Metaverse / Ufw firewall in practice => access Second Life with Phoenix Firestorm viewer

As setting up a firewall seems to raise many questions, especially when using games or on Linus Tricks, let's look at one of the oldest Metaverse ancestors, Second Life, and use UFW to set up the firewall.

My configuration

  • ASUS Notebook TUF 15 / 32 GB RAM / NVIDIA 3070 8GB VRAM / NVME 1 TB

  • Manjaro KDE

  • Phoenix Firestorm viewer 6.6.3.67470

When setting up ufw

… and there is a good chance that Second Life doesn't work, as the Linux kernel doesn't work like Windows etc. Moreover, nothing is done to make it simple, as you need to do it by yourself.

So let's look at the log to see what is not working when the ufw firewall is activated the normal way, leading to a stuck avatar and an inconsistent 3D display.

journalctl | grep -i 'ufw block'

And I see that my port 443 is causing a problem.

Then, searching on the web, you may find this link about the different ways ports are managed.

And in the end, the solution seems to be to define the parameters for port 443 not as mentioned in the firewall parameters, but by updating these files:

before.rules

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#TJA Accept all inbound TCP packets to destination port 443
#TJA Stops ufw.log filling with 443 notices despite port 443 being 'allowed'
#TJA https://serverfault.com/questions/957652/ufw-logging-a-block-on-a-permitted-port
-A ufw-before-input -p tcp --dport 443 -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

and before6.rules

# multicast ping replies are part of the ok icmp codes for INPUT (rfc4890,
# 4.4.1 and 4.4.2), but don't have an associated connection and are otherwise
# be marked INVALID, so allow here instead.
-A ufw6-before-input -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

#TJA Accept all inbound TCP packets to destination port 443
#TJA Stops ufw.log filling with 443 notices despite port 443 being 'allowed'
#TJA https://serverfault.com/questions/957652/ufw-logging-a-block-on-a-permitted-port
-A ufw6-before-input -p tcp --dport 443 -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw6-before-input -m conntrack --ctstate INVALID -j ufw6-logging-deny
-A ufw6-before-input -m conntrack --ctstate INVALID -j DROP

Once those files are updated, just type

sudo ufw reload

to have the new parameters reloaded. Phoenix Firestorm then works on the great, refined Manjaro KDE environment and you have access to Second Life, at a quicker speed than Windows 11 by the way.

A few tricks to technically optimize your Second Life experience: use Firestorm preferences

  • to force your screen fps display to the correct rate if your screen is not modern enough to have automatic features (by the way, no need to have your graphics card working at 180 fps if your screen is just 60 Hz)

  • to set your bandwidth correctly (it will avoid crashes or make it work quicker)

  • to set the viewer cache at the maximum size (your SSD is quicker than your optic fiber internet connection)

  • to set the hardware of your graphics card correctly (no need to spend time reloading things that can stay in the VRAM)

etc.

If anyone knows a better way to make it work … I am always open to learn, especially about firewalls as it is far from my domain of expertise. Have fun! And if some are more specialized in the voice part of Linux Manjaro … for now it doesn't work with Phoenix Firestorm and I haven't had time to look at it.

PS: Think about using prime-run to speed up display … and an easy way to do so is to simply make a shortcut with Ctrl+Alt+S to launch Second Life instantly.

PS2: Some would say "of course", but you first need to have configured the ufw firewall. Below is a simple script to configure it, focused on Second Life parameters and to be used along with the 2 file modifications that have been mentioned previously. It can easily be updated to add any other program (Skype, WhatsApp and so on). If you modify it "as is" for some other use while using Second Life, just be careful not to configure port 443 as it is already defined in the "before rules".

#! /bin/zsh

# created: 22-0928
# modified: 22-0928

echo ufw firewall configuration
echo --------------------------
echo .
echo see: https://wiki.manjaro.org/index.php/Firewalls
echo see: https://manpages.ubuntu.com/manpages/jammy/en/man8/ufw.8.html
echo .
echo to check if ufw is installed
echo sudo ufw status
echo .
echo to install ufw on a Manjaro system
echo pamac install ufw
echo .

echo once ufw is installed, restart and enable it
echo sudo ufw enable
echo sudo systemctl enable ufw.service
echo .
read -s -k $'?Press any key to continue or Ctl-C to stop.\n'
echo .

#--------------------------------------
# usual parameters
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow http comment "http"
sudo ufw allow https comment "https"

# to activate the ability to connect from outside
## sudo ufw allow ssh

#--------------------------------------
echo Set parameters for SecondLife
# https://community.secondlife.com/knowledgebase/english/using-second-life-with-a-firewall-or-closed-network-r599/
## tcp ports
sudo ufw allow 53/tcp comment "Second Life"
sudo ufw allow 80/tcp comment "Second Life"
sudo ufw allow 443/tcp comment "Second Life"
sudo ufw allow 12043/tcp comment "Second Life"
sudo ufw allow 12046/tcp comment "Second Life"
sudo ufw allow 21002/tcp comment "Second Life"
## udp ports
sudo ufw allow 53/udp comment "Second Life"
sudo ufw allow 3478/udp comment "Second Life"
sudo ufw allow 3479/udp comment "Second Life"
sudo ufw allow 5060/udp comment "Second Life"
sudo ufw allow 5062/udp comment "Second Life"
sudo ufw allow 12000:29999/udp comment "Second Life"

#--------------------------------------
# echo disable ufw logging
# sudo ufw logging off

echo enable ufw logging
sudo ufw logging on

# -------------------------------------
# display status
echo .
sudo ufw status verbose numbered

Moderator edit: In the future, please use proper formatting: [HowTo] Post command output and file content as formatted text
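
For the log check at the top of the post (`journalctl | grep -i 'ufw block'`), the following added example (not part of the original post) sorts `[UFW BLOCK]` lines by the side on which port 443 appears, since a `--dport 443` rule in `ufw-before-input` only matches packets addressed to local port 443. The function names, class labels and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.
# Usage on a live system: journalctl -k | classify_ufw_blocks

# Print "<count> <class>" for every [UFW BLOCK] line read on stdin.
classify_ufw_blocks() {
    awk '
    /\[UFW BLOCK\]/ {
        dir = "in"; proto = "?"; spt = ""; dpt = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "IN=")          dir = "out"   # empty IN= : packet was leaving this host
            else if ($i ~ /^PROTO=/)  proto = substr($i, 7)
            else if ($i ~ /^SPT=/)    spt = substr($i, 5)
            else if ($i ~ /^DPT=/)    dpt = substr($i, 5)
            else if ($i == "SYN")     syn = 1
            else if ($i == "ACK")     ack = 1
        }
        if (dir == "in" && proto == "TCP" && dpt == "443") {
            # Addressed to local port 443: the only case "--dport 443" matches.
            cls = (syn && !ack) ? "to-local-443:new-connection" : "to-local-443:mid-stream"
        } else if (dir == "in" && proto == "TCP" && spt == "443") {
            # Sent from a remote port 443 to a local client port.
            cls = "from-remote-443:reply-traffic"
        } else {
            cls = "other"
        }
        count[cls]++
    }
    END { for (c in count) print count[c], c }
    ' | sort -k2
}

# Constructed sample lines in the UFW kernel-log format (documentation addresses).
sample_log() {
    cat <<'EOF'
Sep 28 10:15:01 tuf kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=203.0.113.10 DST=192.168.1.20 LEN=40 TTL=52 PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK FIN URGP=0
Sep 28 10:15:03 tuf kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=203.0.113.10 DST=192.168.1.20 LEN=40 TTL=52 PROTO=TCP SPT=443 DPT=51240 WINDOW=0 RES=0x00 RST URGP=0
Sep 28 10:15:07 tuf kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=198.51.100.7 DST=192.168.1.20 LEN=60 TTL=48 PROTO=TCP SPT=40022 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Sep 28 10:15:08 tuf kernel: [UFW BLOCK] IN=wlan0 OUT= SRC=192.168.1.1 DST=224.0.0.251 LEN=68 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=48
Sep 28 10:15:09 tuf systemd[1]: Started Session 3 of user demo.
EOF
}

sample_log | classify_ufw_blocks
```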