
Lots of Steam "protocol" Drops in Firewall Live Log after adding DNAT for internal game server.

Hello UTM Gurus,

I have been crawling the forum and looking at all the game server hosting threads that I can find but have not found an answer.

I recently spun up a dedicated Ubuntu server inside my network to host a server for myself and my friends. I was able to successfully configure a DNAT rule to allow connection to the server from the internet and my friend is able to connect to my server and play.

However, I am now getting A LOT of "Default DROP" hits in my Firewall Live Log from external IPv4 to external WAN IP on one of the ports used for the game/DNAT.

Live Log:

08:58:03	Default DROP	Steam	 76.84.56.154	:	58706 → MyWANIP	:	2457 len=53	ttl=114	tos=0x00	srcmac=00:01:5c:b3:a6:46	dstmac=MyWANMAC

Corresponding Firewall Log:

08:58:03 sutm ulogd[19577]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" mark="0x32bf" app="703" srcmac="00:01:5c:b3:a6:46" dstmac="MyWANMAC" srcip="76.84.56.154" dstip="MyWANIP" proto="17" length="53" tos="0x00" prec="0x20" ttl="114" srcport="58706" dstport="2457"

DNAT Rule:

!GameInbound = NetworkGroup with allowed Networks. (my brother's public IP and my "Internal (Network)" to allow connection from my workstation)

!Game Ports - Inbound = Service group with UDP 1:65535  →  2456:2458 (ports used by game)

Am I doing something wrong here? Is this just the nature of hosting a server? It looks like the boundary is being protected but it sure is a lot of noise in the logs for "Steam" on that DNAT port 2457.

Where does the "Steam" label come from in the Live Log?

Thanks in advance!



  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    The rule id "60001" drop means it could be one of the following reasons:

    "The UTM can't forward traffic that is sent to a Masqueraded WAN IP address unless it was requested by a client behind the UTM, or there's a NAT rule to redirect the traffic to an internal server (with the exception of services running on the UTM itself). If a packet arrives and isn't for one of the UTM's services, and isn't part of an established connection, and there's no NAT rule for it, it'll be dropped as fwrule 60001.

    Most of the time, fwrule="60001" means that you need to configure a NAT rule (likely DNAT), or review the configuration of your existing NAT because the packet isn’t matching the intended rule. Check for Interface Binding, that the source and destination port are correct, that you’re matching the correct protocol (TCP, UDP, Both), and that the IP addresses are correct." 

    Try to add both UDP and TCP ports and see if that helps. 

    The "Steam" comes from the application control app="703":

    <M> h_patel:/etc/afc # cat applications | grep 703
    703,Games,Steam

    Thanks,
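
    To see how much of the Default DROP noise is really the fwrule 60001 / app 703 pattern described above, the log lines can be grouped by rule, application, protocol and destination port. The script below is an added example, not code from the thread or from Sophos: it parses the key="value" fields of UTM ulogd packetfilter lines, using the line quoted earlier plus two constructed variants (documentation-range source IPs), and the app/proto name tables only cover the ids that appear in this thread.

```python
import re

# Constructed sample: the ulogd line quoted in the thread, plus two
# made-up lines (RFC 5737 documentation addresses, not real hosts); the
# last one deliberately omits the app="..." field.
SAMPLE_LOG = """\
08:58:03 sutm ulogd[19577]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" mark="0x32bf" app="703" srcmac="00:01:5c:b3:a6:46" dstmac="MyWANMAC" srcip="76.84.56.154" dstip="MyWANIP" proto="17" length="53" tos="0x00" prec="0x20" ttl="114" srcport="58706" dstport="2457"
08:58:04 sutm ulogd[19577]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" mark="0x32bf" app="703" srcmac="00:01:5c:b3:a6:46" dstmac="MyWANMAC" srcip="203.0.113.7" dstip="MyWANIP" proto="17" length="53" tos="0x00" prec="0x20" ttl="110" srcport="41000" dstport="2457"
08:58:05 sutm ulogd[19577]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" mark="0x0" srcmac="00:01:5c:b3:a6:46" dstmac="MyWANMAC" srcip="198.51.100.9" dstip="MyWANIP" proto="6" length="60" tos="0x00" prec="0x00" ttl="50" srcport="55000" dstport="22"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "TCP", "17": "UDP"}
APP_NAMES = {"703": "Steam"}  # from /etc/afc/applications as quoted in the thread


def parse_ulogd_line(line):
    """Return the key="value" fields of one UTM packetfilter line as a dict."""
    return dict(KV_RE.findall(line))


def summarize_drops(log_text, dnat_ports=frozenset()):
    """Group dropped packets by (fwrule, app, proto, dstport).

    Each bucket records how many hits it got, the distinct source IPs, and
    whether the destination port is one published through a DNAT. Hits on a
    DNAT port from sources the rule does not admit are the expected 60001
    noise; buckets on other ports deserve a separate look.
    """
    buckets = {}
    for line in log_text.splitlines():
        f = parse_ulogd_line(line)
        if f.get("action") != "drop":
            continue
        proto = PROTO_NAMES.get(f.get("proto"), f.get("proto", "-"))
        app = APP_NAMES.get(f.get("app"), f.get("app", "-"))  # "-" if no app id
        key = (f.get("fwrule", "-"), app, proto, f.get("dstport", "-"))
        b = buckets.setdefault(key, {"count": 0, "sources": set(),
                                     "on_dnat_port": key[3] in dnat_ports})
        b["count"] += 1
        b["sources"].add(f.get("srcip", "-"))
    return buckets


if __name__ == "__main__":
    for key, b in summarize_drops(SAMPLE_LOG, {"2456", "2457", "2458"}).items():
        print(key, b["count"], sorted(b["sources"]), "dnat" if b["on_dnat_port"] else "other")
```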

  • Thank you for the reply.

    So is all this rejected traffic just to be expected unless I expand the DNAT to more than just my friend's IP addresses into the server on my network?

    I tried adding TCP as well and the drops are still happening on the "Steam" tag. I have a feeling it has something to do with the game server having a server browser feature. Maybe all the hits are coming from the online server element trying to advertise itself to other players.

    Or is there a way to drop those Steam entries silently? 

  • FormerMember
    +1 FormerMember in reply to Tom E

    Hi,

    If your friend is the only person who needs access to this game server, you don't have to add more IP addresses than you see in the logs. Yes, some external game services may be trying to make the connection to your game server. 

    If you don't want to see the log entries, you could turn off the firewall rule's log traffic. If the log traffic is turned off, you won't see any log entries for that firewall. 

    Thanks,

  • Hi Tom and welcome to the UTM Community!

    Is that your friend's IP in the default drop log line?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That IP is just one of many being dropped, not my friend's IP. I can see the friend's IP get successfully identified by my DNAT rule and it gets forwarded as desired when he connects to my game server.

    But since adding the DNAT my log looks like this:

    Never had all those "Steam" hits before the DNAT was added to pass the friend through to my server.

    Thanks for the welcome! Your posts and others have been very helpful as I continue learning.

    ~Tom

  • Perhaps I should look into changing the external port used and pick a random high port for my friends to point to and then DNAT that to the 2457 port on the inside.

  • Check #2 in Rulz (last updated 2021-02-16) - DNATs come first, so you could make a firewall rule that drops or rejects the unwanted traffic without logging it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA