[protege-discussion] Router set up for Collaborative/Web Protege
adam at wyner.info
Mon Jul 6 03:44:35 PDT 2009
Hi Protege Community,
Rinke Hoekstra and I are trying to set up Collaborative/Web Protege,
but we are having difficulty configuring the router correctly. The
instructions on these matters are not clear. And we have a security
concern. Perhaps there is something we don't understand about the
setup, but the setup information does not help us get it running.
We've looked carefully through all the available documentation,
including discussion lists. If we have missed something, please let
me know. BTW -- where are the slides from the Protege Conference
Tutorial on this topic?
I am working at home with a router; Rinke is working via a university
system. So, we are both working behind firewalls, and I'm sure most
people will be. We'd prefer not to require users to ssh into our
machines to access protege, but rather to use port forwarding. This
is very common for web-based services and games:
http://portforward.com/
In fact, this page has information which will be helpful to users
setting up protege on their home machines as it gives step by step
directions for a range of routers. In general, we imagine that most
people will be behind firewalls and want relatively open access to
collaborative/web protege (which is the point, no?). So, how to
securely set up port forwarding should be very clear and helpfully
laid out. It should not, in principle, be any more threatening to
security or more difficult to accomplish than the many games etc out
there....
So far as we can tell, the port forwarding solution is Black Magic
Trick #2 on the protege info on RMI:
http://protegewiki.stanford.edu/index.php/Protege_Client_Server_RMI
It is not clear to me that NAT is the relevant point here; we made the
changes recommended and it didn't work. Rather, the focus of the
remaining problems seems to be on the relation between the WAN IP
address, the router ports and the computer ports.
On my router (a Belkin), I need to know **exactly** which ports to set
up on the Virtual Server.... Again, this is a very common thing to do
for gamers, and I can follow the directions from portforward.com.
True, it does open up a vulnerability, but this depends on which port
and whether the software has been designed intelligently to protect
the host computer from abuse.
Now, about the selection of the ports. The installation instructions
need to be clearer. First of all, the 'non-advanced' instructions are
very likely not going to work for most people (who have a firewall).
People should be told of these issues early on as otherwise the
installation seems easy, but cannot be done. So, the instructions on
ports cannot be buried as an 'advanced' topic:
http://protegewiki.stanford.edu/index.php/Protege_Client_Server_Tutorial_Advanced
Second, let's look at the specifics on the ports. I am using Ubuntu
9.04 (Windows folks can derive info from this discussion presumably).
Look at the Working with Firewalls section. Yes, the protege server
is going to run from inside a firewall, so I need two ports.... In
the running example, we have one port 5100 for the rmiregistry and
another port 5200 for the Protege server. However, as noted, the
default for rmiregistry is 1099. Why was the default not used? And
how was port 5200 selected? By the same token, if I use the 'default'
of 1099 for rmiregistry, what is the recommended port for the Protege
server? With the correct port information, I can edit the
run_protege_server script....
Third, in the section (above Configuration Settings) on NAT, the
hostname information should be a lot clearer. This should be (so far
as I can tell), the IP address of the WAN, not the internal network
address (starting with 192.168....). This information should be set
out like the other code changes. But, I don't understand why this is
relevant since even with these settings, we are unable to connect. Or
is RMI somehow supposed to deal with this? Rather, what we believe we
must do is work directly with the router and forward ports from the
router to the appropriate computer on the network.
To port forward, I consult portforward.com; I look up my router (a
Belkin model) and the application I want to connect (MythTV as an
example):
http://portforward.com/english/routers/port_forwarding/Belkin/F5D7632-4/MythTV.htm
This tells me step by step what to do **and** gives the ports and
protocol types (given that my computers have static IP addresses on
the LAN and that I can find them). Here I need the static IP, the
Protocol Type (TCP or UDP or both), the LAN Port (the port on the
router) and the Public Port (the port on the LAN internal computer).
Rinke has found the following information about the ports with respect
to defaults for RMI:
1098 tcp rmiactivation RMI Activation
1098 udp rmiactivation RMI Activation
1099 tcp rmiregistry RMI Registry
1099 udp rmiregistry RMI Registry
3306 tcp mysql MySQL
3306 udp mysql MySQL
80 tcp http World Wide Web HTTP
80 udp http World Wide Web HTTP
8080 tcp http-alt HTTP Alternate (see port 80)
Taken from http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
Are these acceptable?? These are not the ports on portforward.com
(which is mostly for gaming). Indeed, one cannot find either Protege
or rmiregistry listed here:
http://www.portforward.com/cports.htm
I might assume that these are the ports for both the LAN and Public Ports.
Even so, I still need a port for the Protege server.
Notice one last unclarity in the install instructions under Black
Magic Trick #2. I think a mistake crept in here. First, back at the
Working with Firewalls page, we are told to modify the
run_protege_server script with:
PORTOPTS="-Dprotege.rmi.server.port=5200 -Dprotege.rmi.registry.port=5100"
Yet, when we come to Trick #2, we have some unclarity and a switch (again):
http://protegewiki.stanford.edu/index.php/Protege_Client_Server_RMI
See the second LinkSys screen "Gaming and Applications". This is the
parallel for Belkin's Virtual Server. The unclarity is that here you
apparently 'create' two applications 'collab1' and 'collab2'; what are
these, where were they created, and how should others do this? The
switch is for the Port numbers -- now for collab1, we have 5200, which
is the setting for rmi server port. But, then we have port 5300.
What is that?? The graphic (see box labelled Private Network) has the
rmi registry as port 5300, but wasn't this 5100 in the
run_protege_server script? Finally, in the instruction just after the
graphic, the run_protege_server script should have the hostname
modified -- I presume that 24.4.236.98 is the WAN IP address of the
example. So, other people must use their WAN IP address.
One last question. Suppose I get all these ports set up and people
can access and work with Collaborative/Web Protege.... Can you
clarify the security issues with respect to running Protege? How have
you secured the design of the software so that trojans, viruses, etc
cannot infect the machine? I have a Linux machine, so there may be
less of a problem, but still I'd like to know this has been
considered.....
Just so it is said -- I really like Protege, and I'm looking forward
to using it collaboratively.
Best,
Adam Wyner
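As an added example (not from the post above or from the Protege project), the script below reads the two RMI ports out of the PORTOPTS line quoted from the wiki, checks that they are usable as forwarding targets, and then tests whether anything is listening on each one. The PORTOPTS value and the 127.0.0.1 check are constructed for illustration; the helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: parse the PORTOPTS line from run_protege_server and
# verify both RMI ports before forwarding them on the router.
set -u

# Constructed sample, same values as the wiki page quoted in the post.
PORTOPTS='-Dprotege.rmi.server.port=5200 -Dprotege.rmi.registry.port=5100'

# Print the value of one -Dname=value option from a PORTOPTS string.
# usage: portopt "$PORTOPTS" protege.rmi.registry.port
portopt() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p"
}

# Both ports must be numeric, in range and distinct: a port of 0 means
# "pick an anonymous port", which a router cannot forward. Returns 0 if sane.
check_ports() {
    local reg="$1" srv="$2" p
    for p in "$reg" "$srv"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$reg" != "$srv" ]
}

# Test whether something accepts a TCP connection on host:port using
# bash's /dev/tcp. Run on the LAN machine first (127.0.0.1), then from
# outside against the WAN address once the forwarding rules are in place.
port_open() {
    local host="$1" port="$2"
    timeout 2 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

registry=$(portopt "$PORTOPTS" protege.rmi.registry.port)
server=$(portopt "$PORTOPTS" protege.rmi.server.port)

if check_ports "$registry" "$server"; then
    echo "forward TCP $registry (rmiregistry) and TCP $server (protege server)"
    for p in "$registry" "$server"; do
        if port_open 127.0.0.1 "$p"; then
            echo "port $p: listening locally"
        else
            echo "port $p: nothing listening; start the server first"
        fi
    done
else
    echo "bad PORTOPTS: registry=$registry server=$server" >&2
fi
```

Only TCP needs to be forwarded for RMI; forwarding any other port, or the UDP rows from the port list in the post, exposes more than the server uses.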