I'm running 4.0.1-b2950-ubuntu-lucid-1
I have set up a simple firewall using tw template 2 - i.e. allow DNS/SSH to firewall, etc.
I have added a few other rules, changed the LAN device from eth0 to eth1 - the firewall is generally working OK.
However I notice that lots of games which scan server lists get dropped packets on the firewall.
By default all outgoing access is allowed from the LAN but for some reason lots of games are getting packets dropped from the firewall.
My f/w lan ip is 192.168.0.60 - my client machine is 192.168.0.206 …
Jul 14 13:17:07 gateway-desktop kernel: RULE 7 - DENY IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4d:71:2e:7a:08:00 SRC=192.168.0.206 DST=255.255.255.255 LEN=39 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=7004 DPT=27913 LEN=19
Jul 14 13:17:07 gateway-desktop kernel: RULE 7 - DENY IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4d:71:2e:7a:08:00 SRC=192.168.0.206 DST=255.255.255.255 LEN=39 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=7004 DPT=27914 LEN=19
Why is this being dropped? All outgoing ports should be fine…
My setup is:
Firewall - connects to internet via ppp0 (USB ADSL modem) and connects to the LAN via eth1
If I open up the ports used from LAN -> Firewall the packets do not get dropped - but I shouldn't need to, as my client machine is meant to be connecting to the internet - it is like the forwarding isn't working 100%?
Example games are Enemy Territory and Paintball2.
Dropped packets were sent to the broadcast address 255.255.255.255. If the rule that permits outgoing access from machines on the internal LAN to the internet has "any" in the destination, matching broadcast by this rule depends on the setting "assume firewall is part of any" in the firewall object settings dialog. If this option is "off", the rule won't match broadcasts.
The firewall was set to "assume firewall is part of any" - I tried disabling it (for a laugh) and the same thing happens.
Is it possible that the games try to search the LAN as well as the internet??
I am just worried that it is a symptom that something is setup incorrectly.
I guess I could open up all ports from LAN -> firewall … (not too good for security)
Previously I used the really good complete setup firewall IPFIRE (http://www.ipfire.org/en/index) - a much updated fork of IPCop - and this never occurred on that - it does create a bridge (ppp0 -> eth0) though.
The reason I stopped using IPfire is because I wanted a few extra packages (bind, etc.) and I want to use the firewall to occasionally watch a film on, etc. (so I chose Lubuntu + fwbuilder)
One thing I am massively missing about IPfire is any log analysis software - in IPfire you can sort firewall hits per country/IP, etc.
Can you recommend any software to easily view the FW logs?
For anyone who just wants a complete ready-to-go firewall I would recommend IPfire (you do not need to know how to use Linux even - it does run Linux (2.6.32) but can be completely operated via a web GUI)
I really do like fwbuilder (you have more control)
The dropped packets that you see in the log were sent to the broadcast address 255.255.255.255. Broadcasts are not forwarded by routers, and not by your firewall either; they can only reach machines on the same subnet. So, unless this is something that your firewall should reply to, dropping them is not going to break anything. A quick Google search seems to indicate that these ports may be used by some game servers. Do you run such a server on the firewall? If not, this should not be a problem.
I can't recommend any log analysis software. We plan to add this to fwbuilder in the future though.
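As an added example (not the poster's or fwbuilder's code), a small triage script for the kernel log lines quoted in this thread: it splits each netfilter LOG entry into its KEY=VALUE fields and sorts every DENY by destination, so broadcast noise like the entries above can be separated from dropped LAN -> internet unicast, which is the only class that would actually mean forwarding is broken. It assumes the LAN is 192.168.0.0/24 and adds one constructed unicast line to the sample.

```python
import re
import ipaddress
# Sample input: the two kernel log lines quoted in the thread plus one constructed
# unicast drop (TEST-NET destination) so the classifier has a real forwarding case to flag.
SAMPLE_LOG = """\
Jul 14 13:17:07 gateway-desktop kernel: RULE 7 - DENY IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4d:71:2e:7a:08:00 SRC=192.168.0.206 DST=255.255.255.255 LEN=39 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=7004 DPT=27913 LEN=19
Jul 14 13:17:07 gateway-desktop kernel: RULE 7 - DENY IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1a:4d:71:2e:7a:08:00 SRC=192.168.0.206 DST=255.255.255.255 LEN=39 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=7004 DPT=27914 LEN=19
Jul 14 13:18:01 gateway-desktop kernel: RULE 7 - DENY IN=eth1 OUT= MAC=00:11:22:33:44:55:00:1a:4d:71:2e:7a:08:00 SRC=192.168.0.206 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=7004 DPT=27960 LEN=40
"""
# Assumption: the LAN is 192.168.0.0/24 (the thread only gives .60 and .206); .60 is the firewall's LAN IP.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
FW_LAN_IP = ipaddress.ip_address("192.168.0.60")
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+kernel:\s+(?P<prefix>.*?)\s*(?P<rest>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_iptables_log_line(line):
    """Split a netfilter LOG line into KEY=VALUE fields; first LEN wins (IP length, not UDP length)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "prefix": m.group("prefix")}
    for key, val in FIELD_RE.findall(m.group("rest")):
        fields.setdefault(key, val)
    return fields

def classify_drop(fields, lan_net=LAN_NET, fw_ip=FW_LAN_IP):
    """Where was the denied packet headed? Only 'forwarded-unicast' points at a forwarding problem."""
    dst = ipaddress.ip_address(fields["DST"])
    if dst == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"   # never routed; harmless unless the firewall itself should answer
    if dst == lan_net.broadcast_address:
        return "directed-broadcast"  # same story for the subnet broadcast
    if dst == fw_ip:
        return "to-firewall"         # needs an explicit LAN -> firewall rule, not a forwarding rule
    if dst in lan_net:
        return "lan-unicast"         # a LAN host talking to another LAN host via the firewall
    return "forwarded-unicast"       # LAN -> internet: the traffic the "any" destination rule should pass

def triage(log_text):
    """Count drops per class and return the entries that actually indicate blocked forwarding."""
    counts, suspicious = {}, []
    for line in log_text.splitlines():
        fields = parse_iptables_log_line(line)
        if fields is None:
            continue
        kind = classify_drop(fields)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "forwarded-unicast":
            suspicious.append(fields)
    return counts, suspicious
```

Run `triage()` over `/var/log/kern.log` output instead of the sample to see how much of the DENY noise is broadcast versus genuinely blocked forwarding.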