[Re: OpenBSD Firewall / Internal Quake III Server]
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: [Re: OpenBSD Firewall / Internal Quake III Server]
- From: "patrick denton" <patrick_(_dot_)_denton_(_at_)_dataops_(_dot_)_net>
- Date: Tue, 17 Apr 2001 12:03:01 -0400
I allowed the standard port 27960 udp inbound via ipf and nat
using the redirect rule.
rdr ex0 1.2.3.4/32 port 27960 -> 10.1.1.123 port 27960 udp
This didn't seem to cause an issue with folks connecting via the
master list server in q3. I would see folks come and go on the server
so I can only assume it was visible from the outside with minimal
to no issues. If you want your domain name or external IP address
to show in the q3 join screen you can edit your q3 motd line in the
server configuration file to show it. Understand the concern about
displaying internal IPs. If it's a big issue you can always add
a dmz for the server.
Although when the q3server was running I did see lots of blocked
inbound packets in the udp 15000's range but only while the server
was running. These would show up in ipflog. I didn't research
further but perhaps q3 uses some random udp ports to obtain other
info about the server.
Good Luck and frag ya later.
Jason Hunt wrote:
>
> Greetings all,
>
> I am having a few problems getting my internal quake III
> server to work properly and I am a little confused on why
> this is happening.
>
> If someone uses the specify function in Quake III, they
> can connect just fine to my internal server. The problem
> seems to be with people connecting from gamespy or using
> the master server list.
>
> I believe it could be something with the keep state. I
> have the following in my /etc/ipnat.rules:
>
> # maps tcp/udp connections on my network through 1024:20000
> map xl0 192.168.x.x/24 -> xl0/32 portmap tcp/udp 10000:20000
>
> # maps ICMP, etc
> map xl0 192.168.x.x/24 -> xl0/32
> rdr xl0 xl0/32 port 25 -> 192.168.x.x port 25
> rdr xl0 xl0/32 port 80 -> 192.168.x.x port 80
> rdr xl0 xl0/32 port 27960 -> 192.168.x.x port 27960 tcp/udp
>
> the last rule is for connections to quake III. I have
> some log files of where snort was running on my firewall
> and what it picked up:
>
> Apr 13 20:18:12 212.110.163.229:27969 -> 24.160.xxx.xx:15042 UDP
> Apr 13 20:18:12 212.110.163.229:27960 -> 24.160.xxx.xx:15060 UDP
> Apr 13 20:18:13 212.110.163.229:27967 -> 24.160.xxx.xx:15110 UDP
> Apr 13 20:18:14 212.110.163.229:27963 -> 24.160.xxx.xx15127 UDP
> Apr 13 20:20:14 212.110.163.229:27969 -> 24.160.xxx.xx15042 UDP
> Apr 13 20:20:14 212.110.163.229:27960 -> 24.160.xxx.xx15060 UDP
> Apr 13 20:20:15 212.110.163.229:27967 -> 24.160.xxx.xx15110 UDP
> Apr 13 20:20:15 212.110.163.229:27963 -> 24.160.xxx.xx15127 UDP
> Apr 13 20:36:40 194.159.164.177:27977 -> 24.160.xxx.xx15248 UDP
> Apr 13 20:36:41 194.159.164.177:27983 -> 24.160.xxx.xx15276 UDP
> Apr 13 20:36:42 194.159.164.177:27963 -> 24.160.xxx.xx15358 UDP
> Apr 13 20:36:43 194.159.164.177:27967 -> 24.160.xxx.xx15378 UDP
> Apr 13 20:36:41 212.110.163.229:27966 -> 24.160.xxx.xx15277 UDP
> Apr 13 20:36:43 212.110.163.229:27969 -> 24.160.xxx.xx15385 UDP
> Apr 13 20:36:44 212.110.163.229:27960 -> 24.160.xxx.xx15403 UDP
> Apr 13 20:36:46 212.110.163.229:27967 -> 24.160.xxx.xx15452 UDP
> Apr 13 20:38:49 194.159.164.177:27977 -> 24.160.xxx.xx15248 UDP
> Apr 13 20:38:49 194.159.164.177:27983 -> 24.160.xxx.xx15276 UDP
> Apr 13 20:38:50 194.159.164.177:27963 -> 24.160.xxx.xx15358 UDP
> Apr 13 20:38:51 194.159.164.177:27967 -> 24.160.xxx.xx15378 UDP
>
> it either seems I need to specify more ports to redirect, or
> they are going to the wrong UDP port on the internal machine
> when they are redirected. This is where I need some help.
>
> I thought that when the dedicated server started up, since it
> was reporting the 192.168.x.xx address to the master server
> list, this was the problem -- but apparently not since these
> people tried to connect to me. This is another question,
> is there anyway to make it report the external IP? I know
> there is not an option for q3ded server to do this, but I thought
> maybe there was another way one could go about this. Any help on
> this topic would be greatly appreciated. Sorry if this is a little
> off topic.
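Added example, written for this thread and not code from either poster: it reads snort lines in the format quoted above and checks each destination port against the quoted ipnat.rules (the rdr ports and the portmap range 10000:20000), so you can see whether the blocked 15000-range UDP hits are unsolicited traffic needing another rdr, or replies to outbound flows that portmap rewrote. The sample lines are constructed from the post (the masked `24.160.xxx.xx` address is kept, including lines that lost the `:` before the port); treating in-range hits as portmap replies is this example's assumption.

```python
import re
from typing import Dict, List

# Constructed sample in the format of the snort lines quoted in the thread.
SAMPLE_LOG = """\
Apr 13 20:18:12 212.110.163.229:27969 -> 24.160.xxx.xx:15042 UDP
Apr 13 20:18:12 212.110.163.229:27960 -> 24.160.xxx.xx:15060 UDP
Apr 13 20:20:15 212.110.163.229:27963 -> 24.160.xxx.xx15127 UDP
Apr 13 20:36:40 194.159.164.177:27977 -> 24.160.xxx.xx15248 UDP
"""

# Ports and range taken from the quoted /etc/ipnat.rules.
RDR_PORTS = {25, 80, 27960}
PORTMAP_RANGE = (10000, 20000)

# Tolerates the missing ':' between masked address and port seen above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+?):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+?):?(?P<dport>\d{4,5}) (?P<proto>\w+)$"
)


def classify(dport: int) -> str:
    """Map a destination port on the external interface to the NAT rule it hits."""
    if dport in RDR_PORTS:
        return "rdr"            # forwarded by an explicit rdr rule
    if PORTMAP_RANGE[0] <= dport <= PORTMAP_RANGE[1]:
        return "portmap-reply"  # assumed: reply to an outbound flow mapped by portmap
    return "unmapped"           # no rule in ipnat.rules claims this port


def parse(log: str) -> List[Dict[str, object]]:
    """Parse snort-style lines into dicts with a NAT classification per hit."""
    hits: List[Dict[str, object]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dport = int(m["dport"])
        hits.append({"src": m["src"], "sport": int(m["sport"]), "dport": dport,
                     "proto": m["proto"], "rule": classify(dport)})
    return hits


def summarize(log: str) -> Dict[str, int]:
    """Count hits per classification, e.g. {'portmap-reply': 4}."""
    counts: Dict[str, int] = {}
    for h in parse(log):
        counts[str(h["rule"])] = counts.get(str(h["rule"]), 0) + 1
    return counts
```

If every blocked hit lands in the portmap range, the fix to look at is state handling on the outbound ipf rule (keep state, and how long UDP state lives) rather than adding more rdr lines.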