Configuring your hardware firewall

From Second Life Wiki

Introduction

This article describes how to configure your firewall to allow use of the Second Life Viewer (client) within your intranet. It is intended for network administrators and others responsible for network security.

Firewalls are a fundamental component of a network security program. Following the principle of least privilege, a firewall limits traffic between the corporate intranet and the public network to the applications the organization supports. Firewalls are therefore usually configured for common applications such as the Domain Name System (DNS), email, and web browsing. Second Life, however, uses a number of non-standard ports that most firewalls block by default.

To enable people to use Second Life from inside the firewall, follow the procedures outlined in this document.

Procedure

Although the details depend on your specific firewall, follow this general procedure:

  1. Open outbound access for TCP ports. Second Life servers never establish inbound TCP connections to client systems running the Second Life Viewer; the Viewer initiates every TCP connection and the servers answer on it ("request / response"). No inbound TCP rule is needed, only a stateful rule that allows replies on connections the Viewer opened.
    • Enable outbound TCP access for ports 80, 443, 5060, 5062, 12043 and 21002.
  2. Open outbound "session" access for UDP ports. Although UDP has no sessions, most stateful firewalls only pass an inbound UDP datagram if they have recently seen outbound UDP traffic between the same address and port pair; anything else is dropped as unsolicited. The rule must therefore allow the outbound datagrams and the firewall must track them so that the servers' replies are let back in.
    • Activate outbound UDP for ports 5060, 5062, and 12000-13050 (the Ports table below lists voice RTP traffic as 12000-15000; open the full range if voice will be used).
  3. Monitor. The intricacies of modern firewalls make it difficult for one document to cover every network configuration. Use tools such as ntop and nprobe to monitor the network flows between the Second Life Viewer and the servers, and look for flows that the firewall is blocking (for example, outbound UDP to a simulator port that never sees a reply).
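The following is an added example, not part of the original article or of Linden Lab's software, that models the three steps above in code: an outbound-only policy built from the port numbers on this page, the stateful tracking that lets TCP and UDP replies back in (and drops unsolicited inbound traffic), and a small audit of flow records of the kind a flow collector such as nprobe would export. The class and function names, the UDP idle timeout, and the sample flow records are assumptions made for the example.

```python
"""Model of the outbound-only firewall policy for the Second Life Viewer.
Added example: port numbers are from this page's Ports table; the names,
timeout and sample data are assumptions for illustration."""
from dataclasses import dataclass, field

# Outbound TCP destination ports from the Ports table.
TCP_PORTS = {80, 443, 5060, 5062, 12043, 21002}
# Outbound UDP destination port ranges from the Ports table (inclusive).
UDP_RANGES = [(53, 53), (5060, 5060), (5062, 5062), (12000, 15000)]
# Assumed UDP pseudo-session idle timeout in seconds; real firewalls use
# vendor-specific defaults of roughly this order, so check yours.
UDP_TIMEOUT = 60.0


def udp_port_allowed(port: int) -> bool:
    """True if an outbound UDP datagram to this port is permitted."""
    return any(lo <= port <= hi for lo, hi in UDP_RANGES)


@dataclass
class StatefulFilter:
    """Tracks flows the Viewer opened so that only their replies are let in."""
    tcp_sessions: set = field(default_factory=set)
    udp_sessions: dict = field(default_factory=dict)   # flow -> last seen

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Viewer -> Internet. Returns 'ACCEPT' or 'DROP'."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if proto == "tcp" and dst_port in TCP_PORTS:
            self.tcp_sessions.add(flow)
            return "ACCEPT"
        if proto == "udp" and udp_port_allowed(dst_port):
            self.udp_sessions[flow] = now       # create/refresh pseudo-session
            return "ACCEPT"
        return "DROP"

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port, now):
        """Internet -> Viewer. Only replies to tracked outbound flows pass;
        servers never open connections towards the Viewer."""
        reverse = (dst_ip, dst_port, src_ip, src_port)
        if proto == "tcp":
            return "ACCEPT" if reverse in self.tcp_sessions else "DROP"
        if proto == "udp":
            last = self.udp_sessions.get(reverse)
            if last is not None and now - last <= UDP_TIMEOUT:
                self.udp_sessions[reverse] = now   # reply keeps the entry alive
                return "ACCEPT"
        return "DROP"


# Constructed flow export, not a real capture:
# proto,src_ip,src_port,dst_ip,dst_port,packets_out,packets_in
SAMPLE_FLOWS = [
    "udp,10.0.0.12,49152,203.0.113.10,13005,420,0",    # no replies came back
    "tcp,10.0.0.12,50000,203.0.113.10,12043,30,28",    # healthy
    "udp,10.0.0.12,49153,203.0.113.10,12035,900,870",  # healthy
    "tcp,10.0.0.12,50001,203.0.113.10,8002,5,0",       # port not in policy
]


def audit_flows(records):
    """Flag flows that look blocked: a destination port the policy does not
    allow, or an allowed flow that never saw a reply packet (return path
    most likely dropped by the firewall's state handling)."""
    findings = []
    for line in records:
        proto, _src, _sport, _dst, dport, _out, in_pkts = line.split(",")
        dport, in_pkts = int(dport), int(in_pkts)
        allowed = dport in TCP_PORTS if proto == "tcp" else udp_port_allowed(dport)
        if not allowed:
            findings.append((line, "destination port not in policy"))
        elif in_pkts == 0:
            findings.append((line, "no reply packets: return path probably blocked"))
    return findings


if __name__ == "__main__":
    fw = StatefulFilter()
    # Unsolicited inbound UDP from a simulator is dropped ...
    print(fw.inbound("udp", "203.0.113.10", 13005, "10.0.0.12", 49152, 0.0))
    # ... but once the Viewer has sent to that port, the reply is accepted.
    fw.outbound("udp", "10.0.0.12", 49152, "203.0.113.10", 13005, 0.0)
    print(fw.inbound("udp", "203.0.113.10", 13005, "10.0.0.12", 49152, 1.0))
    for line, reason in audit_flows(SAMPLE_FLOWS):
        print(reason, "->", line)
```

The `inbound` check is the whole point of step 2: a simulator's UDP replies are accepted only while the pseudo-session created by the Viewer's own outbound datagrams is fresh, so a firewall whose UDP timeout is shorter than the Viewer's send interval will show up in step 3 as one-way flows with `packets_in` at zero.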

Ports

In addition to the standard ports for DNS lookup and web access, the Second Life Viewer requires the ports listed in the following table.

Port           Protocol   Used For
53             UDP/TCP    DNS lookup
80             TCP        Accessing Second Life related web resources
443            TCP        Accessing Second Life related web resources and client authentication
5060           UDP/TCP    Voice / SIP traffic
5062           UDP/TCP    Voice / SIP traffic
12000-15000    UDP        Voice / RTP traffic
12035          UDP        Core protocol communication
12043          UDP        Simulator communication and map-related functions
12043          TCP        Capability-based simulator communication
13000-13050    UDP        Core protocol communication
21002          TCP        Voice signaling

Notes:

  • RTP: Real-time Transport Protocol
  • SIP: Session Initiation Protocol

Server IP Addresses

For up-to-date information on IP addresses, see:

You can subscribe to these articles to be notified when the article is updated.

You may also use the Second Life Viewer to access virtual worlds hosted by organizations other than Linden Lab. Contact the hosting organization for the IP addresses used.
