Port forwarding: Are blocked ports fine if it still works?


Smoke

I have a D-Link DGL-4100 GamerLounge. Latest Firmware (1.7). I had been using the Gaming section to open the required ports but recently switched it over to a special application rule so the ports only open when traffic is triggered from internally. It works fine, both DHT and regular downloading work. I've got the green light for it. The problem is that my logs (router) show a lot of blocks for the port utorrent is using. It doesn't seem to be having any adverse effects.

So is it alright? Should I stick to the trigger-based port opening or have them open all the time (rather not give hackers and such a free port to slam)?

Link to comment
Share on other sites

If you only allow incoming connections through the router when it is triggered from inside, then you have in effect the same situation as if you were firewalled: no one from outside can initiate a connection to you as the first one that does it. That's bad!

You can safely open that port normally for µT, since no other application is listening on that port for incoming connections.

(And you got a green light because others can of course connect to you (but only after you initiated that connection first), even if you are in that case "technically red" like a fully firewalled user.)

Link to comment
Share on other sites

Wouldn't I want to connect only if I initiate the connection, not all the time? I know when I had the port permanently open I had a lot of extra active sessions even when I hadn't downloaded/uploaded for days. I'm still able to upload at full as well as download?

Link to comment
Share on other sites

Actually, port triggers are a workable alternative... assuming the router implements them correctly. What's supposed to happen is when traffic first occurs on that port or a 'trigger' port which may be a different port, then and only then does that port start allowing traffic on that port through the router.

It would seem that D-Link routers do not handle port triggers correctly. EVERY TCP and UDP packet on that port should be forwarded to your computer, and only there can µTorrent decide if it's a legit packet or trash. There should not be many blocked packets, unless lots are malformed in their headers (a likely possibility with miscoded or overloaded clients!)

Another problem with port triggers is the port may stay open 30 minutes (or more!) after the application triggering them has closed. So the supposed advantage (only open when needed) is partially lost. Yet another problem is only 1 computer can use that port at a time...and may be locked out by previous sessions on the same port. Even rebooting the computer would lock it out if the computer's LAN ip address changed.

Link to comment
Share on other sites
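
A simplified model of the port-trigger behaviour described in the post above (closed until triggered, held open for 30 minutes, one LAN host at a time), added here as an illustration; it is not part of the thread and not D-Link firmware. Port 40000, the LAN addresses, and the rule that only outbound trigger traffic refreshes the timer are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

TIMEOUT = 30 * 60  # seconds; the "30 minutes" hold time mentioned in the post


@dataclass
class PortTrigger:
    """Toy model of one port-trigger rule; not any vendor's firmware."""
    trigger_port: int            # outbound traffic to this port arms the rule
    open_port: int               # inbound port opened while the rule is armed
    owner: Optional[str] = None  # LAN host the opened port currently maps to
    expires: float = 0.0

    def armed(self, now: float) -> bool:
        return self.owner is not None and now < self.expires

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> bool:
        """Return True if this packet armed or refreshed the rule."""
        if dst_port != self.trigger_port:
            return False
        if self.armed(now) and self.owner != lan_ip:
            return False         # port is held by another host's session
        self.owner, self.expires = lan_ip, now + TIMEOUT
        return True

    def inbound(self, dst_port: int, now: float) -> str:
        """Return 'FORWARD <ip>' or 'BLOCK' for an unsolicited WAN packet."""
        if dst_port == self.open_port and self.armed(now):
            return f"FORWARD {self.owner}"
        return "BLOCK"


def replay() -> list:
    """Run a constructed timeline (times in seconds) through the model."""
    r = PortTrigger(trigger_port=40000, open_port=40000)
    a, b = "192.168.0.10", "192.168.0.11"    # constructed LAN hosts
    return [
        r.inbound(40000, 0),                 # nothing triggered yet
        r.outbound(a, 40000, 10),            # host A starts its client
        r.inbound(40000, 20),                # now reaches host A
        r.outbound(b, 40000, 100),           # host B is locked out
        r.inbound(40000, 10 + TIMEOUT - 1),  # client long closed, still open
        r.inbound(40000, 10 + TIMEOUT),      # hold time elapsed
    ]


if __name__ == "__main__":
    for step in replay():
        print(step)
```

The first and last results are the "blocked" entries a router log would show for unsolicited traffic arriving while the rule is not armed; a static port forward would return a forward decision at every step.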

It seems to only be blocking UDP (i.e. DHT) when the port is not triggered. The Special Applications page specifies it as:

"This option is used to open single or multiple ports on your router when the router senses data sent to the Internet on a "trigger" port or port range. Special Applications rules apply to all computers on your internal network."

While the Gaming and other permanent port options limit it to one computer. I have tried multiple computers at once and it works fine. Hmm. It's working! I can upload and download and I have no problem with the main private tracker I use so I guess I'll leave it until I find otherwise. Thanks for the help. Still have to worry about the apparent epidemic of idiots banning utorrent now!

Link to comment
Share on other sites

For one, I don't use DHT myself -- I don't like all the uncontrollable UDP packets. The TCP traffic does hang around a bit after I close µTorrent, but UDP traffic related to DHT can persist for weeks. To me, it seems a needlessly "noisy" network -- after studying how Gnutella v0.6 and later connects. In short, I thought it a very messy way to attempt to get just a couple more ip connections per torrent. Peer Exchange on the other hand reused existing connections and had a decent hit ratio on passed ips, so I used that instead. I simply accept that a torrent that is lacking seeds is probably dead and move on ...instead of fighting to find the 1 person on the entire planet sharing that torrent.

Link to comment
Share on other sites

It seems every tracker is not allowing DHT anyways nowadays so I guess that's a good plan. I don't see it helping much on dead torrents anyways and you're right, the UDP connections do not die. My router has been off for hours before due to a power outage and the UDP were still trying to get through as soon as it came back on.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
