I found this to be rather interesting, and it explains a bit that I did not understand before. See my conclusion at the end. See my "aha!" comments at the end as well; I found this to be a very informative test, though admittedly not an exhaustive or necessarily definitive one.
Disclaimer. This was not an exhaustive test, and I may have jumped to some incorrect conclusions. Corrections and comments welcome.
5:36 PM 9/30/2004
Put PC into DMZ. Disable router firewall. Install Steam HLDS, no mods, run hldsupdatetool, verify all is current. Turn on firewall.
autoexec.cfg contains:
-----------------------
echo "--==*** Loading autoexec.cfg ***==--"
map subtransit
maxplayers 6
hostname "Ooks HLDS Port Test"
-----------------------
hlds command line is:
hlds -console -port 27013
Start hlds:
Firewall output
'HLDS Launcher' from your computer wants to send UDP datagram to half-life.speakeasy-nyc.hlauth.net [216.254.95.155], port 27012 27013 -> 27012
(Interestingly enough, it is connecting to port 27012 at the Steam auth servers. I guess that is not significant, since it's a remote port. Notice that it's using my local port 27013. This is an outgoing UDP connection, and does not require any rules that specify a remote port.)
Someone from evrtwa1.ar5-4.15.138.41.evertwa1.dsl-verizon.net [4.15.138.41], port 2783 wants to send UDP datagram to port 27013 owned by 'HLDS Launcher' on your computer 27013 <- 2783
(This is probably someone's server list pinging my server. I got a whole bunch of these until I created an incoming rule for this port, then they stopped because they all went into this port. Notice it's an incoming connection to my port 27013, which is the port I'm running the server on. My port 27013 absolutely must be open, or people won't be able to ping or join my server. Notice their port in the upper 2000 range; I believe this is a pseudo-random port, and it varied from connection to connection.)
Now, players try to connect to my server.
'HLDS Launcher' from your computer wants to connect to steam1.steampowered.com [207.173.177.11], port 27030 2902 -> 27030
(Notice my outgoing port is 2902. I believe this to be a pseudo-random port. Notice that port 27030 is a REMOTE TCP port.)
'HLDS Launcher' from your computer wants to connect to steam1.steampowered.com [207.173.177.11], port 27033 2916 -> 27033
(Again, notice what appears to be a pseudo-random port on my end. Again notice the REMOTE port 27033. This is also TCP.)
Conclusion: Right about now I had one of those defining "aha!" moments. It looks to me like ports 27020 (or so) to 27040 (or so) are REMOTE ports. Not local ports.
If I'm right, you don't forward these ports to your server, you create firewall rules that allow outgoing connections to this remote port, from any local port. You only forward local ports that hlds uses, and at no time did hlds use any local port in these higher ranges. Instead, it used a pseudo-random local port, and connected to this upper ranged port at the remote. The only local port that I saw that needed to be forwarded was 27013, the server primary port.
Am I right? Have we been misled all along when we were told to create rules forwarding ports 27020-27040 to our boxes? What I see indicates that hlds does not use this range locally, and to forward the ports would accomplish nothing as they are not used locally.
Final disclaimer. I'm sure someone else would like to do what I did and post their results; I'd be very interested in comparing results and seeing if I'm way off track, or if I'm on to something. Or if maybe I'm explaining what everyone else knew all along :-)
_______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
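As an added example (not part of the original post), the script below parses the four firewall lines quoted above and derives which ports were used locally versus remotely, which is the check the post's conclusion rests on. The parsing of the trailing "local -> remote" / "local <- remote" summary and the TCP/UDP guess from the wording ("UDP datagram" vs. "wants to connect") are my assumptions about this firewall's log format.

```python
import re

# The firewall log lines quoted in the post above (hosts and ports as written there).
LOG_LINES = [
    "'HLDS Launcher' from your computer wants to send UDP datagram to half-life.speakeasy-nyc.hlauth.net [216.254.95.155], port 27012 27013 -> 27012",
    "Someone from evrtwa1.ar5-4.15.138.41.evertwa1.dsl-verizon.net [4.15.138.41], port 2783 wants to send UDP datagram to port 27013 owned by 'HLDS Launcher' on your computer 27013 <- 2783",
    "'HLDS Launcher' from your computer wants to connect to steam1.steampowered.com [207.173.177.11], port 27030 2902 -> 27030",
    "'HLDS Launcher' from your computer wants to connect to steam1.steampowered.com [207.173.177.11], port 27033 2916 -> 27033",
]

# Assumed format: the firewall appends "local -> remote" (outbound) or "local <- remote" (inbound).
SUMMARY_RE = re.compile(r"(\d+) (->|<-) (\d+)\s*$")
HOST_RE = re.compile(r"\[(\d+\.\d+\.\d+\.\d+)\]")


def parse_event(line):
    """Split one log line into direction, protocol, local port, remote IP and remote port."""
    m = SUMMARY_RE.search(line)
    if not m:
        raise ValueError("no port summary found: " + line)
    local_port, arrow, remote_port = int(m.group(1)), m.group(2), int(m.group(3))
    proto = "UDP" if "UDP datagram" in line else "TCP"  # "wants to connect" lines are TCP
    host = HOST_RE.search(line)
    return {
        "direction": "out" if arrow == "->" else "in",
        "proto": proto,
        "local_port": local_port,
        "remote_ip": host.group(1) if host else None,
        "remote_port": remote_port,
    }


def derive_rules(lines):
    """Minimal rule set the observed traffic needs.

    inbound : (proto, local port) pairs that received traffic -> these are the ports to forward.
    outbound: (proto, remote port) pairs the server connected to, from any local port.
    """
    inbound, outbound = set(), set()
    for line in lines:
        ev = parse_event(line)
        if ev["direction"] == "in":
            inbound.add((ev["proto"], ev["local_port"]))
        else:
            outbound.add((ev["proto"], ev["remote_port"]))
    return inbound, outbound


def local_ports_in_range(lines, lo=27020, hi=27040):
    """Local ports inside [lo, hi] seen in the log; an empty set means none of them needs forwarding."""
    ports = {parse_event(line)["local_port"] for line in lines}
    return {p for p in ports if lo <= p <= hi}
```

Running `derive_rules(LOG_LINES)` yields a single inbound rule (UDP 27013) and outbound rules for remote ports 27012, 27030 and 27033, while `local_ports_in_range(LOG_LINES)` is empty.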

