From owner-freebsd-questions@FreeBSD.ORG Thu Oct 30 18:18:45 2008
Date: Thu, 30 Oct 2008 11:18:43 -0700 (PDT)
From: mdh <mdh_lists@yahoo.com>
Reply-To: mdh_lists@yahoo.com
To: Jeremy Chadwick
Cc: Freebsd questions <freebsd-questions@freebsd.org>
Subject: Re: Firewalls in FreeBSD?
In-Reply-To: <20081030032547.GA93923@icarus.home.lan>
Message-ID: <367168.61424.qm@web56806.mail.re3.yahoo.com>

--- On Wed, 10/29/08, Jeremy Chadwick wrote:

> From: Jeremy Chadwick
> Subject: Re: Firewalls in FreeBSD?
> To: "Terry Sposato"
> Cc: jackbarnett@gmail.com, "Polytropon", "Freebsd questions"
> Date: Wednesday, October 29, 2008, 11:25 PM
>
> On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato wrote:
> > It is most likely caused by your ruleset not being stateful. If packets
> > are going out certain sessions and your firewall isn't then allowing back
> > in you would see the issue you are seeing. I am not sure how this is
> > accomplished via ipfw as I use pf but there would be a tonne of
> > documentation out there on how to make your rules stateful.
>
> Are you sure about that? Read his statement once more:
>
> >> For example, I load up a client (game) and it connects out on XYZ
> >> port. The server will send data back on ABC.
>
> I assume based on this, the following is happening:
>
> - 192.168.x.x:aaaaa sends packet to gameserver:xyz
>
> - NAT gateway translates packet (where "natgw" is a public WAN IP)
>
>   192.168.x.x:aaaaa <--> natgw:bbbbb <--> gameserver:xyz
>
> - gameserver sees packet to port xyz, and initiates new connection
>   to natgw:abc
>
> - NAT gateway drops packet destined to WAN IP port abc, because the
>   gameserver:abc connection is *new*, and does not relate to the
>   previous NAT'd gameserver:xyz connection.
>
> If this is **truly** how the protocol works (the OP will need to be
> absolutely 100% positive of that fact; I recommend he reconfirm how it
> works), then the only solution is to set up a port forward on the NAT
> gateway for port abc to point to 192.168.x.x.
>
> This also means that only one computer on the LAN will be capable of
> playing this game. Not much one can do about that, other than write
> the authors of the game and explain that their protocol is absolutely
> disgusting.

Does the game support IPv6? This may be a work-around for you, since you can get a relatively large chunk of IPs for free via any one of a number of tunnel brokers.
If possible, ask your IP provider if they provide native IPv6 transport first. A few do, in North America and Europe, and a surprising number do in Asia, especially Japan and South Korea. If you're on a North American consumer ISP, however, chances are a tunnel broker is your only option for v6 connectivity.

If the game doesn't support IPv6, then you are likely stuck with playing with port forwarding from the public routable address. It stinks, so feel free to lobby your ISP, the game's designers, and any other involved parties about supporting IPv6 connectivity. In essence, a problem like the one Mr. Chadwick is alluding to is one of the primary motivating forces behind the adoption of IPv6 to begin with.

- mdh
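For readers who end up on the port-forwarding path that Jeremy Chadwick describes above, the following pf.conf is an added illustration of that forward on a FreeBSD NAT gateway; it is not part of the original thread and not the OP's configuration. The interface names em0/em1, the LAN prefix 192.168.1.0/24, the client address 192.168.1.10 and the port 27015 standing in for "abc" are all assumed.

```pf
# Added example: pf.conf for a FreeBSD NAT gateway (FreeBSD 7-era pf syntax).
# Assumptions (not from the thread): em0 is the WAN side, em1 the LAN side,
# the LAN is 192.168.1.0/24, the game client is 192.168.1.10 and the
# server-initiated "abc" port is 27015, allowed over both TCP and UDP.
ext_if    = "em0"
int_if    = "em1"
lan_net   = "192.168.1.0/24"
game_host = "192.168.1.10"
game_port = "27015"

# Outbound NAT. This is what creates the natgw:bbbbb <-> gameserver:xyz
# state entry; a stateful ruleset on its own only lets replies to *that*
# flow back in, which is why the server's separate connection to port
# "abc" is dropped without the rdr below.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forward: rewrite the server's *new* inbound connection to natgw:abc
# so it reaches the client. rdr targets exactly one host, which is why
# only one computer on the LAN can play this game at a time.
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port $game_port -> $game_host

# Default-deny inbound on the WAN side; stateful everywhere else.
block in log on $ext_if all
pass out on $ext_if all keep state
pass in quick on $int_if from $lan_net to any keep state

# Translation happens before filtering, so the pass rule must match the
# post-rdr destination ($game_host), not the public WAN address.
pass in on $ext_if proto { tcp, udp } from any to $game_host port $game_port keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm that the forwarded connection actually creates a state entry with `pfctl -ss` while the game is running. On an ipfw/natd gateway the equivalent of the rdr line is natd(8)'s `redirect_port` option; the filter rules still have to admit the translated packet.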