Getting games past a firewall

Sol (Storage is cool; joined Feb 10, 2002; 960 messages; Cardiff, Wales)
I just moved into a new house with a couple of friends. We're in the same block of units with two other friends and have set up a P200 to act as a router so we can share a single cable connection between the five of us.

So far everything is going pretty well. Smoothwall lived up to its name, providing a Linux-based firewall/proxy/router/DHCP server/web server with about a 20 min install time.
The net works fine: we can access the net, IRC, and join online games with no trouble. When it comes to hosting games, however, we come up against our firewall. We checked the GameSpy web page to see what ports needed to be opened and we thought we did it. But still no one can see our games from outside the firewall.

Any ideas would be appreciated. The next step is to build a game server on the other side of the firewall; we'd hope to avoid that if a cheaper option will work, though.

Cliptin (Wannabe Storage Freak; joined Jan 22, 2002; 1,206 messages; St. Elmo, TN; www.whstrain.us)
More than likely you will need to open the specific ports for the games as well as GS.

I have run several different games through SW running here but I've only hosted a few: AOEII, Rogue Spear, Ghost Recon and Roger Wilco.

What games are you trying to get to work?

The JoJo (Wannabe Storage Freak; joined Jan 25, 2002; 1,490 messages; Turku, Finland; www.thejojo.com)
Double check the ports that need to be opened on the firewall, and check that the routing from the firewall to the game server on the inside works for those ports.

Sol (Storage is cool; joined Feb 10, 2002; 960 messages; Cardiff, Wales)
We opened all the ports for UDP & TCP, routed them to the right PC and opened the port for Medal of Honour for TCP and UDP as well. Still nothing.

In theory, shouldn't you be able to see the game in GameSpy but not be able to join if we open the GameSpy ports but not the game port?

Do I need to open the port on which players ping the server? And if so does anyone know what that port might be?

What's a good way to check if the routing works?

Thanks for the help, guys.

James (Storage is cool; joined Jan 24, 2002; 844 messages; Sydney, Australia)
Perhaps the NAT isn't properly set up?

You can always test straight TCP connectivity by telnetting to the destination PC and port.
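A scripted version of the telnet check James suggests, plus a UDP probe, since the game ports Sol is forwarding are UDP as well as TCP and telnet cannot exercise those. This is an added example, not something posted in the thread. The loopback listeners and the probe payload are constructed so the script runs offline; a real game's query packet would replace the placeholder, and the check has to be run from a machine outside the firewall (or against the server's LAN address from inside) to say anything about the forward.

```python
"""Connectivity checks for a forwarded game port.

Added example, not something posted in the thread.  tcp_port_open() is the
scripted form of 'telnet <ip> <port>'.  Game traffic is mostly UDP, which has no
handshake to test, so udp_probe() sends a payload and reports whether anything
comes back; the payload below is a placeholder and must be replaced by the
game's own query packet.  demo() runs both against listeners on 127.0.0.1 so
the script works offline.
"""
import socket
import threading
from typing import Optional

PROBE = b"probe"   # constructed placeholder, not a real game query


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, or silently filtered
        return False


def udp_probe(host: str, port: int, payload: bytes, timeout: float = 2.0) -> Optional[bytes]:
    """Send one datagram and return the first reply, or None if nothing answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            data, _ = s.recvfrom(4096)
            return data
        except OSError:      # timeout, or an ICMP port-unreachable surfaced as ConnectionRefusedError
            return None


def _start_tcp_listener() -> int:
    """Accept-and-close TCP listener on an ephemeral loopback port; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _start_udp_echo() -> int:
    """UDP responder on an ephemeral loopback port that echoes with a prefix."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))

    def serve() -> None:
        while True:
            try:
                data, peer = srv.recvfrom(4096)
            except OSError:
                return
            srv.sendto(b"echo:" + data, peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def _closed_port() -> int:
    """Reserve and immediately release an ephemeral port so it is almost certainly closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Run the checks against constructed loopback listeners and a closed port."""
    tcp_port, udp_port, closed = _start_tcp_listener(), _start_udp_echo(), _closed_port()
    return {
        "tcp_open": tcp_port_open("127.0.0.1", tcp_port, timeout=1.0),
        "tcp_closed": tcp_port_open("127.0.0.1", closed, timeout=1.0),
        "udp_reply": udp_probe("127.0.0.1", udp_port, PROBE, timeout=1.0),
        "udp_closed": udp_probe("127.0.0.1", closed, PROBE, timeout=1.0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

A UDP probe that gets no answer proves nothing on its own: the port may be filtered, the forward may be wrong, or the game may simply not answer that payload. Only a reply is conclusive, which is why the query has to be the one the game actually speaks.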
 

Sol (Storage is cool; joined Feb 10, 2002; 960 messages; Cardiff, Wales)
Well, bizarrely, it would seem that it is all working fine. Except that no one behind the firewall can see the game in GameSpy. Other people can see it and join, however, and since we can all see it locally everything is fine.
Strange, but fine.

Will Rickards WT (Learning Storage Performance; joined Jun 19, 2002; 433 messages; Pennsylvania, USA; www.willrickards.net)
That isn't really strange... it happens on a lot of networks I've been on.
We had some sort of server behind a router/firewall. Everybody on the inside had to use the internal IP. Everybody on the outside had to use the outside IP. I really don't know why the outside IP didn't resolve to the machine on the inside.

P5-133XL (Xmas '97; joined Jan 15, 2002; 3,173 messages; Salem, OR)
If your firewall has it, turn on STI (stateful packet inspection). I suspect that you still have a port blocked that shouldn't be. What STI does is to allow packets from inside to go out and remembers the IP and ports they use. When a computer replies (the packet from the same IP and port) it will allow that through the firewall. Thus you need not know what ports need to be open as long as you have sourced the traffic.

On the risk side, you now open yourself up to the potential of a security breach once software gets inside the network because nothing stops stuff from leaving and getting replies.

Cliptin (Wannabe Storage Freak; joined Jan 22, 2002; 1,206 messages; St. Elmo, TN; www.whstrain.us)
Sol said:
Well, bizarrely, it would seem that it is all working fine. Except that no one behind the firewall can see the game in GameSpy. Other people can see it and join, however, and since we can all see it locally everything is fine.
Strange, but fine.

If I understand your new quandary correctly, your new problem is that while people on the outside can connect to your RED (external) IP address, you cannot. However, you can connect to the NAT IP address of the game server.

This is normal. When you try to connect to the external IP address from the inside, the routing software will disregard the packet as nonsense. You will also not be able to connect to <external IP> port 80 from the inside. You have to use an anonymizer so that your packets have somewhere to go. You will find that, like games, you can connect to the internal IP address of the web server.

Sol (Storage is cool; joined Feb 10, 2002; 960 messages; Cardiff, Wales)
Well, that makes some sense then; thanks for the info. It does make it hard to see if your game is working, though, since few people will join near-empty servers.
Guess I'll just have to do the standard wait-a-while test.

James (Storage is cool; joined Jan 24, 2002; 844 messages; Sydney, Australia)
P5-133XL said:
If your firewall has it, turn on STI (stateful packet inspection). I suspect that you still have a port blocked that shouldn't be. What STI does is to allow packets from inside to go out and remembers the IP and ports they use. When a computer replies (the packet from the same IP and port) it will allow that through the firewall. Thus you need not know what ports need to be open as long as you have sourced the traffic.
That's not stateful packet inspection, that's NAT (network address translation). Stateful means that the firewall actually inspects the payload of incoming and outgoing packets to make sure that they're legitimate. It also looks at a packet stream in its entirety rather than considering packets individually, which makes it better able to detect DoS, address spoofing, and other such attacks that depend on the firewall being somewhat stupid. Non-stateful firewalls only look at the TCP/IP source and destination of the packet and apply rules accordingly.

With either system, though, unless you have the firewall set up insecurely (i.e. allow everything, deny X and Y, compared with deny everything, allow X and Y, which is much more secure) you do need to explicitly set up rules allowing each type of incoming packet you require.

I agree with you fundamentally, though, Mark - it sounds like a NAT issue. NAT allows an internal (non-routable) IP to appear on the external IP address of the link; the NAT device looks after actually accepting incoming external packets destined for an internal machine and routing them to the appropriate internal address transparently.
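Here is a small Python model of what Cliptin, Will, P5-133XL and James are each describing: a firewall that remembers the flows it translates and lets the replies back in, a port forward that lets outside players reach the server, and the reason the external address does not work from inside the flat. It is an added example and not Smoothwall's code or configuration; the addresses and port number in it are made up. It also shows the usual fix, an extra source-NAT on hairpinned connections, which the thread did not get to.

```python
"""Toy model of a NAT firewall with connection tracking (added example, not Smoothwall code).
Constructed addresses: 203.0.113.7 is the firewall's external (RED) address, 192.168.0.1 its LAN
address, 192.168.0.10 the game server, 192.168.0.5 a player in the flat, 198.51.100.20 a player on
the Internet.  GAME_PORT is arbitrary.  Only 4-tuples are tracked, so TCP and UDP behave alike."""
from typing import Dict, NamedTuple, Optional

GAME_PORT = 28960

def is_inside(ip: str) -> bool:
    return ip.startswith("192.168.0.")

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    def reply(self) -> "Packet":
        return Packet(self.dst, self.dport, self.src, self.sport)

class Router:
    def __init__(self, ext_ip: str, int_ip: str, forwards: dict, hairpin_snat: bool = False):
        self.ext_ip, self.int_ip = ext_ip, int_ip
        self.forwards = forwards          # external port -> (server ip, server port)
        self.hairpin_snat = hairpin_snat  # extra SNAT for LAN clients that use the external IP
        self.conntrack: Dict[Packet, Packet] = {}  # expected reply tuple -> original packet
        self.next_port = 40000
    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the firewall, or None if it is dropped."""
        if pkt in self.conntrack:
            # Reply to a tracked flow: undo the translation ('remember the ports, let the reply in').
            return self.conntrack[pkt].reply()
        if pkt.dst == self.ext_ip and pkt.dport in self.forwards:
            srv_ip, srv_port = self.forwards[pkt.dport]
            out = Packet(pkt.src, pkt.sport, srv_ip, srv_port)           # plain DNAT
            if is_inside(pkt.src) and self.hairpin_snat:
                # Hairpin fix: rewrite the source too, so the server answers via the router.
                self.next_port += 1
                out = Packet(self.int_ip, self.next_port, srv_ip, srv_port)
        elif is_inside(pkt.src) and not is_inside(pkt.dst):
            self.next_port += 1
            out = Packet(self.ext_ip, self.next_port, pkt.dst, pkt.dport)  # masquerade
        else:
            return None  # unsolicited inbound with no forward rule: default deny
        self.conntrack[out.reply()] = pkt
        return out

class Host:
    def __init__(self, ip: str, listen_ports=()):
        self.ip, self.listening = ip, set(listen_ports)
        self.expect: Dict[int, tuple] = {}  # local port -> (peer ip, peer port) we dialled
    def connect(self, net: "Network", dst: str, dport: int) -> bool:
        sport = 50000 + len(self.expect)
        self.expect[sport] = (dst, dport)
        return net.send(Packet(self.ip, sport, dst, dport))
    def receive(self, net: "Network", pkt: Packet) -> bool:
        if pkt.dport in self.listening:      # server side: answer the query
            return net.send(pkt.reply())
        # Client side: the stack only accepts a reply that comes from the peer it dialled.
        return self.expect.get(pkt.dport) == (pkt.src, pkt.sport)

class Network:
    def __init__(self, router: Router, hosts):
        self.router, self.hosts = router, {h.ip: h for h in hosts}
    def send(self, pkt: Packet) -> bool:
        """Deliver pkt; True if the final recipient accepted it."""
        r = self.router
        if pkt.dst in (r.ext_ip, r.int_ip) or is_inside(pkt.src) != is_inside(pkt.dst):
            translated = r.forward(pkt)
            if translated is None:
                return False                 # dropped by the firewall
            pkt = translated
        # LAN-to-LAN traffic (including the server's direct reply to a player in the flat)
        # never passes through the router at all.
        host = self.hosts.get(pkt.dst)
        return host is not None and host.receive(self, pkt)

def build(hairpin_snat: bool = False):
    router = Router("203.0.113.7", "192.168.0.1", {GAME_PORT: ("192.168.0.10", GAME_PORT)}, hairpin_snat)
    hosts = [Host("192.168.0.10", {GAME_PORT}), Host("192.168.0.5"), Host("198.51.100.20", {27015})]
    return Network(router, hosts), hosts[1], hosts[2]   # network, inside player, outside player

def scenarios() -> Dict[str, bool]:
    net, inside, outside = build()
    results = {
        "outside player joins via external IP": outside.connect(net, "203.0.113.7", GAME_PORT),
        "inside player joins via LAN IP": inside.connect(net, "192.168.0.10", GAME_PORT),
        "inside player joins a game out on the Internet": inside.connect(net, "198.51.100.20", 27015),
        "outsider hits a port with no forward": outside.connect(net, "203.0.113.7", 27015),
        "inside player via external IP, no hairpin SNAT": inside.connect(net, "203.0.113.7", GAME_PORT),
    }
    net, inside, _ = build(hairpin_snat=True)
    results["inside player via external IP, with hairpin SNAT"] = inside.connect(net, "203.0.113.7", GAME_PORT)
    return results

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Without the hairpin SNAT the router rewrites only the destination, so the server sees the player's own LAN address and replies to it directly across the LAN; the player's stack was expecting an answer from the external address and port, so it discards the reply. That is the mismatch the last scenario fixes, and it is why everyone inside has to use the internal IP, as Will describes. On an iptables-based Linux firewall the forward is a PREROUTING DNAT rule and the fix is a POSTROUTING SNAT rule for LAN traffic already redirected to the server, for the constructed addresses above something like: iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.10 -p udp --dport 28960 -j SNAT --to-source 192.168.0.1 (this is an assumption about the setup, not a Smoothwall rule). A second common cause of the same symptom is a forward rule that matches only on the external interface; a LAN packet to the external address is then never translated at all and simply lands on the firewall itself.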
 