Hello,

I'll try to host a RedAlert 2 game on my Windows machine behind a shorewall firewall but it won't work. I'll see a lot of these lines in the log :

Nov 17 22:53:01 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:bf:e1:08:47:00:10:67:00:f8:8e:08:00 SRC=80.56.33.125 DST=62.216.10.18 LEN=95 TOS=0x00 PREC=0x00 TTL=244 ID=3413 PROTO=UDP SPT=63082 DPT=1275 LEN=75

Why are the packets dropped ? Do I have to explicitly allow something ? Normally Red Alert should work behind a NAT router. Anybody got an idea ?

--
Regards,
Peter
--
What software license?
---
--- Do you have a Sony Digital video camera ?
--- Take a look at http://www.dvin.org
--- Also take a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org : 11 days, 0 hours and 32 minutes, 6 users logged in.

--On Sunday, November 17, 2002 11:20:45 PM +0100 Peter Lindeman <peter@lindeman.nl> wrote:

> Hello,
>
> I'll try to host a RedAlert 2 game on my Windows machine behind a
> shorewall firewall but it won't work. I'll see a lot of these lines in
> the log :
>
> Nov 17 22:53:01 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:50:bf:e1:08:47:00:10:67:00:f8:8e:08:00 SRC=80.56.33.125
> DST=62.216.10.18 LEN=95 TOS=0x00 PREC=0x00 TTL=244 ID=3413 PROTO=UDP
> SPT=63082 DPT=1275 LEN=75
>
> Why are the packets dropped ? Do I have to explicitly allow something ?

The packets are dropped because Shorewall is a FIREWALL!!!!! Yes, you have to explicitly do something -- you have to include DNAT rules for those incoming ports that the game needs and you need to forward those ports to the computer where you play the game.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep wrote:

>> I'll try to host a RedAlert 2 game on my Windows machine behind a
>> shorewall firewall but it won't work. I'll see a lot of these lines in
>> the log :
>>
>> Nov 17 22:53:01 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>> MAC=00:50:bf:e1:08:47:00:10:67:00:f8:8e:08:00 SRC=80.56.33.125
>> DST=62.216.10.18 LEN=95 TOS=0x00 PREC=0x00 TTL=244 ID=3413 PROTO=UDP
>> SPT=63082 DPT=1275 LEN=75
>>
>> Why are the packets dropped ? Do I have to explicitly allow something ?
>
> The packets are dropped because Shorewall is a FIREWALL!!!!! Yes, you

I understand that.

> have to explicitly do something -- you have to include DNAT rules for
> those incoming ports that the game needs and you need to forward those
> ports to the computer where you play the game.

Today I looked again and the problem only occurs with the above host. So without changing anything in Shorewall cfg I can host a game and play it online. So I do not understand why this happens. If I should open ports then I have to do that in general and not specifically for one host, right ? If anybody got an idea it would be appreciated.

--
Regards,
Peter
--
WinErr: 103 Error buffer overflow - Too many errors encountered. Additional errors may not be displayed or recorded.
---
--- Do you have a Sony Digital video camera ?
--- Take a look at http://www.dvin.org
--- Also take a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org: 12 days, 16 hours and 53 minutes, 4 users logged in.

--On Tuesday, November 19, 2002 03:42:05 PM +0100 Peter Lindeman <peter@lindeman.nl> wrote:

> Tom Eastep wrote:
>
>>> I'll try to host a RedAlert 2 game on my Windows machine behind a
>>> shorewall firewall but it won't work. I'll see a lot of these lines in
>>> the log :
>>>
>>> Nov 17 22:53:01 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
>>> MAC=00:50:bf:e1:08:47:00:10:67:00:f8:8e:08:00 SRC=80.56.33.125
>>> DST=62.216.10.18 LEN=95 TOS=0x00 PREC=0x00 TTL=244 ID=3413 PROTO=UDP
>>> SPT=63082 DPT=1275 LEN=75
>>>
>>> Why are the packets dropped ? Do I have to explicitly allow something ?
>>
>> The packets are dropped because Shorewall is a FIREWALL!!!!! Yes, you
>
> I understand that.
>
>> have to explicitly do something -- you have to include DNAT rules for
>> those incoming ports that the game needs and you need to forward those
>> ports to the computer where you play the game.
>
> Today I looked again and the problem only occurs with the above host. So
> without changing anything in Shorewall cfg I can host a game and play it
> online. So I do not understand why this happens. If I should open ports
> then I have to do that in general and not specifically for one host,
> right ? If anybody got an idea it would be appreciated.
>

You can restrict a rule to a particular remote host. Assuming that the game uses port 63082, the problem here is with replies from this particular host. It is most likely the case that connection tracking in your firewall is timing out before the reply appears. If that is the case, you can try:

DNAT net:80.56.33.125 loc:<game pc ip> udp - 63082

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net

Tom Eastep wrote:

>> Today I looked again and the problem only occurs with the above host. So
>> without changing anything in Shorewall cfg I can host a game and play it
>> online. So I do not understand why this happens. If I should open ports
>> then I have to do that in general and not specifically for one host,
>> right ? If anybody got an idea it would be appreciated.
>>
>
> You can restrict a rule to a particular remote host. Assuming that the game uses port 63082, the problem here is with replies from this particular host. It is most likely the case that connection tracking in your firewall is timing out before the reply appears. If that is the case, you can try:
>
> DNAT net:80.56.33.125 loc:<game pc ip> udp - 63082

So it is possible due to network errors that error occurs ? Going to try to make these rules, first trying to find out what ports are used by this game. Is it perhaps possible to set the timeout of connection tracking higher somewhere to see if that is the problem ?

--
Regards,
Peter
--
The port was not found.
---
--- Do you have a Sony Digital video camera ?
--- Take a look at http://www.dvin.org
--- Also take a look at http://www.lindeman.org
--- ICQ 22383596
--- Uptime lindeman.org: 12 days, 17 hours and 26 minutes, 5 users logged in.

--On Tuesday, November 19, 2002 4:14 PM +0100 Peter Lindeman <peter@lindeman.nl> wrote:

> So it is possible due to network errors that error occurs ?

Don't know.

> Going to try
> to make these rules, first trying to find out what ports are used by this
> game. Is it perhaps possible to set the timeout of connection tracking
> higher somewhere to see if that is the problem ?
>

Netfilter doesn't allow the timeouts to be adjusted.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://shorewall.sf.net
ICQ: #60745924 \ teastep@shorewall.net

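
Added example, not part of the thread and not Shorewall's own code: a small parser for the `Shorewall:<chain>:<disposition>:` log lines discussed above, which counts dropped flows and reports the destination ports whose drops all come from a single remote host, the situation Peter describes. Only the first sample line is from the thread; the other lines and all function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# First entry is the log line quoted in the thread; the rest are constructed samples.
SAMPLE_LOG = """\
Nov 17 22:53:01 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:bf:e1:08:47:00:10:67:00:f8:8e:08:00 SRC=80.56.33.125 DST=62.216.10.18 LEN=95 TOS=0x00 PREC=0x00 TTL=244 ID=3413 PROTO=UDP SPT=63082 DPT=1275 LEN=75
Nov 17 22:53:03 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=80.56.33.125 DST=62.216.10.18 LEN=95 TTL=244 ID=3414 PROTO=UDP SPT=63082 DPT=1275 LEN=75
Nov 17 22:54:10 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.7 DST=62.216.10.18 LEN=48 TTL=110 ID=911 PROTO=TCP SPT=4021 DPT=445 WINDOW=8192 SYN
Nov 17 22:54:12 server kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=62.216.10.18 LEN=48 TTL=108 ID=77 PROTO=TCP SPT=3310 DPT=445 WINDOW=8192 SYN
Nov 17 22:55:00 server kernel: eth0: link up
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[A-Z]+):(?P<rest>.*)$")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # value may be empty, as in "OUT= "

def parse_line(line):
    """Return the fields of one Shorewall log line as a dict, or None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m["chain"], "disposition": m["disposition"]}
    for key, value in FIELD.findall(m["rest"]):
        rec.setdefault(key, value)  # LEN occurs twice (IP, then UDP); keep the IP length
    return rec

def summarize_drops(log_text):
    """Count dropped packets per (source, protocol, source port, destination port)."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["disposition"] == "DROP" and "SRC" in rec:
            # ICMP entries carry no SPT/DPT, so default the ports to 0.
            key = (rec["SRC"], rec.get("PROTO", "?"),
                   int(rec.get("SPT", 0)), int(rec.get("DPT", 0)))
            flows[key] += 1
    return flows

def single_source_ports(flows):
    """Map (protocol, destination port) -> source, where only one remote host was dropped."""
    sources = defaultdict(set)
    for (src, proto, _spt, dpt) in flows:
        sources[(proto, dpt)].add(src)
    return {port: next(iter(s)) for port, s in sources.items() if len(s) == 1}

if __name__ == "__main__":
    for flow, count in summarize_drops(SAMPLE_LOG).items():
        print(count, flow)
    print(single_source_ports(SAMPLE_LOG and summarize_drops(SAMPLE_LOG)))
```

A port that shows up in `single_source_ports` is one where a rule restricted to that remote host would cover every logged drop; a port dropped from many sources, like the constructed TCP 445 entries, is ordinary unsolicited traffic.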