Hosting for Dummies

A beginner’s guide to hosting.
This little guide is written to help people understand the basics of hosting. I have tried to keep away from the technical babble, but some basic knowledge is needed, so let’s go on to chapter one: Internet basics.
Internet Basics

All Internet communication uses 3 main parts:
IP addresses: This is the address you have, or the address of the host you are connecting to.
Ports are used to keep traffic separated, and give the ability to have several services (like http @ port 80, https @ port 443) or programs running at one IP address.
Protocols are the “language” used. For LFS we need TCP and UDP.
TCP uses a “handshake” for each packet, so that every packet delivery is confirmed. This creates more traffic, but is reliable and the sender knows that the data was delivered. TCP also resends lost packets automatically. LFS uses TCP for control data, like race restarts.
UDP just sends packets, and hopes they arrive at the recipient. It’s a much quicker method, but unreliable. LFS uses UDP for sending car position data.
To be able to communicate we need some hardware: NIC: Network Interface Card, or for short: network card. Routers keep track of where to send the traffic.
Some services: DNS, Dynamic Name Server. This helps you to use names for hosts, so you just need to remember www.google.com instead of 66.102.11.99 (Google’s IP address). DNS is not necessary for LFS, but used for almost everything else …
Security: A firewall is a system or program used to only let approved traffic through.
And finally, some other terms used:
DHCP, Dynamic Host Configuration Protocol. This assigns an unused IP address automatically, helping to reduce the number of unused IP addresses. Some ISPs force a new IP address every now and then.
Public IP is the IP address you use to connect to the Internet, or the IP you connect to. This must be a unique address (you will be assigned this from your ISP using your ISP’s DHCP server). Also called “outside”.
Private IP: Your home router assigns you a private IP; this address is within some specific ranges. A commonly used range is 10.x.x.x; the second range, the most common default for your typical home router, is 192.168.x.x; the third range is 172.16-31.x.x. Also called “inside”.
NAT, Network Address Translation. This is a very clever system; it protects you very well from the Internet, and gives you the possibility to have several PCs on the “inside”:
  [PC1] -->
  [PC2] --> [Router with NAT] --> Internet
  [PC3] -->
When using NAT your private IP address is translated to your public IP, making it possible for you to get on the net.
Lots of stuff, and new words, but it’s needed to understand why you need port mapping.
Let’s move on to “How it works”.
How the Internet works

A simple sample, direct connection to the Internet:
  [PC1] --> [Internet] --> [www.google.com]
Your PC has a valid public IP, and you want to browse Google’s web pages. Your PC first makes a DNS lookup to find Google’s public IP. HTTP uses port 80, so your PC connects to Google’s public IP at port 80 and you can read the page. What you don’t see is that your PC is using an unused port above 1024 to connect to Google, let’s say port 1050, so what really happens is: your PC opens port 1050 for outgoing traffic, and sends a “Get” request to Google’s web server at port 80. The server opens the file and sends it back to your client at port 1050.
A sample with NAT, connection with a router:
  [PC1] -->
  [PC2] --> [Router with NAT] --> [Internet] --> [www.google.com]
  [PC3] -->
Your PC has a valid private IP, and your router has a valid public IP. Your PC requests a page at Google; it uses a port over 1024, let’s reuse 1050. The request goes through your router, and is translated to your router’s public IP, with a new port; let’s say the request that reaches google.com is from your router’s public IP at port 23050. Google answers back to your router’s public IP at port 23050, and the router remembers that it was your PC, at its private IP and at port 1050, that the request came from, and sends the data back to your PC’s private IP at port 1050.
LFS’s default server port is 63392, which means your PC uses a port higher than 1024 and connects to the LFS host’s IP at port 63392. LFS can be set to use any port.
Still hanging on? Let’s move on to Security.
Security

Security is a BIG issue when connected to the Internet. “Out there” you have hackers and Internet-spreading viruses that want to spoil your fun; it’s just like the demo servers. To protect yourself you must use a firewall.
The most common thing is the built-in firewall in Windows XP. This is turned on when enabling the Internet Connection Sharing function. Windows XP SP2 also turns the firewall on by default.
Another common solution is a “Personal Firewall”. This is an application you run on your computer, making sure that only approved programs can access the Internet. The usual way is: when a “new program” requests an Internet connection, a dialog pops up asking you to grant or deny access, or grant permanent access.
Another solution is to have an extra “box”, a PC or a “black box” (black box is a term for a system running an “unknown” OS with an “unknown” firewall).
At home this is most commonly your home gateway. It’s a small box with lots of lights on it. It can also run on a separate PC, using Linux (or other Unix-like OS, FreeBSD is very secure and quite popular), but if you have that solution you probably are no dummy and don’t need to read this guide.
Most external router/firewall solutions come with NAT. The default behaviour of NAT makes sure that NO connections from the outside make it through the router, but ANY connection from the inside will be let out.
Problems with the firewall can be hard to diagnose; very often it “just doesn’t work” with no error messages. You might be able to see blocked traffic in your router’s log though; look for a message that a packet sent to port 63392 (or your chosen LFS port) was blocked.
Still hanging around? Wanna be crazy? Go on to “Security, the tuff stuff”. Or just a little bit crazy? Check out “LFS hosting with a firewall”.
Or move on to “Why we need port mapping”.
Security the tuff stuff ...

WARNING: This chapter may make you feel dizzy or fall asleep.
The problem with an external firewall is that it doesn’t see which application is requesting Internet access. It needs rules for the traffic. The first rule is usually “DENY ALL”: everything is closed unless a specific rule allows it. New sample:
  [PC1] -->
  [PC2] --> [Router with NAT and Firewall] --> [Internet] --> [LFS Host@port 63392]
  [PC3] -->
PC1 wants to connect to an LFS host at the host IP and port 63392. To get this traffic through the router, the router must have a rule that: Allow PC1 to connect to the LFS host, at its IP address and port 63392.
But there is not only one LFS host out there, so the rule needs an update: Allow PC1 to connect to ANY host at port 63392.
And then someone else in your company wants to try LFS; new update: Allow ANY PC to connect to ANY host at port 63392.
OK, not too bad. Outbound traffic to a specific port is usually granted already (e.g. to be able to browse the Internet you must be able to use port 80 (http)).
But LFS can use any port, and now you will dig a real hole in the firewall: Allow ANY PC to connect to ANY host at ANY port.
Most company firewall operators do not want to use “Any”, as this gives no control. 3x ANY in one line is something you really don’t want. Therefore, playing LFS behind a company firewall can be very hard. Hosting LFS behind a company firewall will usually be impossible...
An “allow all out, deny all in” setup is actually a very good firewall for home use, but if you download a program, let’s call it Crack.exe, that really is a small program recording your bank account information and sending it to a host outside, you will never see it without a Personal Firewall. But … who runs software downloaded from the net without running a virus scan?
Let’s move on to “Hosting LFS with a firewall”.
LFS Hosting with a firewall

WARNING: This chapter is also a tuff one...
Because of the DENY ALL IN rule, you must set up a rule for your LFS host. Your firewall must let incoming traffic to port 63392 (default LFS, or any other port you decided to use in the server configuration) pass through. Remember that LFS uses both the TCP and UDP protocols. The rule will look something like: Allow ANY source IP to connect to your LFS host IP at port 63392 (using both TCP and UDP).
Some firewalls have problems with UDP. If this is the issue, your host will be visible on the master list, but no one will be able to connect.
I would recommend disabling the personal firewall when testing, especially if you are behind a router with NAT. Just remember to enable it when done testing. (For home users with residential gateways this would mean pulling cables and changing setups. I wouldn’t recommend that. If you are setting up the server behind a home gateway, I guess the best way to test would be to have a friend that you can call and ask to try and connect to your server.)
Problems with the firewall can be hard to diagnose; very often it “just doesn’t work” with no error messages. You might be able to see blocked traffic in your router’s log though; look for a message that a packet sent to port 63392 (or your chosen LFS port) was blocked.
Now we should be able to understand “Why we need port mapping”.
Why we need port mapping

When hosting, you want other people to be able to connect to your LFS host. Going back to the router with NAT example:
  [PC1] --
  [PC2] -- [Router with NAT] <-- [Internet] <-- [Computer running LFS]
  [PC3] --
The router just blocks all traffic from the outside. So we need to create a port mapping to tell the router that this is traffic we want to deal with. A port mapping tells the router that all traffic from the outside to port 63392 (default for LFS) will be sent to an IP on the inside at port 63392.
  [PC1] --
  [PC2] -- [Router with NAT] <-- [Internet] <-- [Computer running LFS]
  [PC3] <--
Remember: the port mapping must include both TCP and UDP.
How this is set up depends on your router. Most home routers provide a web interface to configure the router; some have a separate program running on your PC for configuration. Some routers also have the possibility to use “telnet” to change the configuration (Start – Run – cmd – telnet 10.0.0.1 (or 192.168.0.1 or 192.168.1.1 or any other IP address of your router)). Read the manual, check your ISP’s FAQ, ask your ISP.
Most home gateways will let you set them up via a web interface. Open your web browser and enter http://192.168.0.1 (or other possible addresses). You will almost certainly be asked for a username and password by the router.
If you don’t know the password for your router configuration you have three options:
1) Your password is the default factory one: check your router manual to find out the default password and change it.
2) Your password is not the default one and you never changed it yourself: this is most common with routers that were provided by your ISP as part of the service. ISPs sometimes set their own passwords, so that you cannot change the configuration and complain to customer support about it. You will have to talk to your ISP customer support in that case.
3) You changed your password, but forgot it: this is the worst case. You can reset the password by doing the “hard reset” procedure on the router to reset to defaults. DON’T DO THIS UNLESS YOU KNOW ALL ABOUT YOUR ROUTER! Resetting the router means all configuration needs to be entered again.
See the “routers guide” and check if your router is in there.
Problems? LFS uses a very high port. Some routers use a high range for “outgoing NAT”. Some ISPs also reserve these high ports for their internal use. If your router/ISP does this you must either exclude the “LFS range” from the “outgoing NAT” range, or use a lower port for LFS.
Some ISPs force your router to change IP every now and then. This is not good for the clients connected when this happens, but (AFAIK) the LFS host reconnects to the master server and updates its new IP.
Routers guide

Here I have a plan to add guides to set up port mapping on specific routers...
See here how to forward ports on your hardware firewall/router: http://portforward.com/routers.htm
Netopia 4542 router
D-link 804HV Setting up a LFS Host
Technical background

Here I have tried to collect some words about hosting, and LFS.
TCP and UDP in LFS (By Scawen)
The TCP connection of course has to work because the in-sync game code relies on TCP, as everything needs to match, and stay in sync.
But the position updates (PosPackets) don't match perfectly, because they are run without delay (there is always "error" in remote car positions - seen as warping - because of inevitable time delay) and that system uses UDP packets because they are quicker but do suffer from packet loss and it's better to forget about ones that didn't arrive and just use the next packet that does arrive. However, guests which are failing to receive UDP packets can request the host to send TCP PosPackets to the guest, and it will do so. But guests *never* send TCP PosPackets to the host.
That's because sometimes guests are behind firewalls and for some reason can't receive UDP packets sent back to them - and another problem that a UDP connection that worked at first can later be "forgotten" by the router for some reason. However, they can always *send* UDP packets to the host, because the host must be properly set up on the internet, so the problem of losing the UDP connection in that direction shouldn't arise.
So... in summary, it can work if the guest can't *receive* UDP packets, in which case it will request the PosPackets to be sent to it in TCP packets, but it must be able to *send* UDP packets because there is no fallback system in that direction.
Ranges used for LAN games (aka. IETF private IP ranges) (By Scawen)
These are the ranges:
10.x.x.x
192.168.x.x
172.16-31.x.x
More info: http://www.suse.de/~mha/linux-ip-nat/diplom/
Why other ranges do not work (By Scawen)
That's because direct connection is restricted to local networks. It's a security measure so that people who want to play on the Internet must go through the master server (not connect direct by IP, but they can simply connect by "name" to a "hidden" game for the same effect - this stops people with a hacked version being able to happily race over the internet). So I've researched the special IP addresses, which are reserved for local networks, and allowed direct connection for those addresses.
I don't really know why your network is using addresses outside the reserved IP address ranges. I guess there may be a good reason or else someone just chose the 200.x.x.x range because it sounded good? Don't know much about that really but you might not be able to connect to some "real" IP addresses in that range, and I guess that's why there are some special reserved ranges.
tl;dr: open your frigging ports.
Guess my post got deleted but not sure why .
#4 - CSF
Not the same topic. He made 2 posts for some reason.
Alright, I've seen the other thread as well now.

a) This is not a very good guide.

b) See a.
Quote from CSF: Not the same topic. He made 2 posts for some reason.

meh.
Quote from CSF: Not the same topic. He made 2 posts for some reason.

lol I made two different language posts
#8 - Fuse5
Quote from Tomrius: Hosting LFS behind a company firewall will usually be impossible...

If you don't have access to the firewall it is impossible, yes. But for the rest, there still is the "ESTABLISHED,RELATED" state of connection.

Let me explain.
When someone makes a connection to your server which you are hosting on port 69332, i.e. he makes a connection from a random port (usually) ranging from 1024-65535. Why not from 1? Because ports 1-1024 can only be opened up by users with special rights (root on *nix systems).
You could either:
a) open up the port range to any host, not a good idea
b) allow the connection out if it was already previously established or is related.
With b) no one can make the connection to the outside (except for allowed ports, i.e. 53, 80, 110, 143, ... if you allow them) but connections that were first established "to the inside", to your LFS server, will not get denied on their way back out.

I think this needs not to be explained further, because if you have access to company firewall, you probably already know this. If you still need explanation on this matter, please tell your boss to hire qualified sysadmins.



And TCP does not use a "handshake" for each packet. The three-way handshake is the TCP connection establishment greeting (which has a huge security hole in it btw); it goes like:
Client establishing connection sends SYN packet.
Server receives it and returns SYN,ACK packet.
Client receives that and returns ACK packet.
ACK being acknowledge, SYN being sync (I think). This way a connection is established and it ensures that the two sides are communicating with each other.
The "thingies" that TCP uses to ensure no loss of data and no corruption of data are actually two:
Sequence numbers (ISN), which are agreed in the initial three-way handshake, and each packet sent in any direction increments that number by 1. This ensures that duplicates are discarded, lost packets retransmitted etc.
And then there is error detection. TCP uses a weak 16-bit checksum for its header and data. The sender calculates the checksum of the packet that it is about to send and includes it in the actual sent packet. The receiver gets the packet and calculates its checksum and then compares the two checksums, the one calculated and the one transmitted; if this is correct it almost assures data correctness. But even if this is a weak check we still have CRC or other integrity checks on layer two of the OSI model.

If you want to:
And the security hole. One system can receive only X number of SYN packets and it must wait for Y seconds to get the second ACK packet back. Not including any hosts or anything.
So let's say the system can hold only 10 SYN packets at a time (the number is much higher in reality) and it must wait at least 5 minutes (lower in reality).
I send 10 SYN packets to you in 1 second, I receive 10 SYN,ACK packets from you back but refuse to return the final ACK packet to you. Now you need to wait 5 minutes before you can drop those 10 SYN packets and as a result no one can connect to you until those SYN packets are dropped or I decide to send you the final ACK packets.
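The 16-bit checksum the post above calls weak, as an added example that is not from the post: a Python implementation of the Internet checksum (RFC 1071) that TCP carries, applied to a constructed TCP segment together with its pseudo-header. It shows what the post's "almost assures" hides: a flipped bit is always caught, but two swapped 16-bit words, or a 0xFFFF word turned into 0x0000, verify as if nothing happened, which is why the layer-two CRC the post mentions still matters. The addresses and payload are made up for the demonstration.

```python
"""The Internet checksum (RFC 1071) that TCP, UDP and IP carry, and what it misses.
Added example, not from the post: the segment, addresses and payload are
constructed. The TCP checksum covers a pseudo-header (source and destination
IP, protocol number 6, segment length) followed by the whole segment."""
import socket
import struct

def internet_checksum(data):
    """Ones' complement sum of 16-bit words, folded to 16 bits and complemented."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_length):
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, 6, tcp_length))

def build_segment(src_ip, dst_ip, sport, dport, payload, seq=1, ack=0):
    """20-byte TCP header (PSH,ACK, no options) + payload, with the checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 8192, 0, 0)
    segment = header + payload
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]   # bytes 16-17: checksum

def segment_ok(src_ip, dst_ip, segment):
    """Receiver side: summing everything, checksum field included, must give 0."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def flip_bit(segment, byte_index, bit):
    b = bytearray(segment)
    b[byte_index] ^= 1 << bit
    return bytes(b)

def swap_words(segment, i, j):
    """Exchange 16-bit words i and j of the segment (a reordering corruption)."""
    b = bytearray(segment)
    b[2 * i:2 * i + 2], b[2 * j:2 * j + 2] = b[2 * j:2 * j + 2], b[2 * i:2 * i + 2]
    return bytes(b)

def zero_word(segment, i):
    b = bytearray(segment)
    b[2 * i:2 * i + 2] = b"\x00\x00"
    return bytes(b)

def demo():
    src, dst = "192.168.0.10", "198.51.100.5"          # constructed addresses
    payload = b"\xff\xffLFS position data"             # word 10 of the segment is 0xFFFF
    seg = build_segment(src, dst, 1050, 63392, payload)
    return {
        "valid": segment_ok(src, dst, seg),
        # every single-bit error changes the sum, so it is caught ...
        "bit_flip_detected": not segment_ok(src, dst, flip_bit(seg, 30, 0)),
        # ... but addition does not care about order, so swapped words pass ...
        "word_swap_detected": not segment_ok(src, dst, swap_words(seg, 11, 12)),
        # ... and 0xFFFF and 0x0000 are both "zero" in ones' complement arithmetic
        "ffff_to_zero_detected": not segment_ok(src, dst, zero_word(seg, 10)),
    }
```

Words 11 and 12 are the first four payload bytes after the 0xFFFF word, so the swapped segment differs from the original yet still verifies; the same holds for any reordering of 16-bit words anywhere in the covered data.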
lol you XD net seriously to read the term, I did all this to host LsD and the server is up
