From owner-freebsd-questions Wed Jan 2 0:41:46 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from hermes.epita.fr (hermes.epita.fr [163.5.255.10]) by hub.freebsd.org (Postfix) with ESMTP id A8AA637B41D for ; Wed, 2 Jan 2002 00:41:42 -0800 (PST)
Received: from kenny (kenny [10.42.14.16]) by hermes.epita.fr id g028fRn19738 for freebsd-questions@freebsd.org EPITA Paris France Wed, 2 Jan 2002 09:41:28 +0100 (MET)
Date: Wed, 2 Jan 2002 09:41:26 +0100
From: luc wastiaux
To: freebsd-questions@freebsd.org
Subject: Re: ipfw rules and counterstrike
Message-ID: <20020102094126.A18238@kenny.epita.fr>
References: <20020101173713.A16349@kenny.epita.fr> <3C31E9DF.3040504@potentialtech.com> <20020101182244.A16402@kenny.epita.fr> <3C31F417.7060700@potentialtech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3C31F417.7060700@potentialtech.com>; from wmoran@potentialtech.com on Tue, Jan 01, 2002 at 12:38:31PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

I have solved my problem by adding these 4 rules:

# keep-state rules are needed for online games
$fwcmd add allow tcp from any to any via tun0 out keep-state
$fwcmd add allow udp from any to any via tun0 out keep-state
$fwcmd add allow tcp from any to any 1024-65000 via tun0 in keep-state
$fwcmd add allow udp from any to any 1024-65000 via tun0 in keep-state

this exposes the high ports, is this a big security threat?

On Tue, Jan 01, 2002 at 12:38:31PM -0500, Bill Moran wrote:
> luc wastiaux wrote:
> > On Tue, Jan 01, 2002 at 11:54:55AM -0500, Bill Moran wrote:
> >
> >>luc wastiaux wrote:
> >>
> >>>Hello, I have a 4.4R NAT box serving my ADSL connection, everything seems
> >>>to be working fine except for counterstrike.
> >>>
> >>>when I attempt to connect to a server or refresh the server list, the
> >>>console on the NAT box says "natd failed to write packet back (permission
> >>>denied).
> >>>
> >>Somehow the firewall is blocking what you're trying to send. I recommend
> >>manually running natd with the -v option to see exactly what is causing this
> >>problem. My experience is that doing so usually clears up what's wrong
> >>pretty quickly.
> >>
> >
> > hmm in order to rerun natd after having killed it, I have to delete this
> > rule otherwise natd tells me the divert interface is already in use
> > add divert natd all from any to any via tun0
>
> Hmmm ... haven't seen that before.
>
> > but even then when I run natd -v -dynamic -interface tun0, I get no output
> > when attempting to connect to a counterstrike server.
>
> Then the error you describe above is unrelated to your problems with the
> counterstrike server.
>
> > someone mentioned to me something about state option or something like
> > that, will that help? (this person uses ipf so I'm not sure ipfw has
> > this)
>
> Probably. You didn't have much in your rules concerning udp, so (other
> than DNS traffic) all the udp traffic is being denied. Once you know what
> udp ports counterstrike uses, you can add rules like:
>
> add pass udp from myip to any 76 keep-state
>
> Assuming that "myip" is your ip address and 76 is a port used by counterstrike.
>
> Figuring out what ports to allow is fairly simple. Temporarily set the
> firewall to allow everything, then run tcpdump on the console and start
> counterstrike. It will quickly become obvious which ports counterstrike
> uses.
>
> --
> Bill Moran
> Potential Technology
> http://www.potentialtech.com
>

--
-luc | wastia_l@epita.fr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
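An added example, not part of the thread, that models the question at the end of the message: the two inbound "1024-65000 ... keep-state" rules accept any unsolicited packet to a high port, whereas a ruleset that starts with check-state and only keeps state on outbound traffic admits nothing but replies to flows the LAN side opened. The addresses and ports are constructed, and the model ignores natd address translation, which on a divert/natd box decides where check-state has to sit relative to the divert rule.

```python
"""Small model of ipfw stateful matching: runs the message's four rules and a
check-state alternative over the same constructed packets. NAT translation is
ignored, so this shows allow/deny logic only and is not a drop-in ruleset."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src dst direction")   # src/dst are (ip, port); 'in'/'out'
Rule = namedtuple("Rule", "action proto direction dports keep_state")  # dports=(lo, hi)|None

def _static_match(rule, pkt):
    if rule.proto not in ("ip", pkt.proto) or rule.direction != pkt.direction:
        return False
    return rule.dports is None or rule.dports[0] <= pkt.dst[1] <= rule.dports[1]

def run(rules, packets):
    """Return one verdict per packet; the dynamic table persists across packets."""
    dyn = set()  # (proto, src, dst) flows recorded by keep-state rules
    verdicts = []
    for pkt in packets:
        verdict = "deny"  # default rule of a closed firewall
        for rule in rules:
            # ipfw consults the dynamic table at the first check-state or
            # keep-state rule it reaches; a reply matches the reversed tuple
            if rule.action == "check-state" or rule.keep_state:
                if (pkt.proto, pkt.src, pkt.dst) in dyn or (pkt.proto, pkt.dst, pkt.src) in dyn:
                    verdict = "allow"
                    break
            if rule.action != "check-state" and _static_match(rule, pkt):
                if rule.keep_state:
                    dyn.add((pkt.proto, pkt.src, pkt.dst))
                verdict = rule.action
                break
        verdicts.append(verdict)
    return verdicts

# the four rules from the message, in model form
POSTED = [Rule("allow", "tcp", "out", None, True), Rule("allow", "udp", "out", None, True),
          Rule("allow", "tcp", "in", (1024, 65000), True), Rule("allow", "udp", "in", (1024, 65000), True)]
# alternative: inbound passes only when it answers a flow an outbound rule recorded
STATEFUL_ONLY = [Rule("check-state", "ip", None, None, False),
                 Rule("allow", "tcp", "out", None, True), Rule("allow", "udp", "out", None, True)]
# constructed traffic: a LAN game client talks to a server, the server answers, then an
# unrelated host sends unsolicited UDP to a high port on the LAN client
PACKETS = [Pkt("udp", ("192.168.1.2", 27005), ("192.0.2.10", 27015), "out"),
           Pkt("udp", ("192.0.2.10", 27015), ("192.168.1.2", 27005), "in"),
           Pkt("udp", ("198.51.100.7", 40000), ("192.168.1.2", 1434), "in")]

if __name__ == "__main__":
    print("posted rules:", run(POSTED, PACKETS))          # ['allow', 'allow', 'allow']
    print("check-state: ", run(STATEFUL_ONLY, PACKETS))   # ['allow', 'allow', 'deny']
```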