RES: RE: RES: RE: RES: RE: Spooky filter problem! Tom?

  • From: "Tiago de Aviz" <Tiago@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 12 Feb 2003 00:10:05 -0300

Mark,

I've already created these rules (which allow HLDS's communications with game 
server announcers and other services). 

Yup, 60684 is a randomly assigned port, and 27015 is available on my external
interface. The same issue happens even if I change HLDS's port from 27015 to
27016, for example.

If I connect from my internal network with CS on my server's internal IP 
address, on port 27015, it works. If I connect from outside my firewall with CS 
on the external IP address on port 27015, it fails.

What do you think? Let's leave it alone?? =)

Tiago de Aviz
-----------------------
tiago@xxxxxxxxxxxxxxx
www.softsell.com.br
-----------------------


-----Original Message-----
From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx] 
Sent: Tuesday, February 11, 2003 17:29
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: RES: RE: Spooky filter problem! Tom?

http://www.ISAserver.org


Tiago,

After a short search I found the following information:


--- quote ---
7) I am behind a firewall.  What ports need to be opened for hlds?

Incoming UDP to local destination 27015.
Outgoing UDP to remote destination 27010, 27012.
Outgoing TCP to remote destination 5273.
Outgoing TCP to remote destination 7002.
--- /quote ---

The port 60684 that you mention is obviously used for ICMP messages and
randomly assigned. By which means did you check for availability of the 27015
port?? Using CS? From within your network? With a port scanner from an
external machine?


Mark


> -----Original Message-----
> From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
> Sent: Tuesday, February 11, 2003 9:38 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RES: RE: RES: RE: Spooky filter problem! Tom?
>
>
> Sure, you got that right. It's like running an http Server.
>
> Here's what I did: I bound the application to my internal
> Interface, published it, and created an IP Packet filter to
> allow connections to this port. It's working, but on the
> wrong port. Instead of external interface local port 27016
> UDP, it's running on port 60684.
>
> On the internal interface, it runs on port 27016 as it
> should. This only happens when I publish it.
>
> Well, I guess this is everything. If you need to know
> anything else, at your orders!
>
>
> Tiago de Aviz
> -----------------------
> tiago@xxxxxxxxxxxxxxx
> www.softsell.com.br
> -----------------------
>
>
> -----Original Message-----
> From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> Sent: Tuesday, February 11, 2003 16:28
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RES: RE: Spooky filter problem! Tom?
>
> I did not follow the thread completely here. One thing that
> is to be said is that Jim's right about the
> variable/dynamically assigned ports, that would never
> function. But if I understood you right, there is only one
> (server) port users can connect to, much like running a http
> server, right?
>
> In this case you would have to make sure that your
> application only binds to the internal interface. Further
> you would have to use server publishing to make the port
> available on the external interface. And you may have to
> define a packet filter to allow traffic to your internal
> interface - but I'm not too sure about this last point. I
> understand that this is a must when the "server" to be
> published runs on the ISA box, but maybe Tom can help out here.
>
> You'd have to change service dependencies only if your
> application does not support binding to a specific NIC. This
> way I got the Shoutcast server to run - but you may
> experience other problems on a higher level. E.g. if the
> protocol that is being used carries connection information
> like IP addresses and the like for further communication (in
> the way FTP does), every attempt will fail because ISA will
> not be able to translate this. Well, you could write your own
> application filter however :)
>
> Hope I could help
> Mark
>
> > -----Original Message-----
> > From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
> > Sent: Tuesday, February 11, 2003 1:39 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RES: RE: Spooky filter problem!
> >
> >
> > Finally!
> >
> > Mark, my application is running in my ISA Box. I can bind the
> > application directly into the internal or external interface. One
> > thing I could do: bind the application into my internal interface and
> > publish it into my external interface?
> >
> > Now all that I'm doing is binding the application to my external
> > interface and creating the IP Packet filters in order to allow
> > connections to the application's port.
> >
> > Thanks for your reply!
> >
> > Tiago de Aviz
> > -----------------------
> > tiago@xxxxxxxxxxxxxxx
> > www.softsell.com.br
> > -----------------------
> >
> >
> > -----Original Message-----
> > From: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > Sent: Monday, February 10, 2003 18:14
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Spooky filter problem!
> >
> > Tiago,
> >
> > I re-read your original post. It seems to me what you are facing here
> > is that your application comes up before ISA services start and it
> > seems to claim the port(s) in question. Maybe you can see an error in
> > the eventlog stating that server publishing failed.
> >
> > I had that once with the IIS FTP services, in a different setup - I
> > could just not understand why FTP should be available with changing
> > IP addresses without me running a script to change server publishing
> > (remember that one Tom?). It took me ages to find out that FTP would
> > claim the port and ISA would just "fail" there.
> >
> > I solved the problem by changing the dependencies of the services,
> > making sure that any other "internet" service started *after* all ISA
> > services.
> >
> > Maybe this helps,
> > Mark
> >
> >
> > > -----Original Message-----
> > > From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
> > > Sent: Sunday, February 09, 2003 12:19 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Spooky filter problem!
> > >
> > >
> > > Hey folks,
> > >
> > > I'm running a Counter-Strike Server on my ISA machine. I allowed
> > > Access to all the ports required by the service, inbound and outbound.
> > > And I set the Server to run on port 27016 UDP. However, my external
> > > users can only Access my Server on port 60684 (the game Server
> > > announces itself to some online game-searching utilities). This port
> > > doesn't change each time I restart the service.
> > >
> > > What is freakin' me out is that I didn't enable Access to this port! I
> > > don't have any rule which allows Access to UDP port 60684 on my
> > > external interface. However, if I, from the Internal Network here,
> > > Access the game Server at port 27016 as it should, it Works!
> > >
> > > What is going on? Any ideas?
> > >
> > > Tiago de Aviz
> > > -----------------------
> > > tiago@xxxxxxxxxxxxxxx
> > > www.softsell.com.br
> > > -----------------------
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Exchange Server Resource Site: http://www.msexchange.org/
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> > > as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to
> > > $subst('Email.Unsub')
> > >
>
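
The bind-order problem discussed in this thread (an application claiming the port before the publishing listener can) and the bind-to-the-internal-interface fix, as an added example that is not part of the thread and is not ISA Server code. It assumes a Linux host where 127.0.0.1 and 127.0.0.2 stand in for the internal and external interfaces; `udp_bind` and `publish_probe` are hypothetical helpers.

```python
import socket

INTERNAL = "127.0.0.1"   # stand-in for the internal NIC (assumption)
EXTERNAL = "127.0.0.2"   # stand-in for the external NIC (assumption, Linux loopback)

def udp_bind(addr, port):
    """Bind a UDP socket; return it, or None if the port is already claimed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(2)
    try:
        s.bind((addr, port))
    except OSError:
        s.close()
        return None
    return s

def publish_probe(app_bind_addr):
    """Start the 'game server' first on app_bind_addr, then let the
    'firewall' try to claim EXTERNAL:port and relay one probe inward.
    Returns (listener_bound, (reply, reply_came_from_published_port))."""
    app = udp_bind(app_bind_addr, 0)
    port = app.getsockname()[1]            # port the application actually got
    fw = udp_bind(EXTERNAL, port)          # publishing listener, started second
    if fw is None:                         # app already holds the port on every NIC
        app.close()
        return (False, None)
    client = udp_bind(EXTERNAL, 0)         # outside client, random source port
    client.sendto(b"probe", (EXTERNAL, port))
    data, peer = fw.recvfrom(64)           # arrives on the published port
    fw.sendto(data, (INTERNAL, port))      # relayed to the internal binding
    data, fw_src = app.recvfrom(64)
    app.sendto(b"pong:" + data, fw_src)    # server answers the relay
    data, _ = fw.recvfrom(64)
    fw.sendto(data, peer)                  # reply leaves from the published port
    reply, src = client.recvfrom(64)
    for s in (app, fw, client):
        s.close()
    return (True, (reply, src[1] == port))

if __name__ == "__main__":
    print("wildcard bind :", publish_probe("0.0.0.0"))
    print("internal only :", publish_probe(INTERNAL))
```

With the wildcard bind the listener cannot claim the port at all; with the internal-only bind the outside client is answered from the same port number it probed.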
