Jetico making me crazy.

Discussion in 'other firewalls' started by aigle, Feb 19, 2006.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You should disable UPnP. Make sure you have set Utorrent to use a fixed port. To verify,... run Utorrent,.. open Jetico "Applications" tab,.. find the Utorrent entry,... click the "+" sign next to Utorrent to open out the connections,... there should be a Utorrent entry for both "Listen" and "inbound connect",.. is the local port being used the same?, and both should be the same as the port settings you made in your rules.

    The log entry you have posted is for UDP,.. not inbound connections.

    Stem
     
  2. Thomas123

    Thomas123 Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    26
    Location:
    Hong Kong <-> New York City
    Ok. I have disabled UPnP and confirmed that utorrent is configured using a fixed port (16456) for incoming connections.

    And it is the screenshot when I started using utorrent to download a file.

    I don't see any inbound connections. :'(

    http://xs208.xs.to/xs208/06451/utorrent.JPG
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The pic does not help, as I cannot see what application is bound to port. (you may as well remove that pic from your post)
    The pic shows 2 "listen datagram"; are these both for Utorrent?

    The problem for me, is the fact I have set up using Utorrent+Jetico with no problems. So cannot understand why the inbound is not allowed, unless there are incorrect settings.
    What blocked inbound TCP "SYN" packets are showing in the log?
     
  4. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    Hello ... Stem. :D

    I've a little worry actually. I would like to open firewall for Nwn² but I don't know how I must setup correctly the rule.
    The ports are :

    Code:
    The following ports may need to be opened for GameSpy servers to see the game: 3658, 3659, 3660, 6500, 27900, 28910
    
    GameSpy Arcade may also need the following TCP ports open in order to function properly:
    
    - 6667 (IRC)
    - 3783 (Voice Chat Port) 
    - 27900 (Master Server UDP Heartbeat) 
    - 28900 (Master Server List Request) 
    - 29900 (GP Connection Manager) 
    - 29901 (GP Search Manager) 
    - 13139 (Custom UDP Pings) 
    - 6515 (Dplay UDP)
    - 6500 (Query Port)
    
    You will also need to open the server port (5121 by default) and the following port for the game stats to be updated correctly: 29920 (Gamestats Server)
    
    I'll tell you how it's happen when I launch the game and I accept ALL :

    Application
    Event the attacker is installing an interception of flue (hook)
    Attacker C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe
    Description Suspicious process activity



    Application C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe
    Event : the attacker is attacking from a hidden window
    Attacker C:\Program Files\Atari\Neverwinter Nights 2\nwn2.exe
    Description : Suspicious process activity



    Application C:\Program Files\Atari\Neverwinter Nights 2\NWN2Launcher.exe
    Event : access to network
    Protocole : any
    Description



    Application C:\Program Files\Atari\Neverwinter Nights 2\nwn2.exe
    Event : access to network
    Protocole : tout
    Description



    Application C:\Program Files\Atari\Neverwinter Nights 2\nwn2main.exe
    Event : access to network
    Protocole : any
    Description



    -------------------------------------------------------------------------------------------------------------

    After, the online ... When I want to play online and checking the server list, Jetico asks me for many "SEND DATA PROGRAM" of the port 5121 and some others. The application is nwn2main.exe .

    -------------------------------------------------------------------------------------------------------------

    So please, help me. XD

    I guess some ports are not necessary to only play the game through the internet. But I don't know what I should keep. I also don't know what I have to accept in the rules, what I must deny, what protocol I must apply, etc...
    So, if you could help me, little by little, to setup a good rule, that way I could play correctly. And yes, I've still Jetico.

    :-*
     
    Last edited: Nov 6, 2006
  5. Thomas123

    Thomas123 Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    26
    Location:
    Hong Kong <-> New York City
    utorrent was having these 16 connections in the picture. It means the "listen datagram" connections are for utorrent too. o_O :'(

    Here is the log when I used utorrent to download:

    11/6/2006 13:36:50.885 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 81.232.87.113 TTL: 64; TOS: 0; ID: 84B1; ICMP type: 3, code: 3
    11/6/2006 13:36:52.698 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 65.94.161.2 TTL: 64; TOS: 0; ID: 97B1; ICMP type: 3, code: 3
    11/6/2006 13:37:21.209 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 213.161.253.187 TTL: 64; TOS: 0; ID: F6B2; ICMP type: 3, code: 3
    11/6/2006 13:37:23.272 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 85.145.137.146 TTL: 64; TOS: 0; ID: 0FB3; ICMP type: 3, code: 3
    11/6/2006 13:37:36.491 reject Block All not Processed IP Packets 157 ICMP outgoing packet 192.168.0.101 60.26.70.161 TTL: 64; TOS: 0; ID: B2B3; ICMP type: 3, code: 3
    11/6/2006 13:37:46.375 reject Block All not Processed IP Packets 154 ICMP outgoing packet 192.168.0.101 76.171.255.188 TTL: 64; TOS: 0; ID: 25B4; ICMP type: 3, code: 3
    11/6/2006 13:38:00.125 reject Block All not Processed IP Packets 157 ICMP outgoing packet 192.168.0.101 220.157.145.131 TTL: 64; TOS: 0; ID: D2B4; ICMP type: 3, code: 3
    11/6/2006 13:38:15.036 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 217.77.133.68 TTL: 64; TOS: 0; ID: 8BB5; ICMP type: 3, code: 3
    11/6/2006 13:38:24.970 reject Block All not Processed IP Packets 154 ICMP outgoing packet 192.168.0.101 210.192.183.115 TTL: 64; TOS: 0; ID: 04B6; ICMP type: 3, code: 3
    11/6/2006 13:38:46.782 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 70.252.200.86 TTL: 64; TOS: 0; ID: 07B7; ICMP type: 3, code: 3
    11/6/2006 13:38:54.403 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 65.24.121.39 TTL: 64; TOS: 0; ID: 62B7; ICMP type: 3, code: 3
    11/6/2006 13:38:59.520 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 84.137.237.74 TTL: 64; TOS: 0; ID: A9B7; ICMP type: 3, code: 3
    11/6/2006 13:39:20.140 reject Block All not Processed IP Packets 154 ICMP outgoing packet 192.168.0.101 193.77.47.3 TTL: 64; TOS: 0; ID: 9EB8; ICMP type: 3, code: 3
    11/6/2006 13:39:44.855 reject Block All not Processed IP Packets 328 UDP incoming packet 0.0.0.0 255.255.255.255 68 67 TTL: 128; TOS: 0; ID: 0000
    11/6/2006 18:08:34.338 reject Block All not Processed IP Packets 40 IGMP outgoing packet 192.168.0.101 224.0.0.22 TTL: 1; TOS: 0; ID: 6000
    11/6/2006 18:08:35.179 reject Block All not Processed IP Packets 40 IGMP outgoing packet 192.168.0.101 224.0.0.22 TTL: 1; TOS: 0; ID: 6D00
    11/6/2006 18:43:30.672 reject Block All not Processed IP Packets 558 TCP incoming packet 202.67.195.200 192.168.0.101 80 2588 TTL: 48; TOS: 0; ID: 36BC; Don't fragment; TCP flags: FIN PSH ACK ; TCP Seq: DDE3476E
    11/6/2006 18:43:58.482 reject Block All not Processed IP Packets 558 TCP incoming packet 202.67.195.200 192.168.0.101 80 2588 TTL: 48; TOS: 0; ID: 38BC; Don't fragment; TCP flags: FIN PSH ACK ; TCP Seq: DDE3476E
     
    Last edited: Nov 6, 2006
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Taru

    Create rules for the main game to:-
    Allow outbound TCP local ports 1024-4999 remote ports 1024-30000
    Allow send datagrams local ports 1024-4999 remote ports 1024-30000

    This should allow all outbound for the program.

    The attack module can be a problem for games, as the games will set global hooks, and may inject their own processes, and open hidden window during full screen (these being blocked can cause the game to crash)

    For testing, and to check what is needed set an attack rule to "allow all" with logging, and place this at the top of the attack table,.. then run the game,... once it has run, you can check the logs to see what permissions are required for the game. This is not the best way to set this up,.. but is the easiest for you.
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Thomas123,

    From the logging you have posted, these are ICMP outbound messages to say that your port is unreachable, which means the inbound for Utorrent is going to a closed port (no application is on that port),.. This indicates that the Utorrent port settings must be different to the rules you have created.
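
The two checks Stem asks for in this thread (blocked inbound TCP "SYN" packets, and outbound ICMP type 3 code 3 replies) can be run mechanically over the reject log. This is an added example, not part of the original posts and not Jetico tooling: the field layout is inferred from the log lines posted above, four sample lines are copied from that log, and the last sample line is constructed (the address 203.0.113.5 and its SYN entry are assumptions).

```python
import re
from collections import Counter

# Field layout inferred from the reject log posted in this thread.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<verdict>\w+) (?P<rule>.+?) (?P<size>\d+) "
    r"(?P<proto>ICMP|IGMP|UDP|TCP) (?P<dir>incoming|outgoing) packet "
    r"(?P<src>\S+) (?P<dst>\S+)(?: (?P<sport>\d+) (?P<dport>\d+))? (?P<rest>TTL:.*)$"
)
ICMP_RE = re.compile(r"ICMP type: (\d+), code: (\d+)")
FLAGS_RE = re.compile(r"TCP flags: ([A-Z ]+);")

SAMPLE = [
    # Copied from the log posted above.
    "11/6/2006 13:36:50.885 reject Block All not Processed IP Packets 162 ICMP outgoing packet 192.168.0.101 81.232.87.113 TTL: 64; TOS: 0; ID: 84B1; ICMP type: 3, code: 3",
    "11/6/2006 13:37:36.491 reject Block All not Processed IP Packets 157 ICMP outgoing packet 192.168.0.101 60.26.70.161 TTL: 64; TOS: 0; ID: B2B3; ICMP type: 3, code: 3",
    "11/6/2006 13:39:44.855 reject Block All not Processed IP Packets 328 UDP incoming packet 0.0.0.0 255.255.255.255 68 67 TTL: 128; TOS: 0; ID: 0000",
    "11/6/2006 18:43:30.672 reject Block All not Processed IP Packets 558 TCP incoming packet 202.67.195.200 192.168.0.101 80 2588 TTL: 48; TOS: 0; ID: 36BC; Don't fragment; TCP flags: FIN PSH ACK ; TCP Seq: DDE3476E",
    # Constructed line: what a blocked inbound SYN to the fixed port would look like.
    "11/6/2006 18:50:00.000 reject Block All not Processed IP Packets 48 TCP incoming packet 203.0.113.5 192.168.0.101 51000 16456 TTL: 52; TOS: 0; ID: 1A2B; Don't fragment; TCP flags: SYN ; TCP Seq: 00000001",
]

def parse(line):
    """Split one log line into named fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    icmp = ICMP_RE.search(rec["rest"])
    rec["icmp"] = (int(icmp.group(1)), int(icmp.group(2))) if icmp else None
    flags = FLAGS_RE.search(rec["rest"])
    rec["flags"] = set(flags.group(1).split()) if flags else set()
    return rec

def classify(rec, listen_port):
    # Outgoing ICMP type 3 / code 3: this host answering "port unreachable",
    # i.e. traffic arrived for a port that no application was bound to.
    if rec["proto"] == "ICMP" and rec["dir"] == "outgoing" and rec["icmp"] == (3, 3):
        return "port-unreachable-reply"
    if rec["proto"] == "TCP" and rec["dir"] == "incoming":
        # A bare SYN to the client's fixed port is a peer trying to connect in.
        if rec["flags"] == {"SYN"} and rec["dport"] == str(listen_port):
            return "blocked-inbound-syn"
        return "other-tcp-in"
    return "other"

def summarize(lines, listen_port):
    """Count log lines per category for the given fixed listening port."""
    recs = [r for r in map(parse, lines) if r]
    return Counter(classify(r, listen_port) for r in recs)

if __name__ == "__main__":
    for kind, count in summarize(SAMPLE, 16456).items():
        print(f"{kind}: {count}")
```

A non-zero "blocked-inbound-syn" count means the firewall rule is dropping connections to the fixed port; only "port-unreachable-reply" entries, as in the posted log, mean nothing was listening on the port the traffic arrived at.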
     
  8. Thomas123

    Thomas123 Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    26
    Location:
    Hong Kong <-> New York City
    I have updated the log at 6:44 PM and added two events at the bottom of the log posted in #530

    o_O :'(

    I am sure I have been using the rules for utorrent posted in #525

    I will check my router if there is something wrong.
     
  9. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    Hi again Stem. :-*

    I must allow the main game accessing to the network too I guess ? For the Launcher and the nwn.exe also ?
    Btw, this rule doesn't work properly. For example when I enter my login and pass, the Jetico window appears :
    send data - TCP/IP - local port : any // remote port : 6121 + 204.50.199.12 (bioware site)
    receive data - TCP/IP - local port : 65535 + any // remote port : any + 204.50.199.12 (bioware site)
    I accepted them in the rules. But the real problem comes...
    I have to accept every "send data" even if I have put nwn2main.exe in handles as the rules...and there are many servers, so I've to accept them all or what can I do ? :p


    The first attack is about the flue and the hook, that I should block I guess, don't you think so ?
    The 2nd attack is nwn2.exe which attacks nwn2main.exe, should I accept it, as it's the same game even if it's not the same .exe ?

    Thanks.
     
    Last edited: Nov 6, 2006
  10. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Taru,
    The remote port range for the rules I posted, were to cover the port range that you included in your post#529. Just change this port range to suit. You can add rules to allow inbound as you need them (are you port forwarding these through a router?).

    The game will need to set a windows hook for the keyboard/mouse. Blocking this hook may cause problems,... but this is up to you.
    You should allow the game to attack its own applications.
     
  11. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    1° Everything works fine about the rules, I just don't understand why the Jetico's pop-ups don't stop spamming about nwn². I receive each server, I can play on them...but I receive mostly this window :

    "nwn2main.exe
    send data
    local port : any
    local address : any
    remote port : 5121 ( WHICH IS ACCEPTED IN YOUR RULES FFS !! ^^)
    remote address : 255.255.255.255"

    And so many times. I even created a rule for it only and it still appears so often.



    2° About Launch.exe and nwn.exe, should I accept their application for accessing to the network then ?
     
    Last edited: Nov 6, 2006
  12. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is a broadcast,... make a rule to block this for that application.

    They may need localhost comms,... so yes.
     
  13. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    Ok, I put "Block all other" rules at the end. It works.
    You meant this kind of rules ?

    Thank you btw. :D
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That's o.k. if your game is now running online o.k. If you start to have problems, set the blocking rule to "log", so you will know what is being blocked.
     
  15. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    Well, last question, I hope for you at least. :D

    The port range is secure enough or I should set each port I told in the post#529 and set them ?
    If I should set them for more security, the rule for each would be :

    Code:
    > Event | Protocol | Application | Local Port | Local Address | Remote Port | Remote Address
    
    Access to the network | Any | nwn2main.exe 
    Send data | TCP/IP | nwn2main.exe | 1024:4999 | any | the specific port | any
    outbound | TCP/IP | nwn2main.exe | 1024:4999 | any | the specific port | any
    ...
    ...
    Block All others
    right ?

    Ow, and I had to accept, in order to receive a data (when I give my login/pw) , the 65535 local port from the bioware site (so with an remote IP for the both even -send/receive-), is it ok ?^^
     
    Last edited: Nov 6, 2006
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    You can tighten the rules up if you want to,... the easiest way is to perform logging on the rules,.. log all the outbound TCP, then check what remote ports are being used,... then right click the outbound rule, and select "clone" (this makes a copy of the rule), then just edit the remote port. It can take a little time to create all the needed rules, but once done, you can move on to create the rules for UDP.

    Allowing inbound,.. this you should be careful with,... but, if you say this is from the game server,.. then it is probably needed,... so yes, create a rule, but as you say, place the remote IP within the rule.
     
  17. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    Thanks Stem, this time it works unlike uTorrent. :D About the port, I'll create a rule for nwn2main.exe application with each port I gave you in the post, I guess it'll work.
    About the allowing inbound...it's what you did with the rules you gave me 1024:4999 no ? :p And yes, for send data/receive data, I fixed an ip address, but there is more security to open the local port 65535 than "any" anyway, no ?
    Last question, only to check if you're really good xD :

    fwsrv.exe (Jetico application) wants to access network, should I accept ?
     
    Last edited: Nov 7, 2006
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    But in your later posts, you mentioned port numbers that were not in your original list
    NO, the rules I posted were to allow "outbound only"
    You could block this to see if this causes problems, some inbound may only be needed if you are a "server", and inviting others to connect into your PC
    Yes, (fwsrv.exe will only need "access to network", it does not require any outbound/inbound connections)
     
  19. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    I don't understand what you mean. In my original post there are the mentioned ports to be able to play correctly. I just put each port (#529) in the rules : remote port (mentioned in the post) for "allow outbound/send data" with local port 1024:4999.

    Yes, of course, but with a local port :
    >
    It's only needed during the identification when I enter my password/login. So I guess I'll let the rules :

    > send data / local port : any / remote port : 5121 / IP of the site (bioware)
    > receive data / local port : 65535 / remote port : any / IP of the site (bioware).

    If there is the IP, I guess there is no problem...right ? Should I put the remote port 5121 in "receive data" for more security then ?
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    But are all these ports used?, which port uses which protocol (TCP or UDP) and the post (592) does not include remote port 65535.
     
  21. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    You don't read me well Stem. :-*
    All these ports are used, yes. And my Jetico version doesn't care about TCP or UPD.
    About the port 65535 : it's a local port. It sends data to the 5121 remote port (mentioned in the ports I give #592) from the IP of bioware and I receive data to the 65535 local port from the same IP.

    Read the post I just write again (#542, 544), please. There are some questions important (like this one :

     
    Last edited: Nov 7, 2006
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, sorry, a slip of the keyboard,.. I meant the remote port (in the same post)

    What is UPD?
    Jetico will only allow as the rules have been made, be it TCP, UDP or whatever protocol,.. if Jetico is allowing all protocols through one rule then the rule is set that way,... to allow all.

    But the info keeps changing:
     
  23. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    Sorry I may had splited too.
    Just let start properly.

    Code:
    Remote port needed to play correctly
    
    3658-3660
    6500
    27900
    28910
    6667
    3783
    28900
    29900-29901
    13139
    6515
    6500
    5121
    29920
    
    These remote ports (not local then) must be in this kind of rule :

    Accept
    Application : nwn2main.exe (+access to network for this application)
    Event : Allow outbound connection
    Protocol : TCP/IP
    Local port : 1024:4999
    Local address : Any
    Remote port : Each port I just give in the code above.
    Remote address : Any

    Accept
    Application : nwn2main.exe
    Event : Send data
    Protocol : TCP/IP
    Local port : 1024:4999
    Local address : Any
    Remote port : Each port I just give in the code above.
    Remote address : Any
    At the end of the rule : Block all others.

    Is that right ? If there is something wrong, please quote and tell what I have to do by a precise example.

    -----------------------------------------------------------------------------------

    *Launcher.exe and nwn2.exe must be accepted to access to the network.
    *Nwn2main.exe attack must be accepted (hook).
    *Nwn2.exe attacking Nwn2main.exe must be accepted.

    Is that right ? If there is something wrong, please tell me by telling me an example and if possible with a quote.

    ------------------------------------------------------------------------------------

    During the authentication, when I enter login and password, 2 Jetico's windows pops up :

    Code:
    1°
    Application : nwn2main.exe
    Event : Send data
    Protocol : TCP/IP
    Local port : Any
    Local address : Any
    Remote port : 6121
    Remote address : 204.50.199.12 (nwn2master.bioware.com)
    
    2°
    Application : nwn2main.exe (+access to network for this application)
    Event : Receive data
    Protocol : TCP/IP
    Local port : 65535
    Local address : Any
    Remote port : Any
    Remote address : 204.50.199.12 (nwn2master.bioware.com)

    If I don't accept, the authentication fails. Is there enough security with this rule as there is an IP ? Why the local port for receive data is dangerous as you said ?
     
    Last edited: Nov 7, 2006
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Looks o.k.,.... but:
    The "event" would be:-
    outbound connection ( for TCP)
    Send datagram (for UDP)

     
  25. Taru

    Taru Registered Member

    Joined:
    Oct 28, 2006
    Posts:
    50
    Yes it is my bad, I forget "outbound connection", I also did it. I'll edit for more visibility. You can check again.
    Btw ...

    *How can I set for TCP or UDP ? With Jetico, I can only choose TCP/IP as protocol.
    *I don't need to set a specific local port for "allowing outbound connection/send data" then; 1024:4999 is enough ?

    --------------------------------------------------------------------------

    You know my english speaking ... :D So, if I understand right, open a local port only to receive data is not dangerous (-unlike "allowing inbound" -) and then the last rule I tell you in #548 is good; that's it ? :cool:




    Thanks, you are now my official best helper ! :-*
     