Kerio and a game Connection

Discussion in 'other firewalls' started by FireDancer, Aug 19, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi All

    I'm running Kerio 2.1.5 and my firewall is all set up great but I am having a problem determining how to set up a game I play (Diablo II). It seems that the game is wanting 2 different connections: one to log in to the battle.net server
    and then another to create a game once logged into the server.

    I made my first rule this:

    TCP outbound local 1024-5000 remote any port 6112

    The first rule seems to be fine and dandy and consistent to port 6112, but the real problem that I see is that once I am logged in to their server, to be able to play you have to create a game, which seems to dump you to another server (I assume whatever is available) and I cannot determine a permanent port address that it might connect me to.

    Is there any way to solve this or a particular way to write the rule so I don't have a rule that is wide open? Or 25 different rules!!! LOL. I would like to control the rule and keep it tight. Any help would be greatly appreciated.

    Regards,
    FireDancer :D
     
  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    While I am strict about system rules, gaming rules are another matter as they don't traditionally have all these exploits. So I actually suggest you make a bi-directional rule allowing the protocols it requires with no restrictions.

    You contact many servers, and on different ports. However one thing remains consistent: it always uses 6112 inbound if you're hosting. If you really want to secure it, find the ports it uses outbound, then permit those to any address, and make an inbound rule to 6112 for when you're hosting.

    Seriously, it's not a huge security risk giving a game full access in and out. It's not like an HTTP server where they can access your files, and Kerio won't allow packets unless it's listening on that port anyway. :cool:
     
  3. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi BlitzenZeus,

    Thanks for the reply. I did a Google search last night on "port 6112"
    and came up with a hit for battle.net port 6112. I found some recommendations at their site concerning firewalls and this is what I came up with.

    Diablo II:

    * Allow port 6112 TCP out and allow established sessions in
    * Allow port 4000 TCP out (realm games)
    * Allow port 4000 TCP out and in (hosting open games only)

    With this in mind I made a rule that looks like this. Can you please tell me if I made the rule properly?

    DiabloII TCP out local 1024-5000 any, remote address any (list of ports) 4000,6112.

    It states that I would need to allow TCP port 4000 in/out for (hosting only), so I did not make a rule for hosting purposes as I do not at any time host, I just create through their realm. Before posting this back to you I set up the rule as you see it and tested it. The rule works the way it is set up, giving me control of what ports on the local end they are allowed access to and on the remote end what they are allowed to connect to. It gives me a little bit better feeling of control and rule setting as far as an understanding of what rules I am writing and why.

    In a previous post you alluded to the fact that research is a very important part of learning and understanding and I have seen that now, as I was being lazy and was just hoping for the answers.
    I apologize deeply for that as it is not my normal way of thinking; I was just being impatient. I only hope that my search served me well and I understood it completely.

    Your expertise is greatly appreciated.

    Very best regards,
    FireDancer
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    I do have a copy of the game here although I don't have it installed right now, but if that configuration works use it since it sounds like you got it figured out. If the game doesn't crash when trying this, you could always minimize the program and check in the network status for what ports it's currently using.

    BTW, I don't remember what we did for your ICMP, but make sure you allow ICMP 3 inbound. If you don't, it's possible that your computer could sit there waiting for packets that will never come back, and the ICMP packet was there to tell it there was no listening port.
    Example ICMP Configuration

    When it comes to system rules, actual services like the always-listening Windows servers which are being exploited every minute while the same program is also listening for the time sync server response, I am very strict, but after making configurations for many games, it all comes down to them being 95% very clean applications which don't have all these exploits found in other software. However in most cases, using a rule with any remote address and the ports you have found it uses is all you need, except for a hosting rule, in which case they usually only host on one port anyway. Unlike IM and browser programs, games have very simple configurations.
     
  5. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi BlitzenZeus,

    No, the game did not crash out, and let me log in and create as many (realm games) as I wanted with no problems. But I will take your advice and use Port Explorer to double check if in fact they are using what I have determined in my rules. As far as my Ping command, I do have ICMP inbound 3 allowed. See JPEG below. I will post back a bit later with any results from PE if in fact I find something other than what was specified. Again thank you for your input.

    Your advice is greatly appreciated :)


    Regards,
    FireDancer
     

    Attached Files: Ping.jpg
  6. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    I’ve always blocked ALL incoming ICMP Protocol (Type: 0-255 | Code: 0-255) and I never ever encountered any anomalies with Clients/Server Applications & Games delaying or freezing because of it.

    Well, okay, except for the obvious ping, tracert and so on; there are even TCP/UDP port scanners which use ICMP packets to verify the machine exists before attempting to scan.

    The idea of authorizing ICMP packets without Stateful Packet Inspection Technology is just ridiculous. For example, if you were on IRC and someone wanted to wipe you out, the first thing they would do is send ICMP flood packets with some of the common types (… 3, 8, 11…). With a Software Firewall allowing these you can be considered history in a shorter time, with your machine taking action (in reference to reading and not replying) on these flood packets and all, and with ICMPs being so regular, people make ICMP rules and disable the warning flag to avoid annoying notifications, and when they are being attacked these people are stumped how they are being flooded and they can't see a damn thing…

    Make a rule to allow ICMP Ping reply and you think you are safe (in reference to blocking ALL malicious packets)? Nope, easily one can send flood packets to that machine in through your Software Firewall without even the slightest notification because of silly rules like those for ICMP… ;)
     
  7. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Phant0m, I've had games crash, yes crash, because I was blocking inbound ICMP 3. Once I allowed them, the game ran as it should, but before that it wasn't getting the ICMP 3 closed response for UDP ports, which was causing the problem.

    Just who is going to flood your machine? If they are going to flood the machine, they will, and it won't matter if you block them or not since they will eat up your inbound bandwidth anyway.

    BTW, please tell me with his configuration, how is it going to reply to icmp packets? He's not even pingable right now.

    You're just paranoid about ICMP; there is a difference between being prepared and paranoid. You're over-prepared :D
     
  8. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    FireDancer, you're allowing ICMP 3 outbound; this is something you shouldn't do.

    Kerio already shows you which programs are listening on which ports in the firewall status; it's a built-in feature, and it seems you have it under control :)
     
  9. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Your machine must have not been properly maintained which gave you the impression blocking ICMPs was the cause of your issue…

    I would be a fool to add fuel to the fire, and when creating these ICMP rules this is exactly what you're doing; you create these rules and you'll be taken out in a shorter time than you would if you were blocking.

    There are various reasons why creating rules to allow Incoming ICMP’s is a bad idea, but I’ll let you figure it out on your own…

    Enjoy
     
  10. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    It was something the program was depending on, and you're just generalizing where you shouldn't, aka assuming...

    Humm... After years of using similar rules, although not exactly the same as his configuration, I haven't had any problems, even with playing online games, except for blocking inbound ICMP 3, which was actually needed to show that a server wasn't taking new people anymore when it was on the current list of open games.

    If you're wondering, I am aware of almost all current ICMP exploits, and you have to have a balance of functionality along with security when dealing with certain things.
     
  11. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,

    Are you saying that my rules are good and only need a little adjustment as to outbound ICMP 3? If so I would think that my outbound rule would need to be changed to 0, 8
    instead of 0, 3, and 8. Am I correct? I will go back and re-read the post more thoroughly, as I believe you said this should be possible to make the rule and have it NOT affect my game.

    FireDancer
     
  12. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Correct, only change your outbound ICMP to 0 and 8. Everything else seems like it's working fine for you, and this will not affect your games by blocking it outbound.

    Normally these are only sent to your DNS server because you can't reach an address in a stealth configuration, and using your hosts file or ad-blocking software can even cause these packets. Otherwise they would be used to send UDP closed response packets, which is their main use. If the logs bother you, make a rule to block just ICMP 3 outbound above your ICMP block-all rule, but don't make it logging.
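    The rule list this thread settles on (the DiabloII TCP rule from post 3, inbound ICMP 3 permitted, outbound ICMP limited to 0 and 8, and a quiet deny for outbound ICMP 3 placed above the logging block-all) can be checked with a small first-match evaluator. The code below is an added example written for this page, not code from the thread or from Kerio; the rule names, the sample packets and the "unmatched packet is denied" default are all assumptions made here (Kerio 2.x actually prompts for unmatched traffic, which is not modelled).

```python
# Added example, not code from the thread or from Kerio: a first-match
# evaluator for an ordered personal-firewall rule list. Rule names and sample
# packets are constructed here; unmatched packets are simply denied.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                    # "permit" or "deny"
    protocol: str                                  # "tcp", "udp" or "icmp"
    direction: str                                 # "in", "out" or "both"
    local_ports: Optional[Tuple[int, int]] = None  # inclusive range; None = any
    remote_ports: Optional[frozenset] = None       # explicit port list; None = any
    icmp_types: Optional[frozenset] = None         # ICMP types; None = any
    log: bool = True                               # whether a hit is logged


@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str                # "in" or "out" from the PC's point of view
    local_port: int = 0
    remote_port: int = 0
    icmp_type: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the packet falls within every field the rule constrains."""
    if rule.protocol != pkt.protocol:
        return False
    if rule.direction not in ("both", pkt.direction):
        return False
    if rule.protocol == "icmp":
        return rule.icmp_types is None or pkt.icmp_type in rule.icmp_types
    if rule.local_ports is not None:
        lo, hi = rule.local_ports
        if not lo <= pkt.local_port <= hi:
            return False
    if rule.remote_ports is not None and pkt.remote_port not in rule.remote_ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, bool]:
    """Walk the list top to bottom; the FIRST matching rule decides.
    Returns (action, rule name, logged). Unmatched packets are denied here."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name, rule.log
    return "deny", "<default>", True


# The thread's final configuration. Order matters: the quiet deny for
# outbound ICMP 3 must sit ABOVE the logging block-all or it never matches.
GAME_RULES: List[Rule] = [
    Rule("DiabloII", "permit", "tcp", "out",
         local_ports=(1024, 5000), remote_ports=frozenset({4000, 6112})),
    Rule("ICMP in: destination unreachable", "permit", "icmp", "in",
         icmp_types=frozenset({3})),
    Rule("ICMP out: echo reply + request", "permit", "icmp", "out",
         icmp_types=frozenset({0, 8})),
    Rule("ICMP out: dest unreachable (quiet)", "deny", "icmp", "out",
         icmp_types=frozenset({3}), log=False),
    Rule("ICMP block all", "deny", "icmp", "both", log=True),
]


def quiet_rule_below_block_all() -> List[Rule]:
    """The misordering ('needs to be up one more'): with the quiet deny under
    the block-all, outbound ICMP 3 is still denied but now fills the log."""
    rules = list(GAME_RULES)
    rules[-1], rules[-2] = rules[-2], rules[-1]
    return rules


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Human-readable verdict for one packet."""
    action, name, logged = evaluate(rules, pkt)
    return f"{action:6} by {name!r}{' [logged]' if logged else ''}"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Packet("tcp", "out", local_port=1031, remote_port=6112),  # battle.net login
        Packet("tcp", "out", local_port=1040, remote_port=4000),  # realm game server
        Packet("tcp", "in", local_port=6112, remote_port=2500),   # inbound to 6112 (not hosting)
        Packet("icmp", "in", icmp_type=3),                        # UDP port closed reply
        Packet("icmp", "in", icmp_type=8),                        # inbound ping
        Packet("icmp", "out", icmp_type=3),                       # our own unreachable
    ]
    for p in samples:
        print(p, "->", decide(GAME_RULES, p))
    print("misordered:", decide(quiet_rule_below_block_all(), samples[-1]))
```

    Running it shows the two game connections (6112 and 4000, any remote address) permitted by the single DiabloII rule, an inbound connection to 6112 falling through to the default because no hosting rule exists, inbound ICMP 3 arriving as the thread requires, and outbound ICMP 3 denied quietly in the correct order but denied with a log entry once the quiet rule slips below the block-all.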
     
  13. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,

    Thank you for clarifying that; I believe I now understand how ICMP 3 works. Here is how the rules look now.
    BTW *WTF* is that stupid little sign that Phantom has up?
    "your ISP is blah blah and you're using blah for a browser"?

    Thanks again for your help with understanding the rules for ICMP. I believe I do have it under control :) but I could be wrong and there's always room for improvement :)

    EDIT: whoops, that rule needs to be up one more :)

    Regards,
    FireDancer
     

  14. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hehehehe need to move it up one !!!!

    Firedancer
     

  15. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    You got it.

    Not a big deal, but you can edit your attachments. Don't worry about it now, just remember next time. :cool:

    About that image in Phantom's sig, it gets its data from:
    - Your IP address, which you must send to ask for something unless your communications are proxied.
    - Your browser sends out what is called a user-agent to sites; some sites actually use the data, like Windows Update, and that does contain a short tag which can be used to find your OS.

    It's things like this that bother some people when it's mostly just harmless data, and blocking it can cause problems with sites also if you use any privacy software that does this. Some things try to scare you about what they know about your connection with data like this; it's basically harmless.
     
  16. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    BlitzenZeus,


    All works well with the new rules concerning ICMP,
    I am not experiencing any crashes concerning the game,
    Thanks for the input and the help

    Very Best Regards,
    FireDancer
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Though there’s no real Software Security threat in allowing ICMP “Echo Reply”, "Time Exceeded for a Datagram" and even "Destination Unreachable" inbound, it’s just the idea of the remote end being capable of sending malicious stuff in through your Software Firewall and normally not even being seen. And you have to consider these inbounds get read by the system, and it wouldn’t take much effort to send flood packets to overwhelm one's system and Internet performance. With a Software Firewall blocking these you can withstand a much greater amount, and anyone who IRCs or hangs out elsewhere where their IP information is pretty much given to the world would most likely be concerned in this area.

    For me it’s not the Software Security I’m concerned about, it’s the idea of having the Control to Detect and Block all malicious packets. Sit back and Laugh at the lamer attempts, but obviously not everyone works like I do which is okay of course…

    Thanks FireDancer!

    I’m glad you like; I gave you a Karma cookie earlier today for that. :D

    Now you enjoy it okay? ;)
     