"James" <james@james-web.net> writes:
> What kind of games specifically?
> Like online Java games (Bejeweled)? Or games like Quake, Unreal, Tribes etc?
> The latter is much easier, just block all traffic to/from the default ports which use them. A quick google would yield what they use. I'll give you a quick hint and say Quake3 is 29760-5 or so and Tribes1/2 is 28000-28005 or so.

Doesn't that cause trouble with occasionally blocking ephemeral ports? If you're not allowing incoming connections of any kind (including non-PASV FTP) it shouldn't matter, but blocking ports above 1024 always makes me nervous...

----ScottG.
It would make me nervous too. Plus, I hate when things stop working because then people call me and I have to talk to them :) But if a brand new packet is outbound to 29760, you know it is probably going to a Half Life server (I think that's the port). So wouldn't it be wise to deny that? Specifically it would be UDP 29760, not TCP. Doesn't FTP use TCP when negotiating a connection?

- James

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Scott Gifford
Sent: Sunday, January 06, 2002 9:45 PM
To: James
Cc: nanog@merit.edu
Subject: Re: Blocking Internet Gaming

"James" <james@james-web.net> writes:
> What kind of games specifically?
> Like online Java games (Bejeweled)? Or games like Quake, Unreal, Tribes etc?
> The latter is much easier, just block all traffic to/from the default ports which use them. A quick google would yield what they use. I'll give you a quick hint and say Quake3 is 29760-5 or so and Tribes1/2 is 28000-28005 or so.

Doesn't that cause trouble with occasionally blocking ephemeral ports? If you're not allowing incoming connections of any kind (including non-PASV FTP) it shouldn't matter, but blocking ports above 1024 always makes me nervous...

----ScottG.
On Sun, Jan 06, 2002 at 09:54:13PM -0500, james@james-web.net said:
[snip]
> But if a brand new packet is outbound to 29760, you know it is probably going to a Half Life server (I think that's the port). So wouldn't it be wise to deny that? Specifically it would be UDP 29760, not TCP.

TCP 27015/27016 by default

--
Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t
Systems/Network Manager sfrancis@ [work:] t o n o s . c o m
UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery
GPG public key 0xCB33CCA7
illum oportet crescere me autem minui
On Sun, 6 Jan 2002, Scott Francis wrote:
> On Sun, Jan 06, 2002 at 09:54:13PM -0500, james@james-web.net said:
> [snip]
> > But if a brand new packet is outbound to 29760, you know it is probably going to a Half Life server (I think that's the port). So wouldn't it be wise to deny that? Specifically it would be UDP 29760, not TCP.
>
> TCP 27015/27016 by default

For Half-life, it's 27015/UDP, not TCP.

Cheers.
-a
:Doesn't that cause trouble with occasionally blocking ephemeral ports?
:If you're not allowing incoming connections of any kind (including
:non-PASV FTP) it shouldn't matter, but blocking ports above 1024
:always makes me nervous...

That's what "permit tcp any any established" is for.

cheers,
brian
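
The ephemeral-port concern and the `established` answer above, modelled as an added example that is not part of the original thread: a first-match, stateless ACL applied to traffic arriving from the Internet. The 28000-28005 range is the figure quoted in the thread; the packets are constructed, and `Packet`, `Rule` and `evaluate` are illustrative names, not any router's API.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack_or_rst: bool = False   # TCP ACK or RST bit set (always False for UDP)

@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    proto: str                                   # "tcp", "udp" or "ip" (any)
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any
    established: bool = False                    # match only TCP with ACK/RST

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        if self.established and not (p.proto == "tcp" and p.ack_or_rst):
            return False
        lo, hi = self.dst_ports or (0, 65535)
        return lo <= p.dst_port <= hi

def evaluate(acl, pkt) -> str:
    """First matching rule wins; nothing matching means implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

GAME = (28000, 28005)  # range as quoted in the thread, not verified here
BLOCK = [Rule("deny", "tcp", GAME), Rule("deny", "udp", GAME), Rule("permit", "ip")]
NAIVE_IN = BLOCK
FIXED_IN = [Rule("permit", "tcp", established=True)] + BLOCK

# Constructed packets arriving from the Internet side.
SAMPLES = {
    "web_reply": Packet("tcp", 80, 28003, ack_or_rst=True),  # reply to inside client
    "new_tcp":   Packet("tcp", 40000, 28003),                # unsolicited SYN
    "dns_reply": Packet("udp", 53, 28001),                   # reply to inside resolver
}

def verdicts(acl) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_IN), ("established first", FIXED_IN)):
        print(label, verdicts(acl))
```

The `established` keyword only tests the TCP ACK/RST bits, so it rescues the TCP reply whose ephemeral port falls in the blocked range but not the UDP one.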
participants (5)
- achen-nanog@micropixel.com
- Brian Wallingford
- James
- Scott Francis
- Scott Gifford