--- On Wed, 10/29/08, Jeremy Chadwick <[EMAIL PROTECTED]> wrote:
> From: Jeremy Chadwick <[EMAIL PROTECTED]>
> Subject: Re: Firewalls in FreeBSD?
> To: "Terry Sposato" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], "Polytropon" <[EMAIL PROTECTED]>, "Freebsd questions" 
> <freebsd-questions@freebsd.org>
> Date: Wednesday, October 29, 2008, 11:25 PM
> On Thu, Oct 30, 2008 at 01:36:58PM +1100, Terry Sposato
> wrote:
> > It is most likely caused by your ruleset not being
> stateful. If packets 
> > are going out certain sessions and your firewall
> isn't then allowing back 
> > in you would see the issue you are seeing. I am not
> sure how this is 
> > accomplished via ipfw as I use pf but there would be a
> tonne of 
> > documentation out there on how to make your rules
> stateful.
> Are you sure about that?  Read his statement once more:
> >>    For example, I load up a client (game) and it
> connects out on XYZ
> >>    port.  The server will send data back on ABC.
> I assume based on this, the following is happening:
> - 192.168.x.x:aaaaa sends packet to gameserver:xyz
> - NAT gateway translates packet (where "natgw" is
> a public WAN IP)
>   192.168.x.x:aaaaa <--> natgw:bbbbb <-->
> gameserver:xyz
> - gameserver sees packet to port xyz, and initiates new
> connection
>   to natgw:abc
> - NAT gateway drops packet destined to WAN IP port abc,
> because the
>   gameserver:abc connection is *new*, and does not relate
> to the
>   previous NAT'd gameserver:xyz connection.
> If this is **truly** how the protocol works (the OP will
> need to be
> absolutely 100% positive of that fact; I recommend he
> reconfirm how it
> works), then the only solution is to set up a port forward
> on the NAT
> gateway for port abc to point to 192.168.x.x.
> This also means that only one computer on the LAN will be
> capable of
> playing this game.  Not much one can do about that, other
> than write
> the authors of the game and explain that their protocol is
> absolutely
> disgusting.

Does the game support IPv6?  This may be a work-around for you, since you can 
get a relatively large chunk of IPs for free via any one of a number of tunnel 
brokers.  If possible, ask your IP provider if they provide native IPv6 
transport first.  A few do, in North America and Europe, and a surprising lot 
do in Asia, especially Japan and South Korea.  If you're on a North American 
consumer ISP, chances are a tunnel broker is your only option for v6 
connectivity, however.  

If the game doesn't support IPv6, however, then you are likely stuck with 
playing with port forwarding from the public routable address, however.  It 
stinks, so feel free to lobby your ISP, the game's designers, and any other 
involved parties, about supporting IPv6 connectivity.  

In essence, a problem like the one Mr. Chadwick is eluding to is one of the 
primary motivating forces behind the adoption of IPv6 to begin with.  

- mdh

freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to