Firewall settings

[3dmatrix]

I am facing a problem with one multiplayer game that needs the firewall (ufw) to have a few open ports. My firewall is usually in deny all mode. When i open those ports, i can use the application well. When they are closed it can not be used. I am concerned about security issues in such cases. Can any one kindly advise me any better option say a better firewall tweeking for such cases.

[1clue]

Is there a specific server on the other end? You could open them only for that server.

[3dmatrix]

I am not sure about any specific server. Usually most games like on Steam or Urban Terror mention certain ports to be opened. They do not mention anything else. In that way i will have to keep a lot of ports open and that is unsafe. So what is a better alternative ?

[1clue]

Sorry if I'm absolutely, completely ignorant of current gaming.

Maybe you should google the game and "security" together, to see how people configure their firewalls.

I can think of these ways to reduce the likelihood of badness with open ports:

1. Reduce the number of locations you accept connections from. This means only open them to the remote box, not to the world.
2. Set up a proxy. This is complicated. The proxy needs to understand what protocol is being used, and know when it's not correct. Then it can block that traffic.
3. Alter the port number. This requires that the remote system know what the new ports are, which might not be practical with a central server or with random strangers at the other end.

The proxy will introduce a latency. You're adding a host in the middle, and that host is processing data. That might also be incompatible with gaming. However it gives you an extreme control over networking and security in general, assuming you know how to configure it and have appropriate filters.

[gerowen]

If you need a certain port to be open, especially for a gaming service like Steam where you might connect to a dozen different servers across those same ports, you're kind of limited as to how tightly you can lock it down. However, if you know specifically what IP addresses you will be connecting to across those ports, and you're confident those IPs won't change, such as when you and your buddies set up a Quake server and you only want that server to be allowed to access you on a specific port, or if you're hosting the server and you know what IP addresses your friends will be connecting from, then you can designate IP addresses that are allowed to access those ports. You can also tell it whether or not to log access requests on those ports so you can review your logs to see who has and has not been using those ports.

Using GUFW, also known as "Firewall Configuration" in the Ubuntu "System Settings" application, you can set up and tweak firewall rules to your heart's content. Be aware of this though. Unless you are running a game server, and you have forwarded those ports on your router to the computer running the server, then when anybody on the internet tries to access you, all they see is your router, and not your computer. Opening those ports on your local firewall allows applications you run to establish connections to outside computers, and once a line of communication is open then your programs will function fine, but your router plays the role of traffic cop in that instance. All the remote end sees is your router's IP address, and it sends the traffic to that IP address. Your router then does its job by "routing" that traffic to the appropriate machine on its local network. The only way people would be able to look directly at your computer would be if they compromised your router, if they were on the same network as you, or if you configured your router to specifically forward certain ports to your computer. Because of this, routers can also be referred to as hardware firewalls, because it is a device that physically separates you from the internet, gives you a private IP address, and can be programmed to perform certain actions on traffic that goes through it as it passes between the internet and your internal network.

Anyway, I've babbled enough. Just poke around in gufw and I'm sure you'll find all the options you need. Here's a screenshot of some of the "Advanced" options available.
gufw-advanced.jpg

[3dmatrix]

Thanks for your reply. I am ofcourse behind a router. But for steam can you tell me which port to open so that i do not have trouble accessing the servers.
On this page : https://support.steampowered.com/kb_...8571-GLVN-8711
It mentions a lot of servers, rather a full range of servers. When i open the first range i still find that during login it gets stuck. But after login it can work. So may be it uses multiple ports to work. Can you kindly give some advise regarding this. Moreover, i would like to know if it is possible (in gufw) to restrict only the Steam client to access that port, if so how and will it be of any use (added security) ?

[3rdalbum]

Thanks for your reply. I am ofcourse behind a router.

Then you've already got a firewall in the router, and you don't need to be using a personal firewall too. Simply turn GUFW off (or "Allow all") and you'll remain just as safe.

Also, just because a port isn't explicitly blocked, doesn't mean that it's "open"; let me use an analogy.

Using a router's firewall AND a personal firewall is like unplugging your phone, AND THEN taking the phone off the hook. Obviously, taking the unplugged phone off the hook is not going to help, you're already not going to receive any phone calls because the phone is unplugged!

If the phone was plugged in and on the hook, you can receive phone calls. There's nothing blocking that. But if the phone rings and nobody's at home, or nobody's listening, then nobody will pick up the phone and so the call won't actually be connected. Same thing with the firewall - if a port is not blocked, but there's no program currently listening on that port, there will not be a connection to your computer. The end result, really, is the same as if you had the port blocked, or if you had your telephone unplugged.

Just because somebody can dial the number and make your phone ring, doesn't mean that they can speak to you. They can only speak to you if you're home, and currently listening for an incoming call, and actually pick up the receiver. If any of these things is not true, they can't speak to you. If the program isn't running, or the program isn't listening for an incoming call, or the program decides not to pick up, then no attacker can connect to your computer on that port.

If in doubt, you should read up a bit more about what a firewall actually does and how network connections ("sockets") work. I'm sure Google can hook you up with an article.

[1clue]

First, I disagree with 3rdalbum's statement that redundant firewalls are unnecessary. Defense in depth. If they get through your router and hit some other box on your LAN then having that second firewall right on the box helps a bunch. EVERY medium or large business has at least two firewalls, and then some of them want your server to have its own security complete with an audit by a different IT office inside the company. IBM was like that when I worked there. They had a firewall protecting their demilitarized zone, then they had another one protecting their normal network. The normal network rules were that no connections could originate from outside.

Second, if you're using a cloud VM or real hardware at linode or similar AND your users are all known to you, they might have two-factor authentication as an option with your hosting company. Then before you connect your game, you connect the VPN. The hosting service calls your cell phone, you enter a code and then you get access. If you have a limited number of users, you can give each user a VPN account and register their phones.

In this option, you don't have ANY ports open to the net. You're exposing a VPN endpoint, which is designed to be pretty secure and would be handled by somebody else anyway, but not your game and not directly on your server.

[3dmatrix]

I am just an ordinary user, not a corporate but i would certainly not like any one to barge in to my system. So i am a little concerned about my privacy. Is it possible in any way to configure GUFW to allow only the Steam client to use the port open for it ? Does that makes it secure in any way ?

[3rdalbum]

First, I disagree with 3rdalbum's statement that redundant firewalls are unnecessary. Defense in depth. If they get through your router and hit some other box on your LAN then having that second firewall right on the box helps a bunch.

Dude, this is a guy wanting to do some online gaming, and he's posted to Absolute Beginners Section. We're not talking about a corporate network holding industrial secrets, we're talking about a desktop user with maybe a little home network. If the user's router is set up to forward the desired port(s) and deny incoming connections on all the others, there's no "getting past the router and targetting another box on the LAN".

3dmatrix: No, there's no application-level capabilities in the Linux firewall. However, you might be making things more difficult than they really need to be. Your computer will not listen for any incoming connections, unless a program is specifically listening on a particular port. If you're talking about an outgoing port, then just allow all outgoing ports. Outgoing connections can only be initiated from within your computer anyway, and if you don't trust everything running on your computer then you'd better wipe it and reinstall.