firewall help

July 2, 2005 11:14:02 PM

Archived from groups: alt.games.everquest (More info?)

Hello, I'm curious if there is a way to get around a college firewall.... to
play EQ... I have recently used http-tunneling and sockscap32 .. which
enable me to access the EverQuest patch.... but I read somewhere where a
person wasn't able to play the game after he downloaded the patch..... (I'm
still downloading the patch at the time of this message).... anyone have any
ideas or where to point me ?

Blaz

Anonymous
July 4, 2005 12:38:41 AM

On Sat, 2 Jul 2005 19:14:02 -0500, "Blaze" wrote:

> Hello, I'm curious if there is a way to get around a college firewall.... to
> play EQ... I have recently used http-tunneling and sockscap32 .. which
> enable me to access the EverQuest patch.... but I read somewhere where a
> person wasn't able to play the game after he downloaded the patch..... (I'm
> still downloading the patch at the time of this message).... anyone have any
> ideas or where to point me ?

Http-tunneling will introduce far too much lag. Although you might be
able to get the game to work, I suspect it'll be unplayable.

Plus you're probably breaking the T&C of your college by using your
connection for gaming. That's certainly the case at the University where
I work.
Anonymous
July 5, 2005 12:46:53 AM

Gary Beldon wrote:
> On Sat, 2 Jul 2005 19:14:02 -0500, "Blaze" wrote:
>
> > Hello, I'm curious if there is a way to get around a college firewall.... to
> > play EQ... I have recently used http-tunneling and sockscap32 .. which
> > enable me to access the EverQuest patch.... but I read somewhere where a
> > person wasn't able to play the game after he downloaded the patch..... (I'm
> > still downloading the patch at the time of this message).... anyone have any
> > ideas or where to point me ?

I thought for http tunneling..the service you are connecting to also
had to support http tunneling..does Sony claim to support EQ via http
tunneling?
Anonymous
July 5, 2005 10:27:36 AM

Gary Beldon wrote:
> On 4 Jul 2005 20:46:53 -0700, zigipha@hotmail.com wrote:
>
> > I thought for http tunneling..the service you are connecting to also
> > had to support http tunneling
>
> That depends on the way the proxy is set up, (IIRC) if SSL isn't tied to
> port 443 you can tunnel arbitrary connections. Also, not if you have a
> machine on the outside of the firewall to use as a relay.

So the user would be behind the firewall, and require the services of a
"friendly machine" beyond the firewall to translate the tunnel to
regular IP, which would then be forwarded to Sony..correct?
Anonymous
July 5, 2005 11:58:52 AM

On 4 Jul 2005 20:46:53 -0700, zigipha@hotmail.com wrote:

> I thought for http tunneling..the service you are connecting to also
> had to support http tunneling

That depends on the way the proxy is set up, (IIRC) if SSL isn't tied to
port 443 you can tunnel arbitrary connections. Also, not if you have a
machine on the outside of the firewall to use as a relay.


> ..does Sony claim to support EQ via http
> tunneling?

I very much doubt it...
Anonymous
July 5, 2005 10:25:02 PM

On 5 Jul 2005 06:27:36 -0700, zigipha@hotmail.com wrote:

> Gary Beldon wrote:
> >
> > That depends on the way the proxy is set up, (IIRC) if SSL isn't tied to
> > port 443 you can tunnel arbitrary connections. Also, not if you have a
> > machine on the outside of the firewall to use as a relay.
>
> So the user would be behind the firewall, and require the services of a
> "friendly machine" beyond the firewall to translate the tunnel to
> regular IP, which would then be forwarded to Sony..correct?

Yes, exactly that.

All you need on the outside is a machine with an SSH daemon listening on
port 443. Then you tunnel through with an SSH connection and forward
whatever ports you need to. AFAIK the only way to block this would be to
block access to that particular machine.
I've only ever used SSH & NNTP over a tunneled connection, but I can't
see why EQ wouldn't work in theory. Just that in practice I think there
would be far too much lag.
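
An added example, not part of the original posts, showing the proxy-side checks the replies above touch on: restricting CONNECT to port 443, and inspecting the first client bytes of a tunnel to tell a TLS handshake from an SSH identification string. The allow-list, hostnames and payload bytes are constructed assumptions.

```python
import re

ALLOWED_CONNECT_PORTS = {443}  # assumption: proxy policy ties CONNECT to port 443

def connect_allowed(request_line: str) -> bool:
    """True if an HTTP CONNECT request line targets an allowed port."""
    m = re.fullmatch(r"CONNECT\s+\S+:(\d{1,5})\s+HTTP/1\.[01]", request_line.strip())
    return bool(m) and int(m.group(1)) in ALLOWED_CONNECT_PORTS

def classify_first_bytes(data: bytes) -> str:
    """Label the first client bytes seen inside an established tunnel."""
    if data.startswith(b"SSH-"):   # SSH identification string (RFC 4253)
        return "ssh"
    if len(data) < 6:
        return "incomplete"
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # then handshake message type 0x01 (ClientHello) at offset 5.
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"
    return "unknown"               # e.g. a legacy SSLv2 hello; review manually

def review(sessions):
    """Return (request_line, verdict) for each (request_line, first_bytes) pair."""
    out = []
    for line, first in sessions:
        if not connect_allowed(line):
            verdict = "deny: port not allowed"
        else:
            kind = classify_first_bytes(first)
            verdict = "allow" if kind == "tls" else f"flag: {kind} inside CONNECT"
        out.append((line, verdict))
    return out

# Constructed sample sessions (hostnames and payloads are made up).
SAMPLE = [
    ("CONNECT relay.example.net:443 HTTP/1.1", b"SSH-2.0-OpenSSH_4.1\r\n"),
    ("CONNECT shop.example.com:443 HTTP/1.1", bytes.fromhex("160301002f010000")),
    ("CONNECT game.example.org:7000 HTTP/1.0", b""),
]

if __name__ == "__main__":
    for line, verdict in review(SAMPLE):
        print(f"{verdict:32} {line}")
```
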
Anonymous
July 6, 2005 10:44:13 AM

And where does one find such "friendly machines"? Are they publicly
available? I am sure that the campus would make one available for those
that need the service but would probably require password access...but
for the casual user, how does one access such a machine?
Anonymous
July 6, 2005 1:14:08 PM

<zigipha@hotmail.com> wrote:
> And where does one find such "friendly machines"? Are they publicly
> available? I am sure that the campus would make one available for those
> that need the service but would probably require password access...but
> for the casual user, how does one access such a machine?

I am quite sure the campus would do no such thing, otherwise the restriction
wouldn't exist in the first place. =P

As far as your question goes, if you don't know the answer, you wouldn't be
able to use the answer. It would be more than a bit of a chore to get EQ to
run through a remote forwarder. In other words, that's not a solution "for
the casual user".
Anonymous
July 7, 2005 2:34:14 AM

On 6 Jul 2005 06:44:13 -0700, zigipha@hotmail.com wrote:

> And where does one find such "friendly machines"? Are they publicly
> available?

AFAIK there are no _publicly_ available machines.
When I need to tunnel through a proxy I use my home machine (with a
permanent cable modem connection). If you could find a friendly sysadmin
with lots of bandwidth I guess they could set you up, but I don't know
of anybody.


> I am sure that the campus would make one available for those
> that need the service but would probably require password access...

I doubt that they would. If they're willing to allow you to play games,
they'll allow your PC to bypass the firewall. Ask the question and see
what they say. Anything other than a direct connection isn't really
going to be much use.
Anonymous
July 7, 2005 2:42:15 AM

On Wed, 06 Jul 2005 09:14:08 -0500, Faned wrote:

> <zigipha@hotmail.com> wrote:
> > And where does one find such "friendly machines"? Are they publicly
> > available? I am sure that the campus would make one available for those
> > that need the service but would probably require password access...but
> > for the casual user, how does one access such a machine?
>
> I am quite sure the campus would do no such thing, otherwise the restriction
> wouldn't exist in the first place. =P

Exactly.

The problem with the place I work is that the 'network security' guys
really haven't got a clue, so they just lock everything down.
They would probably have a fit if they knew that I could tunnel through
their proxy, but my boss is happy with it so I don't care.


> As far as your question goes, if you don't know the answer, you wouldn't be
> able to use the answer. It would be more than a bit of a chore to get EQ to
> run through a remote forwarder. In other words, that's not a solution "for
> the casual user".

As I said previously, I really don't think EQ would be playable due to
the lag that tunneling would introduce. I think I'll have a go and see
what it's like. Just in the interest of research, at work, just in case,
you know... ;) 
July 7, 2005 3:16:38 PM

Gary Beldon wrote:
> On Wed, 06 Jul 2005 09:14:08 -0500, Faned wrote:
>
> > <zigipha@hotmail.com> wrote:
> > > And where does one find such "friendly machines"? Are they publicly
> > > available? I am sure that the campus would make one available for those
> > > that need the service but would probably require password access...but
> > > for the casual user, how does one access such a machine?
> >
> > I am quite sure the campus would do no such thing, otherwise the restriction
> > wouldn't exist in the first place. =P
>
> Exactly.
>
> The problem with the place I work is that the 'network security' guys
> really haven't got a clue, so they just lock everything down.
> They would probably have a fit if they knew that I could tunnel through
> their proxy, but my boss is happy with it so I don't care.

Heh :) 

As a corporate Systems and Network Security professional, I can say this
is actually the correct way to do things: lock everything down, both
ways, then poke holes as necessary. This gives the proper authorities
the ability to say what services may or may not be used on the company
(or school) network. Approved activities, such as web-browsing, go
through, while disapproved activities, such as file swapping or game
playing, do not. Likewise, it also prevents unwanted incoming
connections, such as worms, from infecting the network, or in the event
a worm does somehow become introduced, greatly reduces if not
preventing it from spreading across network boundaries.

> > As far as your question goes, if you don't know the answer, you wouldn't be
> > able to use the answer. It would be more than a bit of a chore to get EQ to
> > run through a remote forwarder. In other words, that's not a solution "for
> > the casual user".
>
> As I said previously, I really don't think EQ would be playable due to
> the lag that tunneling would introduce. I think I'll have a go and see
> what it's like. Just in the interest of research, at work, just in case,
> you know... ;) 

There's more to it than that. ssh (port 22, not 443; 443 is https, but
properly configured either will work) tunnelling only supports and
forwards TCP packets, not UDP. This is fine for the patcher, which
uses TCP, however EverQuest itself uses a wide range of randomly
assigned UDP ports. I ran into precisely this problem when setting up
my house firewall. While UDP-over-TCP wrappers exist, using such
wrappers for the purpose of forwarding the EverQuest UDP packets over a
TCP connection, as mentioned elsewhere, introduces such a tremendous
amount of latency as to render the connection useless for playing the
game.

Complete technical information is provided by SOE at:
http://help.station.sony.com/cgi-bin/soe.cfg/php/enduse...
(wow, that's a big URL)
While it's doubtful that you will ever convince your Network Admin to
arbitrarily open all state-established UDP connections over port 1023
(as this opens the network to being an out-going source of network
nasties), this is what needs to happen to realize your dream.
--
Xiphos - We SysAdmins tend to get pissy when we find out our network is
being used to send out malevolent material
July 7, 2005 6:43:52 PM

Gary Beldon wrote:
> On 7 Jul 2005 11:16:38 -0700, "Xiphos" wrote:
>
> > As a corporate Systems and Network Security professional, I can say this
> > is actually the correct way to do things: lock everything down, both
> > ways, then poke holes as necessary. This gives the proper authorities
> > the ability to say what services may or may not be used on the company
> > (or school) network.
>
> Which is fine if the relevant people know what they're doing. It took
> them 18 months to get streamed quicktime movies working through the
> proxy, even though a lecturer needed it for a part of the course she was
> teaching.
> And the recent classic, they couldn't be bothered to wait for a SAN
> array to check itself after a power outage, so just reset it. It was 2
> days before it was working properly again.

Wow. OK, yeah, these people are probably working at a Uni for a
reason, then ;) 

> > There's more to it than that. ssh (port 22, not 443; 443 is https, but
> > properly configured either will work) tunnelling only supports and
> > forwards TCP packets, not UDP.
>
> A lot of proxies only allow SSL/HTTPS connections on port 443, hence
> you need to connect ssh through port 443. If the proxy allows SSL
> connections on any port you no longer need a relay machine, and can
> tunnel to anywhere.

Never been on a network with a proxy/firewall that blocked port 22, but
I could see where that would be an issue.

> I didn't realise it was limited to TCP.

Yep. The major drawback to using SSH tunnelling. UDP-over-TCP wrappers
exist, but they're cumbersome.

> I guess everything I've tried only uses TCP.

Probably because most worthwhile network services, besides games, use
TCP over UDP :) 

> Couldn't you make a VPN connection through the tunnel,
> and then send UDP through that? I think I'll have a play...

An excellent question. Let me know how that goes for you, I'm curious
as to the answer.

I still suspect it would end up introducing far too much latency to be
useful for playing EQ, and there's still the issue of finding the
all-important external proxy host. Perhaps the original poster could
set up a small proxy system at a friend's or relative's abode? An old,
cheap AMD K6 or P-II should do nicely.
--
Xiphos - Never lived in the dorms. Stories like this reinforce the
notion I missed nothing.
Anonymous
July 8, 2005 1:04:33 AM

On 7 Jul 2005 11:16:38 -0700, "Xiphos" wrote:

> As a corporate Systems and Network Security professional, I can say this
> is actually the correct way to do things: lock everything down, both
> ways, then poke holes as necessary. This gives the proper authorities
> the ability to say what services may or may not be used on the company
> (or school) network.

Which is fine if the relevant people know what they're doing. It took
them 18 months to get streamed quicktime movies working through the
proxy, even though a lecturer needed it for a part of the course she was
teaching.
And the recent classic, they couldn't be bothered to wait for a SAN
array to check itself after a power outage, so just reset it. It was 2
days before it was working properly again.


> There's more to it than that. ssh (port 22, not 443; 443 is https, but
> properly configured either will work) tunnelling only supports and
> forwards TCP packets, not UDP.

A lot of proxies only allow SSL/HTTPS connections on port 443, hence
you need to connect ssh through port 443. If the proxy allows SSL
connections on any port you no longer need a relay machine, and can
tunnel to anywhere.

I didn't realise it was limited to TCP. I guess everything I've tried
only uses TCP. Couldn't you make a VPN connection through the tunnel,
and then send UDP through that? I think I'll have a play...