[protege-discussion] Router set up for Collaborative/Web Protege
Timothy Redmond
tredmond at stanford.edu
Mon Jul 6 08:18:42 PDT 2009
> I'm forwarding the following message to you directly as I got an odd
> 'bounced/message not delivered' email when I sent the email to the
> discussion list.
This should really be on the list (and later added to the wiki). Are
you subscribed? See
https://mailman.stanford.edu/mailman/listinfo/protege-discussion.
I will add some troubleshooting tips at the end after responding to
your points. First, the wiki is using the settings
> PORTOPTS="-Dprotege.rmi.server.port=5200 -Dprotege.rmi.registry.port=5300"
I need to clarify this on the wiki (it will take longer to change the
diagrams...).
> So far as we can tell, the port forwarding solution is Black Magic
> Trick #2 on the protege info on RMI:
>
> http://protegewiki.stanford.edu/index.php/Protege_Client_Server_RMI
>
> It is not clear to me that NAT is the relevant point here; we made the
> changes recommended and it didn't work. Rather, the focus of the
> remaining problems seem to be on the relation between the WAN IP
> address-Router Ports-Computer Ports.
I think that NAT is exactly the relevant point here (no??). In the
simple firewall case, the machines inside the firewall are still
addressable inside the protected network even if they cannot be
accessed. Thus, for instance, in the case of
smi-tredmond-li.stanford.edu, attempts to access the open ssh port
will be blocked en route to the smi-tredmond-li machine. To open
access to ssh, all that needs to be done at the firewall is to open
the port.
In contrast, my home machine has an IP address of 192.168.2.62. If
you try to access this address it will simply fail. No router
(outside my home network) will know how to send this to my home
machine and no firewall is involved. Instead you need to access the
router that is at the entrance to my home site (elliptic.dyndns.org)
and this will forward ssh requests to the machine that cannot be
otherwise addressed.
If you are using the black magic tricks you need to be certain that
you are in case #2 (address translation) rather than case #1. My
default guess would be that a university would tend to use firewalls
rather than NAT but they may have run out of IP addresses. Even if
you are running NAT, I would wonder if there is a firewall outside the
NAT router.
The web site
http://www.dslreports.com/whois
will allow you to distinguish these two cases. If the address shown
is not your own then there is a NAT router doing address translation
between you and the www.dslreports.com host. Otherwise you have a
simple (well maybe not so simple...) firewall.
> However, as noted, the
> default for rmiregistry is 1099. Why was the default not used? And
> how was port 5200 selected? By the same token, if I use the 'default'
> of 1099 for rmiregistry, what is the recommended port for the Protege
> server?
The ports don't really matter and 1099 is fine. But one small
comment. If you open a standard port, attackers will know what this
means and will direct rmiregistry attacks at that port. If you use a
non-standard port, an attacker will have to do a bit more (not too
much) work. Many of the attackers of open ports are trojans (e.g.
viruses, worms) so they may not actually be that intelligent. There
is no recommended port for the protege server either.
> True, it does open up a vulnerability, but this depends on which port
> and whether the software has been designed intelligently to protect
> the host computer from abuse.
Yes - I would agree with you in theory. But any software will put you
at risk. Even ssh (which I use extensively and in which I have great
trust) has had (fixed) vulnerabilities which have been actively
attacked. I don't know how secure the jvm architecture is with
respect to security threats. I also don't know if the Protege
architecture adds any risks.
> See the second LinkSys screen "Gaming and Applications". This is the
> parallel for Belkin's Virtual Server. The unclarity is that here you
> apparently 'create' two applications 'collab1' and 'collab2'; what are
> these, where were they created, and how should others do this?
If you look at the start of this page (How does RMI work?) you can see
that there are two connections made by the client. One is to the
rmiregistry and one is to the protege server. These two connections
have different ports. I think, btw, that linksys's use of the word
"application" to describe these port forwarding rules is misleading.
> The
> switch is for the Port numbers -- now for collab1, we have 5200, which
> is the setting for rmi server port. But, then we have port 5300.
> What is that??
This is the Protege server port.
> The graphic (see box labelled Private Network) has the
> rmi registry as port 5300, but wasn't this 5100 in the
> run_protege_server script?
I should add a comment at the beginning of this wiki page about using
5200 and 5300.
> Finally, in the instruction just after the
> graphic, the run_protege_server script should have the hostname
> modified -- I presume that 24.4.236.98 is the WAN IP address of the
> example. So, other people must use their WAN IP address.
Yes.
Troubleshooting:
First of all, it would help if we know what you mean by "we still
can't connect". Exactly what steps are taken? What is on the console? There
have been some changes in the latest Protege 3.4 to printout some
useful information on the console when a connection fails.
Second, you can check with telnet if all the port forwarding is
working. First you can check on the machine hosting the rmiregistry
and the server. In the case on the wiki, you would run
telnet localhost 5300
on the protege server machine to see if you can connect to the
rmiregistry and
telnet localhost 5200
to see if you can connect to the protege server. You should see a
connect message. If this doesn't work then the rmiregistry or the
server are not set up correctly. The network routing configuration is
not yet the issue.
Then you can try outside the NAT router. Again in the wiki example,
from outside the router you can try
telnet 24.4.236.98 5300
to see if you are forwarded to the rmiregistry and
telnet 24.4.236.98 5200
to see if you are forwarded to the protege server. If this doesn't
work but the first one does then there is a problem with the
forwarding and network settings and Protege is not (yet) involved in
the problem.
Cheers,
-Timothy
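As an added example (not code from the Protege project, the wiki, or either correspondent), the following Python script automates the two-stage telnet check described under "Troubleshooting" and the NAT-versus-firewall test described earlier in the reply, and turns the results into the same order-of-elimination conclusions. It keeps the wiki's example values (rmiregistry on 5300, Protege server on 5200, WAN address 24.4.236.98); the status labels, the function names and the decision table in diagnose() are assumptions made for illustration, and the loopback listener exists only so probe() can be exercised on a machine with no router in front of it.

```python
"""Two-stage reachability check for a Protege RMI server behind a NAT router.

Added example, not part of the Protege project or of the original message.
Stage 1 probes the rmiregistry and server ports on the host itself; stage 2
probes the same ports on the WAN address, which only means something when the
script is run from outside the router. Ports and WAN address are the wiki's
example values; the labels and the decision table are assumptions.
"""
import ipaddress
import socket

REGISTRY_PORT = 5300          # -Dprotege.rmi.registry.port in the wiki example
SERVER_PORT = 5200            # -Dprotege.rmi.server.port in the wiki example
WAN_ADDRESS = "24.4.236.98"   # the wiki's example WAN address; use your own


def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt the way a telnet test is read.

    "open"        handshake completed: something listens and the path,
                  forwarding included, works
    "refused"     RST came back: the path works, nothing listens there
    "filtered"    silence until the timeout: a firewall drops the SYN, or a
                  forwarding rule points at a host that does not answer
    "unreachable" no route, DNS failure or another OS-level error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "unreachable"


def run_stage(host):
    """Probe both Protege ports on one host (localhost or the WAN address)."""
    return {"registry": probe(host, REGISTRY_PORT),
            "server": probe(host, SERVER_PORT)}


def diagnose(local, external):
    """Apply the order of elimination from the message.

    local/external are run_stage() results. Returns (verdict, detail):
      "fix-server"      stage 1 failed: rmiregistry or server not up, the
                        router is not yet the problem
      "fix-forwarding"  stage 1 passed, stage 2 failed: router/firewall
                        rules are wrong, Protege is not yet involved
      "ok"              both stages pass
    """
    bad_local = sorted(n for n, s in local.items() if s != "open")
    if bad_local:
        return "fix-server", "not listening locally: " + ", ".join(bad_local)
    bad_ext = sorted(n for n, s in external.items() if s != "open")
    if bad_ext:
        return "fix-forwarding", "not reachable via WAN: " + ", ".join(
            "%s=%s" % (n, external[n]) for n in bad_ext)
    return "ok", ("both ports reachable; if clients still fail, check that "
                  "the server was started with the WAN address as hostname")


def is_translated(local_ip, observed_ip):
    """The NAT test from the message: compare your own interface address
    with the address an outside host reports seeing. Private address space
    is translated by definition; otherwise the two must match for the
    plain-firewall case."""
    local = ipaddress.ip_address(local_ip)
    return local.is_private or local != ipaddress.ip_address(observed_ip)


def open_listener():
    """Bind a throwaway listener on loopback so probe() can be exercised
    without a router; the caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s


if __name__ == "__main__":
    import sys
    wan = sys.argv[1] if len(sys.argv) > 1 else WAN_ADDRESS
    stage1 = run_stage("localhost")
    stage2 = run_stage(wan)
    print("local:", stage1)
    print("wan:  ", stage2)
    print(*diagnose(stage1, stage2))
```

Run it once on the server host (stage 1 is the meaningful part there) and once from a host outside the router with the WAN address as argument; a "filtered" result on the WAN side with "open" locally is the forwarding problem the reply describes, while "refused" on the WAN side usually means the router forwards to a LAN host that is up but not running the service.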
On Jul 6, 2009, at 4:11 AM, adam at wyner.info wrote:
> Hi All,
>
> I'm forwarding the following message to you directly as I got an odd
> 'bounced/message not delivered' email when I sent the email to the
> discussion list.
>
> Rinke and I are very much looking forward to setting up Collaborative
> Protege/WebProtege on our machines.
>
> Cheers,
> Adam Wyner
>
> ----- Forwarded message from adam at wyner.info -----
> Date: Mon, 06 Jul 2009 10:44:35 +0000
> From: adam at wyner.info
> Reply-To: adam at wyner.info
> Subject: Router set up for Collaborative/Web Protege
> To: Protege Discussion <protege-discussion at lists.stanford.edu>
> Cc: Rinke Hoekstra <hoekstra at uva.nl>, Roshan Sembacuttiaratch
> <roshan at sembacuttiaratchy.com>
>
> Hi Protege Community,
>
> Rinke Hoekstra and I are trying to set up Collaborative/Web Protege,
> but we are having difficulty configuring the router correctly. The
> instructions on these matters are not clear. And we have a security
> concern. Perhaps there is something we don't understand about the
> setup, but the setup information does not help us get it running.
>
> We've looked carefully through all the available documentation,
> including discussion lists. If we have missed something, please let
> me know. BTW -- where are the slides from the Protege Conference
> Tutorial on this topic?
>
> I am working at home with a router; Rinke is working via a university
> system. So, we are both working behind firewalls, and I'm sure most
> people will be. We'd prefer not to require users to ssh into our
> machines to access protege, but rather to use port forwarding. This
> is very common for web-based services and games:
>
> http://portforward.com/
>
> In fact, this page has information which will be helpful to users
> setting up protege on their home machines as it gives step by step
> directions for a range of routers. In general, we imagine that most
> people will be behind firewalls and want relatively open access to
> collaborative/web protege (which is the point, no?) So, how to
> securely set up port forwarding should be very clear and helpfully
> laid out. It should not, in principle, be any more threatening to
> security or more difficult to accomplish than the many games etc out
> there....
>
> So far as we can tell, the port forwarding solution is Black Magic
> Trick #2 on the protege info on RMI:
>
> http://protegewiki.stanford.edu/index.php/Protege_Client_Server_RMI
>
> It is not clear to me that NAT is the relevant point here; we made the
> changes recommended and it didn't work. Rather, the focus of the
> remaining problems seem to be on the relation between the WAN IP
> address-Router Ports-Computer Ports.
>
> On my router (a Belkin), I need to know **exactly** which ports to set
> up on the Virtual Server.... Again, this is a very common thing to do
> for gamers, and I can follow the directions from portforward.com.
> True, it does open up a vulnerability, but this depends on which port
> and whether the software has been designed intelligently to protect
> the host computer from abuse.
>
> Now, about the selection of the ports. The installation instructions
> need to be clearer. First of all, the 'non-advanced' instructions are
> very likely not going to work for most people (who have a firewall).
> People should be told of these issues early on as otherwise the
> installation seems easy, but cannot be done. So, the instructions on
> ports cannot be buried as an 'advanced' topic:
>
> http://protegewiki.stanford.edu/index.php/Protege_Client_Server_Tutorial_Advanced
>
> Second, let's look at the specifics on the ports. I am using Ubuntu
> 9.04 (windows folks can derive info from this discussion presumably).
> Look at the Working with Firewalls section. Yes, the protege server
> is going to run from inside a firewall, so I need two ports.... In
> the running example, we have one port 5100 for the rmiregistry and
> another port 5200 for the Protege server. However, as noted, the
> default for rmiregistry is 1099. Why was the default not used? And
> how was port 5200 selected? By the same token, if I use the 'default'
> of 1099 for rmiregistry, what is the recommended port for the Protege
> server? With the correct port information, I can edit the
> run_protege_server script....
>
> Third, in the section (above Configuration Settings) on NAT, the
> hostname information should be a lot clearer. This should be (so far
> as I can tell), the IP address of the WAN, not the internal network
> address (starting with 192.168....). This information should be set
> out like the other code changes. But, I don't understand why this is
> relevant since even with these settings, we are unable to connect. Or
> is RMI somehow supposed to deal with this? Rather, what we believe we
> must do is work directly with the router and forward ports from the
> router to the appropriate computer on the network.
> To port forward, I consult portforward.com; I look up my router (a
> Belkin model) and the application I want to connect (MythTV as an
> example):
>
> http://portforward.com/english/routers/port_forwarding/Belkin/F5D7632-4/MythTV.htm
>
> This tells me step by step what to do **and** gives the ports and
> protocol types (given that my computers have static IP addresses on
> the LAN and that I can find them). Here I need the static IP, the
> Protocol Type (TCP or UDP or both), the LAN Port (the port on the
> router) and the Public Port (the port on the LAN internal computer).
>
> Rinke has found the following information about the ports with respect
> to defaults for RMI:
>
> 1098 tcp rmiactivation RMI Activation
> 1098 udp rmiactivation RMI Activation
> 1099 tcp rmiregistry RMI Registry
> 1099 udp rmiregistry RMI Registry
> 3306 tcp mysql MySQL
> 3306 udp mysql MySQL
> 80 tcp http World Wide Web HTTP
> 80 udp http World Wide Web HTTP
> 8080 tcp http-alt HTTP Alternate (see port 80)
>
> Taken from http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
>
> Are these acceptable?? These are not the ports on portforward.com
> (which is mostly for gaming). Indeed, one cannot find either Protege
> or rmiregistry listed here:
>
> http://www.portforward.com/cports.htm
>
> I might assume that these are the ports for both the LAN and Public
> Ports.
> Even so, I still need a port for the Protege server.
>
> Notice one last unclarity in the install instructions under Black
> Magic Trick #2. I think a mistake crept in here. First, back at the
> Working with Firewalls page, we are told to modify the
> run_protege_server script with:
>
> PORTOPTS="-Dprotege.rmi.server.port=5200 -Dprotege.rmi.registry.port=5100"
>
> Yet, when we come to Trick #2, we have some unclarity and a switch
> (again):
>
> http://protegewiki.stanford.edu/index.php/Protege_Client_Server_RMI
>
> See the second LinkSys screen "Gaming and Applications". This is the
> parallel for Belkin's Virtual Server. The unclarity is that here you
> apparently 'create' two applications 'collab1' and 'collab2'; what are
> these, where were they created, and how should others do this? The
> switch is for the Port numbers -- now for collab1, we have 5200, which
> is the setting for rmi server port. But, then we have port 5300.
> What is that?? The graphic (see box labelled Private Network) has the
> rmi registry as port 5300, but wasn't this 5100 in the
> run_protege_server script? Finally, in the instruction just after the
> graphic, the run_protege_server script should have the hostname
> modified -- I presume that 24.4.236.98 is the WAN IP address of the
> example. So, other people must use their WAN IP address.
>
> One last question. Suppose I get all these ports set up and people
> can access and work with Collaborative/Web Protege.... Can you
> clarify the security issues with respect to running Protege? How have
> you secured the design of the software so that trojans, viruses, etc
> cannot infect the machine? I have a Linux machine, so there may be
> less of a problem, but still I'd like to know this has been
> considered.....
>
> Just so it is said -- I really like Protege, and I'm looking forward
> to using it collaboratively.
>
> Best,
> Adam Wyner
>
>
> ----- End forwarded message -----