FireBrick Firewall - Steam Client: Difference between revisions

← Older edit

FireBrick Firewall - Steam Client (view source)

Revision as of 14:44, 17 March 2017

727 bytes added , 17 March 2017

m

PayPal (1)

CrazyTeeka

editor

426

edits

Revision as of 13:51, 5 March 2016 (view source) CrazyTeeka (talk \| contribs) No edit summary ← Older edit		Latest revision as of 14:44, 17 March 2017 (view source) CrazyTeeka (talk \| contribs) m (PayPal (1))
(69 intermediate revisions by 2 users not shown)
This ~~rule~~firewall ~~set restricts~~allows both inbound and outbound traffic to reach the ~~Steam~~steam client, all other traffic is ~~Client~~rejected. ~~Useful~~It is written for agaming ~~Windows~~systems ~~Gaming~~that PCwill oronly ~~Mac~~be using the ~~Gaming~~steam ~~System~~client. =Static DNS= ~~These static DNS entries help keep the IP addresses matched to the ones in the firewall rule set:~~ Static DNS manages control over which IP's the steam client can use: ~~<syntaxhighlight>~~ <syntaxhighlight lang=xml> <dns resolvers="2001:8b0::2020 2001:8b0::2021 217.169.20.20 217.169.20.21"> <host name="~~a1507~~api.steampowered.com" ip="23.d205.~~akamai~~213.~~net~~78"/> <host name="cdn.akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ <host name="~~a1697~~cdn.store.steampowered.com" ip="23.63.98.26 23.g63.~~akamai~~98.~~net~~32"/> <host name="cgpromotion.azurewebsites.net" ip="104.40.183.236"/> ~~ip="23.63.99.219 23.67.255.202"/>~~ <host name="~~a1737~~cgpromotion.gblob.~~akamai~~core.windows.net" ip="168.61.57.78"/> <host name="clientconfig.akamai.steamstatic.com" ip="23.63.9998.~~208~~26 23.63.9998.~~240~~32"/> <host name="~~a1843~~crash.steampowered.com" ip="208.64.203.140 208.g64.~~akamai~~203.~~net~~173"/> <host name="crl4.digicert.com" ip="66.225.197.197"/> ~~ip="23.67.255.200 23.67.255.208"/>~~ <host name="dreamfallchapters.azurewebsites.net" ip="191.238.8.26"/> ~~<host name="api.steampowered.com"~~ <host name="images.akamai.steamusercontent.com" ip="23.63.98.26 23.63.98.32"/> ~~ip="23.195.77.152 23.205.213.78 92.122.219.245 104.71.179.142 173.223.184.147"/>~~ <host name="~~cdn~~media.~~akamai.steamstatic~~steampowered.com" ip="23.63.98.26 23.63.98.32"/> <host name="media2.steampowered.com" ip="205.185.216.10 205.185.216.42"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ <host name="~~cdn.store~~media3.steampowered.com" ip="8.253.70.30 8.253.70.110"/> <host name="media4.steampowered.com" ip="23.63.98.26 23.63.98.32"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ <host name="~~cgpromotion~~ocsp.digicert.com" ip="93.184.~~azurewebsites~~220.~~net~~29"/> <host name="paypal.d1.sc.omtrdc.net" ip="~~104~~66.40235.~~183~~148.~~236~~64"/> <host name="~~cgpromotion~~repo.~~blob~~steampowered.com" ip="23.63.98.26 23.~~core~~63.~~windows~~98.~~net~~32"/> <host name="s1.symcb.com" ip="~~168~~2.6122.57133.78163"/> <host name="~~clientconfig~~s2.~~akamai.steamstatic~~symcb.com" ip="2.22.139.27"/> <host name="steamcdn-a.akamaihd.net" ip="23.67.255.200 23.67.255.208"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ <host name="steamcloud-eu.storage.googleapis.com" ip="216.58.198.208 216.58.198.240"/> ~~<host name="images.akamai.steamusercontent.com"~~ <host name="steamcloudams.blob.core.windows.net" ip="168.61.58.14"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ <host name="steamclouddub.blob.core.windows.net" ip="191.235.193.40"/> ~~<host name="media.steampowered.com"~~ <host name="steamcommunity-a.akamaihd.net" ip="23.63.99.219 23.67.255.202"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ <host name="~~media2.steampowered~~steamcommunity.com" ip="23.63.99.219 23.67.255.202"/> <host name="steamstore-a.akamaihd.net" ip="~~205~~23.~~185~~63.~~216~~99.10208 ~~205~~23.~~185~~63.~~216~~99.42240"/> <host name="~~media3~~store.~~steampowered~~akamai.steamstatic.com" ip="23.63.98.26 23.63.98.32"/> <host name="store.steampowered.com" ip="23.205.213.78"/> ~~ip="8.253.70.30 8.253.70.110 8.253.70.142 8.254.191.94 8.254.191.238"/>~~ <host name="~~media4~~t.~~steampowered~~paypal.com" ip="173.223.190.173"/> <host name="www.paypal.com" ip="173.223.190.173"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ <host name="~~repo~~www.~~steampowered~~paypalobjects.com" ip="23.65.43.145"/> ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ ~~<host name="steamcdn-a.akamaihd.net"~~ ~~ip="23.67.255.200 23.67.255.208"/>~~ ~~<host name="steamcloud-eu.storage.googleapis.com"~~ ~~ip="216.58.213.112"/>~~ ~~<host name="steamcloudams.blob.core.windows.net"~~ ~~ip="168.61.58.14"/>~~ ~~<host name="steamclouddub.blob.core.windows.net"~~ ~~ip="191.235.193.40"/>~~ ~~<host name="steamcommunity-a.akamaihd.net"~~ ~~ip="23.63.99.219 23.67.255.202"/>~~ ~~<host name="steamcommunity.com"~~ ~~ip="23.195.77.152 23.205.213.78 92.122.219.245 104.71.179.142 173.223.184.147"/>~~ ~~<host name="steamstore-a.akamaihd.net"~~ ~~ip="23.63.99.208 23.63.99.240"/>~~ ~~<host name="store.akamai.steamstatic.com"~~ ~~ip="23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.26 23.63.98.27 23.63.98.32 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137"/>~~ ~~<host name="store.steampowered.com"~~ ~~ip="23.195.77.152 23.205.213.78 92.122.219.245 104.71.179.142 173.223.184.147"/>~~ </dns> </syntaxhighlight> =Firewall= Outbound Rules - Change the MAC address in the source-mac= element to your own: <syntaxhighlight lang=xml> <rule-set name="Steam Client: Outbound" source-interface="LAN" target-interface="pppoe" no-match-action="continue"> <rule name="Steam OS: NTP" target-port="123" protocol="17" action="accept"/> <rule name="Steam Client: TCP" target-port="27014-27050" protocol="6" action="accept"/> <rule name="Steam Client: UDP" target-port="3478 4379 4380 27000-27030" protocol="17" action="accept"/> <rule name="~~Akamai~~ CDN: Akamai" target-ip="23.6332.980.0/2311 23.6764.~~255~~0.0/2414 23.~~195.64~~192.0~~/20 23.205.212~~.0/2212 92.122.~~218~~0.0/2315 104.~~71.176~~64.0~~/20 104.86.110~~.0/2310 173.223.176.0/20" target-port="80 443" protocol="6" action="accept"/> <rule name="~~Google~~CDN: ~~Cloud~~Highwinds" target-ip="205.185.216.5810 205.~~213~~185.216.~~112~~42" target-port="80 443" protocol="6" action="accept"/> <rule name="~~Highwinds~~ CDN: Level 3" target-ip="~~205~~8.~~185~~253.~~216~~70.1030 ~~205~~8.~~185~~253.~~216~~70.42110" target-port="80 443" protocol="6" action="accept"/> <rule name="~~Level3~~Steam ~~CDN~~Cloud: Amazon Web Services" target-ip="854.~~253~~231.70130.300/23 854.~~253~~231.70132.~~110~~0/22 854.~~253~~231.70136.~~142~~0/22 854.~~254~~231.~~191~~140.940/23 854.~~254~~231.~~191.238 212.73.205~~142.~~178~~0/24" target-port="80 443" protocol="6" action="accept"/> <rule name="~~Microsoft~~Steam Cloud: Google Cloud Platform" target-ip="~~104~~216.4058.~~183~~198.~~236~~208 ~~168.61.57.78 168.61~~216.58.~~14 191.235.193~~198.40240" target-port="80 443" protocol="6" action="accept"/> <rule name="~~Paypal~~Steam ~~Payments~~Cloud: Microsoft Azure" target-ip="66104.~~235~~40.~~148~~183.64236 66168.61.57.78 168.61.58.14 191.235.~~148~~193.40 191.238.8.~~128/31~~26" target-port="80 443" protocol="6" action="accept"/> <rule name="~~Telia~~PayPal ~~Network~~Payments" target-ip="622.~~115~~22.11133.~~250~~163 802.~~239~~22.~~194~~139.~~146~~27 23.65.43.145 66.225.197.197 66.235.148.64 93.184.220.29 173.223.190.173" target-port="80 443" protocol="6" action="accept"/> <rule name="Valve Software" target-ip="103.10.124.0/2423 146.66.155.0/24 155.133.~~245~~224.0/~~24 155.133.248.0/24~~19 162.254.192.0/2221 ~~162.254~~205.196.~~0/23 162.254.198~~6.0/3224 ~~205~~208.~~196~~64.6200.0/2422" target-port="80 443" protocol="6" action="accept"/> <rule name="Deny All" source-mac="~~408D5C57F303~~ D8CB8AA2464E" action="reject"/> </rule-set> </syntaxhighlight> Inbound Rules - Change the IP address in the target-ip= element to your own: ~~Inbound Rules:~~ <syntaxhighlight lang=xml> <rule-set name="Steam Client: Inbound" target-interface="LAN" no-match-action="reject"> <rule name="Allow Firebrick" source-interface="self"/> <rule name="Steam Client: TCP" target-ip="217.169.11.114/31" target-port="27014-27050" protocol="6" action="accept"/> <rule name="Steam Client: UDP" target-ip="217.169.11.114/31" target-port="3478 4379 4380 27000-27030" protocol="17" action="accept"/> </rule-set> </syntaxhighlight> =Technical Notes= Steam's game delivery system uses 3 different high performing CDN companies: Akamai, Highwinds and Level 3. ~~Steam used to have a huge amount of servers (some from Limelight CDN) located around the world and older versions of the software used an inefficient method to connect users to the servers.~~ media.steampowered.com = Akamai ~~Steam has made a big improvement on the game delivery system by using 3 different high performing CDN companies, Akamai, Highwinds and Level 3 all at the same time.~~ media.steampowered.com = Akamai media2.steampowered.com = Highwinds media3.steampowered.com = Level 3 media4.steampowered.com = Akamai ==Origin Server== ~~Running Steam will download a small file from http://client-download.steampowered.com/client/ containing a list of files with SHA-1 checksum and size in bytes to check if Steam is up to date.~~ The origin server is where each CDN will pull files from. The origin server hostnames are: ~~If Steam is outdated, it will need to download the updated files by randomly selecting one of the CDN hosts and that host will be used to serve the files.~~ cdn-01-origin.steampowered.com cdn-01.steampowered.com ==Steam Client== Since Steam randomly connects to a host, it is possible that it doesn’t cycle through all four CDN hosts. Unfortunately there is no way to connect to a particular CDN host because there is no command line option to do that. This documents what hostnames the steam client uses and when. Although you cannot choose which CDN to connect to, you can map all 4 hostnames to the IP address of the origin server. The origin server is where the CDN will pull the files from and serve to users. This would mean that the origin server is less busy since it is not used to serve files to millions of users but only serve once to the each CDN. The origin server has a hostname of cdn-01-origin.steampowered.com or cdn-01.steampowered.com, and the hostname will resolve to an IP address of 208.64.200.30. On startup: ~~<syntaxhighlight>~~ ~~<host name="media~~repo.steampowered.com~~" ip="208.64.200.30"/>~~ ~~<host name="media2~~client-download.steampowered.com~~" ip="208.64.200.30"/>~~ ~~<host name="media3~~media.steampowered.com" ~~ip="208.64.200.30"/>~~(Randomly Selected) ~~<host name="media4~~media2.steampowered.com" ~~ip="208.64.200.30"/>~~(Randomly Selected) media3.steampowered.com (Randomly Selected) ~~</syntaxhighlight>~~ media4.steampowered.com (Randomly Selected) api.steampowered.com clientconfig.akamai.steamstatic.com steamcommunity-a.akamaihd.net store.steampowered.com cdn.akamai.steamstatic.com steamcommunity.com br01.broadcast.fra.steamstatic.com (Randomly Selected) br01.broadcast.lax.steamstatic.com (Randomly Selected) br01.broadcast.lon.steamstatic.com (Randomly Selected) br01.broadcast.ord.steamstatic.com (Randomly Selected) br01.broadcast.sto.steamstatic.com (Randomly Selected) br02.broadcast.fra.steamstatic.com (Randomly Selected) br02.broadcast.lax.steamstatic.com (Randomly Selected) br02.broadcast.lon.steamstatic.com (Randomly Selected) br02.broadcast.ord.steamstatic.com (Randomly Selected) br02.broadcast.sto.steamstatic.com (Randomly Selected) br03.broadcast.fra.steamstatic.com (Randomly Selected) br03.broadcast.lax.steamstatic.com (Randomly Selected) br03.broadcast.lon.steamstatic.com (Randomly Selected) br03.broadcast.ord.steamstatic.com (Randomly Selected) br03.broadcast.sto.steamstatic.com (Randomly Selected) br04.broadcast.fra.steamstatic.com (Randomly Selected) br04.broadcast.lax.steamstatic.com (Randomly Selected) br04.broadcast.lon.steamstatic.com (Randomly Selected) br04.broadcast.ord.steamstatic.com (Randomly Selected) br04.broadcast.sto.steamstatic.com (Randomly Selected) Entering the Store: store.steampowered.com store.akamai.steamstatic.com Exploring your Queue: store.steampowered.com cdn.akamai.steamstatic.com PayPal Payments: store.steampowered.com ocsp.digicert.com crl4.digicert.com www.paypal.com s2.symcb.com s1.symcb.com www.paypalobjects.com paypal.d1.sc.omtrdc.net t.paypal.com ==Steam Cloud== The steam cloud stores a copy of local saved games, allowing you to use them on another system running the steam client. Here is a list of which hostnames belong to which game: Deponia: The Complete Journey cgpromotion.azurewebsites.net cgpromotion.blob.core.windows.net Deponia Doomsday cgpromotion.azurewebsites.net cgpromotion.blob.core.windows.net Dreamfall Chapters dreamfallchapters.azurewebsites.net steamcloud-dub.s3.amazonaws.com ==IP Reference== This documents what range of IP's belong to which CDN node and steam hostname. cdn.akamai.steamstatic.com:<br> cdn.store.steampowered.com:<br> clientconfig.akamai.steamstatic.com:<br> images.akamai.steamusercontent.com:<br> media.steampowered.com:<br> media4.steampowered.com:<br> repo.steampowered.com:<br> store.akamai.steamstatic.com: a1507.d.akamai.net 23.63.98.26 (Primary) 23.63.98.32 (Primary) 23.63.98.10 23.63.98.17 23.63.98.18 23.63.98.19 23.63.98.27 23.63.98.33 23.63.98.41 23.63.98.43 23.63.99.58 23.63.99.90 104.86.110.249 104.86.111.137 steamcommunity-a.akamaihd.net: a1697.g.akamai.net 23.63.99.219 (Primary) 23.67.255.202 (Primary) 104.86.110.24 104.86.110.75 steamstore-a.akamaihd.net: a1737.g.akamai.net 23.63.99.208 (Primary) 23.63.99.240 (Primary) 104.86.110.24 104.86.110.81 steamcdn-a.akamaihd.net: a1843.g.akamai.net 23.67.255.200 (Primary) 23.67.255.208 (Primary) 104.86.110.27 104.86.110.35