WirelessPhreak.com

I like to travel, f*ck with technology, and partake in the occasional tropical drink.
I am also a co-host on The NBD Show podcast.

Symptoms

As people become more focused on securing their home network, the idea of an "enterprise" firewall for home use is not out of the ordinary. This focus has grown over time because of teleworking and job requirements, but also because some people realize that securing their home network is just as important as securing their "enterprise" network. For us gamers, though, this causes an issue. I was given the opportunity to use my own Palo Alto Networks (PAN) PA-220 firewall at home. While the initial setup didn't cause any issues, I had one major problem which was almost make or break for keeping the PA-220: my Xbox One did not function properly behind it. I could not update games, use group chat, or do anything an Xbox One should do.

Issue

When connecting to the Xbox Live service or PlayStation Network, the console establishes client (outbound) connections to the service. When hosting some games, or using some applications such as party chat, a connection inbound from the Xbox Live service or PlayStation Network to the console is required. If these inbound connections cannot be established, the console reports that a strict NAT has been detected.

The consoles support UPnP to dynamically open the TCP and UDP ports that need to be forwarded for connectivity to the service. UPnP-enabled routers allow port forwarding to be configured on the device dynamically, based on requests coming from internal devices. In a UPnP environment, the console asks the router to forward the appropriate ports to it.

Palo Alto Networks firewalls do not implement UPnP. Requests from a console to open ports via UPnP are simply never answered by the firewall. Instead, a static 1-to-1 NAT mapping must be created so that the inbound connections from the Xbox Live service or PSN reach the console.

Resolution

The following is my configuration setup to fix my Xbox One as well as other gaming consoles which need Universal Plug and Play (UPnP).

Quick Tangent: While UPnP is a great idea for making home networking easier, it opens up inside resources to many potential attacks. At a basic level, UPnP allows devices to discover each other on the same network dynamically so that they can communicate for data sharing and entertainment purposes. That part sounds good; the security risk is that UPnP (specifically the Internet Gateway Device profile) also lets any device on the LAN add port forwards to the home router without human intervention. Any host, including a compromised PC or IoT device, can expose any internal port to the Internet with no authentication and no protection. It is for this reason that enterprise firewalls do not support UPnP. Of course, when it comes to gaming and our relaxation time, we don't care about the risks, we just want our games to work.

The following configuration assumes that all basic connectivity has already been configured on your PA-220. The following configuration is my current setup and has never had any issues since the day I configured it.

The below is an extremely basic PA-220 configuration but the security policy that I want to highlight is the Outbound-Xbox Rule.

All firewall security policies are created under Policies >> Security >> Add

Note: PAN-OS evaluates both the security rulebase and the NAT rulebase top-down and uses the first rule that matches. The Outbound-Xbox security rule, and the Xbox NAT rule created next, must therefore both sit above the general Outbound Internet rules; otherwise the Xbox traffic will match the general rule first and never hit the dedicated Xbox rules.

Xbox Security Rule:

I configured my Xbox security policy to use the console's dedicated (DHCP-reserved) IP address as the source address. (Creating a DHCP address reservation is not covered in this article.)

  • The source is my dedicated Xbox/Gaming reserved address as I only wanted to NAT my Xbox traffic

  • The destination is to my UnTrust Zone or Outside security zone.

  • Application: This is the bread and butter of Palo Alto's Next Generation Firewall

  • The list in the image below are the applications (App-IDs) which I had fingerprinted at the time of this article. As the default ports of applications change and Microsoft adds more applications, this field will need to be updated from time to time.
    • Please note: A Layer 4 (port-based) firewall rule will work, but what is the point in having a Ferrari in the garage if you're not going to use it to its potential?

  • Action: of course, Allow

All other options are not covered here.

The below is an extremely basic PA-220 configuration, but the NAT policy that I want to highlight is the Xbox_NAT rule.

All firewall NAT policies are created under Policies >> NAT >> Add

Xbox NAT Rule:

I configured my Xbox NAT policy to match the console's dedicated (DHCP-reserved) source address. (Creating a DHCP address reservation is not covered in this article.)
  • The packet source is from the Trust/Inside Network
  • The packet destination is to my UnTrust Zone or Outside
  • The packet destination interface is the interface facing my ISP/Dynamic Client
  • The source is my dedicated Xbox/Gaming reserved address as I only wanted to NAT my Xbox traffic
  • The packet destination and service are set to ANY as we want all traffic from the Xbox to be NAT'd

THE FOLLOWING IS THE SECRET TO FIXING ALL UPnP ISSUES
  • Translated Packet
  • The source translation must be Static IP (not the usual Dynamic IP And Port used for general outbound traffic)
  • The translated address (blanked out in the image below) MUST be the public IP address the ISP assigns to the firewall's outside interface, i.e. the address your old home "modem"/router used to get.
    • NOTE: If the address assigned to your Internet Layer 3 link ever changes, this NAT rule MUST be updated, since a static translation cannot follow a DHCP address. Since having this implemented for over a year, I have never had to change this address, as the ISP wants to be stable and follows the basic rules of DHCP. My ISP always assigns me the same address when my DHCP lease renews.
  • The last major configuration is to check "Bi-directional: Yes".

If the above NAT rule and security policy are configured with the proper information, all UPnP issues will be a problem of the past. I have never had an issue except having to add applications to my security policy from time to time. I have used this configuration on multiple PA-220s and it works every time without any issues. Without the above rules, some games might work but group chat will always be broken.

Note that "Bi-directional: Yes" tells PAN-OS to also create the reverse translation, so traffic arriving from the Internet for the public address is forwarded to the console; this is what replaces the UPnP port forwards. The translation alone does not permit the traffic: a security policy from the Untrust zone to the Trust zone, with the console's private address as the destination, is still required, and restricting that policy to the console's address and the Xbox Live applications keeps the exposure to what the console actually needs rather than every port on the host.
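The two things people get wrong with this setup are the rule order and what "bi-directional" actually does, so here is an added example that models the NAT rulebase described above. It is my own illustration, not code from the original post and not PAN-OS code: a small first-match evaluator that shows the dedicated Xbox rule being shadowed when it sits below the general outbound rule, and the reverse (inbound) translation that the bi-directional option creates. The addresses 192.168.1.50, 203.0.113.10 and 198.51.100.1, the 192.168.1.0/24 LAN, and the zone and interface names are assumptions for illustration.

```python
"""First-match model of the PA-220 NAT rulebase discussed above.

Added illustration, not PAN-OS code. It mirrors two behaviours of PAN-OS
NAT policy: rules are evaluated top-down and the first match wins, and a
static-ip rule with bi-directional=yes also translates the reverse
direction (Internet -> public address becomes Internet -> console).
Addresses, zone names and interface names below are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

XBOX_IP = "192.168.1.50"    # assumed DHCP reservation for the console
PUBLIC_IP = "203.0.113.10"  # assumed ISP-assigned address on the outside interface
LAN = "192.168.1.0/24"      # assumed Trust network


@dataclass(frozen=True)
class Packet:
    src_zone: str  # pre-NAT source zone
    dst_zone: str  # pre-NAT destination zone (from the route to dst)
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str
    source: str                       # "any", a host or a CIDR
    translation: str                  # "dynamic-ip-and-port" or "static-ip"
    translated: Optional[str] = None  # public address for static-ip
    bidirectional: bool = False

    def _covers(self, addr: str) -> bool:
        return self.source == "any" or ip_address(addr) in ip_network(self.source, strict=False)

    def matches_forward(self, pkt: Packet) -> bool:
        # The rule as written in the GUI: Trust -> Untrust, source = the console.
        return pkt.src_zone == self.from_zone and pkt.dst_zone == self.to_zone and self._covers(pkt.src)

    def matches_reverse(self, pkt: Packet) -> bool:
        # The implicit reverse rule that "Bi-directional: Yes" adds: traffic
        # arriving from the Untrust side addressed to the translated address.
        # PAN-OS derives the pre-NAT destination zone from the route to that
        # address; that zone check is simplified away here.
        return (self.translation == "static-ip" and self.bidirectional
                and pkt.src_zone == self.to_zone and pkt.dst == self.translated)


def first_match(rules: List[NatRule], pkt: Packet) -> Optional[Tuple[NatRule, str]]:
    """Top-down, first-match evaluation, as PAN-OS does for NAT policy."""
    for rule in rules:
        if rule.matches_forward(pkt):
            return rule, "forward"
        if rule.matches_reverse(pkt):
            return rule, "reverse"
    return None


def translate(rules: List[NatRule], pkt: Packet, egress_ip: str = PUBLIC_IP) -> Tuple[Packet, Optional[str]]:
    """Return the post-NAT packet and the name of the rule that produced it."""
    hit = first_match(rules, pkt)
    if hit is None:
        return pkt, None
    rule, direction = hit
    if direction == "reverse":
        # Inbound: destination rewritten to the console's private address
        # (static 1-to-1 NAT, so rule.source is a single host).
        return Packet(pkt.src_zone, pkt.dst_zone, pkt.src, rule.source), rule.name
    if rule.translation == "static-ip":
        return Packet(pkt.src_zone, pkt.dst_zone, rule.translated, pkt.dst), rule.name
    # dynamic-ip-and-port: source becomes the egress interface address.
    return Packet(pkt.src_zone, pkt.dst_zone, egress_ip, pkt.dst), rule.name


def shadowed_rules(rules: List[NatRule]) -> List[str]:
    """Rules that can never match in the forward direction because an
    earlier rule with the same zones already covers their whole source."""
    warnings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.from_zone != later.from_zone or earlier.to_zone != later.to_zone:
                continue
            if earlier.source == "any" or (
                later.source != "any"
                and ip_network(later.source, strict=False).subnet_of(ip_network(earlier.source, strict=False))
            ):
                warnings.append(f"{later.name} is shadowed by {earlier.name}; move it above")
                break
    return warnings


def build_rulebase(xbox_first: bool = True) -> List[NatRule]:
    """The two rules from the post, in the order requested."""
    xbox = NatRule("Xbox_NAT", "Trust", "Untrust", XBOX_IP, "static-ip", PUBLIC_IP, bidirectional=True)
    general = NatRule("Outbound-Internet", "Trust", "Untrust", LAN, "dynamic-ip-and-port")
    return [xbox, general] if xbox_first else [general, xbox]


if __name__ == "__main__":
    for xbox_first in (True, False):
        rules = build_rulebase(xbox_first)
        print("Xbox rule first:", xbox_first)
        out, name = translate(rules, Packet("Trust", "Untrust", XBOX_IP, "198.51.100.1"))
        print(f"  Xbox outbound hits {name}, source becomes {out.src}")
        out, name = translate(rules, Packet("Untrust", "Untrust", "198.51.100.1", PUBLIC_IP))
        print(f"  inbound to {PUBLIC_IP} hits {name}, destination becomes {out.dst}")
        for warning in shadowed_rules(rules):
            print("  WARNING:", warning)
```

Run it and the second pass shows the trap: with Outbound-Internet on top, the console's outbound traffic gets the dynamic translation and never touches Xbox_NAT, which is exactly the strict-NAT symptom. The inbound half also makes the exposure visible: any packet from the Internet to the public address is rewritten to the console, so the Untrust-to-Trust security policy is what actually decides which ports reach it.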

For information on how to configure a static 1-to-1 destination NAT policy, or bi-directional NAT mapping please refer to the Understanding PAN-OS NAT document.

Please enjoy, and hopefully this will help anyone avoid the headaches, research, and trial and error that I went through. Hopefully this configuration will also allow everyone, including myself, to keep our games while still securing and protecting the valuable resources on the inside of the network. With this configuration, the consoles function without any issues, and the network is protected from the UPnP exposure that all gaming systems, especially Xbox/Microsoft, otherwise rely on.


Not so recently I purchased a lifetime license for Plex, but never really used it. It seemed like most everything I wanted to watch was already on Netflix, Hulu, or Amazon Prime. But when those streaming services let me down and I didn't want to re-purchase the digital copy of a DVD I already owned, I figured, why not digitize my physical DVDs?

So I started searching the web and came across an excellent article by HowToGeek.com on backing up DVDs to digital copies using HandBrake. Being a Mac guy I was already familiar with HandBrake and loved it for converting media files, but I didn't know it could also back up my DVDs. So I wanted to post the Apple-specific how-to for backing up your DVD collection. For the entire article, including the Windows-specific how-to, please visit the How-To Geek article linked above.

Step 1
Download and install HandBrake from the HandBrake website. Out of the box HandBrake can rip DVDs that are not copy protected, or convert media files from one format to another, but almost all DVDs you buy in the store are copy protected. Getting around this is a weirdly gray area legally, so applications like HandBrake can't legally include the software needed to decrypt copy-protected DVDs. You can, however, download it separately, as long as you're just using it to watch a movie you physically own on your own computer.

The software you'll need to install for backing up encrypted DVDs is called libdvdcss. This lets HandBrake read your encrypted DVDs and rip them to your computer. The process is a little different for Windows and Mac users, so if you are installing this on Windows please visit the How-To Geek article. Note that you don't have to do this every time you rip a DVD; once libdvdcss is installed, you can skip to Step 2 each time you rip a new disc.

Step 2
If you're on El Capitan or newer, we're going to use a command line tool called Homebrew. Sidebar: if you're not familiar with Homebrew, this tool is awesome, spend some time looking into it. Basically it is a package manager for macOS, like apt-get for Debian or yum for Red Hat, and I can't say enough good things about it. Fortunately, it only takes a few Terminal commands to install Homebrew if you haven't already.

Once Homebrew is installed you can install libdvdcss. Open a Terminal window on your Mac, type in brew install libdvdcss and hit Enter. This installs libdvdcss; that's all you need to do.

Step 3
Once you've installed libdvdcss, it's time to get ripping. Open HandBrake and choose your DVD drive from the sidebar that appears.

HandBrake will take a moment to scan the titles on your DVD. Wait until this process is finished; it should only take a moment. If libdvdcss wasn't installed correctly, you'll instead see an error saying that the disc can't be read.

Once your DVD is open, head to the "Title" dropdown box and choose which title you want to rip. By default, HandBrake will choose the main movie, but if you want to rip any special features or deleted scenes, you can change the target here. You can also change which chapters you want to rip, if you only want part of the movie. I chose to let HandBrake select the movie and it worked perfectly for me.

Under Destination, click Browse to pick where you want to place the movie after you’ve ripped it.

Step 4
Next, you'll need to decide the quality of your output file. The higher the quality of the movie, the more space it will take on your hard drive. If you're technical, you can use the Picture, Video, and Audio tabs to adjust these settings, but most people only need to click one thing: a Preset.
Along the right side of the HandBrake window, you'll see a selection of Presets (if you don't see it, drag the corner of HandBrake's window and expand it until you do). There are presets for nearly anything you could need: Apple TV, Android phones, PlayStation, and lots more. If you're watching on your computer, use one of the "General" presets: "Fast" and "Very Fast" will be lower quality but small in size, while "HQ" and "Super HQ" will have higher quality but take up more space.

Step 5
Once you've chosen your Title and Preset, click Start Encode at the top of the window. You'll see a progress bar along the bottom that lets you know how much time is left in the rip. Higher quality rips take longer, so you'll want to let your computer run for a while.

Once the rip is done, you should be able to double-click on it to watch it! Or, if you’re using a movie library program like Plex, go ahead and copy the file to your media server library.

I will start by saying yes, I downloaded the app after the keynote but didn't open it until recently. Listening to MacBreak Weekly, I had heard Andy Ihnatko (@ihnatko) rave about how powerful the Shortcuts app was. But what pushed me over the edge was a friend who sent me a message about an in-depth, badass shortcut he wrote that runs shell commands over SSH to his NAS server. That was enough to inspire me.

I started thinking about things I do every day, and the one thing that bubbled to the surface was carpooling with my wife. Every day I text her to let her know I am on my way to pick her up, but now I only need to lift my watch and say, "Hey Siri, tell my wife I am on my way." That simple Siri command triggers a cascade of events that notifies my wife where I am leaving from, when I will arrive, and the weather on the way home. Then, after a pause for the duration of the drive, it sends a second text letting her know I am downstairs.

In addition to my first shortcut, I am going to add interesting shortcuts I write or come across on the web to this post, so keep your eyes open. Oh yeah, you will need to open them on your iOS devices; hopefully Apple will add the Shortcuts app to the Mac someday.

Carpool ETA shortcut: https://www.icloud.com/shortcuts/23d0048b12804690b364761fe377739f

Boarding Airplane 2: https://www.icloud.com/shortcuts/90df7fff30b4488d897fa4242fdffaeb
      Cool shortcut that walks you through three easy steps to send your flight information.



Cadaver Dans

This year we decided to try out Mickey's Halloween Party at Disneyland. We didn't know what to expect, and even though we didn't dress up or wait in line for candy, we still had a great time. All the rides were pretty much walk-on, and the decorations in the park are really fun. The spooky music, lights, and fog really change the way the park feels. Also, the Cadaver Dans and the fireworks show were really well done. We missed the parade (not really parade people), but again, if you're only going for the party you can pretty much fit in all your favorite rides.

So in preparation for the party we were looking for Disneyland's Mickey's Halloween Party handout so we could plan our night, but all we could find was the Disney World handout. So even though it is officially Christmas time in the parks, I wanted to post my scans of the 2018 Mickey's Halloween Party flyer to hopefully help out any fellow newbies next year.

 The Front

The Back