[jhb_airlines] Re: Ports

  • From: "Paul Reynolds" <paul@xxxxxxxxxxxxxxxxxxx>
  • To: <jhb_airlines@xxxxxxxxxxxxx>
  • Date: Mon, 2 Oct 2006 01:51:50 +0100

Peter,

If I understand what you're asking then my belief is the multiplayer port
(23456) would only be used to connect directly, i.e. I gave you my IP address
and you linked to it directly.  I believe what we get with Pilot Club is
subtly different in that we connect to an external source which then tells
us (via port 16810) the IP addresses to "talk" to.  We then link directly to
them using port 16400.  It is the need to pass on the data from your machine
to those within flying range or monitoring you on radar that means we have
to open port 16400 for forwarding to the flying machine.  In other words,
the other pilots' machines send their data packets directly to your machine.
It is because of this that in the past there have been scare stories about
online services opening back doors to the system.

With your setup, having opened up the 16000 to 17000 range anything within
this range will be broadcast across the network and consequently may be used
by any machine.  If you wanted greater security then you could narrow down
the range of ports to only the specific ports required by Pilot Club.  My
understanding is that the only ports you need for PCF are:

15000 UDP for Voice,
16400 UDP for all multiplayer aircraft,
16810 TCP/IP for Traffic,
16830 TCP/IP for Weather.

If controlling then others may be needed, you'd need to check.

Consequently, you could restrict your open ports to the range 16400 to 16830
inclusive as well as 15000 for voice.  Alternatively just open the 4
individual ports.

In this respect, different router/modem combinations will give different
results.  Ideally you should restrict the open port list to minimum
necessary for you to do what you need to do, this provides the best
security.  Finding the combination that works for you is trial and error I'm
afraid.

The key issues are that information is not being blocked travelling back and
forth on the ports mentioned and specifically that any data sent to port
16400 is sent to your FS machine.  With NATs, AV, Anti-Spyware, Ad-aware,
and firewalls all potentially blocking data to or from the internet, the
range of ways we can be prevented from getting our machines talking to Pilot
Club and, through them, to each other is huge.  Hence the difficulties in
narrowing down the causes when someone can't connect, hear or see traffic.

Probably not the best/clearest explanation in the world but I hope it makes
sense.

Paul

PS. Remember, if you use the internet for alternative connections e.g. to
Rory's MP server or to connect to VATSim then they will also need ports open
and these may well be different to Pilot Club.  The principle is the same
though, restrict all ports unless you know you need them open.
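Added example (not part of Paul's message or the list archive): a small check that compares the broad 16000-17000 TCP/UDP "Service" described in the thread with one rule per service, using the four Pilot Club ports listed above. The Rule model and the two helper functions are my own construction; the port numbers are the ones given in the message.

```python
"""Compare a broad router firewall rule against a per-service Pilot Club rule set."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp" or "udp"
    first: int   # first port in the range
    last: int    # last port in the range (inclusive)

    def covers(self, proto: str, port: int) -> bool:
        return self.proto == proto and self.first <= port <= self.last


# Ports the thread lists as needed for Pilot Club when flying (not controlling).
REQUIRED = {
    ("udp", 15000),  # voice
    ("udp", 16400),  # multiplayer aircraft data (must reach the FS machine)
    ("tcp", 16810),  # traffic
    ("tcp", 16830),  # weather
}


def missing(rules, required=REQUIRED):
    """Required (proto, port) pairs that no rule in the set allows."""
    return {svc for svc in required if not any(r.covers(*svc) for r in rules)}


def exposed_extra(rules, required=REQUIRED):
    """Number of (proto, port) pairs the rules open beyond what is required."""
    opened = {(r.proto, p) for r in rules for p in range(r.first, r.last + 1)}
    return len(opened - required)


# The "Service" described in the thread: TCP and UDP, 16000-17000 (constructed).
BROAD = [Rule("tcp", 16000, 17000), Rule("udp", 16000, 17000)]
# Least-privilege equivalent: one single-port rule per required service.
MINIMAL = [Rule(proto, port, port) for proto, port in sorted(REQUIRED)]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("minimal", MINIMAL)):
        print(f"{name}: missing={sorted(missing(rules))} extra={exposed_extra(rules)}")
```

Running it shows the broad rule opens 1999 port/protocol pairs that Pilot Club does not use while still not covering UDP 15000 for voice, whereas the four single-port rules cover every listed service with nothing extra.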


-----Original Message-----
From: jhb_airlines-bounce@xxxxxxxxxxxxx
[mailto:jhb_airlines-bounce@xxxxxxxxxxxxx] On Behalf Of Peter Dodds
Sent: 02 October 2006 00:35
To: jhb_airlines@xxxxxxxxxxxxx
Cc: pdodds@xxxxxxxxxxxxx
Subject: [jhb_airlines] Re: Ports


Mike - you may be able to answer this one then.  My Zyxel 660H router has a
configurable NAT address table, which allows specific port ranges in, but will
only direct packets from that port or ports to a single identified LAN address
- 1 PC, whereas the Firewall is configured separately.  Its rules allow an
external source with known address to pass to a range of LAN addresses, using
a specific "service".  Some services are preconfigured, such as TCP on port 80
for HTTP, and some you configure yourself.

I have created a "Service" called Pilot Club with TCP/UDP and ports
16000-17000, accessible by all four of the networked PCs, because I entered a
range of LAN addresses to which the rule applies.  I also have some entries in
the NAT table for things like FS multiplayer (23456) directed to my FS PC -
although I often run FS on the laptop, for which the NAT setting for FS won't
apply as it has the "wrong" LAN address.  Nevertheless, my laptop works in
Multiplayer.  Consequently, I am coming to the view that NAT configuration is
unnecessary and it can all be done in Firewall rules.  Any comments?

(One day I'll understand all this networking stuff - my system works more by
accident than design!)

Peter