It took some digging, trial and error for me to get my SRX firewall set up to allow my XBOX360 to connect to XBOX Live. Even though I don’t leave my XBOX360 powered on, the thought of it being on the same LAN segment (with the same open firewall policies as my workstations) bugged the shit out of me. I had a good multizone setup with an SSG5, but it was time to upgrade to a JUNOS-based firewall at the house – a perk of working for Juniper. I also moved all of my non-computer multimedia hosts into this new zone: Blu-Ray players, Wii, TVs. If I can’t personally patch it, then it is in the media security zone.
There was a recent article about a hacked XBOX that caused a family some grief – http://www.digitaltrends.com/gaming/hacker-hijacks-xbox-360-sends-swat-team-to-home/. I have a lot of questions about the “how” of this article, but it makes me think nonetheless.
I present this SRX configuration for your reference. Any improvements to this configuration would be great – leave comments.
Configuration Notes
- All identifiable IP addresses have been changed.
- All usernames, passwords, host information, etc. have been changed
- The JUNOS version may be different
- This may or may not be my real config
The Config
[edit]
test@atomic# show
version 10.4R3.4;
system {
    host-name test-example;
    time-zone America/New_York;
    root-authentication {
        encrypted-password "xxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
    }
    name-server {
        inactive: 208.67.222.222;
        inactive: 208.67.220.220;
    }
    login {
        user test {
            uid 2005;
            class super-user;
            authentication {
                encrypted-password "xxxxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
            }
        }
    }
    services {
        apply-macro dyndns-client1 {
            hostname xxxx.xxxxx.xxxx;
            password xxxxxxxxxxxxxxxx;
            type dyndns;
            username XXXXXXXXXX;
        }
        ssh;
        dhcp {
            router {
                192.168.0.1;
                192.168.1.1;
            }
            pool 192.168.0.0/24 {
                address-range low 192.168.0.100 high 192.168.0.119;
                router {
                    192.168.0.1;
                }
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.99 high 192.168.1.119;
                exclude-address {
                    192.168.1.99;
                }
                router {
                    192.168.1.1;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp;
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp {
                    client-identifier ascii xxxxxxxxxx;
                    update-server;
                }
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
}
event-options {
    policy dyn-dns-updater {
        events SYSTEM;
        attributes-match {
            SYSTEM.messages matches "EVENT Add";
        }
        then {
            event-script dyn-dns-update;
        }
    }
    event-script {
        file dyn-dns-update.xslt;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 76.20.224.1;
        route 10.0.0.0/8 next-hop 192.168.2.2;
        route 172.16.0.0/12 next-hop 192.168.2.2;
        route 192.168.0.0/16 next-hop 192.168.2.2;
    }
}
security {
    nat {
        source {
            pool xbox-src-pool {
                address {
                    76.20.224.10/32 to 76.20.224.11/32;
                }
                port no-translation;
            }
            rule-set media-to-untrust {
                from zone media;
                to zone untrust;
                rule src-nat-xbox {
                    match {
                        source-address 192.168.1.99/32;
                    }
                    then {
                        source-nat {
                            pool {
                                xbox-src-pool;
                            }
                        }
                    }
                }
                rule media-source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat-xbox {
                /* must be the XBOX address, matching the xbox-group policy object */
                address 192.168.1.99/32;
            }
            rule-set dst-nat {
                from zone untrust;
                rule xbox-vip-88 {
                    match {
                        destination-address 76.20.224.10/32;
                        destination-port 88;
                    }
                    then {
                        destination-nat pool dnat-xbox;
                    }
                }
                rule xbox-vip-3074 {
                    match {
                        destination-address 76.20.224.10/32;
                        destination-port 3074;
                    }
                    then {
                        destination-nat pool dnat-xbox;
                    }
                }
                rule xbox-vip-53 {
                    match {
                        destination-address 76.20.224.10/32;
                        destination-port 53;
                    }
                    then {
                        destination-nat pool dnat-xbox;
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                fe-0/0/7.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone media {
            address-book {
                address xbox 192.168.1.99/32;
                address-set xbox-group {
                    address xbox;
                }
            }
            interfaces {
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            dns;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone media to-zone untrust {
            policy media-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone media {
            policy static-nat-xbox-live {
                match {
                    source-address any;
                    destination-address xbox-group;
                    application xbox-app-set;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy intrazone {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
services {
    rpm {
        probe comcast {
            test gateway {
                probe-type icmp-ping;
                target address 76.20.224.1;
                test-interval 60;
            }
        }
    }
}
applications {
    application xbox-live-tcp-88 {
        protocol tcp;
        destination-port 88;
    }
    application xbox-live-udp-88 {
        protocol udp;
        destination-port 88;
    }
    application xbox-live-tcp-3074 {
        protocol tcp;
        destination-port 3074;
    }
    application xbox-live-udp-3074 {
        protocol udp;
        destination-port 3074;
    }
    application xbox-live-udp-53 {
        protocol udp;
        destination-port 53;
    }
    application-set xbox-app-set {
        application xbox-live-tcp-88;
        application xbox-live-udp-88;
        application xbox-live-udp-3074;
        application xbox-live-tcp-3074;
        application xbox-live-udp-53;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
Explanation of Configuration
- XBOX is 192.168.1.99
- SRX Untrust Interface IP is 76.20.224.10
- Three security zones: untrust, trust, media
- The first thing that you need to do is create the application definitions. Based on my (half ass) research, these are the required ports: tcp/udp port 88, tcp/udp port 3074, and udp port 53.
- Next, if you have two security zones, then you need to create another zone. I called mine media.
- Identify and configure the interface that will provide connectivity to the “media” hosts.
- If you are going to use DHCP for hosts attached to the media interface, configure it now. I don’t recommend using a dynamically assigned address due to the static NAT. I have other devices in the media security zone so DHCP is useful.
- You will need to create a source NAT policy for the XBOX. Start with a source pool. The configuration forces you to use two addresses – just specify the outside address of your SRX and increment the address by one. If there are more hosts on the media network, you will need to create a second source NAT policy to translate everything else to the “untrust” interface.
- Create the destination NAT rules that provide the VIP for the required TCP/UDP ports. I just specified the destination port without the protocol, since I still had the firewall policy to enforce what was allowed in. NOTE: You need both the source and destination NAT configs for this to work – without them the SRX flow engine will prevent connectivity to your XBOX.
- The last thing to complete is the firewall policy itself. You will need a policy for traffic flowing from-zone untrust to-zone media and from-zone media to-zone untrust.
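The VIP only works when three separately configured objects agree on the same host and ports: the destination NAT pool, the media zone's address-book entry used by the policy, and the application-set the policy permits. A quick consistency check over the configuration text catches a mismatch before it turns into flow-trace debugging. The following Python script is an added example written for this post, not the author's code or a Juniper tool: it parses curly-brace `show configuration` output into a tree (assuming single-valued match terms and integer ports, which is all this config uses) and verifies that every destination-NAT rule arriving from untrust lands on an address and port that some permit policy into the target zone covers. The embedded `SAMPLE` is a constructed excerpt of the configuration above; `MISMATCHED` points the pool at 192.168.1.29 instead of the XBOX at 192.168.1.99, the kind of one-digit slip that the `xbox-group` policy object would silently block.

```python
# Added example, not from the original post: parse Junos configuration text and check that every
# destination-NAT rule from the untrust zone lands on an address and port that some permit policy
# into the target zone allows. Assumes single-valued match terms and integer ports (all this config uses).
import ipaddress
import re

def parse_junos(text):
    """Tokenise curly-brace Junos config into nested (words, children) tuples."""
    text = re.sub(r"/\*.*?\*/|##[^\n]*", " ", text, flags=re.S)   # drop annotations and ## tags
    stack, words = [(("root",), [])], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok not in "{};":
            words.append(tok)
            continue
        if tok == "}":
            if len(stack) == 1:
                raise ValueError("stray '}'")
            stack.pop()
        elif words or tok == "{":          # a bare ';' is an empty statement
            node = (tuple(words), [])
            stack[-1][1].append(node)
            if tok == "{":
                stack.append(node)
        words = []
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def get(node, *prefix):
    """Children of node whose leading words equal prefix."""
    return [c for c in node[1] if c[0][:len(prefix)] == prefix]
def one(node, *prefix):
    return get(node, *prefix)[0]

def resolve(container, kind, leaf):
    """Map `kind` names to [leaf(item)] and `kind-set` names to their members' values."""
    names = {}
    for item in get(container, kind):
        names[item[0][1]] = [leaf(item)]
    for s in get(container, f"{kind}-set"):
        names[s[0][1]] = [v for m in get(s, kind) for v in names[m[0][1]]]
    return names

def permits(policy, book, apps, target, port):
    """True if a permit policy's destination-address and application cover target:port."""
    if not get(one(policy, "then"), "permit"):
        return False
    match = one(policy, "match")
    dst_ok = any(n == "any" or any(target.subnet_of(p) for p in book.get(n, []))
                 for n in (d[0][1] for d in get(match, "destination-address")))
    app_ok = any(n == "any" or any(port == pt for _, pt in apps.get(n, []))
                 for n in (a[0][1] for a in get(match, "application")))
    return dst_ok and app_ok

def check_vip(config_text):
    """Findings for DNAT rules no policy permits; an empty list means the VIP is consistent."""
    root = parse_junos(config_text)
    sec = one(root, "security")
    apps = resolve(one(root, "applications"), "application",
                   lambda a: (one(a, "protocol")[0][1], int(one(a, "destination-port")[0][1])))
    books = {z[0][1]: resolve(b, "address", lambda a: ipaddress.ip_network(a[0][2]))
             for z in get(one(sec, "zones"), "security-zone") for b in get(z, "address-book")}
    dnat, findings = one(one(sec, "nat"), "destination"), []
    for rs in get(dnat, "rule-set"):
        from_zone = one(rs, "from", "zone")[0][2]
        for rule in get(rs, "rule"):
            port = int(one(one(rule, "match"), "destination-port")[0][1])
            pool = one(dnat, "pool", one(one(rule, "then"), "destination-nat", "pool")[0][2])
            target = ipaddress.ip_network(one(pool, "address")[0][1])
            if not any(permits(p, books.get(fz[0][3], {}), apps, target, port)
                       for fz in get(one(sec, "policies"), "from-zone", from_zone)
                       for p in get(fz, "policy")):
                findings.append(f"{rs[0][1]}/{rule[0][1]}: DNAT to {target} port {port} "
                                f"from {from_zone} is not permitted by any policy")
    return findings

# Constructed excerpt of the post's config, reduced to the statements the check reads.
SAMPLE = """
security {
    nat { destination { pool dnat-xbox { address 192.168.1.99/32; }
        rule-set dst-nat { from zone untrust;
            rule xbox-vip-88 { match { destination-port 88; } then { destination-nat pool dnat-xbox; } }
            rule xbox-vip-3074 { match { destination-port 3074; } then { destination-nat pool dnat-xbox; } }
            rule xbox-vip-53 { match { destination-port 53; } then { destination-nat pool dnat-xbox; } } } } }
    zones { security-zone media { address-book {
        address xbox 192.168.1.99/32; address-set xbox-group { address xbox; } } } }
    policies { from-zone untrust to-zone media { policy static-nat-xbox-live {
        match { source-address any; destination-address xbox-group; application xbox-app-set; }
        then { permit; } } } } }
applications {
    application xbox-live-tcp-88 { protocol tcp; destination-port 88; }
    application xbox-live-udp-88 { protocol udp; destination-port 88; }
    application xbox-live-tcp-3074 { protocol tcp; destination-port 3074; }
    application xbox-live-udp-3074 { protocol udp; destination-port 3074; }
    application xbox-live-udp-53 { protocol udp; destination-port 53; }
    application-set xbox-app-set { application xbox-live-tcp-88; application xbox-live-udp-88;
        application xbox-live-tcp-3074; application xbox-live-udp-3074; application xbox-live-udp-53; } }
"""
# A pool aimed at a different host than the policy's xbox-group object: every VIP rule is flagged.
MISMATCHED = SAMPLE.replace("address 192.168.1.99/32;", "address 192.168.1.29/32;", 1)

if __name__ == "__main__":
    print(check_vip(SAMPLE) or "consistent", *check_vip(MISMATCHED), sep="\n")
```

Run as-is it prints "consistent" for the excerpt and three findings for the mismatched pool, one per VIP rule. To check a live box, paste the output of `show configuration | no-more` into `check_vip`; a finding tells you which DNAT rule's translated destination has no matching permit, which is exactly the case where the flow engine drops the session after translation.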
Assumptions
I assume:
- you have an SRX and have it currently working as your CPE.
- you understand the zone concept
- you have an Internet connection and a pretty stable IP address – the NAT configs must be manually changed if your IP address changes. There are Junoscripts that can do this, but I’m too lazy to apply it to my config.
- you are somewhat proficient with Junos and can troubleshoot any problems that arise – more than likely I’m not going to be able to help you troubleshoot any problems you have.
- you’re on your own