sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Sandboxie interfering with network connectivity for Quake Enhanced (2021 Quake 1 remaster) #2818

Open DBMandrake opened 1 year ago

DBMandrake commented 1 year ago

Describe what you noticed and did

To run multiple Quake servers on the same physical server on the 2021 Quake 1 remaster (which does not provide traditional command line only dedicated servers) it's necessary to use something like Sandboxie to allow multiple copies of Quake (in windowed mode) to run at the same time on the same server without "seeing" each other.

This actually works quite well and performs well; however, there is an issue with Sandboxie interfering with the setup of peer to peer network connections.

Normally when a client tries to connect to the server they will attempt to set up a direct UDP stream between client and server using typical "UDP hole punching" techniques using a rendezvous server such as a STUN server, which is something many games do.

If this fails for any reason the game falls back silently to relaying all traffic via a Bethesda/Microsoft hosted relay server. Naturally, adding an additional relay increases ping times considerably and is detrimental to gameplay.

When a Quake Enhanced server is run within Sandboxie the attempt to perform the UDP hole punching always fails resulting in the server relaying via a 3rd party server.

I've spent several days trying to debug this issue with network tracing using tcpdump/Wireshark etc., and have experimented with a wide variety of sandbox settings to no avail; it's still not clear what is causing the issue.

Some of the things I've tried which have made no difference include:

Enable or disable WFP mode in Global settings. (Then reboot)

Removing "network restrictions" in Sandbox->General Options->Restrictions

Pretty much every combination of options in Security Options->Security Hardening, Security Isolation, Advanced Security.

Different box types - for example Application Compartment (NO isolation); however, while Quake runs in this mode it can no longer connect to the Bethesda servers and complains about no network connectivity.

I've also tried using DLLSkipHook to skip hooking all winsock related DLLs, and then also most of the DLLs listed in this post:

https://github.com/sandboxie-plus/Sandboxie/issues/1515#issuecomment-1006408988

Unfortunately nothing helps, either the problem remains or Quake loses the ability to connect to Bethesda servers completely.

I have tried both the Steam and Good Old Games version of Quake Enhanced, both show the same problems.

Interestingly, if I run a Quake CLIENT within a sandbox, it is able to connect to a server and perform successful UDP hole punching, as shown via tcpdump. However, when the SERVER is within the sandbox, UDP hole punching fails (but works if the game is run outside the sandbox). So the issue is asymmetric.

I have tried installing the game only in the sandbox, or in the native filesystem and then running it with a sandbox that makes no initial changes and the problem is the same both ways.

I have run Wireshark on the server (outside of the sandbox) and can see the UDP traffic from the remote peer coming in to the correct ports; however, Quake running within the sandbox does not seem to "see" this traffic.

At this point I'm not sure what to try next, and it's not entirely clear whether Sandboxie is blocking/modifying network traffic or some other restriction it is placing within the sandbox is causing the issue.

I have seen the same issue on both 1.7.2 and 1.8.4 which just released. I did try to test with a much older version before WFP was introduced (0.9.8) however Quake is unable to run at all in this version.

How often did you encounter it so far?

No response

Affected program

Quake Enhanced (Quake 2021 remaster)

Download link

Steam / Good Old Games / Epic Games

Where is the program located?

The program is installed only outside the sandbox.

Expected behavior

The expected behaviour is that Quake should be able to establish a peer to peer connection using UDP hole punching.

What is your Windows edition and version?

Windows Server 2019

In which Windows account you have this problem?

Not relevant to my request.

Please mention any installed security software

Built in Windows defender

What version of Sandboxie are you running?

1.8.4 Plus

Is it a new installation of Sandboxie?

I recently did a new clean installation.

Is it a regression?

Applicable to all versions I've tried

In which sandbox type you have this problem?

All sandbox types (I tried them all).

Can you reproduce this problem on a new empty sandbox?

I can confirm it also on a new empty sandbox.

Did you previously enable some security policy settings outside Sandboxie?

No response

Crash dump

No response

Trace log

No response

Sandboxie.ini configuration

No response
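One way to narrow down the asymmetry described above (inbound UDP visible to Wireshark on the host but not to the sandboxed process) is a small probe that sends and receives on the same UDP socket, the way a hole-punching peer does, and reports what came back. This is an added diagnostic, not code from the issue or from the Sandboxie project; the loopback self-test is constructed here, and to compare a sandboxed and an unsandboxed process you would run the echo side on a second host and point the probe at it.

```python
"""UDP round-trip probe: does this process receive datagrams on the same
socket it sent from? Constructed diagnostic, not part of Sandboxie or Quake."""
import socket
import threading


def open_udp(host="127.0.0.1", port=0):
    """Bind one UDP socket. The same socket is used to send and receive,
    so the NAT mapping created by the outbound packet also admits the reply."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    return s


def punch_and_listen(sock, peer, payload, expected, timeout=2.0):
    """Send `payload` to `peer`, then wait for up to `expected` datagrams on
    that same socket. Returns [(sender_ip, sender_port, data)]; an empty list
    means the outbound packet left but nothing inbound reached this process."""
    sock.settimeout(timeout)
    sock.sendto(payload, peer)
    replies = []
    while len(replies) < expected:
        try:
            data, (ip, port) = sock.recvfrom(2048)
        except socket.timeout:
            break
        replies.append((ip, port, data))
    return replies


def echo_once(sock, timeout=2.0):
    """Peer side: receive one probe and echo it to the observed source address
    (the address a STUN-style rendezvous would have reported)."""
    sock.settimeout(timeout)
    try:
        data, addr = sock.recvfrom(2048)
    except socket.timeout:
        return None
    sock.sendto(b"echo:" + data, addr)
    return addr


def loopback_roundtrip():
    """Self-test with both sides on 127.0.0.1 so the script runs offline.
    Returns the replies seen by the sending socket (one when traffic is
    unobstructed, none when inbound UDP is not delivered to the process)."""
    a, b = open_udp(), open_udp()
    t = threading.Thread(target=echo_once, args=(b,))
    t.start()
    got = punch_and_listen(a, b.getsockname(), b"probe", expected=1)
    t.join()
    a.close()
    b.close()
    return got


if __name__ == "__main__":
    print(loopback_roundtrip())
```

Running the probe once inside the box and once outside, against the same remote echo host, separates "the packet never arrives at the host" (a NAT or routing problem, visible in tcpdump) from "the packet arrives but the sandboxed process never receives it" (a hook or driver problem).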

isaak654 commented 1 year ago

Did you try to remove Template=BlockPorts from your sandbox(es) in Sandboxie.ini?

DBMandrake commented 1 year ago

Hi,

Thanks for the suggestion. No, I had not tried this because the template doesn't block any ports that are used (which are dynamically allocated high ports); however, I've just tried it now and unfortunately I can report it doesn't help.

Is there anything else that can be done to disable all network filtering or traffic modification applied by Sandboxie within a sandbox? I don't want to place any network restrictions on these specific sandboxes at all. (The server is already within a DMZ VLAN.)

DavidXanatos commented 1 year ago

@DBMandrake thank you very much for the verbose issue description. This indeed sounds strange: that with DllSkipHook=ws2_32.dll and disabled WFP it still fails. Did you write DllSkipHook or DLLSkipHook? The latter does not work; it's case sensitive.

Using a compartment type box you should be able to disable most hooks:

DllSkipHook=user32.dll
DllSkipHook=msi.dll
DllSkipHook=gdi32full.dll
DllSkipHook=gdi32.dll
DllSkipHook=sxs.dll
DllSkipHook=shell32.dll
DllSkipHook=combase.dll
DllSkipHook=ole32.dll
DllSkipHook=shcore.dll
DllSkipHook=userenv.dll
DllSkipHook=MsCorEE.dll
DllSkipHook=ntmarta.dll
DllSkipHook=ComDlg32.dll
DllSkipHook=acscmonitor.dll
DllSkipHook=winnsi.dll
DllSkipHook=Pdh.dll
DllSkipHook=sysfer.dll
DllSkipHook=emet.dll
DllSkipHook=snxhk64.dll
DllSkipHook=snxhk.dll
DllSkipHook=IDMIECC.dll
DllSkipHook=MsgPlusLive.dll
DllSkipHook=agcore.dll
DllSkipHook=advpack.dll
DllSkipHook=mso.dll
DllSkipHook=dwrite.dll
DllSkipHook=osppc.dll
DllSkipHook=winspool.drv
DllSkipHook=wevtapi.dll
DllSkipHook=winsta.dll
DllSkipHook=wtsapi32.dll
DllSkipHook=sfc_os.dll
DllSkipHook=d3d9.dll
DllSkipHook=imm32.dll
DllSkipHook=uxtheme.dll
DllSkipHook=zipfldr.dll
DllSkipHook=cfgmgr32.dll
DllSkipHook=setupapi.dll
DllSkipHook=sspicli.dll
DllSkipHook=pstorec.dll
DllSkipHook=wkscli.dll
DllSkipHook=netapi32.dll
DllSkipHook=iphlpapi.dll
DllSkipHook=ws2_32.dll
DllSkipHook=hnetcfg.dll
DllSkipHook=crypt32.dll
DllSkipHook=secur32.dll

#DllSkipHook=advapi32.dll
#DllSkipHook=sechost.dll
#DllSkipHook=rpcrt4.dll

It's worth testing if disabling most hooks solves the issue. If so, one can narrow down which DLL is the culprit and then properly fix the issue.

Can you provide a guide on how to create a test setup, or provide remote access to a test system, like a VM for example?

DBMandrake commented 1 year ago

Hi David,

Thanks for the reply - I don't recall what capitalization I used previously for DllSkipHook, so I've retested it.

With WFP disabled and a standard isolation sandbox I tried DllSkipHook=ws2_32.dll in the specific sandbox ini section; unfortunately it didn't seem to help.

I also tried an "Application Compartment no isolation" type box, both as is and again with the long list of DllSkipHooks you provided above; unfortunately both cases are actually worse than the default sandbox.

When I attempt to start a new server in the game it fails, reporting "Lobby creation Failed. No Internet Connection", which is puzzling because an Application Compartment box should be less restrictive, not more?

I had noticed this before and wondered if I was not understanding the difference between a normal sandbox and an application compartment, as I haven't seen a detailed description of the differences between the box types.

As for reproducing it - it's not the easiest thing to reproduce. I have two copies of Quake on two different Steam accounts; one is running on a server at work, the other is running a client at home, and they are connecting across the internet.

Then to verify if the direct connection (via NAT UDP hole punching) is working, I'm running tcpdump on the router in front of the server to see if UDP traffic is flowing directly to the client or going out via a Bethesda (hosted by Microsoft) relay server.

There is quite a difference in the in-game reported ping times as well: with the direct connection working I get about 30ms, with it not working it is around 60-80ms due to going via a relay, so I can usually tell just by looking at the ping time, but running tcpdump is the conclusive way to check.

I'm not sure whether the problem could be reproduced with server and client on the same network, since the thing that doesn't work properly is UDP hole punching through different NAT routers. If they're on the same LAN they should just make a direct connection without going through the firewall at all. (Although it would be interesting to see whether the sandbox interferes with this as well; I will see if I can set up a test within the same LAN.)

Would you say that the compartment box type with the long list of DllSkipHooks should be the least restrictive from a network traffic point of view, or is there something else I could disable?

DavidXanatos commented 1 year ago

Yes, the compartment type box with most hooks disabled is almost the least restrictive. Perhaps the driver is interfering; to bypass this you can enable NoSecurityFiltering=y, which disables all driver based security for the sandbox it's set in. Also note that NoSecurityFiltering=y is only effective when set in a box with NoSecurityIsolation=y.

DBMandrake commented 1 year ago

Hi,

Still no change unfortunately - with an application compartment box the game always fails to create an online game with the error "Lobby creation Failed. No Internet Connection", even with NoSecurityFiltering=y and NoSecurityIsolation=y, with or without the DllSkipHook options.


So in this regard the Application Compartment box seems to be more restrictive than the Standard Sandbox setting. I've attached a copy of the Sandboxie.ini for the configuration during the most recent test where I'm seeing the No Internet Connection warning from Quake.

Strangely, Steam seems to be able to log in OK, and Quake doesn't report any errors initially connecting to the Bethesda servers when you first select the online menu, but creating a server for others to join claims that there is no internet connection.

Sandboxie.zip