
Tracker and firewall


Creasy

Recommended Posts

Hello,

I use µTorrent with Outpost firewall.

When I put a rule

http://forum.utorrent.com/viewtopic.php?t=205&highlight=firewall

"Allow inbound TCP connections on the port specified in Network Options, Listening Options."

It will become like that with Outpost:

snap36qe.jpg

65532 for example.

But :

Tracker status becomes snap8uf.jpg

No connection established because the target computer has denied it

(it is an approximate French-to-English translation)

If I put µTorrent in the Trusted Applications with Outpost (-> allow all)

then, after an "Update tracker":

snap10ax.jpg

Do you have an idea to resolve that?

I'd like to filter µTorrent with Outpost, but I prefer the blue colour ;)

Thank you in advance


Now this suggestion is something I don't understand. I thought that uTorrent does all its activity through one TCP port, both for trackers and for client connections. The previous two posts suggest otherwise. Forwarding all TCP ports is not practical, primarily due to security and secondarily there are other machines in the network that need particular inbound ports.

Does uTorrent need any TCP ports forwarded besides the single port in the network dialog box? If so, what is the minimum quantity and what is the port range?


Does uTorrent need any TCP ports forwarded besides the single port in the network dialog box? If so, what is the minimum quantity and what is the port range?

no, it only needs one port... but 2 rules must be defined, as BitTorrent acts as a client AND a server:

one for allowing inbound connections (as a client) from everyone/every port to your chosen port

one for allowing outbound connections (as a server) from your chosen port to everyone


no, it only needs one port... but 2 rules must be defined, as BitTorrent acts as a client AND a server:

one for allowing inbound connections (as a client) from everyone/every port to your chosen port

one for allowing outbound connections (as a server) from your chosen port to everyone

I have tried like that:

Where the protocol is TCP

and where the direction is INBOUND

and where the local port is 1234

Allow it

AND

Where the protocol is TCP

and where the direction is OUTBOUND

and where the local port is 1234

Allow it

not working

but if I change the outbound rule like that :

Where the protocol is TCP

and where the direction is OUTBOUND

Allow it

it's OK!

because, in the blocked connection log, I can see when I try to update the tracker:

snap7mv.jpg

(RDP and 2710 -> Remote port

1906, 1907, 1908, ...,....,.... -> Local port )


Torrent HTTP Connection Rule

Where the protocol is TCP

and Where the direction is Outbound

and Where the remote port is HTTP

Allow it

Torrent HTTPS Connection Rule

Where the protocol is TCP

and Where the direction is Outbound

and Where the remote port is HTTPS

Allow it

Torrent Network TCP Inbound Rule

Where the protocol is TCP

and Where the direction is Inbound

and Where the local port is 65532

Allow it

Torrent Network TCP Outbound Rule

Where the protocol is TCP

and Where the direction is Outbound

and Where the remote port is 1024-65535

Allow it

Torrent Network UDP Inbound Rule

Where the protocol is UDP

and Where the direction is Inbound

and Where the local port is 65532

Allow it

Torrent Network UDP Outbound Rule

Where the protocol is UDP

and Where the direction is Outbound

and Where the remote port is 1024-65535

Allow it

Localhost Loopback Inbound Rule

Where the protocol is TCP

and Where the direction is Inbound

and Where the remote host is 127.0.0.1

Allow it

Application UDP DNS Resolution

Where the protocol is UDP

and Where the remote host is the IP address for your DNS server

and Where the remote port is DNS

Allow it

TCP Inbound Blockall Coverage Rule

Where the protocol is TCP

and Where the direction is Inbound

Block it

TCP Outbound Blockall Coverage Rule

Where the protocol is TCP

and Where the direction is Outbound

Block it

UDP Blockall Coverage Rule

Where the protocol is UDP

Block it
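To make the difference between the two rule sets in this thread concrete, here is an added illustration (not Outpost's code and not from anyone in the thread): a small first-match policy evaluator that encodes Undesirable's list above and the original poster's first attempt, then runs both over constructed connections shaped after the blocked-connection log (tracker updates leaving from ephemeral local ports 1906, 1907, ... towards remote port 2710). First-match evaluation and block-on-no-match are assumptions about how a host firewall behaves; the service names resolve to their standard ports; the IP addresses are documentation-range placeholders, and the DNS server address stands in for "your DNS server".

```python
# Added illustration: first-match firewall policy evaluator modelled on the
# rule lists in this thread. Not Outpost's code; first-match semantics, the
# default-deny fallback and every sample connection are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used by the thread's rules, resolved to their standard ports.
SERVICES = {"HTTP": 80, "HTTPS": 443, "DNS": 53, "RDP": 3389}

def port(spec):
    """Normalise an int, a service name or a (lo, hi) tuple to an inclusive range."""
    if spec is None:
        return None
    if isinstance(spec, str):
        n = SERVICES[spec]
        return (n, n)
    if isinstance(spec, int):
        return (spec, spec)
    return spec

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "block"
    proto: Optional[str] = None                   # "TCP", "UDP" or None (any)
    direction: Optional[str] = None               # "in", "out" or None (any)
    local_port: Optional[Tuple[int, int]] = None  # inclusive range or None (any)
    remote_port: Optional[Tuple[int, int]] = None
    remote_host: Optional[str] = None

@dataclass(frozen=True)
class Conn:
    proto: str
    direction: str
    local_port: int
    remote_port: int
    remote_host: str

def _in_range(rng, value):
    return rng is None or rng[0] <= value <= rng[1]

def matches(rule: Rule, c: Conn) -> bool:
    """Every field the rule constrains must agree with the connection."""
    return ((rule.proto is None or rule.proto == c.proto)
            and (rule.direction is None or rule.direction == c.direction)
            and _in_range(rule.local_port, c.local_port)
            and _in_range(rule.remote_port, c.remote_port)
            and (rule.remote_host is None or rule.remote_host == c.remote_host))

def evaluate(rules: List[Rule], c: Conn) -> Tuple[str, str]:
    """First matching rule wins; with no match the firewall is assumed to block."""
    for r in rules:
        if matches(r, c):
            return r.action, r.name
    return "block", "implicit default deny"

LISTEN_PORT = 65532          # listening port from the rule list in the thread
DNS_SERVER = "192.0.2.53"    # constructed placeholder for "your DNS server"

# The original poster's first attempt: both rules keyed on the LOCAL port
# (the post used 1234 as an example; the listening port is used here).
OP_RULES = [
    Rule("TCP inbound, listening port", "allow", "TCP", "in", local_port=port(LISTEN_PORT)),
    Rule("TCP outbound, listening port", "allow", "TCP", "out", local_port=port(LISTEN_PORT)),
]

# Undesirable's list, in the order posted (order matters under first-match).
THREAD_RULES = [
    Rule("Torrent HTTP Connection Rule", "allow", "TCP", "out", remote_port=port("HTTP")),
    Rule("Torrent HTTPS Connection Rule", "allow", "TCP", "out", remote_port=port("HTTPS")),
    Rule("Torrent Network TCP Inbound Rule", "allow", "TCP", "in", local_port=port(LISTEN_PORT)),
    Rule("Torrent Network TCP Outbound Rule", "allow", "TCP", "out", remote_port=port((1024, 65535))),
    Rule("Torrent Network UDP Inbound Rule", "allow", "UDP", "in", local_port=port(LISTEN_PORT)),
    Rule("Torrent Network UDP Outbound Rule", "allow", "UDP", "out", remote_port=port((1024, 65535))),
    Rule("Localhost Loopback Inbound Rule", "allow", "TCP", "in", remote_host="127.0.0.1"),
    Rule("Application UDP DNS Resolution", "allow", "UDP", remote_host=DNS_SERVER, remote_port=port("DNS")),
    Rule("TCP Inbound Blockall Coverage Rule", "block", "TCP", "in"),
    Rule("TCP Outbound Blockall Coverage Rule", "block", "TCP", "out"),
    Rule("UDP Blockall Coverage Rule", "block", "UDP"),
]

# Constructed connections, shaped after the thread's blocked-connection log:
# a tracker update leaves from an ephemeral local port towards remote port 2710.
TRACKER_UPDATE = Conn("TCP", "out", local_port=1906, remote_port=2710, remote_host="203.0.113.10")
INBOUND_PEER = Conn("TCP", "in", local_port=LISTEN_PORT, remote_port=51413, remote_host="198.51.100.7")
INBOUND_RDP_PROBE = Conn("TCP", "in", local_port=SERVICES["RDP"], remote_port=40000, remote_host="198.51.100.7")
DNS_LOOKUP = Conn("UDP", "out", local_port=50123, remote_port=53, remote_host=DNS_SERVER)

if __name__ == "__main__":
    samples = [("tracker update", TRACKER_UPDATE), ("inbound peer", INBOUND_PEER),
               ("inbound RDP probe", INBOUND_RDP_PROBE), ("DNS lookup", DNS_LOOKUP)]
    for label, c in samples:
        print(f"{label:18} OP rules: {evaluate(OP_RULES, c)}  thread rules: {evaluate(THREAD_RULES, c)}")
```

Running it shows why the poster's outbound rule did nothing for tracker updates: the connection to the tracker leaves from local port 1906, so a rule that matches "local port is 65532" never fires and the connection falls through to the default deny. Undesirable's outbound rules match on the remote port instead, and the explicit block rules at the end mean anything the earlier rules did not allow (an inbound probe to 3389, for instance) is rejected by a named rule rather than by the implicit default.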


OK, I think we have to distinguish between two different points of protection where such rules are deployed:

1) the LAN border router, which typically performs NAT and may include a firewall, and

2) the software firewall on each machine in the LAN.

The rules Undesirable posted above are for a particular software firewall running on a LAN client. A NAT router is the gateway to the LAN and hides all local LAN IP addresses by changing the outgoing packets to make them appear to come from the same WAN IP address: the publicly routable IP address of the router. By keeping track of "transactions", it does the same address translation for incoming packets, so the remote host never knows the local LAN IP address it is really talking to. Though my question wasn't specific, I was asking about the more basic level of the border router.

Specifically, my understanding is that uTorrent only uses a single local port, using the TCP protocol, which is bidirectional, for all communications with both trackers and clients. The remote port numbers can be anything. This means that for a border router providing NAT services, only one incoming TCP port has to be forwarded to a given LAN client to run uTorrent. If there is a firewall in that router, the rules have to allow incoming and outgoing TCP connections through that port. Since TCP is inherently bidirectional, all this really means is the router will forward all incoming TCP packets hitting that port to a specific port on a specific local machine, regardless of whether the TCP connection was initiated by the local machine or the remote host. In other words, that port can function as either a client or a server for intermediate-level protocols based on TCP (such as BitTorrent and SMTP). Is my understanding of uTorrent correct?

UDP traffic is different, since UDP only defines a single packet going in a single direction. There is no connection to speak of, no handshakes and no state machine for the protocol. Some intermediate-level protocols, such as FTP, consist of a series of one-way UDP packets. To control these, the router either has to understand the specific protocol or use the "port triggering" concept. That is, an outgoing UDP packet is treated as opening a connection and incoming UDP packets to that port are forwarded instead of being dropped for a period of time.

Software firewalls not only deal with ports and low-level protocols, but also intermediate-level protocols and applications. Software firewalls generally deal with low-level protocols such as TCP and UDP, intermediate level protocols such as HTTP and FTP, and some know about the application that is requesting network services, such as FireFox. This leads to a larger variety of possible rules compared to a router.


65532 is the guy's listening port, I guess.

Application UDP DNS Resolution

Where the protocol is UDP

and Where the remote host is the IP address for your DNS server

and Where the remote port is DNS

Allow it

What is this good for? Only in combination with the HTTP and HTTPS rules? I think this can be left out as well.
