MTM2.com

A forum for mtm2 discussion
FAQ :: Search :: Members :: Groups :: Register
Login
It is currently Mon Nov 25, 2024 4:55 am



Post new topic Reply to topic  [ 10 posts ] 
Author Message
 Post subject: Firewall etc. for (private) internet races?
PostPosted: Sat Feb 12, 2005 5:47 pm 
Member

Joined: Sun Sep 08, 2002 2:01 pm
Posts: 205
Location: Switzerland
:?:
So far I've done multiplayer exclusively over LANs. But now I would like to host a private race over the internet and I have a couple of questions.
    - To be able to play over the internet through a router one must set its own computer as DMZ
    - The software firewall must be configured to allow MTM2 to reach the internet.
    - Doing so will automatically allow MTM2 to use all the port(s) it needs.
    - Will these open ports be vulnerable for intrusions?
    (My feeling is 'No', because not the system as a whole is not acting as a server, only MTM2, and the game would not respond to messages unrelated to the game and from IPs other than those of the racers. But that's just a guess from a newbie [umm] and I'd like to get some comfort on this issue).


Can someone point me towards the answers?
Thanks


Top
 Profile  
 
 Post subject:
PostPosted: Sat Feb 12, 2005 6:16 pm 
Glow Ball
User avatar

Joined: Tue Feb 02, 1999 7:00 pm
Posts: 23
- To be able to play over the internet through a router one must set its own computer as DMZ

Using DMZ is the easiest solution because you don't need to worry about configuring ports.

DirectX: Ports Required to Play on a Network
http://support.microsoft.com/default.as ... -us;240429

Special Application Port List
http://www.practicallynetworked.com/sha ... t_list.htm


- The software firewall must be configured to allow MTM2 to reach the internet.

If you have a hardware firewall built into your router, you don't need a software firewall. But if you have one anyway, then yes, the game must be able to send and receive ip data.


- Doing so will automatically allow MTM2 to use all the port(s) it needs.

DMZ opens all standard ports, of which mtm2 will make good use. Yes.



- Will these open ports be vulnerable for intrusions?

Yes and no. Yes, in the same sense that any open port can be probed and exploited. No, in the sense that there are always some ports open no matter what, and that nobody will know to look for them on your address anyway.




> My feeling is 'No', because not the system as a whole is not acting as a server, only MTM2

It makes no difference if you're running server software or not. Worms and such find their way in regardless of what's running.



> and the game would not respond to messages unrelated to the game and from IPs other than those of the racers.

The game will only respond to other game commands. But that is not the issue. Your computer, game or no game, can still respond to non game commands through the open ports. This is why we don't run dmz all the time.



> But that's just a guess from a newbie and I'd like to get some comfort on this issue.

The trick is to open up dmz, run the races, then close it up again immediately once you're done. The process is as risk free as it gets because by the time anybody could discover the open ports, they'd be closed up right away anyway. I don't want to encourage complaisency, but you shouldn't have anything to worry about.

Tip. Don't post your ip address in a newsgroup. Fixed ip addresses pose more problems than dynamic ones.


Top
 Profile  
 
 Post subject:
PostPosted: Sat Feb 12, 2005 7:13 pm 
Member

Joined: Sun Sep 08, 2002 2:01 pm
Posts: 205
Location: Switzerland
[thanx]
The IP address is dynamic and will be sent by e-mail to the participants just before the race starts, so that shouldn't be a problem.

Quote:
No, in the sense that there are always some ports open no matter what, and that nobody will know to look for them on your address anyway.

This I don't understand. Looking at the log list of ZoneAlarm when run without a router, and given the number of idiots playing around with portscanning software I am pretty sure that at some time someone will probe an open port, which brings me to your other comments:
Quote:
Worms and such find their way in regardless of what's running.

Quote:
Your computer, game or no game, can still respond to non game commands through the open ports.

I thought that the firewall prevents this kind of problems and only allows the specified application(s) to respond to whatever incoming packets? But apparently, that's the wrong view?


Top
 Profile  
 
 Post subject:
PostPosted: Sat Feb 12, 2005 9:07 pm 
Glow Ball
User avatar

Joined: Tue Feb 02, 1999 7:00 pm
Posts: 23
Say, for example, you are browsing the web and you visit here or google. Your computer, at a minimum, communicates through port 80. However, the programming is sufficient to disallow all but standard html header info as well as the type of throughput you could expect to encounter on a normal web page. If it encounters anything else, it's "usually" rejected. Same type of arrangement for ftp on port 21. The trouble begins when the computer doesn't know what type of info it will encounter on other ports, or if an intrusive program can spoof the appropriate protocols in order to gain access. So, you open the ports but you don't restrict the kind of traffic, the user info, or where it has access... and you certainly have no counterfeit detection.

The up side is that IP sniffers don't usually probe addresses randomly. There is a range of a trillion possible addresses. Working randomly, it is theoretically possible to probe to eternity and not hit on anything. And it's worse with dynamic addresses because what worked yesterday probably won't work today. Most look for fixed addresses or server addresses through hosting ranges or spidering newsgroups or forums or exploiting vulnerabilities in various scripted pages - like the last round of php attacks. They then feed off those openings. But finding those things is like threading a needle. More than looking for open ports, these guys look for ways to exploit the ports that are known to be already open. Eg 80 or 21.

In an ideal world, you could assign ports to activities. But the complexiteis are almost endless so that's not very practical in terms of the operating system or even just basic configuration... especially when you consider there are something like 65000 ports to cover. In sum, the further you get away from standard ports, the more vulnerable you become. Configuring the specific ports is safer than dmz, but usually much harder and more prone to errors. But because the risk is so slight, dmz has been a safe bet and I, personally, haven't heard of a problem.

I don't know how much that helps. I just reread what I've written and it seems clear as mud. Hopefully it's a start.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Feb 14, 2005 5:35 am 
Member

Joined: Sun Sep 08, 2002 2:01 pm
Posts: 205
Location: Switzerland
Thanks Phin :D
Quote:
... and it seems clear as mud.

It's even better, lol.
From what I've read, doing the way you suggest may expose you to denial of service attacks. That's really not a big issue with dynamic IP addresses.
Or are there other known exploits for the directX ports?

If not, I think will try this way with the additional precaution of keeping track of all file and registry changes occuring during the on-line gaming session.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Feb 14, 2005 6:53 am 
Member
User avatar

Joined: Thu Apr 19, 2001 2:01 pm
Posts: 695
Location: USA and Proud of it.
props dude, you run a tight ship.

_________________
Keep on MTMing,
CH_2005
<a href="http://ch.mtm2.com/">Visit my site</a>


Top
 Profile  
 
 Post subject:
PostPosted: Mon Feb 14, 2005 1:33 pm 
Member

Joined: Mon Jan 27, 2003 2:01 pm
Posts: 65
A while back when we was trying to play mtm1 a few guys had built home networks and were using routers since they played last.

Now basically as far as I know they had all thier ports opened just to get something going and still couldn't connect.


My question here is that even tho a router has all the ports open there is still the issue of your actual IP.

Since your computers ip will be different than what actually goes out to the internet from the router can that be an issue also?

I suspect that thier ISP may use a proxy service, but thought I would ask in here just in case.


Top
 Profile  
 
 Post subject:
PostPosted: Mon Feb 14, 2005 7:45 pm 
Glow Ball
User avatar

Joined: Tue Feb 02, 1999 7:00 pm
Posts: 23
>> That's really not a big issue with dynamic IP addresses.

That's correct. Especially so from a single user, compared to a server, point of view.

> with the additional precaution of keeping track of all file and registry changes

That won't hurt either. You should be okay, tho.

----------


When you say "built home networks" do you mean they bought something like a linksys or d-link router or did they program and configure their own?

> I suspect that thier ISP may use a proxy service

Very few isp's use proxies in the strictest sense anymore. I know of a couple universities that use them because they want to regulate internal and external traffic and make sure the interal networking functions regardless of what goes on the outside. The proxy is an added layer of protection. This would be the same as most large companies except that most companies are not their own isp whereas the big universities are. ISP's don't usually have this distinction and so they don't use proxies in the traditional sense. They can, however, have an elaborate caching system which can cause no end of problems. Also, places like aol have floating ip's, as opposed to the dynamic system, and that might cause problems too... tho I don't know as much about how it works.

> even tho a router has all the ports open there is still the issue of your actual IP.

That's correct.

> Since your computer's ip will be different than what actually goes out to the internet from the router can that be an issue also?

Yes, definitely.

For example, in the case of my linksys router, when I set my computer as DMZ host, the general belief is that I have a direct connection to the internet, but that's not true in the strictest sense because I still log into the router, and the router still controls the flow of traffic. So, what's happening is that the router relays or transfers the information to my computer "as if" it has a direct connection. Sort of translating the data and addresses in a seamless and transparent way. So, rather than a direct connection, there is actually a sophisticated set of instructions that are being executed all the time. My computer behaves as if it has a direct connection, and the net sees my computer as being connected directly, but the router is interfacing between the two in such a way to create this illusion.

Let's take a simpler example. I set my computer up as a web server. I configure the router to forward all requests on port 80 to my computer. All other requests are denied in the usual way, but port 80 requests get through and are forwarded to my computer, and no others, on the network. Welp, DMZ host is the equivalent of forwarding all ports, not just port 80, to my computer... but can still leave the other ports open to the other configured computers on the network.

So, if a person cannot connect to the game, then there is either a firewall problem at home (either software, hardware or operating system), the router is not configured correctly (eg. ports are being forwarded to other places on the network), the isp has a proxy system in place or is caching data or is deliberately blocking traffic on specific ports, or the host has some of these issues, or a combination of each. If, on the other hand, they are not using a store bought router but have created their own, then they would have to dig deep into the software that's doing the routing. For example, on a linux based system, they'd have to look into ipchains or iptables depending on the particular flavor they're running. And if, on the other hand yet again, they're using a cisco type router, then we've reached the end of my helpfulness. Routing is a very complicated business and manually configuring a cisco is more than I could do at this time.


Top
 Profile  
 
 Post subject:
PostPosted: Thu Feb 17, 2005 10:57 am 
Member

Joined: Mon Jan 27, 2003 2:01 pm
Posts: 65
Quote:
When you say "built home networks" do you mean they bought something like a linksys or d-link router


Yes, basically they bought the stuff and set it up themselves rather than trying to play at work or something like that.


Quote:
example, in the case of my linksys router, when I set my computer as DMZ host,



I use only a switch hub for the machines I play games with cause my isp allows me 3 direct ips. I plan on getting a router and that will probably be my third ip that just connects all my non gaming machines.

So is this "DMZ host" a setting in the router / firewall or something you set with in windows somewhere? If so, is this in all routers or only certain ones?


Top
 Profile  
 
 Post subject:
PostPosted: Thu Feb 17, 2005 5:36 pm 
Glow Ball
User avatar

Joined: Tue Feb 02, 1999 7:00 pm
Posts: 23
Quote:
I use only a switch hub for the machines I play games with cause my isp allows me 3 direct ips. I plan on getting a router and that will probably be my third ip that just connects all my non gaming machines.


With a router, you don't need extra ip addresses since it takes care of that for you - that's the routing part. However, if you are accessing the internet for gaming on more than one machine at a time (and you're allowed multiple ips), then the hub and switch would probably be easier and less problematic since the router usually only allows one computer to have full access.


Quote:
So is this "DMZ host" a setting in the router / firewall or something you set with in windows somewhere? If so, is this in all routers or only certain ones?


DMZ stands for Demilitarized Zone, which means that, by and large, you are without protection. It's a router setting and most routers today have it, or something equivalent to it.

To be clear, the term router is a bit misleading when describing today's "applicances". My linksys router also functions as a firewall, hub, switch and proxy. It has an html control panel so it's operating system independent (I've had two versions of windows and two version of linux plugged into it all at the same time). Mine has four ports but you can plug hubs into each port which would allow up to a couple hundred computers to use it safely.

Brands. D-link and netgear both make routers that appear to work similar to my linksys. I picked up the linksys back when it was the only one on the market and I've never had a problem with it. They still do firmware upgades on it too. The company is first rate for support and their web site has a ton of help and info.

http://www.linksys.com/edu/

I haven't been there in a while, but looks like they've been bought up by cisco (the big cheese in routing).

I don't mean to hype one brand over another, but I've had this for over five years and never had a problem with it.

Tip. Turn DHCP off and assign ip addresses per computer.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 


Who is online

Users browsing this forum: No registered users and 68 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group