Date: Fri, 31 Oct 2008 10:34:18 -0700
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
Cc: Freebsd questions <freebsd-questions@freebsd.org>
Subject: Re: Firewalls in FreeBSD?
Message-ID: <20081031173418.GA37710@icarus.home.lan>
In-Reply-To: <44iqr8broz.fsf@be-well.ilk.org>
References: <367168.61424.qm@web56806.mail.re3.yahoo.com> <490A4487.8020101@gmail.com> <20081030233933.GB16747@icarus.home.lan> <448ws4da2f.fsf@be-well.ilk.org> <20081031160949.GA36045@icarus.home.lan> <444p2sd8od.fsf@be-well.ilk.org> <20081031170345.GA36712@icarus.home.lan> <44iqr8broz.fsf@be-well.ilk.org>
On Fri, Oct 31, 2008 at 01:27:40PM -0400, Lowell Gilbert wrote:
> Jeremy Chadwick <koitsu@FreeBSD.org> writes:
>
> > On Fri, Oct 31, 2008 at 12:35:30PM -0400, Lowell Gilbert wrote:
>
> >> Okay, I guess I'm a little confused by the line about "ONLY allow data
> >> back on these ports IF the windows box has established the connection
> >> out first then deny everything else."  I read that as saying that the
> >> Windows box had sent a packet on the same connection (4-tuple, at
> >> least) that should be later accepted heading *to* the Windows box.
> >> That's just a stateful rule, and it seems to be at odds with what you
> >> wrote in your first message in the thread.  The apparent disagreement
> >> was why I said anything in the first place; it sounds like there's
> >> more than one model of how the game works.
> >
> > I understand the confusion.  Here's the actual protocol that the game
> > appears to be using (since the OP has stated forwarding a port range to
> > his LAN PC solves the problem -- meaning, his original description of
> > how the game protocol worked is accurate):
>
> I see.  If that is the case, then the word "connection" in the line I
> quoted from Jack Barnett does *not* mean a TCP session, but something
> a little more nebulous.  "Game session" might cover it.
>
> [I *was* aware of that possible confusion, which was why I specified
> an address/port tuple as the definition of "connection."]
>
> Sorry for the distraction; I see that (short of a deep-inspection
> snooping of the protocol), what has already been done is as good as
> you can get.

Nah, it's cool -- the misunderstanding is... understandable.  :-)

I've never seen a game behave this way (specifically, the gameserver
initiating a *brand new connection* rather than utilising an existing
one, or having the client initiate a connection to the server -- in
which case, a stateful firewall will work perfectly and no firewall
rules are needed).
-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
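Editor's note, not part of the thread: the two cases the reply distinguishes (client-initiated traffic, which a stateful rule handles on its own, versus the game server dialling back with a brand new connection, which needs a port range forwarded to the LAN PC) look like this in a FreeBSD pf.conf. The interface names, the LAN address and the port range are placeholders; the thread does not name the actual game ports.

```pf
# Added example (not from the mailing-list thread). Placeholders:
ext_if = "em0"                 # interface facing the Internet
int_if = "em1"                 # interface facing the LAN
lan_pc = "192.168.1.10"        # the Windows gaming PC
game_ports = "27000:27030"     # range the game server connects back to

set skip on lo0
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Case 2: the server opens a *new* connection toward the player. The
# firewall has no state to match it against (the client never sent the
# 4-tuple), so the only option short of protocol inspection is a static
# forward of the range to the one host that plays the game.
rdr on $ext_if proto { tcp udp } from any to ($ext_if) port $game_ports -> $lan_pc

block in log all

# Case 1: anything the LAN PC initiates. "keep state" lets the replies
# back without any further rule, which is the stateful behaviour the
# thread says works perfectly for client-initiated games.
pass in  quick on $int_if from $int_if:network to any keep state
pass out quick on $ext_if from any to any keep state

# Inbound is limited to the forwarded range and the forwarded host; pf
# evaluates this after rdr, so the destination is already $lan_pc.
pass in quick on $ext_if proto { tcp udp } from any to $lan_pc port $game_ports keep state
```

Everything else arriving on $ext_if still hits "block in log all", so the exposure is exactly the forwarded range on exactly one host, which is the best a non-inspecting firewall can do for this protocol.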