[protege-discussion] Fwd: Router set up for Collaborative/Web Protege

Timothy Redmond tredmond at stanford.edu
Mon Jul 6 08:39:24 PDT 2009



Begin forwarded message:

> From: Timothy Redmond <tredmond at stanford.edu>
> Date: July 6, 2009 6:23:52 AM PDT
> To: adam at wyner.info
> Cc: noy at stanford.edu, jvendetti at stanford.edu, tudorache at stanford.edu
> Subject: Re: Router set up for Collaborative/Web Protege
>
>
> Hi -
>
> This is probably a question for me.  Tania knows enough (probably with
> some help from Alex) but I am the one who wrote the black magic tip and
> who has set this up before.  I will try to take a look later this
> morning but otherwise I won't be in to work until tomorrow.
>
> You provide a lot of details (which is great!).
>
>>> See the second LinkSys screen "Gaming and Applications".  This is the
>>> parallel for Belkin's Virtual Server.  The unclarity is that here you
>>> apparently 'create' two applications 'collab1' and 'collab2'; what are
>>> these, where were they created, and how should others do this?
>
>
> You need to forward the port for the rmiregistry and the port for the
> protege server.  These are the same as the ports set in the protege
> server script:
>
>> PORTOPTS="-Dprotege.rmi.server.port=5200 -Dprotege.rmi.registry.port=5100"
>
>> One last question.  Suppose I get all these ports set up and people
>> can access and work with Collaborative/Web Protege....  Can you
>> clarify the security issues with respect to running Protege?  How have
>> you secured the design of the software so that trojans, viruses, etc
>> cannot infect the machine?  I have a Linux machine, so there may be
>> less of a problem, but still I'd like to know this has been
>> considered.....
>
> As for Protege in particular - I am not sure and to the truly security
> minded this is a bad sign.  You are opening ports to the protege server
> which could come under attack.  In particular any buffer overflow will
> give the attacker full access to the account that Protege is running
> under.  This would be a jvm bug but perhaps attackers know something
> like this.
>
> But Protege can be run in user space.  If security is an issue this can
> be used to confine the risks somewhat.  In particular you can make a
> fake user account.  It is known that full access to even a fake user
> account can be bad but the risks are now going down dramatically.  It
> really depends how careful you want to be.  (I have a security
> background and can be paranoid.)
>
> In general, opening ports on a router or firewall is always dangerous.
> But if you are doing it you probably know what you are doing.
>
> -Timothy
>
>
> On Jul 6, 2009, at 4:11 AM, adam at wyner.info wrote:
>
>> Hi All,
>>
>> I'm forwarding the following message to you directly as I got an odd
>> 'bounced/message not delivered' email when I sent the email to the
>> discussion list.
>>
>> Rinke and I are very much looking forward to setting up Collaborative
>> Protege/WebProtege on our machines.
>>
>> Cheers,
>> Adam Wyner
>>
>> ----- Forwarded message from adam at wyner.info -----
>>    Date: Mon, 06 Jul 2009 10:44:35 +0000
>>    From: adam at wyner.info
>> Reply-To: adam at wyner.info
>> Subject: Router set up for Collaborative/Web Protege
>>      To: Protege Discussion <protege-discussion at lists.stanford.edu>
>>      Cc: Rinke Hoekstra <hoekstra at uva.nl>, Roshan Sembacuttiaratch
>> <roshan at sembacuttiaratchy.com>
>>
>> Hi Protege Community,
>>
>> Rinke Hoekstra and I are trying to set up Collaborative/Web Protege,
>> but we are having difficulty configuring the router correctly.  The
>> instructions on these matters are not clear.  And we have a security
>> concern.  Perhaps there is something we don't understand about the
>> setup, but the setup information does not help us get it running.
>>
>> We've looked carefully through all the available documentation,
>> including discussion lists.  If we have missed something, please let
>> me know.  BTW -- where are the slides from the Protege Conference
>> Tutorial on this topic?
>>
>> I am working at home with a router; Rinke is working via a university
>> system.  So, we are both working behind firewalls, and I'm sure most
>> people will be.  We'd prefer not to require users to ssh into our
>> machines to access protege, but rather to use port forwarding.  This
>> is very common for web-based services and games:
>>
>> http://portforward.com/
>>
>> In fact, this page has information which will be helpful to users
>> setting up protege on their home machines as it gives step by step
>> directions for a range of routers.  In general, we imagine that most
>> people will be behind firewalls and want relatively open access to
>> collaborative/web protege (which is the point, no?)  So, how to
>> securely set up port forwarding should be very clear and helpfully
>> laid out.  It should not, in principle, be any more threatening to
>> security or more difficult to accomplish than the many games etc out
>> there....
>>
>> So far as we can tell, the port forwarding solution is Black Magic
>> Trick #2 on the protege info on RMI:
>>
>> http://protegewiki.stanford.edu/index.php/Protege_Client_Server_RMI
>>
>> It is not clear to me that NAT is the relevant point here; we made the
>> changes recommended and it didn't work.  Rather, the focus of the
>> remaining problems seems to be on the relation between the WAN IP
>> address-Router Ports-Computer Ports.
>>
>> On my router (a Belkin), I need to know **exactly** which ports to set
>> up on the Virtual Server....  Again, this is a very common thing to do
>> for gamers, and I can follow the directions from portforward.com.
>> True, it does open up a vulnerability, but this depends on which port
>> and whether the software has been designed intelligently to protect
>> the host computer from abuse.
>>
>> Now, about the selection of the ports.  The installation instructions
>> need to be clearer.  First of all, the 'non-advanced' instructions are
>> very likely not going to work for most people (who have a firewall).
>> People should be told of these issues early on as otherwise the
>> installation seems easy, but cannot be done.  So, the instructions on
>> ports cannot be buried as an 'advanced' topic:
>>
>> http://protegewiki.stanford.edu/index.php/Protege_Client_Server_Tutorial_Advanced
>>
>> Second, let's look at the specifics on the ports.  I am using Ubuntu
>> 9.04 (windows folks can derive info from this discussion presumably).
>> Look at the Working with Firewalls section.  Yes, the protege server
>> is going to run from inside a firewall, so I need two ports....  In
>> the running example, we have one port 5100 for the rmiregistry and
>> another port 5200 for the Protege server.  However, as noted, the
>> default for rmiregistry is 1099.  Why was the default not used?  And
>> how was port 5200 selected?  By the same token, if I use the 'default'
>> of 1099 for rmiregistry, what is the recommended port for the Protege
>> server?  With the correct port information, I can edit the
>> run_protege_server script....
>>
>> Third, in the section (above Configuration Settings) on NAT, the
>> hostname information should be a lot clearer.  This should be (so far
>> as I can tell), the IP address of the WAN, not the internal network
>> address (starting with 192.168....).  This information should be set
>> out like the other code changes.  But, I don't understand why this is
>> relevant since even with these settings, we are unable to connect.  Or
>> is RMI somehow supposed to deal with this?  Rather, what we believe we
>> must do is work directly with the router and forward ports from the
>> router to the appropriate computer on the network.
>> To port forward, I consult portforward.com; I look up my router (a
>> Belkin model) and the application I want to connect (MythTV as an
>> example):
>>
>> http://portforward.com/english/routers/port_forwarding/Belkin/F5D7632-4/MythTV.htm
>>
>> This tells me step by step what to do **and** gives the ports and
>> protocol types (given that my computers have static IP addresses on
>> the LAN and that I can find them).  Here I need the static IP, the
>> Protocol Type (TCP or UDP or both), the LAN Port (the port on the
>> router) and the Public Port (the port on the LAN internal computer).
>>
>> Rinke has found the following information about the ports with respect
>> to defaults for RMI:
>>
>> 1098 tcp rmiactivation RMI Activation
>> 1098 udp rmiactivation RMI Activation
>> 1099 tcp rmiregistry RMI Registry
>> 1099 udp rmiregistry RMI Registry
>> 3306 tcp mysql MySQL
>> 3306 udp mysql MySQL
>> 80   tcp http World Wide Web HTTP
>> 80   udp http World Wide Web HTTP
>> 8080 tcp http-alt HTTP Alternate (see port 80)
>>
>> Taken from http://www.neohapsis.com/neolabs/neo-ports/neo-ports.html
>>
>> Are these acceptable??  These are not the ports on portforward.com
>> (which is mostly for gaming).  Indeed, one cannot find either Protege
>> or rmiregistry listed here:
>>
>> http://www.portforward.com/cports.htm
>>
>> I might assume that these are the ports for both the LAN and Public
>> Ports.  Even so, I still need a port for the Protege server.
>>
>> Notice one last unclarity in the install instructions under Black
>> Magic Trick #2.  I think a mistake crept in here.  First, back at the
>> Working with Firewalls page, we are told to modify the
>> run_protege_server script with:
>>
>> PORTOPTS="-Dprotege.rmi.server.port=5200 -Dprotege.rmi.registry.port=5100"
>>
>> Yet, when we come to Trick #2, we have some unclarity and a switch
>> (again):
>>
>> http://protegewiki.stanford.edu/index.php/Protege_Client_Server_RMI
>>
>> See the second LinkSys screen "Gaming and Applications".  This is the
>> parallel for Belkin's Virtual Server.  The unclarity is that here you
>> apparently 'create' two applications 'collab1' and 'collab2'; what are
>> these, where were they created, and how should others do this?  The
>> switch is for the Port numbers -- now for collab1, we have 5200, which
>> is the setting for rmi server port.  But, then we have port 5300.
>> What is that??  The graphic (see box labelled Private Network) has the
>> rmi registry as port 5300, but wasn't this 5100 in the
>> run_protege_server script?  Finally, in the instruction just after the
>> graphic, the run_protege_server script should have the hostname
>> modified -- I presume that 24.4.236.98 is the WAN IP address of the
>> example.  So, other people must use their WAN IP address.
>>
>> One last question.  Suppose I get all these ports set up and people
>> can access and work with Collaborative/Web Protege....  Can you
>> clarify the security issues with respect to running Protege?  How have
>> you secured the design of the software so that trojans, viruses, etc
>> cannot infect the machine?  I have a Linux machine, so there may be
>> less of a problem, but still I'd like to know this has been
>> considered.....
>>
>> Just so it is said -- I really like Protege, and I'm looking forward
>> to using it collaboratively.
>>
>> Best,
>> Adam Wyner
>>
>>
>> ----- End forwarded message -----
>>
>>
>
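The thread boils down to two TCP ports (the rmiregistry port and the Protege server port from PORTOPTS) that have to be forwarded, and nothing else. The script below is an added example, not Protege project code: it reads the two ports out of a run_protege_server-style script and compares them with what the java process actually listens on (in `ss -ltnp` format), so an RMI export that landed on an anonymous port (the case the port options exist to prevent) is reported rather than silently broken by NAT or opened on the router by guesswork. It assumes the PORTOPTS line quoted above and uses a constructed script and constructed `ss` output so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Protege project or of the thread above.
# Cross-checks the two TCP ports to forward for a Collaborative Protege
# server against (a) the PORTOPTS line in run_protege_server and (b) the
# ports the java process really listens on. RMI exports objects on an
# anonymous port unless a port is given, which is why PORTOPTS pins them.
# Assumptions: run_protege_server has a PORTOPTS="..." line as quoted in
# the thread; listener lines are in `ss -ltnp` format (constructed below).

# Print "<registry_port> <server_port>" parsed from PORTOPTS, or fail.
protege_ports() {
    opts=$(grep '^PORTOPTS=' "$1") || return 1
    reg=$(printf '%s\n' "$opts" | sed -n 's/.*registry\.port=\([0-9][0-9]*\).*/\1/p')
    srv=$(printf '%s\n' "$opts" | sed -n 's/.*server\.port=\([0-9][0-9]*\).*/\1/p')
    [ -n "$reg" ] && [ -n "$srv" ] || return 1
    printf '%s %s\n' "$reg" "$srv"
}

# Read `ss -ltnp` output on stdin; print each TCP port a java process
# listens on that is not among the expected ports given as arguments.
unexpected_java_ports() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == "LISTEN" && index($0, "\"java\"") {
            n = split($4, a, ":"); if (!(a[n] in ok)) print a[n]
        }'
}

# --- constructed sample data (stands in for the real script and `ss -ltnp`) ---
TMP=$(mktemp); trap 'rm -f "$TMP"' EXIT
printf '%s\n' '#!/bin/sh' \
  'PORTOPTS="-Dprotege.rmi.server.port=5200 -Dprotege.rmi.registry.port=5100"' > "$TMP"
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:5100        0.0.0.0:*         users:(("java",pid=4242,fd=12))
LISTEN 0      50     0.0.0.0:5200        0.0.0.0:*         users:(("java",pid=4242,fd=13))
LISTEN 0      50     0.0.0.0:39517       0.0.0.0:*         users:(("java",pid=4242,fd=14))
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=900,fd=7))'

set -- $(protege_ports "$TMP")
echo "forward TCP $1 (rmiregistry) and TCP $2 (protege server); RMI does not use UDP"
extra=$(printf '%s\n' "$SAMPLE_SS" | unexpected_java_ports "$1" "$2")
if [ -z "$extra" ]; then echo "OK: java listens only on the forwarded ports"
else echo "WARNING: java also listens on TCP $extra (an RMI port option not set?)"; fi
```

On a live box replace the sample with `ss -ltnp | unexpected_java_ports "$1" "$2"`; the UDP rows in the neohapsis list are not needed for RMI, so only the two TCP entries belong in the router's Virtual Server table.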