Firewall Builder Games

Setting up a firewall to play DirectX online games

Erik Ohrnberger contributed a document that describes the policy and NAT rules one needs to set up in Firewall Builder to let DirectX based games through the firewall. Not only can users on the local LAN play games on the Internet, but Internet players can also join games hosted on a server behind the firewall!

Thanks Erik!

fwbuilder rules for playing DirectX games through a NAT firewall

Version 1.1 2003-12-14 (hopefully more to come)

I've created a set of objects and policies so that a game can be hosted on the inside of the network and others on the Internet can play in that DirectX game. Although I've not tested it, I believe that these objects and policies will also allow the game machines on the inside of the firewall to play in Internet hosted games.

Current Status

I've tested the case where an internal machine behind this firewall is hosting a game and an Internet user connects and plays on that hosted game. I've not been able to test the case where an Internet based hosted game and one or more machines protected by this firewall connect to this game host. I hope to test this case soon, but I'm confident that it'll work with these rules.

Setting It Up

First you need the DXPort program (available at http://www.puffinsoft.com/). This program forces the local machine's DirectX game to use only a subset of the DirectX ports. This is important because we are trying to get multiple inside machines to play in a game hosted on another Internet node, so they have to share the DirectX port range. Each of these sub-ranges will need to be filtered and forwarded to the game machine intended to receive that traffic. The recommended DXPort port ranges are listed below:

    DirectX-Range 01: 2302 - 2311
    DirectX-Range 02: 2312 - 2321
    DirectX-Range 03: 2322 - 2331
    DirectX-Range 04: 2332 - 2341
    DirectX-Range 05: 2342 - 2351
    DirectX-Range 06: 2352 - 2361
    DirectX-Range 07: 2362 - 2371
    DirectX-Range 08: 2372 - 2381
    DirectX-Range 09: 2382 - 2391
    DirectX-Range 10: 2392 - 2400

So, create TCP and UDP protocol objects for each of these ranges and name them as shown above (actually you can name them anything you want; I chose the names listed above). I also created protocol groups that combine the TCP and UDP objects for each range, which makes editing rules easier. Also create another Service Group object that contains all of these DirectX port ranges and name it 'Game Services'. You'll need it later for the global policy. You can see the resulting TCP and UDP port range objects below. They are just what you'd expect.

Next, create host objects for the appropriate machines. I created the following hosts; you can create and name as many or as few hosts as you want, and you can call them whatever you want.

Do please note that your internal IP addresses may be different. All that's really important is that each IP address is specific to one machine. You don't have to create all those machines, but I did, just in case I end up hosting a LAN party someday.

Now, in the NAT table add the following rules:

OSRC=Any ODST=fw Ext OSRV=DirectX-Range 01 TSRC=fw Internal TDST=DXPort 01 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 02 TSRC=fw Internal TDST=DXPort 02 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 03 TSRC=fw Internal TDST=DXPort 03 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 04 TSRC=fw Internal TDST=DXPort 04 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 05 TSRC=fw Internal TDST=DXPort 05 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 06 TSRC=fw Internal TDST=DXPort 06 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 07 TSRC=fw Internal TDST=DXPort 07 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 08 TSRC=fw Internal TDST=DXPort 08 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 09 TSRC=fw Internal TDST=DXPort 09 TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 10 TSRC=fw Internal TDST=DXPort 10 TSRV=Orig

These NAT rules are shown below:

In the Global Policy add the following rules:

SRC=Internet-Net DST=fw Ext SRV=Game Services ACTION=Accept
SRC=Any DST=Any SRV=Game Services ACTION=Accept

These rules are shown below. Note the Game Services protocol group that I mentioned earlier.

I read Tim's page (http://www.u.arizona.edu/~trw/games/ports.htm), the Microsoft Knowledge Base article and the Zone's Knowledge Base article, and found that in order to host a game on the inside and allow Internet based players to access that game, you'll need to redirect TCP 47624 and UDP 6073 for DirectX 7 and UDP 6073 for DirectX 8 from the outside of the firewall to the inside, directly to the game hosting machine. I created separate protocol group objects for each of these and added them to the first NAT rule, since the first DXHost machine is the target machine in my network. The specific requirements are quoted from the Microsoft Knowledge Base article in the tables below.

Using DirectX 7 method:

Connection                Ports for Client Configuration    Ports for Host Configuration
Initial TCP Connection    47624 Outbound                    47624 Inbound
Subsequent TCP Inbound    2300-2400                         2300-2400
Subsequent TCP Outbound   2300-2400                         2300-2400
Subsequent UDP Inbound    2300-2400                         2300-2400
Subsequent UDP Outbound   2300-2400                         2300-2400

Using DirectX 8 method:

Connection                Ports for Client Configuration    Ports for Host Configuration
Initial UDP Connection    6073 Outbound                     6073 Inbound
Subsequent UDP Inbound    2302-2400                         2302-2400
Subsequent UDP Outbound   2302-2400                         2302-2400

Revised Game Host NAT rule

As you can see, I've added the DirectX-7 and DirectX-8 game host services to the NAT rule for the machine hosting the internal games.

Hosting Mixed LAN / Internet Games

OK. So at this point you should be able to have multiple players on your local LAN connect to a game hosted by someone else out on the Internet. This is nice, but what about you hosting the game, having Internet players join your game, and having multiple local LAN players join your game as well? This is where the current set of rules falls short. When I tried to host a game, then have an Internet based player join that game, and finally add a local LAN player to the game, the local LAN game complained about not supporting a masqueraded game host. So, we need to make the local LAN game traffic appear to the game host as if it is coming from the Internet. I didn't know how to do this until Vadim Kurland mentioned the section in the fwbuilder User's Guide called DNAT back to the same LAN (page 127 as of the current version).

This changes the NAT rules to the following:

OSRC=Internet-net ODST=fw OSRV=DirectX-Range xx TSRC=fw Internal TDST=DXPort xx TSRV=Orig
OSRC=Any ODST=fw Ext OSRV=DirectX-Range 02 TSRC=Orig TDST=DXPort 02 TSRV=Orig

All the NAT rules are graphically shown below:
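The DirectX-Range port forwarding set up in the NAT rules above, the game-host ports from the DirectX 7 and DirectX 8 tables, and the DNAT back to the same LAN step, written out as an equivalent hand-made iptables script. This is an added example, not part of Erik's document and not what fwbuilder generates; the addresses (203.0.113.10 as fw Ext, 192.168.1.0/24 as the LAN, DXPort NN at 192.168.1.(10+NN)) and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the page and not fwbuilder output: the NAT scheme above as
# hand-written iptables commands. Addresses below are constructed assumptions.
EXT_IP=203.0.113.10        # "fw Ext" (placeholder public address)
FW_INT_IP=192.168.1.1      # "fw Internal"
LAN_NET=192.168.1.0/24     # the LAN holding the DXPort hosts
DRY_RUN=${DRY_RUN:-1}      # 1 = print the rules, 0 = apply them (needs root)
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }
# Assumed layout: DXPort NN lives at 192.168.1.(10+NN), so DXPort 01 is .11 and DXPort 10 is .20
dxport_host() { echo "192.168.1.$((10 + $1))"; }
# DirectX-Range NN as an iptables "lo:hi" port spec, following the DXPort table above
range_spec() {
    lo=$((2302 + ($1 - 1) * 10))
    hi=$((lo + 9))
    if [ "$hi" -gt 2400 ]; then hi=2400; fi   # range 10 is 2392-2400, not 2392-2401
    echo "$lo:$hi"
}
# NAT rules: Original Dst = fw Ext, Original Srv = DirectX-Range NN, Translated Dst = DXPort NN
dnat_rules() {
    i=1
    while [ "$i" -le 10 ]; do
        for proto in tcp udp; do
            ipt -t nat -A PREROUTING -d "$EXT_IP" -p "$proto" --dport "$(range_spec "$i")" \
                -j DNAT --to-destination "$(dxport_host "$i")"
        done
        i=$((i + 1))
    done
    # Game-host connection ports (DirectX 7: TCP 47624, DirectX 8: UDP 6073) go to DXPort 01 only
    ipt -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport 47624 -j DNAT --to-destination "$(dxport_host 1)"
    ipt -t nat -A PREROUTING -d "$EXT_IP" -p udp --dport 6073 -j DNAT --to-destination "$(dxport_host 1)"
}
# "DNAT back to the same LAN": a LAN player connecting to fw Ext is DNATed by the rules above,
# but the host's replies would then reach that player directly from the host's LAN address
# instead of from fw Ext. Rewriting the source to fw Internal (TSRC=fw Internal) sends the
# replies back through the firewall, where the DNAT is undone.
hairpin_rules() {
    for proto in tcp udp; do
        ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$LAN_NET" -p "$proto" --dport 2302:2400 \
            -j SNAT --to-source "$FW_INT_IP"
    done
}
# Global policy: forwarded Game Services traffic is accepted; replies are matched by conntrack
filter_rules() {
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for svc in "tcp 2302:2400" "udp 2302:2400" "tcp 47624" "udp 6073"; do
        set -- $svc; ipt -A FORWARD -p "$1" --dport "$2" -j ACCEPT
    done
}
dnat_rules; hairpin_rules; filter_rules
```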

Important Note

It should be noted that each of the players on the Internet needs to use the DXPort program to specify their DirectX port range. If they don't and the port ranges of two users overlap, you'll have shared control over a single team and the two players will fight for control in the game, so the players will need to agree on which port ranges they'll use before the game is started.

Next Challenges

Another usage scenario would be to have multiple machines on two or more LANs be able to join the same Zone.com game. I've added the needed ports, but it does not seem to make the connection to the Zone lobby server. Again, if you have some hints or suggestions, do please let me know so that I can update this mini how-to so that everyone interested can benefit.

I thank the developers of fwbuilder for such an excellent program with which to program my firewall. Much better than wrestling with scripts and low level rules.

Erik Ohrnberger, contributing fwbuilder user (you should too)


Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.