communicate through this router.
Linux Killerwall
If your hardware firewall is a Linux box that uses Killerwall, add these lines to your /etc/killerwall.acl, one per port from the list above, replacing <your lan interface> with the name of the LAN-side interface:
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 443 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12035 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12036 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 12043 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 13000-13050 ACCEPT
Then restart Killerwall. Killerwall automatically tracks the related reply packets, so SL should now work correctly without any inbound ports being opened.
IPFilter (ipf)
If your hardware firewall is a box that uses IPFilter (ipf), add these rules to its rule file. The syntax below is ipf syntax (not Linux iptables), and rl0 is only an example interface name: substitute the interface that carries the Second Life client's traffic.
# Outbound. "flags S keep state" lets only a fresh SYN open a TCP flow and then passes
# its replies automatically. "keep state" on the UDP rules does the same for UDP; without
# it a rule matches only packets whose destination port is the listed one, never the
# replies, which come from that port to an ephemeral port on the client.
pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
pass out quick on rl0 proto udp from any to any port = 12035 keep state
pass out quick on rl0 proto udp from any to any port = 12036 keep state
pass out quick on rl0 proto tcp from any to any port = 12043 flags S keep state
# "<>" is an exclusive range in ipf: 12999 <> 13051 matches 13000 through 13050.
pass out quick on rl0 proto udp from any to any port 12999 <> 13051 keep state
# Inbound on the same interface, for the case where rl0 is the interface facing the clients.
pass in quick on rl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on rl0 proto udp from any to any port = 12035 keep state
pass in quick on rl0 proto udp from any to any port = 12036 keep state
pass in quick on rl0 proto tcp from any to any port = 12043 flags S keep state
pass in quick on rl0 proto udp from any to any port 12999 <> 13051 keep state
FreeBSD IPFW
If you use a firewall based on the ipfw tool, the following commands allow the client's outbound connections and their replies:
# Match packets against the dynamic rules created by keep-state before anything else.
ipfw add check-state
# "setup" limits the rule to SYN packets; "keep-state" creates the dynamic rule that lets the replies back in.
ipfw add allow tcp from any to any 443 setup keep-state
ipfw add allow udp from any to any 12035 keep-state
ipfw add allow udp from any to any 12036 keep-state
ipfw add allow tcp from any to any 12043 setup keep-state
# ipfw port ranges are inclusive, so 13000-13050 is exactly the range from the port list
# (12999-13051 would open two extra ports).
ipfw add allow udp from any to any 13000-13050 keep-state
You can add these to the file /etc/rc.firewall (a shell script, so the # comments are valid there) and then reload the rule set, for example with /etc/rc.d/ipfw restart on FreeBSD.
Can I use voice from behind a firewall?
Voice, like Second Life itself, is designed to work with "zero configuration" and should work with most firewalls. Your firewall software may ask for permission to let "SLVoice.exe" and "SLVoiceAgent.exe" access the Internet the first time they run; you should allow this access.
- The following ports need to be reachable through any firewall infrastructure:
  - Port 21002/TCP - voice control signals
  - Ports 12000-13000/UDP - voice media
  - Ports 80 and 443/TCP - web server
  - Port 5060 or 5062/UDP - SIP voice control signals
- Second Life also has voice servers at the following IPs (this list will grow over time):
  - 64.127.123.194 to 64.127.123.254
  - 64.147.180.130 to 64.147.180.142
  - 69.80.215.226
  - 64.127.112.106
  - 70.42.62.21 to 70.42.62.25
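The address ranges above are written for people ("a to b", "a.b.c.d-e"), while a firewall ACL wants CIDR prefixes or, on Cisco, a network address plus wildcard mask, and a range such as .194 to .254 does not fall on a single prefix boundary. The following added example (written for this page, not Linden Lab's or any vendor's code) parses the page's list in both notations, collapses it into the minimal set of prefixes, and renders one Cisco-style line per prefix; the "permit udp any ... range 12000 13000" output format mirrors the Cisco syntax used earlier on the page and is illustrative, as is the function naming.

```python
"""Turn the voice-server address ranges listed above into prefixes a firewall ACL accepts.
Added example for this page (not Linden Lab's or any firewall vendor's code)."""
import ipaddress
import re

# Copied from the page's list; both notations that appear there are kept as written.
VOICE_SERVER_RANGES = [
    "64.127.123.194 to 64.127.123.254",
    "64.147.180.130 to 64.147.180.142",
    "69.80.215.226",
    "64.127.112.106",
    "70.42.62.21-25",
]

_A_TO_B = re.compile(r"(\d+\.\d+\.\d+\.\d+)\s+to\s+(\d+\.\d+\.\d+\.\d+)")
_LAST_OCTET = re.compile(r"(\d+\.\d+\.\d+\.)(\d+)-(\d+)")


def parse_range(text):
    """Return (first, last) as IPv4Address for one entry in either notation; a bare address is a range of one."""
    text = text.strip()
    m = _A_TO_B.fullmatch(text)
    if m:
        return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
    m = _LAST_OCTET.fullmatch(text)
    if m:
        prefix, lo, hi = m.groups()
        return ipaddress.IPv4Address(prefix + lo), ipaddress.IPv4Address(prefix + hi)
    single = ipaddress.IPv4Address(text)  # raises on anything that is not an address
    return single, single


def to_prefixes(entries):
    """Collapse all entries into the minimal list of CIDR blocks covering exactly those addresses."""
    nets = []
    for entry in entries:
        first, last = parse_range(entry)
        if last < first:
            raise ValueError(f"range end before start: {entry!r}")
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def cisco_wildcard(net):
    """Cisco ACL form: network address followed by the inverted (wildcard) mask."""
    return f"{net.network_address} {net.hostmask}"


def covered_addresses(nets):
    """Total number of addresses the prefix set permits; use it to check nothing extra crept in."""
    return sum(n.num_addresses for n in nets)


def is_covered(ip, nets):
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


if __name__ == "__main__":
    prefixes = to_prefixes(VOICE_SERVER_RANGES)
    for net in prefixes:
        print(f"{net:<20} permit udp any {cisco_wildcard(net)} range 12000 13000")
    print(f"# {covered_addresses(prefixes)} addresses permitted in total")
```

The .194 to .254 range alone becomes nine prefixes, which is why writing it by hand tends to produce a /26 or /25 that also permits addresses Linden Lab never listed; `covered_addresses()` returning the same count as the list (81 here) is the check that the ACL is no wider than the page says it needs to be.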
If the SIP connection on port 5060 fails (as it may when the router provides VoIP services of its own and intercepts that port), the voice software automatically retries on port 5062. This means that port 5062 may also need to be opened on some restrictive firewalls in rare instances.
You can verify if your firewall is configured for voice by visiting this website to identify common problems.