# Packet filtering for a Quake3 engine game server



## naali (Nov 19, 2013)

Hello

I'm new to FreeBSD and would like some help with a problem. I'm currently planning to move my game server from a Linux to a FreeBSD server. The server would host a website, need SSH access and possibly, I might set up a mail server in it. For my other needs, I have found informative resources. But not for this particular firewall problem. The problem is that the game server is running an old Quake3 based game engine, which can be used to DDoS other servers. To stop this, I have both patched the server engine and applied similar to the following rules in my Linux server firewall:


```
iptables -N Q3_27960 
iptables -A Q3_27960 -m string ! --hex-string "|FF FF FF FF|" --algo bm --from 27 --to 30 -j ACCEPT
iptables -A Q3_27960 -m string --algo bm --string "getstatus" -m recent --set --name getstatus
iptables -A Q3_27960 -m recent --update --seconds 2 --hitcount 4 --name getstatus -j DROP
iptables -A Q3_27960 -j ACCEPT

iptables -A INPUT -p udp --dport 27960 -j Q3_27960
```
The first rule checks if the packet is an in-game packet and lets it pass through directly if it is. The in-game packets never have -1 as a 4 byte integer in the beginning of the UDP data. The following rules only check if the packet contains a getstatus request and limits the number of those requests. The DDOS exploitability is based on that whoever is doing it, can spoof the target IP in the packet and the server will respond with about 1.5 kB responses on each request. The request size is usually just 13 bytes inside the diagram. It is not possible to take the full load of the requests with the game server even if it is patched. It would stop responding but the players would still suffer from the packet load.

I have searched for similar things done with FreeBSD firewalls without finding any. I have found some posts that say this kind of text searching is not desired in the kernel. I'm seeking for help and suggestions how this could be solved and which one of the three firewalls would you recommend. I plan on picking one firewall and sticking with it unless it doesn't work for all the future purposes.


----------



## SirDice (Nov 21, 2013)

As far as I know neither PF or IPFW are capable of looking at the payload of a packet. So neither can be used to block traffic based on the contents of the payload. Firewalls usually work on layer 2/3/4 and you're looking for something that can filter on layer 7.


----------



## naali (Nov 21, 2013)

Could there be a way to add something in the userland in-between the firewall and the server application? This is actually not a highly critical issue as from my experiences, before applying the rules to the firewall, the in-game lags started with well more then 20 players on the server. And that was a long time ago with another server machine. Could even be that the patch I was using at that time couldn't handle enough IP addresses. I can't verify this because it was a third party binary edit on the engine. The server is not that popular anymore. But I would still like to map different possible options.


----------



## kpa (Nov 21, 2013)

Unfortunately PF comes from OpenBSD where the developers concentrate on security and correctness and that means that PF is deliberately left without any hooks to implement such functionality. I don't know what the story is with IPFW because I don't use it.

IPTables is superior in this regard but that's about the only area where it is preferrable over the other options IMO.


----------

