Agreed.  My original post was based upon my deny-all policy needs, which,
inverted, may apply to your allow-all policy.

The conclusion for me was to allow connections to go OUT with a UDP source
port of 27960 (the default Q3A port).  I did not have to create any additional
openings in my rules.  This scares me, as I have yet to be able to determine
just how the hell it's getting back into my network.  If anyone has that
information, I would sure appreciate it if they shared it!

Anyway, that port can be modified, so if you DO have an allow-all policy,
good luck stopping things like this - which can be modified by the user.

Actually, I do know how you can primarily stop it.  ID software runs 2
"master servers" that I am aware of.  They act as a type of "browse list"
server for connection to Q3A servers.  The servers are:

master.idsoftware.com (192.246.40.37) - satan
master3.idsoftware.com (192.246.40.56) - monster

(They are listed in the config file for Q3A)

You can block the 192.246.40.0 network and you should be able to effectively
block the "browse list" in Q3A from working.  BUT, a user can still connect
directly to a server if they know its address and port.  The ports can be
variable (default of 27960) so blocking all possibilities is likely an
impossibility.

HTH
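Added example, not from any poster in this thread: a Cisco IOS extended ACL that expresses the two blocks discussed above (the master-server network and the default port 27960) for an allow-all policy. The ACL name and the interface name are assumptions.

```cisco
! Named extended ACL applied outbound on the Internet-facing interface.
! ACL name and interface name are assumptions, not from the thread.
ip access-list extended DENY-Q3A
 remark The two master servers named in the thread sit in 192.246.40.0/24;
 remark dropping that network breaks the in-game server "browse list".
 deny   udp any 192.246.40.0 0.0.0.255 log
 deny   tcp any 192.246.40.0 0.0.0.255 log
 remark Default Q3A port 27960 as destination (reaching a game server) and
 remark as source (the outbound opening the reply above mentions).
 deny   udp any any eq 27960 log
 deny   udp any eq 27960 any log
 remark Everything else follows the existing allow-all policy.
 permit ip any any
!
interface Serial0/0
 ip access-group DENY-Q3A out
```

The port lines only catch the default configuration; as the thread notes, a user who changes the port or connects directly by address bypasses them, and the log keyword at least makes the attempts visible.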


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ron DuFresne
Sent: Friday, June 09, 2000 6:35 PM
To: Tony Driscoll
Cc: [EMAIL PROTECTED]
Subject: Re: Cisco ACL's to prevent Quake Arena?



This should only be difficult if your policy is based upon an allow-all and
deny-few perspective.  If the reverse is the case (deny all, allow few),
then unless the quake ports match something else specifically allowed, you
have no real problems other than folks trying to set up an internal quake
server on the inside <smile>.

Thanks,

Ron DuFresne


On Fri, 9 Jun 2000, Tony Driscoll wrote:

> Hi all,
> As a roundabout from yesterday's thread regarding Quake Arena: anyone know
> of a decent way to PREVENT internal users from connecting to public Quake
> Arena servers using ACL's or otherwise? I know little about the game itself
> other than the fact that consultants shouldn't be using our T3 for
> head-to-head play with their virtual buddies on the weekends!  :-)
> It appears that the server port number can be random like most things from
> what I've been reading, making it possibly more challenging to lock down
> outgoing traffic?
>
>
> TIA
> Tony Driscoll
>
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
