<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Due to the flexibility of iptables rules, I'm currently
    investigating doing the same logic that ServerArk does as a daemon
    with just iptables.&nbsp; It would require setting a rate limit on all
    packets, not just getstatus or getinfo packets (although their
    setting to 2/sec or maybe up it to 4/sec would still be in effect to
    prevent being used in a reflection attack).<br>
    <br>
    Geoff, if you would be so kind to share them, I'll see what I can do
    to enhance the set of rules to handle multiple UDP floods actually
    FROM a reflection attack (instead of just preventing being part of
    one).<br>
    <br>
    Thanks,<br>
    <br>
    &nbsp; <i>Boyd</i><br>
    <div class="moz-signature"><br>
    </div>
    <br>
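    Added example, not part of any message in this thread: the quoted discussion below turns on where "getstatus" sits in the packet, counted from the start of the packet (headers included) or from the start of the payload. This Python code parses the tcpdump dump quoted further down and reports the string's 0-based offset under each convention; the function names and the 14-byte Ethernet header are assumptions of this example.<br>

```python
import re
import struct

# tcpdump -X output as quoted in the thread. The dump starts at the IP
# header: -X does not print the link-level (Ethernet) header.
DUMP = """
        0x0000:  4500 002b 35b3 0000 7511 179b b612 80ad  E..+5...u.......
        0x0010:  c0a8 010c 7012 7120 0017 0000 ffff ffff  ....p.q.........
        0x0020:  6765 7473 7461 7475 730a 0000 0000       getstatus.....
"""

ETH_HEADER_LEN = 14  # assumption: untagged Ethernet II frame, as Wireshark shows it
UDP_HEADER_LEN = 8
IPPROTO_UDP = 17

# "0x0010:" followed by up to eight hex groups; the ASCII column is ignored.
HEX_LINE = re.compile(r"\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4} ?){1,8})")


def parse_tcpdump_hex(text):
    """Return the raw bytes from the hex column of tcpdump -X output."""
    data = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(data)


def locate(ip_packet, needle=b"getstatus"):
    """Find needle in the UDP payload and express its position three ways.

    All offsets are 0-based; add 1 when a tool counts from 1.
    Returns None when the payload does not contain the needle.
    """
    version, ihl_words = divmod(ip_packet[0], 16)
    if version != 4:
        raise ValueError("not an IPv4 packet")
    ip_header_len = ihl_words * 4  # 20 unless IP options are present
    if ip_packet[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")

    (ip_total_len,) = struct.unpack("!H", ip_packet[2:4])
    udp_header = ip_packet[ip_header_len:ip_header_len + UDP_HEADER_LEN]
    _sport, dport, udp_len, _cksum = struct.unpack("!HHHH", udp_header)

    payload_start = ip_header_len + UDP_HEADER_LEN
    # The UDP length field covers header + payload; anything after it in the
    # capture is link-layer padding, not game data.
    payload = ip_packet[payload_start:ip_header_len + udp_len]

    idx = payload.find(needle)
    if idx == -1:
        return None
    return {
        "dst_port": dport,
        "payload": payload,
        "payload_offset": idx,                      # from start of UDP payload
        "ip_offset": payload_start + idx,           # from start of IP header
        "frame_offset": ETH_HEADER_LEN + payload_start + idx,  # from start of frame
        "trailing_bytes": len(ip_packet) - ip_total_len,
    }


if __name__ == "__main__":
    result = locate(parse_tcpdump_hex(DUMP))
    for key, value in result.items():
        print(f"{key}: {value!r}")
```
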
    On 02/28/2012 05:09 AM, escapedturkey wrote:
    <blockquote
cite="mid:CALCvV0wOKZ6gQUFkMJtg+XDCej2tDFFu7vTCSm9mnRQN94we+g@mail.gmail.com"
      type="cite">
      <div>Can you please share your changes? I assumed the rules would
        cover multiple IP aliases. This is incorrect?<br>
      </div>
      <div><br>
      </div>
      <div>Thanks. =)</div>
      <br>
      <div class="gmail_quote">On Tue, Feb 28, 2012 at 2:47 AM, Geoff
        Goas <span dir="ltr">&lt;<a moz-do-not-send="true"
            href="mailto:gitman@gmail.com">gitman@gmail.com</a>&gt;</span>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">Well I can
          say the iptables rules have been running fantastically. I
          added a few tweaks such as not blocking the server's own set
          of IPs (there are quite a few internal queries going on), and
          also setting the hashlimit-mode to be based on source and
          destination IP since I have different server instances on
          different addresses, and I wanted a little more granularity to
          the matching. My ingress rates are still noticeably higher
          than they used to be, but at least the outbound bandwidth
          isn't being exploited anymore.<br>
          <br>
          Does anyone know the default value for
          hashlimit-htable-expire? I haven't been able to find it, so
          I've manually set it to 30 seconds.
          <div>
            <div class="h5"><br>
              <br>
              <div class="gmail_quote"><br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div bgcolor="white" link="blue" vlink="purple"
                    lang="NL">
                    <div>
                      <div>
                        <div>
                          <p class="MsoNormal">
                            On 02/24/2012 03:38 PM, River Hosting wrote:
                          </p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Hello
                              again guys,</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">I
                              was adding some new rules into the
                              firewall and it looks like
                              the flooding has stopped!</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Now
                              using:</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-
                              <i>serverark</i> (recently posted on this
                              list)</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-
                              <i>getstatus_ban.sh</i> (recently posted
                              as well)</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">-
                              <i>iptables</i></span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Since
                              this morning the traffic dropped from 6
                              Mbit/s to 45 Kb/s.</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">When
                              filtering, shutting down all gameservers
                              running on your
                              box for about 24-48 hours may do the
                              trick. After that time just reboot them
                              and let the magic happen... :)</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                          <div>
                            <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">With
                                kind regards,<br>
                                <br>
                                Julian Maartens<br>
                                River Hosting<br>
                                <br>
                              </span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:gray"><a
                                  moz-do-not-send="true"
                                  href="mailto:info@riverhosting.nl"
                                  target="_blank"><span
                                    style="color:gray;text-decoration:none">info@riverhosting.nl</span></a></span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#a6a6a6"><br>
                              </span><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:gray"><a
                                  moz-do-not-send="true"
                                  href="http://www.riverhosting.nl/"
                                  target="_blank"><span
                                    style="color:gray;text-decoration:none">http://www.riverhosting.nl</span></a></span></p>
                          </div>
                          <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">&nbsp;</span></p>
                          <div>
                            <div style="border:none;border-top:solid
                              #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
                              <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:windowtext">
                                  Marco Padovan [<a
                                    moz-do-not-send="true"
                                    href="mailto:evcz@evcz.tk"
                                    target="_blank">mailto:evcz@evcz.tk</a>]
                                  <br>
                                  <b>Sent:</b> Friday 24 February
                                  2012 14:05<br>
                                  <b>To:</b> Call of Duty server admin
                                  list.<br>
                                  <b>Subject:</b> Re: [cod] CoD2 UDP
                                  flood</span></p>
                            </div>
                          </div>
                          <p class="MsoNormal">&nbsp;</p>
                          <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">You
can
                              either use the one you linked from
                              modsrepository or the more
                              "complex" one that was posted on this list</span><br>
                            <br>
                            On 24/02/2012 14:03, <a
                              moz-do-not-send="true"
                              href="mailto:david.lauriou@wanadoo.fr"
                              target="_blank">david.lauriou@wanadoo.fr</a>
                            wrote: </p>
                          <div>
                            <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">the
rules
                                are?</span></p>
                          </div>
                          <div>
                            <p class="MsoNormal">&nbsp;</p>
                          </div>
                          <blockquote
                            style="border:none;border-left:solid black
                            1.5pt;padding:0cm 0cm 0cm
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
                            <div>
                              <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----
Original
                                  Message ----- </span></p>
                            </div>
                            <div>
                              <p class="MsoNormal"
                                style="background:#e4e4e4"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                  <a moz-do-not-send="true"
                                    href="mailto:evcz@evcz.tk"
                                    title="evcz@evcz.tk" target="_blank">Marco
                                    Padovan</a> </span></p>
                            </div>
                            <div>
                              <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                  <a moz-do-not-send="true"
                                    href="mailto:cod@icculus.org"
                                    title="cod@icculus.org"
                                    target="_blank">cod@icculus.org</a>
                                </span></p>
                            </div>
                            <div>
                              <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                  Friday, February 24,
                                  2012 2:00 PM</span></p>
                            </div>
                            <div>
                              <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                  Re: [cod] CoD2 UDP
                                  flood</span></p>
                            </div>
                            <div>
                              <p class="MsoNormal">&nbsp;</p>
                            </div>
                            <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">that
rule
                                is very basic.<br>
                                <br>
                                cod1, cod1.5, cod2 and cod4 all suffer
                                the same problem and are exploited in
                                the
                                same exact way.<br>
                                <br>
                                So an iptables that fixes the cod4
                                problem works also for cod2 and cod1<br>
                              </span><br>
                              On 24/02/2012 13:51, <a
                                moz-do-not-send="true"
                                href="mailto:david.lauriou@wanadoo.fr"
                                target="_blank">david.lauriou@wanadoo.fr</a>
                              wrote: </p>
                            <div>
                              <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">I've
found
                                  this: <a moz-do-not-send="true"
                                    href="http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers"
                                    target="_blank">http://wiki.modsrepository.com/index.php/Call_of_Duty_4:_Servers</a><br>
                                  <br>
                                  It's for cod4, not for COD2!</span></p>
                            </div>
                            <div>
                              <p class="MsoNormal">&nbsp;</p>
                            </div>
                            <blockquote
                              style="border:none;border-left:solid black
                              1.5pt;padding:0cm 0cm 0cm
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
                              <div>
                                <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----
Original
                                    Message ----- </span></p>
                              </div>
                              <div>
                                <p class="MsoNormal"
                                  style="background:#e4e4e4"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                    <a moz-do-not-send="true"
                                      href="mailto:evcz@evcz.tk"
                                      title="evcz@evcz.tk"
                                      target="_blank">Marco Padovan</a>
                                  </span></p>
                              </div>
                              <div>
                                <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                    <a moz-do-not-send="true"
                                      href="mailto:cod@icculus.org"
                                      title="cod@icculus.org"
                                      target="_blank">cod@icculus.org</a>
                                  </span></p>
                              </div>
                              <div>
                                <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                    Friday, February 24,
                                    2012 1:49 PM</span></p>
                              </div>
                              <div>
                                <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                    Re: [cod] CoD2 UDP
                                    flood</span></p>
                              </div>
                              <div>
                                <p class="MsoNormal">&nbsp;</p>
                              </div>
                              <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">NO!<br>
                                  <br>
                                  Read the messages that got posted in
                                  the last 2 days...<br>
                                  <br>
                                  This should be a proper ruleset:<br>
                                </span><a moz-do-not-send="true"
                                  href="http://icculus.org/pipermail/cod/2012-February/015927.html"
                                  target="_blank">http://icculus.org/pipermail/cod/2012-February/015927.html</a><br>
                                <br>
                                On 24/02/2012 13:47, <a
                                  moz-do-not-send="true"
                                  href="mailto:david.lauriou@wanadoo.fr"
                                  target="_blank">david.lauriou@wanadoo.fr</a>
                                wrote: </p>
                              <div>
                                <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">like
this?</span></p>
                              </div>
                              <div>
                                <p class="MsoNormal">&nbsp;</p>
                              </div>
                              <div>
                                <pre>IPTABLES -A INPUT -p UDP -m length --length 42 -m recent --set --name getstatus_cod</pre>
                                <pre>IPTABLES -A INPUT -p UDP -m string --algo bm --string "getstatus" -m recent --update --seconds 1 --hitcount 20 --name getstatus_cod -j DROP</pre>
                              </div>
                              <blockquote
                                style="border:none;border-left:solid
                                black 1.5pt;padding:0cm 0cm 0cm
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
                                <div>
                                  <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----
Original
                                      Message ----- </span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"
                                    style="background:#e4e4e4"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                      <a moz-do-not-send="true"
                                        href="mailto:evcz@evcz.tk"
                                        title="evcz@evcz.tk"
                                        target="_blank">Marco Padovan</a>
                                    </span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                      <a moz-do-not-send="true"
                                        href="mailto:cod@icculus.org"
                                        title="cod@icculus.org"
                                        target="_blank">Call of Duty
                                        server admin
                                        list.</a> </span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                      Friday, February 24,
                                      2012 1:35 PM</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                      Re: [cod] CoD2 UDP
                                      flood</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal">&nbsp;</p>
                                </div>
                                <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">iptables
                                    rules</span><br>
                                  <br>
                                  On 24/02/2012 13:28, <a
                                    moz-do-not-send="true"
                                    href="mailto:david.lauriou@wanadoo.fr"
                                    target="_blank">david.lauriou@wanadoo.fr</a>
                                  wrote: </p>
                                <div>
                                  <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">For
COD4,
                                      what is the best method to remove
                                      the UDP flooding exploit?</span></p>
                                </div>
                                <div>
                                  <p class="MsoNormal">&nbsp;</p>
                                </div>
                                <blockquote
                                  style="border:none;border-left:solid
                                  black 1.5pt;padding:0cm 0cm 0cm
4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-right:0cm;margin-bottom:5.0pt">
                                  <div>
                                    <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">-----
Original
                                        Message ----- </span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"
                                      style="background:#e4e4e4"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                        <a moz-do-not-send="true"
                                          href="mailto:evcz@evcz.tk"
                                          title="evcz@evcz.tk"
                                          target="_blank">Marco Padovan</a>
                                      </span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">To:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                        <a moz-do-not-send="true"
                                          href="mailto:cod@icculus.org"
                                          title="cod@icculus.org"
                                          target="_blank">Call of Duty
                                          server admin
                                          list.</a> </span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Sent:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                        Friday, February 24,
                                        2012 12:10 PM</span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">Subject:</span></b><span
style="font-size:10.0pt;font-family:&quot;Arial&quot;,&quot;sans-serif&quot;">
                                        Re: [cod] CoD2 UDP
                                        flood</span></p>
                                  </div>
                                  <div>
                                    <p class="MsoNormal">&nbsp;</p>
                                  </div>
                                  <p class="MsoNormal"><span
style="font-size:10.0pt;font-family:&quot;Verdana&quot;,&quot;sans-serif&quot;">Be
aware
                                      that there are two different ways
                                      to talk about offset: packet
                                      offset
                                      (includes header) and payload
                                      offset</span> (does not include
                                    header)<br>
                                    <br>
                                    On 24/02/2012 10:41, Geoff Goas
                                    wrote: </p>
                                  <p class="MsoNormal"
                                    style="margin-bottom:12.0pt">You're
                                    right, and I see my
                                    error. That is frustrating because I
                                    have no idea why it doesn't work
                                    with the
                                    offset specified then.</p>
                                  <div>
                                    <p class="MsoNormal">On Fri, Feb 24,
                                      2012 at 4:10 AM, Luca Farflame
                                      Fabbro &lt;<a
                                        moz-do-not-send="true"
                                        href="mailto:farflame@cybergames.it"
                                        target="_blank">farflame@cybergames.it</a>&gt;
                                      wrote:</p>
                                    <div>
                                      <div>
                                        <p class="MsoNormal">Try this
                                          command</p>
                                      </div>
                                      <p class="MsoNormal">tcpdump -c 4
                                        -nnvvvXS dst port 28960 </p>
                                      <div>
                                        <p class="MsoNormal">where port
                                          is the port that you want to
                                          monitor</p>
                                      </div>
                                      <div>
                                        <p class="MsoNormal">should be
                                          something like</p>
                                      </div>
                                      <div>
                                        <p class="MsoNormal">&nbsp;</p>
                                      </div>
                                      <div>
                                        <div>
                                          <p class="MsoNormal">&nbsp; &nbsp; &nbsp; &nbsp;
                                            0x0000: &nbsp;4500 002b 35b3
                                            0000 7511 179b b612 80ad
                                            &nbsp;E..+5...u.......</p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal">&nbsp; &nbsp; &nbsp; &nbsp;
                                            0x0010: &nbsp;c0a8 010c 7012
                                            7120 0017 0000 ffff ffff
                                            &nbsp;....p.q.........</p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal">&nbsp; &nbsp; &nbsp; &nbsp;
                                            0x0020: &nbsp;6765 7473 7461
                                            7475 730a 0000 0000 &nbsp; &nbsp; &nbsp;
                                            getstatus.....</p>
                                        </div>
                                      </div>
                                      <div>
                                        <div>
                                          <div>
                                            <p class="MsoNormal">&nbsp;</p>
                                          </div>
                                          <div>
                                            <p class="MsoNormal">On Feb
                                              24, 2012, at 9:54 AM,
                                              Geoff Goas wrote:</p>
                                          </div>
                                          <div>
                                            <div>
                                              <p class="MsoNormal"><br>
                                                <br>
                                                <br>
                                                <br>
                                              </p>
                                              <p class="MsoNormal"
                                                style="margin-bottom:12.0pt">That
                                                is strange, because if I
                                                use those values, it
                                                does not work. If I use
                                                "--from 31" alone, then
                                                it works. As soon as I
                                                change that to 32, it
                                                stops working. When I
                                                inspect the
                                                packets in Wireshark,
                                                the "getstatus" string
                                                starts at offset 48 if
                                                counting from 1. Would
                                                there be a way for
                                                iptables to print to log
                                                what it sees
                                                in the specified offset
                                                range?</p>
                                              <div>
                                                <p class="MsoNormal">On
                                                  Fri, Feb 24, 2012 at
                                                  3:28 AM, Luca Farflame
                                                  Fabbro &lt;<a
                                                    moz-do-not-send="true"
href="mailto:farflame@cybergames.it" target="_blank">farflame@cybergames.it</a>&gt;
                                                  wrote:</p>
                                                <div>
                                                  <p class="MsoNormal">The
                                                    length of the
                                                    packet doesn't
                                                    matter.&nbsp; </p>
                                                  <div>
                                                    <p class="MsoNormal">That
                                                      rule will try to
                                                      find the string
                                                      "getstatus"
                                                      starting at
                                                      position 32 bytes
                                                      from the start of
                                                      the packet,
                                                      searching for it
                                                      up to
                                                      position 41 at
                                                      most.</p>
                                                  </div>
                                                  <div>
                                                    <p class="MsoNormal">The
                                                      Q3 protocol for
                                                      that command
                                                      expects the string
                                                      to be in
                                                      that range.</p>
                                                    <div>
                                                      <p
                                                        class="MsoNormal">&nbsp;</p>
                                                      <div>
                                                        <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal">On
                                                          Feb 24, 2012,
                                                          at 1:11 AM,
                                                          Geoff Goas
                                                          wrote:</p>
                                                          </div>
                                                          <p
                                                          class="MsoNormal">&nbsp;</p>
                                                        </div>
                                                        <blockquote
                                                          style="margin-top:5.0pt;margin-bottom:5.0pt">
                                                          <div>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12.0pt">Is the offset range of 32-41
                                                          based on a
                                                          60-byte
                                                          packet?</p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal">On
                                                          Thu, Feb 23,
                                                          2012 at 10:34
                                                          AM, Marco
                                                          Padovan &lt;<a
moz-do-not-send="true" href="mailto:evcz@evcz.tk" target="_blank">evcz@evcz.tk</a>&gt;
                                                          wrote:</p>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12.0pt">iptables -A INPUT -p udp -m
                                                          string
                                                          --string
                                                          "getstatus"
                                                          --algo bm
                                                          --from 32 --to
                                                          41 -j DROP</p>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal">--
                                                          <br>
                                                          <b><i><span
style="font-size:7.5pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">Geoff
                                                          Goas<br>
                                                          Systems
                                                          Engineer</span></i></b><br>
                                                          <br>
_______________________________________________<br>
                                                          cod mailing
                                                          list<br>
                                                          <a
                                                          moz-do-not-send="true"
href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a></p>
                                                          </div>
                                                        </blockquote>
                                                      </div>
                                                      <p
                                                        class="MsoNormal">&nbsp;</p>
                                                    </div>
                                                  </div>
                                                </div>
                                              </div>
                                              <p class="MsoNormal"><br>
                                                <br clear="all">
                                                <br>
                                                -- <br>
                                                <b><i><span
style="font-size:7.5pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">Geoff
                                                      Goas<br>
                                                      Systems Engineer</span></i></b><br>
                                              </p>
                                            </div>
                                            <p class="MsoNormal">&nbsp;</p>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                  <p class="MsoNormal"><br>
                                    <br clear="all">
                                    <br>
                                    -- <br>
                                    <b><i><span
style="font-size:7.5pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">Geoff
                                          Goas<br>
                                          Systems Engineer</span></i></b><br>
                                    <br>
                                    <br>
                                    <br>
                                    <br>
                                    <br>
                                    <br>
                                  </p>
                                </blockquote>
                              </blockquote>
                            </blockquote>
                          </blockquote>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
              <br>
              <br clear="all">
              <br>
              -- <br>
              <i><b><font size="1"><span
                      style="font-family:tahoma,sans-serif">Geoff Goas</span><br
                      style="font-family:tahoma,sans-serif">
                    <span style="font-family:tahoma,sans-serif">Systems
                      Engineer</span></font></b></i><br>
              <br>
            </div>
          </div>
        </blockquote>
      </div>
      <br>
      <br clear="all">
      <br>
      -- <br>
      <div>EscapedTurkey.com Billing and Support<br>
      </div>
      <div><a moz-do-not-send="true"
          href="https://www.escapedturkey.com/helpdesk" target="_blank">https://www.escapedturkey.com/helpdesk</a></div>
      <br>
      <br>
    </blockquote>
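Added example, not part of the thread: one way to check offline what sits in a given --from/--to window, and why a byte position read from a full frame in Wireshark differs from the offset the rule uses. It assumes the string match counts offsets from the first byte of the IP header (as the 0x0020 line of the tcpdump output suggests) and treats --to as an exclusive end; the frame, addresses, ports and function names are constructed for the illustration.

```python
import struct

ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100


def build_frame(payload, ip_options=b"", vlan=False):
    """Constructed Ethernet/IPv4/UDP frame (documentation addresses, made-up ports)."""
    if len(ip_options) % 4:
        raise ValueError("IP options must be padded to a multiple of 4 bytes")
    ihl_words = 5 + len(ip_options) // 4
    udp = struct.pack("!HHHH", 40000, 28960, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x40 | ihl_words, 0, ihl_words * 4 + len(udp),
                     0, 0, 64, 17, 0,          # checksum left at 0 for the demo
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + ip_options
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    if vlan:
        eth += struct.pack("!HH", ETH_P_8021Q, 100)   # 802.1Q tag adds 4 bytes
    return eth + struct.pack("!H", ETH_P_IP) + ip + udp


def link_header_len(frame):
    """Bytes in front of the IP header: 14 for plain Ethernet, 18 with one VLAN tag."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    length = 14
    if ethertype == ETH_P_8021Q:
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        length = 18
    if ethertype != ETH_P_IP:
        raise ValueError("not an IPv4 frame")
    return length


def locate(frame, needle=b"getstatus"):
    """Where the needle sits, in the coordinate systems people quote in the thread."""
    l2 = link_header_len(frame)
    ip = frame[l2:]
    ihl = (ip[0] & 0x0F) * 4              # IP header length varies with options
    if ip[9] != 17:
        raise ValueError("not UDP")
    payload_start = ihl + 8               # 8-byte UDP header
    pos = ip.find(needle, payload_start)
    if pos == -1:
        return None
    return {
        "ip_offset": pos,                     # 0-based, from the IP header (assumed rule view)
        "frame_offset": l2 + pos,             # 0-based, from the start of the frame
        "frame_offset_1based": l2 + pos + 1,  # counting the first frame byte as 1
        "payload_offset": pos - payload_start,
    }


def window(frame, frm, to):
    """Bytes of the IP packet in [frm, to); the exclusive end is this sketch's assumption."""
    return frame[link_header_len(frame):][frm:to]


if __name__ == "__main__":
    query = b"\xff\xff\xff\xffgetstatus\n"    # constructed query payload
    cases = {
        "plain": build_frame(query),
        "vlan": build_frame(query, vlan=True),
        "ip options": build_frame(query, ip_options=b"\x01\x01\x01\x00"),
    }
    for name, frame in cases.items():
        print(name, locate(frame), window(frame, 32, 41))
```

With IP options present the same 32-41 window no longer covers the whole string, so a fixed offset only holds for option-free headers.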
  </body>
</html>