NAT-HOWTO for OpenVerse

This document gives some insight into how to run your OV server from behind a NAT firewall. This information was sent to me in an email by one of the OpenVerse server administrators; the instructions describe how he set it up on his FreeBSD box.

From: "Karl M. Joch" k.joch@kmjeuro.com
Date: Wed, 23 Feb 2000 18:47:27 GMT
Subject: Fwd: OpenVerse Patch
To: cruise@openverse.org

Hello Cruise,

Enclosed are the description and patch. If there are errors in my English, I 
apologize in advance.

Best regards,

Karl


Instructions on how to set up OpenVerse on a FreeBSD 3.4 server. I only had 
the chance to test it on FreeBSD, but basically the instructions work in 
the same way on Linux and every other firewalled machine.

1. Apply the patch to server.tcl.

2. Create a user with no rights on the system, e.g. openverse with a 
password :-). You should not run the server as root or as a user with 
privileges. 

3. You should chown newuser:newgroup the OpenVerse files/directories 
which the server needs write access to. As far as I have seen, these are 
the rooms/rimage... directories.

4. If you have a system which already uses the ports 11000-11999, then 
you need to change server.tcl:
    edit server_port, port_min, port_max to the best values you can use 
(netstat -na should be your friend).

5. Create an openverse.sh file in your /usr/local/etc/rc.d directory 
(in FreeBSD, all files with extension .sh in rc.d and a rights mask of 7xx 
are executed on startup). The file should look like this:

#!/bin/sh
# /usr/local/etc/rc.d/openverse.sh - executed as root at startup.
#
# The ipfw rules must be added as root, so they come before the su to the
# dummy user. Change the port numbers if your cfg file is different. This
# assumes you already have defined a rule like
#   ipfw add nnnn allow tcp from any to any established
# Also take care that 0100 is in order to fit your rule set; if 0100 is ok
# then you can use it for every rule following here.

# Server port of the first room; add one such rule for each room you run.
ipfw add 0100 allow tcp from any to any 7000 setup
# This opens the range defined in server.tcl (port_min-port_max) and allows
# clients to transfer the pics and avs. If you still want to have a well
# protected machine, make sure that nothing else runs on these ports.
ipfw add 0100 allow tcp from any to any 11000-11999 setup

# Start the server as the dummy user, never as root.
su -l openverse << EOF
# change this to the OpenVerse home directory
cd /
# now let's fire up the first room (repeat the line for each room)
./server.tcl room1.cfg > /dev/null &
EOF
# you should have a running server now.

There can be some differences on various systems, but basically this 
should work everywhere. Maybe you have to set up the rules in a 
firewall script or on a NAT system; then you have to allow the 
following traffic there:

For every room:

TCP setup connections on the server port (defaults to 7000)
TCP setup connections on the transfer ports (defaults to 11000-11999)
TCP traffic of established connections.

On NAT systems or proxy servers, you have to redirect the traffic on 
the above ports to the local machine running the server.

If you run more than one server, I suggest changing server.tcl and 
using a different port range for every room. For sure you also have another 
base port. Then repeat the above steps and you should be done.

	
Have Fun with OpenVerse.
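A pre-flight check for the port plan of step 4 and the one-range-per-room advice above, added here as an example (it is not part of Karl's HOWTO or of the OpenVerse code): it scans netstat -an style output for listeners on a room's server port and transfer range, and tests whether the ranges of two rooms overlap. The netstat lines are a constructed sample; on a real host pass "$(netstat -an)" instead.

```shell
#!/bin/sh
# Added example, not from the HOWTO or OpenVerse: check that the server port
# and transfer range of each room are free before the ipfw rules are created.

# Constructed sample of "netstat -an" output (BSD layout); replace with
# "$(netstat -an)" on the real host.
SAMPLE_NETSTAT='tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.11005                *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.7000                 *.*                    LISTEN
tcp4       0      0  10.0.0.5.7000          10.0.0.9.40112         ESTABLISHED'

# ports_in_use NETSTAT_OUTPUT MIN MAX: print every listening local port in
# MIN..MAX, one per line. The last dot- or colon-separated field of the local
# address is the port, which covers both BSD (*.22) and Linux (0.0.0.0:22).
ports_in_use() {
    printf '%s\n' "$1" | awk -v min="$2" -v max="$3" '
        $NF == "LISTEN" {
            n = split($4, a, "[.:]")
            if (a[n] + 0 >= min + 0 && a[n] + 0 <= max + 0) print a[n]
        }'
}

# ranges_overlap MIN1 MAX1 MIN2 MAX2: succeed if the inclusive ranges
# intersect, i.e. two rooms would fight over the same transfer ports.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_room NAME SERV_PORT PORT_MIN PORT_MAX NETSTAT_OUTPUT: report every
# conflicting port for one room; exit status 0 only when none is found.
check_room() {
    status=0
    for p in $(ports_in_use "$5" "$2" "$2"); do
        echo "$1: server port $p is already in use"; status=1
    done
    for p in $(ports_in_use "$5" "$3" "$4"); do
        echo "$1: transfer port $p is already in use"; status=1
    done
    return $status
}

# With the constructed sample, room1 collides on 7000 and 11005.
check_room room1 7000 11000 11999 "$SAMPLE_NETSTAT" ||
    echo "room1: fix the port plan before creating the ipfw rules"
```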

[notes by cruise] This patch is for version 0.7-10 of the OpenVerse
server code. It may not patch older or newer code correctly.


>>>>>>>>>>>>>>>>>> Patch for restricting the used ports <<<<<<<<<<<<<<<<<<


> *** server.tcl.org    Tue Feb 22 20:19:59 2000
> --- server.tcl        Wed Feb 23 17:22:43 2000
> ***************
> *** 206,211 ****
> --- 206,227 ----
>       set MVS(captains) {}
>       set MVS(maxpushdistance) 100
>       set MVS(maxpushvelocity) 100
> +     set MVS(serv_port) 11000
> +     set MVS(port_min) 11000
> +     set MVS(port_max) 11999
> +
> +     # Restrict our ports between min/max defined in ReloadConfig
> +
> +     proc RestrictPort {} {
> +             global MVS
> +             incr MVS(serv_port)
> +             if {$MVS(serv_port) > $MVS(port_max)} {
> +                     set MVS(serv_port) $MVS(port_min)
> +             }
> +             LogIt "Restricted Port: $MVS(serv_port)"
> +
> +             return $MVS(serv_port)
> +     }

>       # Create required directories.
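Review bot: the comment says the min/max are "defined in ReloadConfig", but this hunk hard-codes `set MVS(port_min) 11000` and `set MVS(port_max) 11999` next to the other defaults, and step 4 of the HOWTO tells admins to edit `server_port,port_min,port_max` while the variable introduced here is `MVS(serv_port)`; either move the three settings into ReloadConfig or fix the comment and the HOWTO so an admin finds the right names. Also, since `RestrictPort` increments before it returns, port_min itself (11000) is only handed out after the first wrap-around; initialising `MVS(serv_port)` to `[expr {$MVS(port_min) - 1}]` would use the whole configured range from the start.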

> ***************
> *** 1019,1028 ****

>               set size [file size $file]
>               set idx [incr MVS(dcc_num)]
> !             set sock [socket -server "Serv_acceptSend $idx" 0]

> !             if {[catch {fconfigure $sock -sockname} port]} {
> !                     LogIt "($who) (Serv_DCCSend) Cannot get port for 
server - $port"
>               }

>               lappend MVS(dcc_list) $idx
> --- 1035,1045 ----

>               set size [file size $file]
>               set idx [incr MVS(dcc_num)]
> !             set sock [socket -server "Serv_acceptSend $idx" 
[RestrictPort]]

> !             while {[catch {fconfigure $sock -sockname} port]} {
> !                     LogIt "Port was in use - $port (New Try)"
> !                     set sock [socket -server "Serv_acceptSend $idx" 
[RestrictPort]]
>               }

>               lappend MVS(dcc_list) $idx
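Review bot: the retry loop guards the wrong call. `socket -server "Serv_acceptSend $idx" [RestrictPort]` is what raises the "address already in use" error, and it sits outside the `catch`, so a busy port aborts Serv_DCCSend instead of triggering a retry; `fconfigure $sock -sockname` cannot fail once the listener exists. Put the socket call inside the catch, e.g. `while {[catch {socket -server "Serv_acceptSend $idx" [RestrictPort]} sock]} { LogIt "Port in use - $sock (New Try)" }`, and bound the loop to port_max-port_min+1 attempts so a fully occupied range logs an error and returns rather than spinning; keep the `($who) (Serv_DCCSend)` prefix that the old log line had, since it identifies the requesting user when reading the logs.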
> ***************
> *** 1239,1248 ****
>       set file "$MVS(avatars)/$what"  
>       
>       set idx [incr MVS(dcc_num)]
> !     set sock [socket -server "acceptGet $idx" 0]
> !     if {[catch {fconfigure $sock -sockname} port]} {
> !             LogIt "($who) (Serv_DCCSend) Cannot get port for server 
- $port"
>       }
>       lappend MVS(dcc_list) $idx
>       set MVS(DCC.$idx.sender) $who
>       set MVS(DCC.$idx.file) "$file"
> --- 1256,1268 ----
>       set file "$MVS(avatars)/$what"  
>       
>       set idx [incr MVS(dcc_num)]
> !
> !     set sock [socket -server "acceptGet $idx" [RestrictPort]]
> !     while {[catch {fconfigure $sock -sockname} port]} {
> !             LogIt "Port was in use - $port (New Try)"
> !             set sock [socket -server "Serv_acceptSend $idx" 
[RestrictPort]]
>       }
> +
>       lappend MVS(dcc_list) $idx
>       set MVS(DCC.$idx.sender) $who
>       set MVS(DCC.$idx.file) "$file"
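Review bot: the retry inside the `while` re-creates the listener with `Serv_acceptSend $idx` although this is the avatar GET path (the first `socket -server` two lines above uses `acceptGet $idx`), so after a single port collision the GET would be answered by the send handler; the line copied from the Serv_DCCSend hunk should read `set sock [socket -server "acceptGet $idx" [RestrictPort]]`. The remark on the previous hunk applies here too: the `socket -server` call itself must be inside the `catch` for the loop to ever retry.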