Difference between revisions of "Configuring your hardware firewall"

From Second Life Wiki
Jump to navigation Jump to search
Line 99: Line 99:
== Server IP Addresses ==
== Server IP Addresses ==


For up-to-date information on IP addresses, see:
Current subnets for both Second Life and voice servers are:
* [[Linden_Lab_Official:What are Second Life's subnets|What are Second Life's subnets?]] for Second Life server IP addresses. 
* [[Can I use voice from behind a firewall|Can I use voice from behind a firewall?]] for voice server IP addresses.


You can subscribe to these articles to be notified when the article is updated.  
216.82.0.0/18 - SecondLife
64.94.252.0/23 - Voice
70.42.62.0/24 - Voice
74.201.98.0/23 - Voice


You may also use the Second Life Viewer to access virtual worlds hosted by organizations other than [[Linden Lab]]. Contact the hosting organization for the IP addresses used.
You may also use the Second Life Viewer to access virtual worlds hosted by organizations other than [[Linden Lab]]. Contact the hosting organization for the IP addresses used.


== Specific hardware manufacturers ==
== Specific hardware manufacturers ==

Revision as of 07:42, 10 February 2011

Overview

This article describes how to configure your firewall to allow use of the Second Life Viewer (client) within your home network or corporate intranet. It is intended for network administrators and others responsible for network security.

Firewalls are a fundamental component of a network security program. Following the "principle of least privilege," firewalls limit traffic between the local network and the public network to supported network applications. Thus, firewalls are generally configured for common applications such as Domain Name Service (DNS), email, and web browsing. However, Second Life uses a number of non-standard ports that most firewalls block by default.

Voice chat

Voice chat, like Second Life itself, is designed to work with "zero configuration" and should work with most firewalls. When you initially run the Second Life Viewer, your firewall may require you to permit internet access by "SLVoice.exe" or "SLVoiceAgent.exe".

If the SIP connection on port 5060 fails (as it might if the router is designed to provide VoIP services of its own) the Viewer will automatically retry on port 5062. So, on some restrictive firewalls, you may need to open port 5062. To enable people to use Second Life from inside the firewall, follow the procedures outlined in this document.

Procedure

Although the details depend on your specific firewall, follow this general procedure:

  1. Open outbound access for TCP ports - Second Life servers do not establish inbound TCP connections to client systems running the Second Life Viewer software. Instead, they use the "request / response" message pattern.
    • Enable outbound TCP access for ports 53, 80, 443, 12043, 12046 and 21002.
  2. Open outbound "session" access for UDP ports - Although UDP is a session-less transport, many firewalls block unsolicited incoming UDP traffic to a particular port unless it has seen recent outgoing UDP traffic from that same port.
    • Activate outbound UDP for ports 53, 3478, 3479, 5060, 5062, and 12000-29999.
  3. Monitor - The intricacies of modern firewalls make it difficult for one document to cover every network configuration. Use tools such as ntop and nprobe to monitor network flow between the Second Life Viewer and servers to identify network flows blocked by the firewall.

Ports

In addition to the standard ports for DNS lookup and web access, the Second Life Viewer requires the ports listed in the following table.

Port Protocol Used For
53 UDP and TCP DNS lookup
80 TCP Second Life web resources
443 TCP Second Life web resources/client authentication
3478 UDP Voice/STUN traffic
3479 UDP Voice/STUN traffic
5060 UDP Voice/SIP traffic
5062 UDP Voice/SIP traffic
12000-29999 UDP Voice/RTP traffic/Core protocol communication ** (see note below)
12043 UDP and TCP Capabilities/map services/simulator communication
12046 TCP Texture downloading
21002 TCP Voice signaling

Notes:

  • RTP: Real-time Transport Protocol
  • SIP: Session Initiation Protocol
  • ** Voice used to only require ports 12000-17000 UDP while Second Life needed 13000-13050 UDP. This combined range satisfies both requirements for UDP traffic.

Server IP Addresses

Current subnets for both Second Life and voice servers are:

216.82.0.0/18 - SecondLife
64.94.252.0/23 - Voice
70.42.62.0/24 - Voice
74.201.98.0/23 - Voice

You may also use the Second Life Viewer to access virtual worlds hosted by organizations other than Linden Lab. Contact the hosting organization for the IP addresses used.

Specific hardware manufacturers

Consult your firewall's documentation or the manufacturer's website, for instructions on how to configure your firewall.

Cisco

For a Cisco router/switch that uses reflexive access lists (IOS 11.0 or later), add these lines to your outbound access list:

permit tcp any any eq 443
permit udp any any eq 12035 reflect outbound-SL
permit udp any any eq 12036 reflect outbound-SL
permit udp any any range 13000 13050 reflect outbound-SL

Then, on your inbound access list, add:

permit tcp any any established
evaluate outbound-SL

After adding the above lines, apply these access lists.

Linux Killerwall

For a Linux system using Killerwall, add these lines to /etc/killerwall.acl:

IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 tcp TOPORT 443 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12035 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 12036 ACCEPT
IN IFACE <your lan interface> FROM 0.0.0.0/0 TO 0.0.0.0/0 udp TOPORT 13000-13050 ACCEPT

Then, restart Killerwall. Killerwall automatically tracks related reply packets, so Second Life will now work correctly.

Linux Firewall

For a Linux box that uses IPF (Linux Firewall), configure as follows:

pass out quick on rl0 proto tcp from any to any port = 443 flags S keep state
pass out quick on rl0 proto udp from any to any port = 12035
pass out quick on rl0 proto udp from any to any port = 12036
pass out quick on rl0 proto tcp from any to any port = 12043 flags S keep state
pass out quick on rl0 proto udp from any to any port 12999 <> 13051
pass in quick on rl0 proto tcp from any to any port = 443 flags S keep state
pass in quick on rl0 proto udp from any to any port = 12035
pass in quick on rl0 proto udp from any to any port = 12036
pass in quick on rl0 proto udp from any to any port 12999 <> 13051

FreeBSD IPFW

For a firewall based on Ipfirewall (ipfw), add the following lines to /etc/rc.firewall:

ipfw add allow tcp from any to any 443 setup
ipfw add allow udp from any to any 12035 keep-state
ipfw add allow udp from any to any 12036 keep-state
ipfw add allow tcp from any to any 12043 keep-state
ipfw add allow udp from any to any 12999-13051 keep-state

See also