If you have configured your firewall rules correctly, then it's generally
safe to assume that iptables is doing its job. You should create rules
to allow specific protocols on specific ports and set the default policy
on your input chain to DROP. If you really want to test it, you can use
nmap with various combinations of options to run different tests against it.
- Dave
Daniel Nilsson wrote:
> Have followed your suggestion. Have also installed denyhost. How can I
> test my ports and security?
>
> //Daniel
>
> David A. Parker skrev:
>> Why lock down those ports to specific master server or update server
>> IPs? That really ties your hands if a server goes down or Valve decides
>> to change an IP address.
>>
>> Master server traffic is UDP, but I think downloading updates is done
>> over TCP. I have iptables rules on my game servers to allow the
>> following in and drop everything else:
>>
>> TCP 27015 (for rcon)
>> UDP 1200
>> UDP 27000-27015
>>
>> ICMP echo-request
>> ICMP echo-reply
>> ICMP destination-unreachable
>> ICMP time-exceeded
>>
>> TCP ESTABLISHED/RELATED
>> UDP ESTABLISHED/RELATED
>>
>> I don't block any outgoing traffic on these servers. This setup works
>> very well for me and I never seem to have any connectivity problems.
>>
>> - Dave
>>
>> Daniel Nilsson wrote:
>>
>>> I'm in the process of securing my Debian box with some well formatted lines
>>> of rules. What I would like to do is the following.
>>>
>>> 1. Block everything in and out
>>> 2. Allow needed things in and out.
>>>
>>> Atm I'm allowing UDP connections to my server for my clients. TCP
>>> connections are only allowed if the source is correct (for the stats and
>>> some more).
>>>
>>> But I have some problems. Update will not work, nor will the connection to
>>> the master server.
>>>
>>> So the question is: what IPs do those update/master servers have?
>>> And what ports do I need to open up so my server can be updated and
>>> connect to the master/update server?
>>> VAC server IP?
>>> And also, are those IPs TCP or UDP?
>>> More IPs I need to open up against?
>>>
>>> //Daniel
>>
>
>
--
Dave Parker
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
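The ruleset Dave describes above (default DROP on INPUT, rcon on TCP 27015, UDP 1200 and 27000-27015, the four ICMP types, ESTABLISHED/RELATED replies, outgoing traffic left open), written out as an added example that is not code from the thread. It prints the iptables commands so they can be reviewed before being applied; the function name, the INPUT flush and the loopback accept are my assumptions, not something the posts mention.

```shell
#!/bin/sh
# hlds_fw_rules: emit the iptables commands for the policy described in the
# thread. Review the output first, then apply with:  hlds_fw_rules | sudo sh
hlds_fw_rules() {
    # Start from a clean INPUT chain and a deny-by-default posture (flush is an
    # assumption; the thread only says "drop everything else").
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Dave does not filter outgoing traffic on these servers.
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback is an assumption: local services break without it.
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Replies to connections the server opened itself. This is what lets
    # update downloads (TCP) and master-server responses (UDP) back in
    # without knowing Valve's addresses in advance.
    echo "iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Game-server listeners: rcon over TCP, game traffic over UDP.
    echo "iptables -A INPUT -p tcp --dport 27015 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 1200 -j ACCEPT"
    echo "iptables -A INPUT -p udp --dport 27000:27015 -j ACCEPT"

    # ICMP needed for ping and for path-MTU / traceroute feedback.
    for t in echo-request echo-reply destination-unreachable time-exceeded; do
        echo "iptables -A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
}

# Print the rules when run directly; harmless to call, nothing is applied.
hlds_fw_rules
```

After applying, `iptables -S INPUT` should list exactly these rules with `-P INPUT DROP` at the top, which is the quickest check before reaching for nmap from another host.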