# playstation behind ipfw/natd - getting games to work



## kvi (Apr 26, 2010)

Hi,

It's always difficult for me to come up with a good title for a thread; I hope you'll understand what I'm trying to say here.

I'm setting up a FreeBSD firewall. The firewall has a dynamic IP on {oif} and my private network uses 10.0.0.x addresses (10.0.0.1 being the {iif} of the firewall).

I have a PlayStation 3 game console and I need to get it to work so that games can be played on PlayStation Network. I'm using Modern Warfare 2 to test the firewall. This is what I've come up with so far:

*1)* I tried this on the firewall:


```
ipfw add 2950 pass udp from me to any keep-state
```

Games didn't work. I took one line from tcpdump and wrote it down. It goes like this:


```
16:33:12.631644 IP 10.0.0.8.3074 > 69.60.4.116.3074: UDP, length 4
```

That 10.0.0.8 is the IP of my PlayStation 3.

*2)* So next I try:


```
ipfw add 2950 pass udp from 10.0.0.8 to any keep-state
```

Games (well, MW2) don't work. I take a longer copy & paste from tcpdump:


```
16:35:59.034213 IP service.playstation.net.5223 > 10.0.0.8.57813: Flags [.], ack 1426, win 82, length 0
16:35:59.517413 IP 10.0.0.8.3074 > 69.60.4.116.3074: UDP, length 3
16:36:03.054766 IP 10.0.0.8.49569 > 239.255.255.250.1900: UDP, length 132
```

*3)* Now I'm starting to think about that port 3074 that is seen in pretty much all lines from tcpdump, and I make the rule like this:


```
ipfw add 2950 pass udp from any 3000-5000 to any 3000-5000
```

I start the game and try to join some game on PSN and it works. tcpdump gives stuff like this:


```
16:41:32.040522 IP ALagny-155-1-18-126.w90-3.abo.wanadoo.fr.3074 > 10.0.0.8.3074: UDP, length 29
16:41:32.055734 IP 10.0.0.8.3074 > ALagny-155-1-18-126.w90-3.abo.wanadoo.fr.3074: UDP, length 17
16:41:32.055806 IP 10.0.0.8.3074 > 5ac78946.bb.sky.com.3074: UDP, length 17
16:41:32.064659 IP brn29-2-88-164-42-56.fbx.proxad.net.3074 > 10.0.0.8.3074: UDP, length 29
16:41:32.067126 IP 130.241.2-93.rev.gaoland.net.3076 > 10.0.0.8.3074: UDP, length 29
```

So I kinda get MW2 to work, but I'm not 100% satisfied, as now I have to open UDP ports for incoming connections and I guess I have to make each game its own rules in the firewall. Is there anyone who could help me out? How can I make a ruleset that won't allow that many incoming connections and would (most likely) work with all games without the need to always make new rules for new games?
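As an added illustration (not from the thread), a small Python script that replays the tcpdump lines quoted above against a keep-state style table: it shows which peer packets are unsolicited inbound (what a stateful-only ruleset would drop) and that the inbound exposure actually needed is a single host and port rather than `any 3000-5000 to any 3000-5000`. The LAN prefix and the simplified one-table state model are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: the tcpdump lines quoted in steps 2 and 3 above, verbatim.
# The TCP line to service.playstation.net is skipped by the parser.
CAPTURE = """\
16:35:59.034213 IP service.playstation.net.5223 > 10.0.0.8.57813: Flags [.], ack 1426, win 82, length 0
16:35:59.517413 IP 10.0.0.8.3074 > 69.60.4.116.3074: UDP, length 3
16:36:03.054766 IP 10.0.0.8.49569 > 239.255.255.250.1900: UDP, length 132
16:41:32.040522 IP ALagny-155-1-18-126.w90-3.abo.wanadoo.fr.3074 > 10.0.0.8.3074: UDP, length 29
16:41:32.055734 IP 10.0.0.8.3074 > ALagny-155-1-18-126.w90-3.abo.wanadoo.fr.3074: UDP, length 17
16:41:32.055806 IP 10.0.0.8.3074 > 5ac78946.bb.sky.com.3074: UDP, length 17
16:41:32.064659 IP brn29-2-88-164-42-56.fbx.proxad.net.3074 > 10.0.0.8.3074: UDP, length 29
16:41:32.067126 IP 130.241.2-93.rev.gaoland.net.3076 > 10.0.0.8.3074: UDP, length 29
"""

# tcpdump prints host.port on both sides; hostnames may themselves contain dots.
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")
Packet = namedtuple("Packet", "src sport dst dport")

def parse(capture):
    """Return the UDP packets of a tcpdump text capture as Packet tuples."""
    return [Packet(m[1], int(m[2]), m[3], int(m[4]))
            for m in map(LINE_RE.match, capture.splitlines()) if m]

def unsolicited_inbound(pkts, lan_prefix="10.0.0."):
    """Replay the capture against a keep-state style table (assumed model): an
    outbound packet (LAN source) records its 4-tuple, an inbound packet is
    solicited only if the mirrored 4-tuple exists. Everything else is dropped."""
    state, unsolicited = set(), []
    for p in pkts:
        if p.src.startswith(lan_prefix):
            state.add((p.src, p.sport, p.dst, p.dport))
        elif (p.dst, p.dport, p.src, p.sport) not in state:
            unsolicited.append(p)
    return unsolicited

def inbound_exposure(pkts, lan_prefix="10.0.0."):
    """(LAN host, port) pairs peers hit unsolicited: the minimal static inbound
    allow or natd redirect, versus 'udp from any 3000-5000 to any 3000-5000'."""
    return {(p.dst, p.dport) for p in unsolicited_inbound(pkts, lan_prefix)}

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    for p in unsolicited_inbound(pkts):
        print(f"unsolicited: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
    print("inbound exposure needed:", sorted(inbound_exposure(pkts)))
```

Three of the five peers in step 3 send first, which is why a keep-state rule alone cannot make the game work and why the only exposure that needs a static rule is 10.0.0.8 port 3074.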


----------



## SirDice (Apr 26, 2010)

The multicast to port 1900 shows the PS3 uses UPnP. Not sure about ipfw but for PF you can install net/miniupnpd.


----------



## kvi (Apr 26, 2010)

Seems ipfw support is under development according to the miniupnpd web site. I'll try reading about multicast on Wikipedia and see if I get anything useful out of it. I'll add my whole set of firewall rules here, as they are probably useful in helping me out.


```
ipfw list
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 10.0.0.1 to any in via rl0
00500 deny ip from any to 10.0.0.0/8 via rl0
00600 deny ip from any to 172.16.0.0/12 via rl0
00700 deny ip from any to 192.168.0.0/16 via rl0
00800 deny ip from any to 0.0.0.0/8 via rl0
00900 deny ip from any to 169.254.0.0/16 via rl0
01000 deny ip from any to 192.0.2.0/24 via rl0
01100 deny ip from any to 224.0.0.0/4 via rl0
01200 deny ip from any to 240.0.0.0/4 via rl0
01300 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv re0
01400 divert 8668 ip from any to any via rl0
01500 deny ip from 10.0.0.0/8 to any via rl0
01600 deny ip from 172.16.0.0/12 to any via rl0
01700 deny ip from 192.168.0.0/16 to any via rl0
01800 deny ip from 0.0.0.0/8 to any via rl0
01900 deny ip from 169.254.0.0/16 to any via rl0
02000 deny ip from 192.0.2.0/24 to any via rl0
02100 deny ip from 224.0.0.0/4 to any via rl0
02200 deny ip from 240.0.0.0/4 to any via rl0
02300 allow tcp from any to any established
02400 allow ip from any to any frag
02500 allow tcp from any to me dst-port 53 via re0 setup
02600 allow udp from any to me dst-port 53 via re0
02700 allow udp from me 53 to any via re0
02800 allow tcp from any to me dst-port 10022 setup
02900 deny log tcp from any to any in via rl0 setup
03000 allow tcp from any to any setup
03100 allow udp from me to any dst-port 53 keep-state
03200 allow udp from me to any dst-port 123 keep-state
65535 deny ip from any to any
```


----------



## SirDice (Apr 26, 2010)

kvi said:

> I'll try reading about multicast on Wikipedia and see if I get anything useful out of it.


Multicast is irrelevant. Look into UPnP IGD.

http://en.wikipedia.org/wiki/Internet_Gateway_Device_Protocol


----------



## kvi (Apr 26, 2010)

Yeah. I've been reading and googling, and I'm already reading tutorials on PF as I'm wondering if I should switch to PF instead of IPFW. That way I could get that miniupnpd in use. I also wonder if I could make some port forwarding in my natd.conf, as I wouldn't be too worried about some static forwards to the PS3.


----------



## kvi (May 7, 2010)

So it's been quite a while since I last used FreeBSD (I don't think I ever got to try out 5.x back then). Now I decided to play around with my 8.0 and learn and remember all I once knew about FreeBSD and what has changed since then. Finally I wiped my HD clean and reinstalled the whole operating system, and now I have my router set up.

About this issue with PS3 and MW2, I solved it by choosing PF instead of IPFW. I installed miniupnpd, but I don't know if Modern Warfare 2 knows how to use it. I found a link (posted by SirDice if I remember correctly) in another thread in this forum where there was something about MW2 and broken UPnP support. But even if it doesn't know how to use UPnP, my PS3 still lets me join and play games of MW2 on PlayStation Network, even though MW2 says I have a "strict NAT". I guess it just means I can't be the host of the game, but I'm capable of joining other people's games.

I know UPnP is working because I tried this test with Windows Vista:

http://www.microsoft.com/windows/using/tools/igd/default.mspx



Anyways, I'll hand out my pf.conf if someone happens to be interested in it. It's not really tight, but it blocks incoming connections nicely, and all computers on my home network have their own software firewalls anyway. I don't fully understand that multicast thing, but I took it from the miniupnpd forums, where it had solved the same problem I had with miniupnpd.


```
#################################################################
# macro definitions

extif = "rl0"
intif = "re0"
vpnif = "tun0"
intnet = "{ x.x.x.x/28 }"

privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

table <multicast> persist { 224/4 }

#################################################################
# options: "set"

set loginterface $extif

#################################################################
# scrub rules: "scrub"

scrub in on $extif all

#################################################################
# NAT rules: "rdr", "nat", "binat"

nat on $extif from $intif:network to any -> ($extif)

# redirect HTTP to squid
rdr on $intif proto tcp from any to any port 80 -> 127.0.0.1 port 3128

# miniupnpd
rdr-anchor "miniupnpd"

#################################################################
# filtering rules: "antispoof", "block", "pass"

# First the default stuff...
block log
pass quick on lo0 all

block drop in on $extif from $privnets to any
block drop in on $extif from any to $privnets

# SSH
pass in on $extif proto tcp from any to any port 22 flags S/SA

# Allow VPN
pass in on $vpnif from any to any keep state
pass out on $vpnif from any to any keep state

# Allow all on localnet
pass in on $intif from $intif:network to any keep state
pass out on $intif from any to $intif:network keep state

# This is for miniupnpd
pass out on $intif inet proto udp from any to <multicast> keep state
anchor "miniupnpd"

# Allow all traffic out from the firewall
pass out on $extif all keep state
```


----------

