RE: RES: RE: RES: RE: RES: RE: Spooky filter problem! Tom?

  • From: "Mark Hippenstiel" <m.hippenstiel@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 12 Feb 2003 09:26:58 +0100

Well.. I would agree with others and say it's only a game(-server) why
bother. But since we are talking about a technical problem it's interesting
to find out what the problem is - at least to a certain extent.

You know enough about ISA to be aware that there are technical limitations
that btw apply to any firewall. So there's really no need to discuss if ISA
is suited for that kind of application. I would say it is. The problem lies
in the communication, I would advise you to look for articles from
firewalled CS users for instance on expert exchange.

If you only used CS to test for the availability of your HLDS, I would say
that this is not enough. The thread topic you choose implies that you assume
that the problem could be caused by an unknown bug in the filtering
mechanisms... I recommend that you get a port scanner and scan for all open
ports once from within your network and once from external. I bet there's a
port or two missing. Further you might want to have a closer look at
low-level network communications on the external machine to see what's
really happening.

And you could contact Valvesoftware (I believe it is) and ask if they can
provide you with more information.

It's like I said - if you don't know enough about the protocol being used
you're bound to test and try. It's a lot of work.

If I can help you in any other way let me know. Good Luck!
Mark

PS: Did you try to change the UDP filter properties? I would set SendReceive
for 'incoming' and ReceiveSend for 'outgoing'.

> -----Original Message-----
> From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
> Sent: Wednesday, February 12, 2003 4:10 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RES: RE: RES: RE: RES: RE: Spooky filter
> problem! Tom?
>
>
> http://www.ISAserver.org
>
>
> Mark,
>
> I've already created these rules (which allow HLDS's
> communications with game server announcers and other services).
>
> Yup, 60684 is a randomly assigned port, and 27015 is available on my
> external interface. The same issue happens even if I change HLDS's
> port from 27015 to 27016, for example.
>
> If I connect from my internal network with CS on my server's
> internal IP address, on port 27015, it works. If I connect
> from outside my firewall with CS on the external IP address
> on port 27015, it fails.
>
> What do you think? Let's leave it alone?? =)
>
> Tiago de Aviz
> -----------------------
> tiago@xxxxxxxxxxxxxxx
> www.softsell.com.br
> -----------------------
>
>
> -----Mensagem original-----
> De: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> Enviada em: terça-feira, 11 de fevereiro de 2003 17:29
> Para: [ISAserver.org Discussion List]
> Assunto: [isalist] RE: RES: RE: RES: RE: Spooky filter problem! Tom?
>
> Tiago,
>
> After a short search I found the following information:
>
>
> --- quote ---
> 7) I am behind a firewall.  What ports need to be opened for hlds?
>
> Incoming UDP to local destination 27015.
> Outgoing UDP to remote destination 27010, 27012.
> Outgoing TCP to remote destination 5273.
> Outgoing TCP to remote destination 7002.
> --- /quote ---
>
> The port 60684 that you mention is obviously used for ICMP
> messages and randomly assigned. By which means did you check
> for availability of the 27015 port? Using CS? From within
> your network? With a port scanner from an external machine?
>
>
> Mark
>
>
> > -----Original Message-----
> > From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
> > Sent: Tuesday, February 11, 2003 9:38 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RES: RE: RES: RE: Spooky filter problem! Tom?
> >
> > Sure, you got that right. It's like running an http Server.
> >
> > Here's what I did: I bound the application to my internal Interface,
> > published it, and created an IP Packet filter to allow connections to
> > this port. It's working, but on the wrong port. Instead of external
> > interface local port 27016 UDP, it's running on port 60684.
> >
> > On the internal interface, it runs on port 27016 as it should. This
> > only happens when I publish it.
> >
> > Well, I guess this is everything. If you need to know anything else,
> > at your orders!
> >
> >
> > Tiago de Aviz
> > -----------------------
> > tiago@xxxxxxxxxxxxxxx
> > www.softsell.com.br
> > -----------------------
> >
> >
> > -----Mensagem original-----
> > De: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > Enviada em: terça-feira, 11 de fevereiro de 2003 16:28
> > Para: [ISAserver.org Discussion List]
> > Assunto: [isalist] RE: RES: RE: Spooky filter problem! Tom?
> >
> > I did not follow the thread completely here. One thing that is to be
> > said is that Jim's right about the variable/dynamically assigned
> > ports, that would never function. But if I understood you right, there
> > is only one (server) port users can connect to, much like running a
> > http server, right?
> >
> > In this case you would have to make sure that your application only
> > binds to the internal interface. Further you would have to use server
> > publishing to make the port available on the external interface. And
> > you may have to define a packet filter to allow traffic to your
> > internal interface - but I'm not too sure about this last point. I
> > understand that this is a must when the "server" to be
> > published runs on the ISA box, but maybe Tom can help out here.
> >
> > You'd have to change service dependencies only if your application
> > does not support binding to a specific NIC. This way I got the
> > Shoutcast server to run - but you may experience other problems on a
> > higher level. E.g. if the protocol that is being used carries
> > connection information like IP addresses and the like for further
> > communication (in the way FTP does), every attempt will fail because
> > ISA will not be able to translate this. Well, you could write your own
> > application filter however :)
> >
> > Hope I could help
> > Mark
> >
> > > -----Original Message-----
> > > From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
> > > Sent: Tuesday, February 11, 2003 1:39 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RES: RE: Spooky filter problem!
> > >
> > > Finally!
> > >
> > > Mark, my application is running in my ISA Box. I can bind the
> > > application directly into the internal or external interface. One
> > > thing I could do: bind the application into my internal interface and
> > > publish it into my external interface?
> > >
> > > Now all that I'm doing is binding the application to my external
> > > interface and creating the IP Packet filters in order to allow
> > > connections to the application's port.
> > >
> > > Thanks for your reply!
> > >
> > > Tiago de Aviz
> > > -----------------------
> > > tiago@xxxxxxxxxxxxxxx
> > > www.softsell.com.br
> > > -----------------------
> > >
> > >
> > > -----Mensagem original-----
> > > De: Mark Hippenstiel [mailto:m.hippenstiel@xxxxxxxxxxxx]
> > > Enviada em: segunda-feira, 10 de fevereiro de 2003 18:14
> > > Para: [ISAserver.org Discussion List]
> > > Assunto: [isalist] RE: Spooky filter problem!
> > >
> > > Tiago,
> > >
> > > I re-read your original post. It seems to me what you are facing here
> > > is that your application comes up before ISA services start and it
> > > seems to claim the port(s) in question. Maybe you can see an error in
> > > the eventlog stating that server publishing failed.
> > >
> > > I had that once with the IIS FTP services, in a different setup - I
> > > could just not understand why FTP should be available with changing
> > > IP addresses without me running a script to change server publishing
> > > (remember that one Tom?). It took me ages to find out that FTP would
> > > claim the port and ISA would just "fail" there.
> > >
> > > I solved the problem by changing the dependencies of the services,
> > > making sure that any other "internet" service started *after* all ISA
> > > services.
> > >
> > > Maybe this helps,
> > > Mark
> > >
> > >
> > > > -----Original Message-----
> > > > From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
> > > > Sent: Sunday, February 09, 2003 12:19 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] Spooky filter problem!
> > > >
> > > > Hey folks,
> > > >
> > > > I'm running a Counter-Strike Server on my ISA machine. I allowed
> > > > Access to all the ports required by the service, inbound and outbound.
> > > > And I set the Server to run on port 27016 UDP. However, my external
> > > > users can only Access my Server on port 60684 (the game Server
> > > > announces itself to some online game-searching utilities). This port
> > > > doesn't change each time I restart the service.
> > > >
> > > > What is freakin' me out is that I didn't enable Access to this port! I
> > > > don't have any rule which allows Access to UDP port 60684 on my
> > > > external interface. However, if I, from the Internal Network here,
> > > > Access the game Server at port 27016 as it should, it Works!
> > > >
> > > > What is going on? Any ideas?
> > > >
> > > > Tiago de Aviz
> > > > -----------------------
> > > > tiago@xxxxxxxxxxxxxxx
> > > > www.softsell.com.br
> > > > -----------------------
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Exchange Server Resource Site: http://www.msexchange.org/
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List
> > > > as: mark@xxxxxxxxxxxx To unsubscribe send a blank email to
> > > > $subst('Email.Unsub')