FireBrick Firewall - Steam Client: Difference between revisions

From AAISP Support Site
m (PayPal (1))
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
This firewall allows both inbound and outbound traffic to reach the steam client, all other traffic is rejected.
This firewall allows both inbound and outbound traffic to reach the steam client, all other traffic is rejected. It is written for gaming systems that will only be using the steam client.


=Static DNS=
=Static DNS=
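Review bot: the added scope sentence should also say what "all other traffic is rejected" hinges on. The Deny All rule in the outbound set matches on source-mac and the rule-set carries no-match-action="continue", so the rejection applies only to the one gaming system whose MAC is given there, and other LAN hosts fall through to later rule-sets. One clause such as "for the host whose MAC address is given in the Deny All rule" would make the claim precise.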
Line 7: Line 7:
<syntaxhighlight lang=xml>
<syntaxhighlight lang=xml>
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21">
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21">
<host name="api.steampowered.com" ip="23.195.77.152 23.205.213.78"/>
<host name="api.steampowered.com" ip="23.205.213.78"/>
<host name="cdn.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>
<host name="cdn.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>
<host name="cdn.store.steampowered.com" ip="23.63.98.26 23.63.98.32"/>
<host name="cdn.store.steampowered.com" ip="23.63.98.26 23.63.98.32"/>
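Review bot: dropping 23.195.77.152 leaves api.steampowered.com pinned to a single address, so the client has no fallback if 23.205.213.78 stops answering; unless the removed address was observed dead, keep both. The remaining address does sit inside the CDN: Akamai rule's 23.192.0.0/12, so the pin and the accept rule stay consistent.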
Line 31: Line 31:
<host name="steamclouddub.blob.core.windows.net" ip="191.235.193.40"/>
<host name="steamclouddub.blob.core.windows.net" ip="191.235.193.40"/>
<host name="steamcommunity-a.akamaihd.net" ip="23.63.99.219 23.67.255.202"/>
<host name="steamcommunity-a.akamaihd.net" ip="23.63.99.219 23.67.255.202"/>
<host name="steamcommunity.com" ip="23.195.77.152 23.205.213.78"/>
<host name="steamcommunity.com" ip="23.63.99.219 23.67.255.202"/>
<host name="steamstore-a.akamaihd.net" ip="23.63.99.208 23.63.99.240"/>
<host name="steamstore-a.akamaihd.net" ip="23.63.99.208 23.63.99.240"/>
<host name="store.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>
<host name="store.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>
<host name="store.steampowered.com" ip="23.195.77.152 23.205.213.78"/>
<host name="store.steampowered.com" ip="23.205.213.78"/>
<host name="t.paypal.com" ip="173.223.190.173"/>
<host name="t.paypal.com" ip="173.223.190.173"/>
<host name="www.paypal.com" ip="173.223.190.173"/>
<host name="www.paypal.com" ip="173.223.190.173"/>
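Review bot: steamcommunity.com is now pinned to 23.63.99.219 and 23.67.255.202, the same pair the page lists for steamcommunity-a.akamaihd.net (a1697.g.akamai.net), but the IP Reference section still attributes those addresses to steamcommunity-a.akamaihd.net only; add steamcommunity.com to that entry so the reference stays in step with the pins.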
Line 89: Line 89:
protocol="6"
protocol="6"
action="accept"/>
action="accept"/>
<rule name="Paypal Payments"
<rule name="PayPal Payments"
target-ip="2.22.133.163 2.22.139.27 23.65.43.145 66.225.197.197 66.235.148.64 93.184.220.29 173.223.190.173"
target-ip="2.22.133.163 2.22.139.27 23.65.43.145 66.225.197.197 66.235.148.64 93.184.220.29 173.223.190.173"
target-port="80 443"
target-port="80 443"
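Review bot: the rename to PayPal Payments fixes the brand spelling, but the rule's target-ip also carries 2.22.133.163, 2.22.139.27, 66.225.197.197 and 93.184.220.29, which the Static DNS block maps to s1.symcb.com, s2.symcb.com, crl4.digicert.com and ocsp.digicert.com. Those are certificate-revocation endpoints that TLS connections in general consult, not PayPal-specific hosts, so a separate "Certificate Revocation" rule would make the intent legible and keep them from disappearing if the PayPal rule is ever removed.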
Line 95: Line 95:
action="accept"/>
action="accept"/>
<rule name="Valve Software"
<rule name="Valve Software"
target-ip="103.10.124.0/24 146.66.155.0/24 155.133.245.0/24 155.133.248.0/24 162.254.192.0/21 205.196.6.0/24 208.64.203.0/24"
target-ip="103.10.124.0/23 146.66.155.0/24 155.133.224.0/19 162.254.192.0/21 205.196.6.0/24 208.64.200.0/22"
target-port="80 443"
target-port="80 443"
protocol="6"
protocol="6"
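Review bot: the widening from 103.10.124.0/24 to /23, from the two 155.133.x.0/24s to 155.133.224.0/19 and from 208.64.203.0/24 to 208.64.200.0/22 is a strict superset of the old ranges and still contains the crash.steampowered.com pins (208.64.203.140 and .173), so nothing previously allowed is lost; record where the new prefixes were taken from so the next editor can confirm they are all Valve allocations rather than a neighbouring network.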
Line 131: Line 131:


==Steam Client==
==Steam Client==

This documents what hostnames the steam client uses and when.


On startup:
On startup:
Line 147: Line 149:
*br01.broadcast.fra.steamstatic.com (Randomly Selected)
*br01.broadcast.fra.steamstatic.com (Randomly Selected)
*br01.broadcast.lax.steamstatic.com (Randomly Selected)
*br01.broadcast.lax.steamstatic.com (Randomly Selected)
*br01.broadcast.lon.steamstatic.com (Randomly Selected)
*br01.broadcast.ord.steamstatic.com (Randomly Selected)
*br01.broadcast.ord.steamstatic.com (Randomly Selected)
*br01.broadcast.sto.steamstatic.com (Randomly Selected)
*br01.broadcast.sto.steamstatic.com (Randomly Selected)
*br02.broadcast.fra.steamstatic.com (Randomly Selected)
*br02.broadcast.fra.steamstatic.com (Randomly Selected)
*br02.broadcast.lax.steamstatic.com (Randomly Selected)
*br02.broadcast.lax.steamstatic.com (Randomly Selected)
*br02.broadcast.lon.steamstatic.com (Randomly Selected)
*br02.broadcast.ord.steamstatic.com (Randomly Selected)
*br02.broadcast.ord.steamstatic.com (Randomly Selected)
*br02.broadcast.sto.steamstatic.com (Randomly Selected)
*br02.broadcast.sto.steamstatic.com (Randomly Selected)
*br03.broadcast.fra.steamstatic.com (Randomly Selected)
*br03.broadcast.fra.steamstatic.com (Randomly Selected)
*br03.broadcast.lax.steamstatic.com (Randomly Selected)
*br03.broadcast.lax.steamstatic.com (Randomly Selected)
*br03.broadcast.lon.steamstatic.com (Randomly Selected)
*br03.broadcast.ord.steamstatic.com (Randomly Selected)
*br03.broadcast.ord.steamstatic.com (Randomly Selected)
*br03.broadcast.sto.steamstatic.com (Randomly Selected)
*br03.broadcast.sto.steamstatic.com (Randomly Selected)
*br04.broadcast.fra.steamstatic.com (Randomly Selected)
*br04.broadcast.fra.steamstatic.com (Randomly Selected)
*br04.broadcast.lax.steamstatic.com (Randomly Selected)
*br04.broadcast.lax.steamstatic.com (Randomly Selected)
*br04.broadcast.lon.steamstatic.com (Randomly Selected)
*br04.broadcast.ord.steamstatic.com (Randomly Selected)
*br04.broadcast.ord.steamstatic.com (Randomly Selected)
*br04.broadcast.sto.steamstatic.com (Randomly Selected)
*br04.broadcast.sto.steamstatic.com (Randomly Selected)
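Review bot: the br01 to br04 broadcast.{fra,lax,lon,ord,sto}.steamstatic.com hostnames listed here as startup targets have no entry in the Static DNS block and do not appear in the IP Reference, so the page never says which accept rule their addresses fall under. Either pin them like the other steamstatic.com hosts or note the rule (CDN: Akamai or Valve Software) that carries them; otherwise the "all other traffic is rejected" policy may block them at startup.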
Line 170: Line 176:
*cdn.akamai.steamstatic.com
*cdn.akamai.steamstatic.com


Paypal Payments:
PayPal Payments:
*store.steampowered.com
*store.steampowered.com
*ocsp.digicert.com
*ocsp.digicert.com
Line 198: Line 204:


==IP Reference==
==IP Reference==

This documents what range of IP's belong to which CDN node and steam hostname.


cdn.akamai.steamstatic.com:<br>
cdn.akamai.steamstatic.com:<br>
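Review bot: "IP's" in the added sentence should read "IPs"; the apostrophe marks a possessive, not a plural. The same spelling appears in the Static DNS intro and can be fixed in the same edit.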
Line 206: Line 214:
media4.steampowered.com:<br>
media4.steampowered.com:<br>
repo.steampowered.com:<br>
repo.steampowered.com:<br>
store.akamai.steamstatic.com:<br>
store.akamai.steamstatic.com:
(a1507.d.akamai.net):
*a1507.d.akamai.net
*23.63.98.26 (Primary)
*23.63.98.26 (Primary)
*23.63.98.32 (Primary)
*23.63.98.32 (Primary)
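Review bot: moving a1507.d.akamai.net from the heading into the bullet list puts a hostname (the Akamai edge CNAME target) in the same list as the IP addresses that follow, with nothing to tell them apart; label it, e.g. "*a1507.d.akamai.net (CNAME target)", so nobody copies it into a target-ip attribute. The same applies to the a1697, a1737 and a1843 entries changed further down.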
Line 223: Line 231:
*104.86.111.137
*104.86.111.137


steamcommunity-a.akamaihd.net:<br>
steamcommunity-a.akamaihd.net:
(a1697.g.akamai.net):
*a1697.g.akamai.net
*23.63.99.219 (Primary)
*23.63.99.219 (Primary)
*23.67.255.202 (Primary)
*23.67.255.202 (Primary)
Line 230: Line 238:
*104.86.110.75
*104.86.110.75


steamstore-a.akamaihd.net:<br>
steamstore-a.akamaihd.net:
(a1737.g.akamai.net):
*a1737.g.akamai.net
*23.63.99.208 (Primary)
*23.63.99.208 (Primary)
*23.63.99.240 (Primary)
*23.63.99.240 (Primary)
Line 237: Line 245:
*104.86.110.81
*104.86.110.81


steamcdn-a.akamaihd.net:<br>
steamcdn-a.akamaihd.net:
(a1843.g.akamai.net):
*a1843.g.akamai.net
*23.67.255.200 (Primary)
*23.67.255.200 (Primary)
*23.67.255.208 (Primary)
*23.67.255.208 (Primary)

Latest revision as of 14:44, 17 March 2017

This firewall allows both inbound and outbound traffic to reach the steam client, all other traffic is rejected. It is written for gaming systems that will only be using the steam client.

Static DNS

Static DNS controls which IP addresses the steam client can use for each hostname:

<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21">
<host name="api.steampowered.com" ip="23.205.213.78"/>
<host name="cdn.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>
<host name="cdn.store.steampowered.com" ip="23.63.98.26 23.63.98.32"/>
<host name="cgpromotion.azurewebsites.net" ip="104.40.183.236"/>
<host name="cgpromotion.blob.core.windows.net" ip="168.61.57.78"/>
<host name="clientconfig.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>
<host name="crash.steampowered.com" ip="208.64.203.140 208.64.203.173"/>
<host name="crl4.digicert.com" ip="66.225.197.197"/>
<host name="dreamfallchapters.azurewebsites.net" ip="191.238.8.26"/>
<host name="images.akamai.steamusercontent.com" ip="23.63.98.26 23.63.98.32"/>
<host name="media.steampowered.com" ip="23.63.98.26 23.63.98.32"/>
<host name="media2.steampowered.com" ip="205.185.216.10 205.185.216.42"/>
<host name="media3.steampowered.com" ip="8.253.70.30 8.253.70.110"/>
<host name="media4.steampowered.com" ip="23.63.98.26 23.63.98.32"/>
<host name="ocsp.digicert.com" ip="93.184.220.29"/>
<host name="paypal.d1.sc.omtrdc.net" ip="66.235.148.64"/>
<host name="repo.steampowered.com" ip="23.63.98.26 23.63.98.32"/>
<host name="s1.symcb.com" ip="2.22.133.163"/>
<host name="s2.symcb.com" ip="2.22.139.27"/>
<host name="steamcdn-a.akamaihd.net" ip="23.67.255.200 23.67.255.208"/>
<host name="steamcloud-eu.storage.googleapis.com" ip="216.58.198.208 216.58.198.240"/>
<host name="steamcloudams.blob.core.windows.net" ip="168.61.58.14"/>
<host name="steamclouddub.blob.core.windows.net" ip="191.235.193.40"/>
<host name="steamcommunity-a.akamaihd.net" ip="23.63.99.219 23.67.255.202"/>
<host name="steamcommunity.com" ip="23.63.99.219 23.67.255.202"/>
<host name="steamstore-a.akamaihd.net" ip="23.63.99.208 23.63.99.240"/>
<host name="store.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/>
<host name="store.steampowered.com" ip="23.205.213.78"/>
<host name="t.paypal.com" ip="173.223.190.173"/>
<host name="www.paypal.com" ip="173.223.190.173"/>
<host name="www.paypalobjects.com" ip="23.65.43.145"/>
</dns>

Firewall

Outbound Rules - Change the MAC address in the source-mac= element to your own:

<rule-set name="Steam Client: Outbound" source-interface="LAN" target-interface="pppoe" no-match-action="continue">
  <rule name="Steam OS: NTP"
        target-port="123"
        protocol="17"
        action="accept"/>
  <rule name="Steam Client: TCP"
        target-port="27014-27050"
        protocol="6"
        action="accept"/>
  <rule name="Steam Client: UDP"
        target-port="3478 4379 4380 27000-27030"
        protocol="17"
        action="accept"/>
  <rule name="CDN: Akamai"
        target-ip="23.32.0.0/11 23.64.0.0/14 23.192.0.0/12 92.122.0.0/15 104.64.0.0/10 173.223.176.0/20"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="CDN: Highwinds"
        target-ip="205.185.216.10 205.185.216.42"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="CDN: Level 3"
        target-ip="8.253.70.30 8.253.70.110"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="Steam Cloud: Amazon Web Services"
        target-ip="54.231.130.0/23 54.231.132.0/22 54.231.136.0/22 54.231.140.0/23 54.231.142.0/24"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="Steam Cloud: Google Cloud Platform"
        target-ip="216.58.198.208 216.58.198.240"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="Steam Cloud: Microsoft Azure"
        target-ip="104.40.183.236 168.61.57.78 168.61.58.14 191.235.193.40 191.238.8.26"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="PayPal Payments"
        target-ip="2.22.133.163 2.22.139.27 23.65.43.145 66.225.197.197 66.235.148.64 93.184.220.29 173.223.190.173"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="Valve Software"
        target-ip="103.10.124.0/23 146.66.155.0/24 155.133.224.0/19 162.254.192.0/21 205.196.6.0/24 208.64.200.0/22"
        target-port="80 443"
        protocol="6"
        action="accept"/>
  <rule name="Deny All"
        source-mac="D8CB8AA2464E"
        action="reject"/>
</rule-set>

Inbound Rules - Change the IP address in the target-ip= element to your own:

<rule-set name="Steam Client: Inbound" target-interface="LAN" no-match-action="reject">
  <rule name="Allow Firebrick"
        source-interface="self"/>
  <rule name="Steam Client: TCP"
        target-ip="217.169.11.114/31"
        target-port="27014-27050"
        protocol="6"
        action="accept"/>
  <rule name="Steam Client: UDP"
        target-ip="217.169.11.114/31"
        target-port="3478 4379 4380 27000-27030"
        protocol="17"
        action="accept"/>
</rule-set>
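The Static DNS pins and the outbound accept rules above only work together if every pinned address falls inside some rule's target-ip and every address-restricted rule actually carries a pinned host. The Python below is an added example, not part of the AAISP page or of FireBrick: it parses an excerpt of the page's own <dns> block and outbound rule-set, reports pinned addresses that no accept rule reaches (the client would resolve the name and then have the connection rejected), and lists accept rules whose ranges contain no pinned address. The host example.test with address 198.51.100.7 is a constructed entry placed deliberately outside every range to exercise the failure path; the function names are mine.

```python
"""Cross-check FireBrick static DNS pins against the outbound firewall's target-ip ranges.

Added example, not part of the AAISP page or of FireBrick. It reads an excerpt of the
page's <dns> block and outbound <rule-set>, then answers two questions a reviewer of
such a config wants answered:
  1. Is every pinned address reachable through some accept rule?  (otherwise the client
     resolves the name and the Deny All rule rejects the connection)
  2. Does every address-restricted accept rule actually carry a pinned host?  (otherwise
     the range is stale, or is reached only through ordinary, unpinned resolution)
"""
import ipaddress
import xml.etree.ElementTree as ET

# Excerpt of the page's Static DNS block.  example.test / 198.51.100.7 is a constructed
# entry placed deliberately outside every rule range to show the failure path.
DNS_XML = """
<dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21">
  <host name="api.steampowered.com" ip="23.205.213.78"/>
  <host name="crash.steampowered.com" ip="208.64.203.140 208.64.203.173"/>
  <host name="media2.steampowered.com" ip="205.185.216.10 205.185.216.42"/>
  <host name="ocsp.digicert.com" ip="93.184.220.29"/>
  <host name="steamcloud-eu.storage.googleapis.com" ip="216.58.198.208 216.58.198.240"/>
  <host name="www.paypal.com" ip="173.223.190.173"/>
  <host name="example.test" ip="198.51.100.7"/>
</dns>
"""

# Excerpt of the page's outbound rule-set (Level 3 and Azure rules omitted for brevity).
RULES_XML = """
<rule-set name="Steam Client: Outbound" source-interface="LAN" target-interface="pppoe" no-match-action="continue">
  <rule name="Steam OS: NTP" target-port="123" protocol="17" action="accept"/>
  <rule name="CDN: Akamai" target-ip="23.32.0.0/11 23.64.0.0/14 23.192.0.0/12 92.122.0.0/15 104.64.0.0/10 173.223.176.0/20" target-port="80 443" protocol="6" action="accept"/>
  <rule name="CDN: Highwinds" target-ip="205.185.216.10 205.185.216.42" target-port="80 443" protocol="6" action="accept"/>
  <rule name="Steam Cloud: Amazon Web Services" target-ip="54.231.130.0/23 54.231.132.0/22 54.231.136.0/22 54.231.140.0/23 54.231.142.0/24" target-port="80 443" protocol="6" action="accept"/>
  <rule name="Steam Cloud: Google Cloud Platform" target-ip="216.58.198.208 216.58.198.240" target-port="80 443" protocol="6" action="accept"/>
  <rule name="PayPal Payments" target-ip="2.22.133.163 2.22.139.27 23.65.43.145 66.225.197.197 66.235.148.64 93.184.220.29 173.223.190.173" target-port="80 443" protocol="6" action="accept"/>
  <rule name="Valve Software" target-ip="103.10.124.0/23 146.66.155.0/24 155.133.224.0/19 162.254.192.0/21 205.196.6.0/24 208.64.200.0/22" target-port="80 443" protocol="6" action="accept"/>
  <rule name="Deny All" source-mac="D8CB8AA2464E" action="reject"/>
</rule-set>
"""


def parse_networks(value):
    """Split a space-separated FireBrick target-ip value into networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(token, strict=False) for token in value.split()]


def load_pins(dns_xml):
    """Map each pinned hostname to its list of addresses."""
    root = ET.fromstring(dns_xml.strip())
    return {h.get("name"): [ipaddress.ip_address(a) for a in h.get("ip").split()]
            for h in root.iter("host")}


def load_ip_rules(rules_xml):
    """Accept rules that restrict target-ip, in config order; port-only rules are not destination controls."""
    root = ET.fromstring(rules_xml.strip())
    return {r.get("name"): parse_networks(r.get("target-ip"))
            for r in root.iter("rule")
            if r.get("action") == "accept" and r.get("target-ip")}


def covering_rules(addr, rules):
    """Names of the rules whose ranges contain addr (a str or ip_address), in config order."""
    addr = ipaddress.ip_address(addr)
    return [name for name, nets in rules.items() if any(addr in net for net in nets)]


def uncovered_pins(pins, rules):
    """Hosts with at least one pinned address that no accept rule reaches, with those addresses."""
    report = {}
    for host, addrs in pins.items():
        missing = [str(a) for a in addrs if not covering_rules(a, rules)]
        if missing:
            report[host] = missing
    return report


def unused_rules(pins, rules):
    """Address-restricted accept rules whose ranges contain none of the pinned addresses."""
    pinned = [a for addrs in pins.values() for a in addrs]
    return sorted(name for name, nets in rules.items()
                  if not any(a in net for net in nets for a in pinned))


if __name__ == "__main__":
    pins, rules = load_pins(DNS_XML), load_ip_rules(RULES_XML)
    for host, addrs in uncovered_pins(pins, rules).items():
        print(f"UNREACHABLE pin: {host} -> {', '.join(addrs)}")
    for name in unused_rules(pins, rules):
        print(f"rule carries no pinned host: {name}")
    for host, addrs in pins.items():
        for a in addrs:
            print(f"{host} {a} <- {covering_rules(a, rules) or 'no rule'}")
```

On the excerpt the only unreachable pin is the constructed example.test entry, and the only rule with no pinned host is Steam Cloud: Amazon Web Services. The second finding also holds for the full configuration on this page: nothing in the Static DNS block resolves into any of the five 54.231.x ranges, and the one AWS hostname the page names, steamcloud-dub.s3.amazonaws.com under Dreamfall Chapters, is not pinned, so that rule is reached only through ordinary resolution. Port-only rules (NTP and the game-port rules) are skipped because they constrain ports, not destinations, and the Deny All rule is skipped because it is not an accept.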

Technical Notes

Steam's game delivery system uses three high-performance CDN providers: Akamai, Highwinds and Level 3.

  • media.steampowered.com = Akamai
  • media2.steampowered.com = Highwinds
  • media3.steampowered.com = Level 3
  • media4.steampowered.com = Akamai

Origin Server

The origin server is where each CDN will pull files from. The origin server hostnames are:

  • cdn-01-origin.steampowered.com
  • cdn-01.steampowered.com

Steam Client

This documents what hostnames the steam client uses and when.

On startup:

  • repo.steampowered.com
  • client-download.steampowered.com
  • media.steampowered.com (Randomly Selected)
  • media2.steampowered.com (Randomly Selected)
  • media3.steampowered.com (Randomly Selected)
  • media4.steampowered.com (Randomly Selected)
  • api.steampowered.com
  • clientconfig.akamai.steamstatic.com
  • steamcommunity-a.akamaihd.net
  • store.steampowered.com
  • cdn.akamai.steamstatic.com
  • steamcommunity.com
  • br01.broadcast.fra.steamstatic.com (Randomly Selected)
  • br01.broadcast.lax.steamstatic.com (Randomly Selected)
  • br01.broadcast.lon.steamstatic.com (Randomly Selected)
  • br01.broadcast.ord.steamstatic.com (Randomly Selected)
  • br01.broadcast.sto.steamstatic.com (Randomly Selected)
  • br02.broadcast.fra.steamstatic.com (Randomly Selected)
  • br02.broadcast.lax.steamstatic.com (Randomly Selected)
  • br02.broadcast.lon.steamstatic.com (Randomly Selected)
  • br02.broadcast.ord.steamstatic.com (Randomly Selected)
  • br02.broadcast.sto.steamstatic.com (Randomly Selected)
  • br03.broadcast.fra.steamstatic.com (Randomly Selected)
  • br03.broadcast.lax.steamstatic.com (Randomly Selected)
  • br03.broadcast.lon.steamstatic.com (Randomly Selected)
  • br03.broadcast.ord.steamstatic.com (Randomly Selected)
  • br03.broadcast.sto.steamstatic.com (Randomly Selected)
  • br04.broadcast.fra.steamstatic.com (Randomly Selected)
  • br04.broadcast.lax.steamstatic.com (Randomly Selected)
  • br04.broadcast.lon.steamstatic.com (Randomly Selected)
  • br04.broadcast.ord.steamstatic.com (Randomly Selected)
  • br04.broadcast.sto.steamstatic.com (Randomly Selected)

Entering the Store:

  • store.steampowered.com
  • store.akamai.steamstatic.com

Exploring your Queue:

  • store.steampowered.com
  • cdn.akamai.steamstatic.com

PayPal Payments:

  • store.steampowered.com
  • ocsp.digicert.com
  • crl4.digicert.com
  • www.paypal.com
  • s2.symcb.com
  • s1.symcb.com
  • www.paypalobjects.com
  • paypal.d1.sc.omtrdc.net
  • t.paypal.com

Steam Cloud

The steam cloud stores a copy of local saved games, allowing you to use them on another system running the steam client. Here is a list of which hostnames belong to which game:

Deponia: The Complete Journey

  • cgpromotion.azurewebsites.net
  • cgpromotion.blob.core.windows.net

Deponia Doomsday

  • cgpromotion.azurewebsites.net
  • cgpromotion.blob.core.windows.net

Dreamfall Chapters

  • dreamfallchapters.azurewebsites.net
  • steamcloud-dub.s3.amazonaws.com

IP Reference

This documents which IP ranges belong to which CDN node and steam hostname.

cdn.akamai.steamstatic.com:
cdn.store.steampowered.com:
clientconfig.akamai.steamstatic.com:
images.akamai.steamusercontent.com:
media.steampowered.com:
media4.steampowered.com:
repo.steampowered.com:
store.akamai.steamstatic.com:

  • a1507.d.akamai.net
  • 23.63.98.26 (Primary)
  • 23.63.98.32 (Primary)
  • 23.63.98.10
  • 23.63.98.17
  • 23.63.98.18
  • 23.63.98.19
  • 23.63.98.27
  • 23.63.98.33
  • 23.63.98.41
  • 23.63.98.43
  • 23.63.99.58
  • 23.63.99.90
  • 104.86.110.249
  • 104.86.111.137

steamcommunity-a.akamaihd.net:

  • a1697.g.akamai.net
  • 23.63.99.219 (Primary)
  • 23.67.255.202 (Primary)
  • 104.86.110.24
  • 104.86.110.75

steamstore-a.akamaihd.net:

  • a1737.g.akamai.net
  • 23.63.99.208 (Primary)
  • 23.63.99.240 (Primary)
  • 104.86.110.24
  • 104.86.110.81

steamcdn-a.akamaihd.net:

  • a1843.g.akamai.net
  • 23.67.255.200 (Primary)
  • 23.67.255.208 (Primary)
  • 104.86.110.27
  • 104.86.110.35