[Firewall] Firewall Digest, Vol 90, Issue 7

cmr at uniserve.com cmr at uniserve.com
Wed Jul 24 00:15:16 CEST 2013


Hi and thanks for the help. I ran into some issues / problems.

I'm working on a bit of a deadline so I will only point out the flaws ...

As pointed out, I installed linux-igd daemon on the router. In  
conjunction with arno's igd plugin, everything worked. Then I checked  
the upnpd log file...

What I found was, to me, disturbing. Windows machines on my network  
with ZERO internet access -- read firewalled, suddenly had internet  
access via the upnp daemon.

It resulted in a roll back and uninstall of linux-igd until my return  
from the great white north! Since I won't be around to fix it for a  
couple of weeks and I don't wish to leave remote access on, I will  
simply say no xbox party YET!

In the meantime, reading and research are in order.

Other than disabling ssdp on my windows machines (last resort), is  
this an AIF bug, because these three machines are not in the  
NAT_INTERNAL_NET="" list and I took them out of the mac-address list;  
the results are the same ...

reading reading research and more reading ...

this is a snippet of the three win xp / 7 machines which are NOT  
supposed to reach the outside world...


 From host 192.168.1.zzz
2013-07-23 08:48:09 0xzzzzzzzzzzzz ssdp_server.c:814 Start of received  
multicast packet --------------------------------------------
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
Man:"ssdp:discover"
MX:3


End of received multicast packet  
----------------------------------------------

snip snip snip

 From host 192.168.1.yyy
2013-07-23 08:49:45 0xyyyyyyyyyyyy ssdp_server.c:814 Start of received  
multicast packet --------------------------------------------
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
Man:"ssdp:discover"
MX:3


End of received multicast packet  
----------------------------------------------

snip snip snip

 From host 192.168.1.www
2013-07-23 08:50:05 0xwwwwwwwwwwww ssdp_server.c:814 Start of received  
multicast packet --------------------------------------------
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1
Man:"ssdp:discover"
MX:3


End of received multicast packet  
----------------------------------------------




Chris


Quoting firewall-request at rocky.eld.leidenuniv.nl:

>
> Today's Topics:
>
>    1. Re: TCP / UPD port forwarding to multiple xBox's behind	the
>       firewall (Lonnie Abelbeck)
>    2. Re: TCP / UPD port forwarding to multiple xBox's behind the
>       firewall (Gustin Johnson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 21 Jul 2013 06:22:53 -0500
> From: Lonnie Abelbeck <lists at lonnie.abelbeck.com>
> To: Arno's IPTABLES firewall script <firewall at rocky.eld.leidenuniv.nl>
> Subject: Re: [Firewall] TCP / UPD port forwarding to multiple xBox's
> 	behind	the firewall
> Message-ID: <DCF89256-B41E-468E-84A6-8E75AD2B92A5 at lonnie.abelbeck.com>
> Content-Type: text/plain; charset=us-ascii
>
> Hi Chris,
>
> The AIF firewall.conf file is parsed as a shell script, such that...
> --
> FOO="1"
> FOO="2"
> FOO="3"
> --
> results in FOO having a value of only "3"; what you want to do is  
> space separate the values...
> --
> FOO="1 2 3"
> --
>
> So, in your case:
> --
> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15  
> 53,80,2869,3074,5000>192.168.1.85 53,80,2869,3074,5000>192.168.1.86"
>
> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15  
> 53,88,1900,3074>192.168.1.85 53,88,1900,3074>192.168.1.86"
> --
> etc. (the only spaces are separating multiple values within double-quotes).
>
> Lonnie
>
>
>
> On Jul 21, 2013, at 2:00 AM, cmr at uniserve.com wrote:
>
>> A couple of weeks back I asked about a nat issue and port  
>> forwarding to an xbox.
>>
>> I found my answer in the firewall.conf file, something several of  
>> you pointed out. Other than the fact my ISP blocks inbound port 80,  
>> that solution worked flawlessly.
>>
>> it was these two lines and the UPnP IGD plugin that solved my problem:
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15"
>>
>> ... now for today's problem ...
>>
>> I'm fortunate enough to have a wired house with several large tv's  
>> located in several areas of the house. One of my kids wants to host  
>> an xbox live tourney on the lan. Specifically, his friends bring  
>> over their own equipment, my dhcp server assigns addresses as  
>> needed and nat needs to be open for each xbox.
>>
>> The server will assign static dhcp addresses in the range of  
>> 192.168.1.85 to 192.168.1.95 based on each machine's mac address.
>>
>> would I use the NAT_STATIC_IP="" because if I use multiple lines  
>> similar to the following it does not work for any unit other than  
>> the first one.
>>
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.85"
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.86"
>> ...
>>
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15"
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.85"
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.86"
>> ...
>>
>> I currently use two plugins, the UPnP IGD and the mac address plugins.
>>
>> Something tells me this has an easy solution, I'm just unsure of  
>> where to look or start looking!
>>
>> Chris
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 21 Jul 2013 05:55:58 -0600
> From: Gustin Johnson <gustin at meganerd.ca>
> To: "Arno's IPTABLES firewall script"
> 	<firewall at rocky.eld.leidenuniv.nl>
> Subject: Re: [Firewall] TCP / UPD port forwarding to multiple xBox's
> 	behind the firewall
> Message-ID:
> 	<CAPM=hj4HuG-dA=M0YaRB6Hdkd9jQ-wzeA4ofE2-B40kmK+uVjg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> You cannot port forward the same ports to more than one IP on the LAN side.
>
> What you probably want to do is look into UPnP which is what the other
> Xboxes support when they need ports forwarded.  UPnP auto negotiates the
> port forwarding so you do not need to add the other xboxes anyway.
>
> In addition to what you already have, you will need to install and
> configure a UPnP daemon on the router.
>
> Hth,
>
>
> On Sun, Jul 21, 2013 at 1:00 AM, <cmr at uniserve.com> wrote:
>
>> A couple of weeks back I asked about a nat issue and port forwarding to an
>> xbox.
>>
>> I found my answer in the firewall.conf file, something several of you
>> pointed out. Other than the fact my ISP blocks inbound port 80, that
>> solution worked flawlessly.
>>
>> it was these two lines and the UPnP IGD plugin that solved my problem:
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15"
>>
>> ... now for today's problem ...
>>
>> I'm fortunate enough to have a wired house with several large tv's located
>> in several areas of the house. One of my kids wants to host an xbox live
>> tourney on the lan. Specifically, his friends bring over their own
>> equipment, my dhcp server assigns addresses as needed and nat needs to be
>> open for each xbox.
>>
>> The server will assign static dhcp addresses in the range of 192.168.1.85
>> to 192.168.1.95 based on each machine's mac address.
>>
>> would I use the NAT_STATIC_IP="" because if I use multiple lines similar
>> to the following it does not work for any unit other than the first one.
>>
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.85"
>> NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.86"
>> ...
>>
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.15"
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.85"
>> NAT_FORWARD_UDP="53,88,1900,3074>192.168.1.86"
>> ...
>>
>> I currently use two plugins, the UPnP IGD and the mac address plugins.
>>
>> Something tells me this has an easy solution, I'm just unsure of where to
>> look or start looking!
>>
>> Chris
>
> ------------------------------
>
>
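Lonnie's point that firewall.conf is parsed as a shell script, so a repeated NAT_FORWARD_TCP assignment silently keeps only the last host, is easy to confirm. The script below is an added example, not AIF code or anything from the thread; it sources two constructed config fragments the way a shell would and expands the surviving "ports>host" entries, so you can check how many hosts actually get forwards before loading the config on the router.

```shell
#!/bin/sh
# Added example (not from the AIF project): demonstrates that a config file
# sourced as shell keeps only the LAST assignment of a variable, and how a
# space-separated NAT_FORWARD_TCP value expands to one entry per host.

# Constructed fragment with the repeated-assignment mistake from the thread.
bad_conf='NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15"
NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.85"
NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.86"'

# Same three hosts, written the way the list reply recommends.
good_conf='NAT_FORWARD_TCP="53,80,2869,3074,5000>192.168.1.15 53,80,2869,3074,5000>192.168.1.85 53,80,2869,3074,5000>192.168.1.86"'

# Evaluate a config fragment as shell (AIF does the same when it sources
# firewall.conf) and print the value of NAT_FORWARD_TCP that survives.
load_forward_tcp() {
    NAT_FORWARD_TCP=""
    eval "$1"
    printf '%s\n' "$NAT_FORWARD_TCP"
}

# Number of "ports>host" entries in a value, i.e. how many hosts get rules.
count_forward_targets() {
    set -- $1
    echo "$#"
}

# Expand each "ports>host" entry into one line per port, the granularity at
# which a firewall script would emit its DNAT rules.
expand_forwards() {
    for entry in $1; do
        ports=${entry%%>*}
        host=${entry#*>}
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            printf 'tcp dport %s -> %s\n' "$p" "$host"
        done
    done
}

echo "repeated assignments keep: $(load_forward_tcp "$bad_conf")"
echo "hosts forwarded (bad):  $(count_forward_targets "$(load_forward_tcp "$bad_conf")")"
echo "hosts forwarded (good): $(count_forward_targets "$(load_forward_tcp "$good_conf")")"
expand_forwards "$(load_forward_tcp "$good_conf")"
```

Run it against your own firewall.conf by replacing the constructed fragments with `$(grep '^NAT_FORWARD_TCP=' /etc/arno-iptables-firewall/firewall.conf)` (path is an assumption; use wherever your AIF config lives).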




