Counter Strike Global Offensive - Multiplayer

Bug #1484318 reported by Why
This bug affects 1 person
Affects: Gufw
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hello,

It's impossible to "Find" a multiplayer match with GUFW's current Steam rules.

To reproduce:

* Deny all input AND output;
* Add ftp, http, smtp, smtps, openvpn, https, pop3, imap, and finally Steam rules;
* Open CSGO, click "Play" and then "Find a Game";
* Select mode;
* Wait until "Confirming Match" appears;
* Wait 30 seconds, the point at which a message will appear about failing to connect to the match or something.

# iptables-save:

[code]# Generated by iptables-save v1.4.21 on Wed Aug 12 22:14:45 2015
*filter
:INPUT DROP [76:2432]
:FORWARD DROP [0:0]
:OUTPUT DROP [732:43555]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-after-logging-output -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP
-A ufw-before-input -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A ufw-before-input -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A ufw-before-input -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A ufw-before-input -s 127.0.0.2/32 -i enp0s7 -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type any -j DROP
-A ufw-before-input -p tcp -m tcp --dport 43 -j DROP
-A ufw-before-input -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A ufw-before-input -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A ufw-before-input -f -j DROP
-A ufw-before-input -p udp -m udp --dport 513 -j DROP
-A ufw-before-input -p udp -m udp --dport 33434:33524 -j DROP
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
-A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
-A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j DROP
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j DROP
-A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 21 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 25 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 53 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 110 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 143 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 515 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 465 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 1194 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 464 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 993 -j ACCEPT
-A ufw-user-output -p udp -m multiport --dports 27000:27015 -j ACCEPT
-A ufw-user-output -p udp -m multiport --dports 27015:27030 -j ACCEPT
-A ufw-user-output -p tcp -m multiport --dports 27014:27050 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 4380 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 3478 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 4379 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 27015 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 9987 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 10011 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 10060 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 30033 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 30033 -j ACCEPT
COMMIT
# Completed on Wed Aug 12 22:14:45 2015
[/code]

File /etc/ufw/before.rules (edited):
[code]#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m state --state INVALID -j ufw-logging-deny
-A ufw-before-input -m state --state INVALID -j DROP

# Drop TCP sessions opened prior to Firewall start
-A ufw-before-input -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A ufw-before-output -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# Drop packets that do not match any valid state
-A ufw-before-input -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A ufw-before-input -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

# Anti-spoof
-A ufw-before-input -i enp0s7 -s amarildo -j DROP

# Anti ICMP
-A ufw-before-input -p icmp -m icmp --icmp-type any -j DROP
-A ufw-before-input -p tcp -m tcp --dport 43 -j DROP

# Xmas scan
-A ufw-before-input -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -j DROP
-A ufw-before-input -p tcp -m tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP

# IP fragments
-A ufw-before-input -p all -f -j DROP

# who
-A ufw-before-input -p udp -m udp --dport 513 -j DROP

# traceroute
-A ufw-before-input -p udp -m udp --dport 33434:33524 -j DROP

# quickly process packets for which we already have a connection
-A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
[/code]

Regards,
Amarildo

Tags: csgo steam
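
With the OUTPUT policy set to DROP as in the dump above, a new outbound connection only leaves the host if an ACCEPT rule in ufw-user-output covers its protocol and destination port. The following is an added example, not part of the original report or of Gufw: it parses an excerpt of that chain and reports which probe ports are not covered. The probe list is constructed for illustration and is not a statement of which ports the game uses; the function names are hypothetical.

```python
import re

# Excerpt of the ufw-user-output rules from the iptables-save dump above.
RULES = """\
-A ufw-user-output -p udp -m udp --dport 53 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-output -p udp -m multiport --dports 27000:27015 -j ACCEPT
-A ufw-user-output -p udp -m multiport --dports 27015:27030 -j ACCEPT
-A ufw-user-output -p tcp -m multiport --dports 27014:27050 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 4380 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 3478 -j ACCEPT
-A ufw-user-output -p udp -m udp --dport 4379 -j ACCEPT
-A ufw-user-output -p tcp -m tcp --dport 27015 -j ACCEPT
"""

# Matches single-port (--dport) and multiport (--dports) ACCEPT rules.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -p (?P<proto>tcp|udp) .*?"
    r"--dports? (?P<ports>[\d:,]+) -j ACCEPT$"
)

def parse_allowed(dump, chain="ufw-user-output"):
    """Return [(proto, low, high)] for every port-based ACCEPT rule in chain."""
    allowed = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["chain"] != chain:
            continue
        for item in m["ports"].split(","):        # multiport may list several
            low, _, high = item.partition(":")    # "a:b" range or single port
            allowed.append((m["proto"], int(low), int(high or low)))
    return allowed

def is_allowed(allowed, proto, port):
    """True if a NEW outbound packet to proto/port hits an ACCEPT rule."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in allowed)

def uncovered(allowed, probes):
    """Probes that would fall through to the OUTPUT DROP policy."""
    return [(pr, po) for pr, po in probes if not is_allowed(allowed, pr, po)]

# Constructed probe values, chosen only to exercise the range boundaries.
PROBES = [("udp", 27015), ("tcp", 27036), ("udp", 27031),
          ("udp", 3478), ("tcp", 3478)]

if __name__ == "__main__":
    for proto, port in uncovered(parse_allowed(RULES), PROBES):
        print(f"no ACCEPT rule for outbound {proto}/{port}")
```

The check models only new connections reaching ufw-user-output; loopback and RELATED,ESTABLISHED traffic is accepted earlier in ufw-before-output and is not considered here.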
Why (amar-gufw) wrote :
costales (costales) wrote :

Did you enable the Steam preconfigured rule?

costales (costales)
Changed in gui-ufw:
status: New → Invalid