Router Port Forwarding


Toxteth O'Grady
01-11-2004, 02:52 PM
I have a 3 x PC LAN behind a DSL router/firewall using NAT and 1 public static IP. The router also has SPI.

In the router config I have set up a virtual server for a single port, so I can run a public game server console 24/7. The virtual server service port maps both TCP and UDP to one of the LAN IPs.

In the router firewall I have WAN port blocking enabled and 'Block Hacker Attack' enabled.

To allow the game server to be visible on the internet, in the firewall I have set incoming packet filtering/port forwarding for TCP and UDP to the single port of the virtual server LAN subnet IP.

We then use the 3 PCs simultaneously to join my own public game server via the internet so we can all join a game with our friends.

To achieve this I have set each PC exec config to launch the game on the virtual server service port number (n) plus one. So PC A transmits to the server on port n + 1, B on n + 2 and C on n + 3. To make this work in the router I also have incoming TCP/UDP port forwarding set up for ports n+1, n+2 and n+3 to LAN subnet IPs A, B and C respectively.

So after that long-winded explanation my question is, with my router firewall set this way and my game server running 24/7, am I exposed to unsolicited TCP/UDP probe and attack?

TIA

cszeto
01-11-2004, 09:02 PM
Only on the "opened" or "forwarded" ports and only when the application/game is running, otherwise all requests to those ports are just getting dropped into the "ether" as "no response" results on the receiving/scanning end.

Toxteth O'Grady
01-11-2004, 09:44 PM
Thanks for that. Your answer confirms what I thought would be the case. However since my thread starter I did some more research. It led me to carry out a couple of security scans using Insecure.org's NMapWin and GFI's LANGuard Security Scanner.

I specifically scanned my game server port and both apps reported it as closed even though the server was running. I got the same result doing a custom port scan with GRC's Shields Up.

Is the port appearing closed because the scans are not sending application-specific packets? Is the SPI only allowing game data packets to pass through the port?

I would like to think I'm safe but, as with all security, it would be nice to be 100% sure. :confused:

cszeto
01-11-2004, 10:02 PM
This is quickly beyond the scope of this forum as most home users are not hosting any servers (too many varieties and too many entrenched issues that are very technically specific)... But...

SPI may not work well when hosting servers behind it. From experience, Linksys had included SPI in their past firmware revisions, but wound up dropping it. When SPI was available across a few of the versions, it would not allow servers to be hosted correctly.

It may have been something specific to Linksys, but you might check to see if anyone that is actually outside of your network can access your server while SPI is enabled.

You never did state the brand nor model of the router that you are using, but if your server tests are not successful with SPI enabled, you might consider disabling it (if possible) in order to successfully run the game server.

Toxteth O'Grady
01-11-2004, 10:17 PM
It's a Billion-741. The game server runs perfectly with the firewall/router set-up I described. My eight friends on the public client side of the router get in-game pings typically in the 30 - 50 ms range.

I was really seeking a comfort blanket that it was safe to leave my game server running 24/7 with the port open, and rely on the SPI to protect me from unsolicited intrusion.

It appears contradictory to me, but the security scans report the port as closed with the game server up, yet the game works OK. Ergo it's safe? Or am I now totally confused?

Thanks for your continued advice. :)

cszeto
01-11-2004, 10:29 PM
If the scans are coming up negative, then you are fine. The SPI may actually be doing its job of dropping the scan packets.

As for the original situation of forwarded ports, that still stands as stated. You are only "exposed" if the opened ports actually lead to something on your network that can be compromised. This doesn't mean that the game/application itself may or may not have its own security flaws/issues, but that's something specific to the application. The same goes for any server that one decides to run in a similar fashion.
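
One mechanism that produces exactly the "port scans closed, game works fine" result discussed above, shown as an added example that is not part of the original thread and makes no claim about what the Billion-741's SPI is or isn't doing: many UDP game servers only answer datagrams that carry their own protocol header and silently drop everything else. A scanner that sends an empty or generic UDP probe therefore gets no reply and cannot tell an ignoring service from a filtered port (nmap reports this as `open|filtered`), while a client that sends the real protocol gets an answer. On TCP the situation is different: a plain connect succeeds as soon as something is listening, whatever payload you send afterwards, so a TCP "closed" on a forwarded port means either nothing is listening on it or the router itself is answering. The script below simulates that with a constructed stand-in for a game server (the `GAMEHELLO` magic and the reply text are hypothetical, not any real game's protocol) on loopback and probes it the two ways; everything it uses is Python's standard library.

```python
import socket
import threading

# Constructed stand-in for a game protocol: the server answers only datagrams
# that begin with this prefix (hypothetical, not any real game's wire format).
MAGIC = b"GAMEHELLO"
REPLY = b"GAMEINFO players=8"


def start_udp_game_server(host="127.0.0.1"):
    """Bind a UDP socket on an ephemeral loopback port and serve it in a
    background thread, replying only to MAGIC-prefixed datagrams.
    Returns (port, stop_event); set the event to shut the server down."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    port = sock.getsockname()[1]
    stop = threading.Event()

    def serve():
        sock.settimeout(0.2)  # poll so the thread notices stop_event
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(2048)
            except socket.timeout:
                continue
            if data.startswith(MAGIC):
                sock.sendto(REPLY, addr)
            # Anything else (empty datagrams, scanner payloads) is dropped
            # without a response, which is what a scanner then sees.
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def probe_udp(host, port, payload, timeout=0.5):
    """Send one datagram and classify the outcome the way a scanner would:
    'open'          - the application replied
    'closed'        - ICMP port unreachable came back (ECONNREFUSED)
    'open|filtered' - no reply at all; service ignoring us or packet filtered
    The socket is connect()ed so the kernel reports ICMP errors to us."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            data = s.recv(2048)
            return "open", data
        except socket.timeout:
            return "open|filtered", b""
        except ConnectionRefusedError:
            return "closed", b""


def probe_tcp(host, port, timeout=0.5):
    """TCP connect probe: a listener completes the handshake regardless of
    application payload, so 'open' needs no protocol knowledge at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def scan_report(host, port):
    """Run the generic scanner-style probe and the client-style probe side
    by side so the difference is visible in one result."""
    return {
        "udp_empty_probe": probe_udp(host, port, b"")[0],
        "udp_game_probe": probe_udp(host, port, MAGIC)[0],
        "tcp_connect": probe_tcp(host, port),
    }


if __name__ == "__main__":
    port, stop = start_udp_game_server()
    try:
        for name, result in scan_report("127.0.0.1", port).items():
            print(f"{name:16s} -> {result}")
    finally:
        stop.set()
```

Run it and the empty-payload UDP probe comes back `open|filtered` while the game-style probe comes back `open`, with TCP reporting `closed` because nothing listens on TCP there. The practical check for the thread's situation is the same: have someone outside the network send the real game's query to the forwarded port, and treat a scanner's "closed" or "open|filtered" on a UDP port as "unknown", not as proof that nothing is reachable.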

Toxteth O'Grady
01-11-2004, 10:35 PM
:)

snuggles up under comfort blanket and gently relaxes :o

once again thanks

btw - good forum