
Open all outgoing ports ...


calm_eddie


... is the advice I read in FAQ and from search results. This makes me very nervous. Everyone seems to just take this advice at face value and do it without questioning it.

We have a small LAN, 20+ machines, all owned and maintained by individuals. I've always locked down all ports on the NAT firewall both in and out, and created rules for necessary individual ports only, and everything has run fine for years and years.

Now some guys want to run utorrent and this is the first time I've seen a piece of software built so that it will not work unless the firewall is wide open on outgoing connections (or at least open on windows ephemeral ports). Maybe I have a sheltered life ;)

utorrent does not work unless I open everything.

Can you help put my mind at rest? Why does this need to be so open? I don't want to tell them they can't have it, but I need a better reason than "all my friends do it, so it must be OK".

Also, do UDP and TCP need to be open for Windows ephemeral ports, or just UDP? I couldn't find a precise answer in the FAQ, which suggests both should be open, but http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html references UDP.


You will only have to open 1 port for TCP for each user. Make sure your uTorrent utility is not set to select random ports on start-up. Stay with one port of your choice per user. That gets uTorrent through the firewall. Now, depending on your LAN, if you are using a bridge you may have to create some tables.

I would not open every port.

Ephemeral ports are temporary ports and will not work, as uTorrent requires a port. The problem you will run into is that unless you have multiple public IPs, only one client will be allowed to connect to the same tracker at a time, if it is a private site. You cannot have 5 identical IP addresses trying to connect to the same IP (site). Your customers must be made aware of this. That might be a reason not to set it up.

I assume you are using Windows 2000 or 2003 Server; just make sure you assign a static IP to the PC you wish to run uTorrent on. If you are using DHCP you may have problems with the lease unless you extend it.

If I was maintaining a network with 10 to 20 clients I would split the public IP: run your main network separately and another network for your BitTorrent clients. Give your BitTorrent clients remote access back to the main network. Now you will have security and less traffic on your main network. BitTorrent uses a lot of bandwidth. I guarantee you will get called back for performance issues if you don't.

You must remember that uTorrent (or any BitTorrent utility) is only an application utility; it connects to another bot (tracker) that tracks (maps) where all peers are located, just like your server. Then all peers try to connect to your peer on your network (and they only have permission to access the file (torrent) that was downloaded). So now you could have 50 remote access connections trying to enter your network; they all use the same port. If you don't let them in, the utility doesn't work.

For your info, if your customers don't know what they are doing with BitTorrent and you have a 10 Mb connection, they (each one) could use a terabyte a month. So make sure you set limits in the utility, especially on the upload.
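As an added illustration (not code from the thread or from uTorrent), here is a Python helper that emits the iptables rules for the approach the reply describes: one fixed inbound port per user forwarded to that user's static LAN address, and outbound traffic permitted only from those addresses, with no blanket "allow all outgoing" rule. The reason egress cannot be keyed on destination port is that the client dials peers on arbitrary remote ports, so the rule is keyed on source host and connection state instead. Interface names, the LAN subnet and the use of the Windows 2000/XP/2003 dynamic port range 1025-5000 as the reserved range are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed example values; interface names and subnet are assumptions.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WAN_IF, LAN_IF = "eth0", "eth1"
# Assumed Windows 2000/XP/2003 dynamic (ephemeral) source-port range: a user's
# fixed listening port should stay clear of it so the OS never hands it out.
EPHEMERAL = range(1025, 5001)


def validate_users(users: Dict[str, int]) -> None:
    """users maps a static LAN IP to that user's single fixed listening port."""
    seen = set()
    for ip, port in users.items():
        if ipaddress.ip_address(ip) not in LAN_NET:
            raise ValueError(f"{ip} is not in {LAN_NET}")
        if port < 1024 or port > 65535 or port in EPHEMERAL:
            raise ValueError(f"port {port} for {ip} is reserved or ephemeral")
        if port in seen:
            raise ValueError(f"port {port} used by more than one host")
        seen.add(port)


def build_rules(users: Dict[str, int]) -> List[str]:
    """Emit iptables commands: default-deny forwarding, one inbound hole per
    user, and stateful egress only from the listed hosts."""
    validate_users(users)
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for ip, port in users.items():
        for proto in ("tcp", "udp"):
            # Inbound: peers reach this one port, DNAT'd to the user's static IP.
            rules.append(
                f"iptables -t nat -A PREROUTING -i {WAN_IF} -p {proto} "
                f"--dport {port} -j DNAT --to-destination {ip}:{port}"
            )
            rules.append(
                f"iptables -A FORWARD -i {WAN_IF} -o {LAN_IF} -p {proto} "
                f"-d {ip} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
            )
            # Outbound: the client dials peers on arbitrary remote ports, so the
            # rule is keyed on source host and state, not on destination port.
            rules.append(
                f"iptables -A FORWARD -i {LAN_IF} -o {WAN_IF} -p {proto} "
                f"-s {ip} -m conntrack --ctstate NEW -j ACCEPT"
            )
    return rules
```

Hosts not listed in `users` get no NEW-connection egress at all, which is the per-host equivalent of the locked-down policy the question describes.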


Archived

This topic is now archived and is closed to further replies.
