[Firehol-devs] service definition for xbox

[Costa Tsaousis]

Andrew Schulman wrote:
> Following is the (complex) service definition function for xbox, the Xbox live
> service.  With this definition our Xbox connects and plays from behind a NAT
> firewall with no trouble.  Andrew.
>
> rules_xbox() {
> 	local mychain="${1}"; shift
> 	local type="${1}"; shift
>
> 	local in=in
> 	local out=out
> 	if [ "${type}" = "client" ]
> 	then
> 		in=out
> 		out=in
> 	fi
>
> 	local client_ports="${DEFAULT_CLIENT_PORTS}"
> 	if [ "${type}" = "client" -a "${work_cmd}" = "interface" ]
> 	then
> 		client_ports="${LOCAL_CLIENT_PORTS}"
> 	fi
>
> 	# ----------------------------------------------------------------------
>
> 	set_work_function "Setting up rules for Xbox live"
>
> 	rule ${in}          action "$@" chain "${in}_${mychain}"  proto udp \
> 		dport "88 3074" sport "${client_ports}" \
> 		state NEW,ESTABLISHED || return 1
> 	rule ${out} reverse action "$@" chain "${out}_${mychain}" proto udp \
> 		dport "88 3074" sport "${client_ports}" \
> 		state     ESTABLISHED || return 1
> 	
> 	rule ${in}          action "$@" chain "${in}_${mychain}"  proto tcp \
> 		dport 3074 sport "${client_ports}" \
> 		state NEW,ESTABLISHED || return 1
> 	rule ${out} reverse action "$@" chain "${out}_${mychain}" proto tcp \
> 		dport 3074 sport "${client_ports}" \
> 		state     ESTABLISHED || return 1
>
> 	rule ${in}          action "$@" chain "${in}_${mychain}"  proto udp \
> 		sport 3074 dport "${client_ports}" \
> 		state NEW,ESTABLISHED || return 1
> 	rule ${out} reverse action "$@" chain "${out}_${mychain}" proto udp \
> 		sport 3074 dport "${client_ports}" \
> 		state     ESTABLISHED || return 1
>
> 	return 0
> }
>
>   
Andrew,

I was trying to add this to firehol, when I realized that the last rule 
opens all unprivileged UDP ports to anyone from source port UDP 3074.
Example:

router myrouter
route xbox accept

generates this:

# Setting up rules for Xbox live
/sbin/iptables -t filter -A in_myrouter_xbox_s1 -p udp --sport 
1024:65535 --dport 88 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A in_myrouter_xbox_s1 -p udp --sport 
1024:65535 --dport 3074 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_myrouter_xbox_s1 -p udp --sport 88 
--dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_myrouter_xbox_s1 -p udp --sport 3074 
--dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

/sbin/iptables -t filter -A in_myrouter_xbox_s1 -p tcp --sport 
1024:65535 --dport 3074 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_myrouter_xbox_s1 -p tcp --sport 3074 
--dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

# THESE ARE A PROBLEM:
/sbin/iptables -t filter -A in_myrouter_xbox_s1 -p udp --sport 3074 
--dport 1024:65535 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_myrouter_xbox_s1 -p udp --sport 
1024:65535 --dport 3074 -m state --state ESTABLISHED -j ACCEPT

Are you sure this is correct?
Where did you find this information?

Costa