Date:      Wed, 2 Jan 2002 09:41:26 +0100
From:      luc wastiaux <wastia_l@epita.fr>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipfw rules and counterstrike
Message-ID:  <20020102094126.A18238@kenny.epita.fr>
In-Reply-To: <3C31F417.7060700@potentialtech.com>; from wmoran@potentialtech.com on Tue, Jan 01, 2002 at 12:38:31PM -0500
References:  <20020101173713.A16349@kenny.epita.fr> <3C31E9DF.3040504@potentialtech.com> <20020101182244.A16402@kenny.epita.fr> <3C31F417.7060700@potentialtech.com>

I have solved my problem by adding these 4 rules:

#keep state rules are needed for online games
$fwcmd add allow tcp from any to any via tun0 out keep-state
$fwcmd add allow udp from any to any via tun0 out keep-state

$fwcmd add allow tcp from any to any 1024-65000 via tun0 in keep-state
$fwcmd add allow udp from any to any 1024-65000 via tun0 in keep-state

This exposes the high ports; is this a big security threat?

On Tue, Jan 01, 2002 at 12:38:31PM -0500, Bill Moran wrote:
> luc wastiaux wrote:
> > On Tue, Jan 01, 2002 at 11:54:55AM -0500, Bill Moran wrote:
> > 
> >>luc wastiaux wrote:
> >>
> >>>Hello, I have a 4.4R NAT box serving my ADSL connection, everything seems 
> >>>to be working fine except for counterstrike.
> >>>
> >>>when I attempt to connect to a server or refresh the server list, the 
> >>>console on the NAT box says "natd failed to write packet back (permission 
> >>>denied)".
> >>>
> >>Somehow the firewall is blocking what you're trying to send.  I recommend
> >>manually running natd with the -v option to see exactly what is causing this
> >>problem.  My experience is that doing so usually clears up what's wrong
> >>pretty quickly.
> >>
> > 
> > hmm in order to rerun natd after having killed it, I have to delete this 
> > rule otherwise natd tells me the divert interface is already in use
> > add divert natd all from any to any via tun0
> 
> Hmmm ... haven't seen that before.
> 
> > but even then when I run natd -v -dynamic -interface tun0, I get no output 
> > when attempting to connect to a counterstrike server.
> 
> Then the error you describe above is unrelated to your problems with the
> counterstrike server.
> 
> > someone mentioned to me something about state option or something like 
> > that, will that help? (this person uses ipf so I'm not sure ipfw has 
> > this)
> 
> Probably.  You didn't have much in your rules concerning udp, so (other
> than DNS traffic) all the udp traffic is being denied.  Once you know what
> udp ports counterstrike uses, you can add rules like:
> 
> add pass udp from myip to any 76 keep-state
> 
> Assuming that "myip" is your ip address and 76 is a port used by counterstrike.
> 
> Figuring out what ports to allow is fairly simple.  Temporarily set the
> firewall to allow everything, then run tcpdump on the console and start
> counterstrike.  It will quickly become obvious which ports counterstrike
> uses.
> 
> -- 
> Bill Moran
> Potential Technology
> http://www.potentialtech.com
> 

-- 

-luc | wastia_l@epita.fr
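An added example, not from this thread or its authors, of admitting the same game traffic without the static "allow ... 1024-65000 in" rules: the dynamic rule is created on the private address before natd rewrites it, and packets arriving on tun0 pass only when check-state finds a session a LAN host opened. It follows the keep-state/skipto layout used with divert natd in the FreeBSD Handbook's ipfw chapter; the LAN interface name xl0 and the rule numbers are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread: ipfw dynamic rules combined
# with natd so that game replies reach the client without a static allow on
# ports 1024-65000. Assumed names: public interface tun0, LAN interface xl0,
# rule numbers chosen here. Usage: fwcmd=/sbin/ipfw sh thisfile
# (fwcmd defaults to echo, which only prints the rules).

stateful_nat_rules() {
    cmd="$1"          # /sbin/ipfw, or echo for a dry run
    oif="${2:-tun0}"  # interface natd runs on
    lif="${3:-xl0}"   # trusted LAN interface (assumption)

    $cmd -f flush

    # LAN and loopback traffic is not filtered.
    $cmd add 100 allow ip from any to any via "$lif"
    $cmd add 110 allow ip from any to any via lo0

    # Inbound on the public interface: translate back to the private address
    # first, because the dynamic rules below are keyed on private addresses.
    # check-state then admits only packets belonging to a session a LAN host
    # opened; on a match the parent rule's action (skipto 1000) runs.
    $cmd add 200 divert natd ip from any to any in via "$oif"
    $cmd add 210 check-state

    # Outbound: record the session on the private address before natd
    # rewrites it, then jump to the NAT rule. Dynamic entries expire on
    # their own (net.inet.ip.fw.dyn_* sysctls), so no port stays open.
    $cmd add 300 skipto 1000 tcp from any to any out via "$oif" setup keep-state
    $cmd add 310 skipto 1000 udp from any to any out via "$oif" keep-state

    # Everything else arriving on the public interface is refused. This
    # replaces the blanket allow to ports 1024-65000. ("log" needs the
    # IPFIREWALL_VERBOSE kernel option.)
    $cmd add 400 deny log ip from any to any in via "$oif"

    # Reached only via skipto: NAT outbound packets, then pass the packet
    # (rule 1010 also passes inbound packets that matched check-state).
    $cmd add 1000 divert natd ip from any to any out via "$oif"
    $cmd add 1010 allow ip from any to any
}

stateful_nat_rules "${fwcmd:-echo}"
```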
