
ipfw ruleset blocking game server



Hi all,

I have been using ipfw for a little while now and have recently changed to a ruleset copied off of the FreeBSD website's documentation of ipfw. I changed the pertinent stuff to match my network and ISP's nameservers and everything works fine _except_ I seem to be blocking responses from a game server in (in this case) London, where my nine year old and his friends go to play a game called "Runescape".

Of course, access to this is infinitely more critical than the safety of other things, like perhaps, our financial data, so I want to get this straightened out (really). Does anyone here have any ideas about what port games such as this use to come back in? I'll also email the server's admin to see what the IP is for the server so I can write a rule for it. I've included below the 'inbound' section of the offending ruleset. And thanks. Also, for what it's worth, I'm on a 56k dial-up connection using tun0.

r.

#################################################################
# Interface facing Public Internet (Inbound Section)
# Interrogate packets originating from the public Internet
# destined for this gateway server or the private network.
#################################################################

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif  #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif   #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif      #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif        #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif            #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif  #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif    #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif     #Class D & E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios service. 137=name, 138=datagram, 139=session
# Netbios is MS/Windows sharing services.
# Block MS/Windows hosts2 name server requests 81
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic in from ISP's DHCP server. This rule must contain
# the IP address of your ISP's DHCP server as it's the only
# authorized source to send this packet type.
# Only necessary for cable or DSL configurations.
# This rule is not needed for 'user ppp' type connection to
# the public Internet. This is the same IP address you captured
# and used in the outbound section.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow in standard www function because I have apache server
$cmd 00400 allow tcp from any to me in via xl0 setup limit src-addr 2
$cmd 00401 deny tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow in secure FTP, Telnet, and SCP from public Internet
###$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Allow in non-secure Telnet session from public Internet
# labeled non-secure because ID & PW are passed over public
# Internet as clear text.
# Delete this sample group if you do not have telnet server enabled.
##$cmd 00420 allow tcp from any to me 23 in via $pif setup limit src-addr 2

# Reject & Log all incoming connections from the outside
$cmd 00499 deny log all from any to any in via $pif

# Everything else is denied by default
# deny and log all packets that fell through to see what they are
$cmd 00999 deny log all from any to any
################ End of IPFW rules file ###############################



----------
I'd rather flunk my Wassermann Test
Than read the poems of Edgar Guest.

                  - Auden
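An added example, not part of the original post: the first thing to find out with a ruleset like the one above is which rule is eating the game traffic, and ipfw tells you that on every rule that carries the `log` keyword (here only 00499 and 00999; 00332 would need `log` added to show up). The script below is a small POSIX sh/awk summary over syslog lines in the format ipfw writes (`ipfw: <rule> <action> <proto> <src> <dst> in via <if>`), grouped by rule, protocol, source address and destination port, so the blocking rule and the port the server answers on fall out directly. The log lines, host name `gw`, and addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and ports are constructed for the example; they are not the game's real addresses or ports.

```sh
#!/bin/sh
# Summarise ipfw "Deny" log entries by rule, protocol, source address and
# destination port. Feed it /var/log/security (or the relevant syslog file).

# Constructed sample log lines in ipfw's syslog format (not real traffic).
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: ipfw: 499 Deny UDP 203.0.113.10:43594 192.0.2.5:43594 in via tun0
Jan 10 12:00:02 gw kernel: ipfw: 332 Deny TCP 203.0.113.10:43594 192.0.2.5:51234 in via tun0
Jan 10 12:00:03 gw kernel: ipfw: 499 Deny UDP 203.0.113.10:43594 192.0.2.5:43594 in via tun0
Jan 10 12:00:04 gw kernel: ipfw: 310 Deny ICMP:8.0 198.51.100.1 192.0.2.5 in via tun0'

# Reads log lines on stdin, prints "<count> <rule> <proto> <srcaddr> <dport>",
# most frequent first. ICMP entries carry no port, shown as "-".
summarize_denies() {
    awk '{
        # locate the "ipfw:" token so the syslog prefix length does not matter
        for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
        if (i > NF) next
        rule = $(i+1); action = $(i+2); proto = $(i+3); src = $(i+4); dst = $(i+5)
        if (action != "Deny") next
        n = split(dst, d, ":"); dport = (n > 1) ? d[2] : "-"
        split(src, s, ":"); saddr = s[1]
        count[rule " " proto " " saddr " " dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Convenience: the rule number responsible for the most denies.
top_deny_rule() {
    summarize_denies | head -n 1 | awk '{ print $2 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Run it as `sh summarize.sh` to see the sample, or `summarize_denies < /var/log/security` on the gateway. In the sample, rule 499 (the catch-all inbound deny) is dropping UDP replies from the server to the port the client sent from; with an outbound `keep-state` rule for that traffic the dynamic table would let the replies through without opening the port to everyone, which is the safer fix compared with a blanket `allow` on the port.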