uTorrent and static packet filters

I want to use uTorrent (only for seeding, not for downloading) on a Win2k3 server having static packet filters (instead of embedded firewall) enabled. It's impossible to grant different port access to different applications so the advice to allow all outgoing connections is not suitable here. I know about net.outgoing_port and net.outgoing_max_port settings. My questions:

1. How many ports should be granted to uTorrent by net.outgoing_port and net.outgoing_max_port settings? Does it depend on the number of seeded torrents?

2. Which UDP ports should be open for DHT? Which "Destination Unreachable" ICMP codes should be allowed for DHT?

uTorrent will only use 2 outgoing ports if set that way *IF* it's trying to connect to the same ip twice, once on 1 torrent once on another torrent.

Does that mean that total number of open outgoing TCP ports should be better equal to <number_of_active_torrents>+1?

What about my 2nd question?

No, the max possibly used outgoing ports is equal to the max active torrents.

In practice, if you have 10 dissimilar torrents from 3 trackers...the odds of using more than 3 sequential outgoing ports is pretty close to nil.

2.I don't know.

2. The DHT uses the main BitTorrent port for outgoing packets, same as incoming packets arrive on.

2b. ICMP type 3, code != 4. So, any ICMP host unreachable other than a fragmentation error.

Greg Hazel and Switeck, thank you very much for answers.

> The DHT uses the main BitTorrent port for outgoing packets, same as incoming packets arrive on.

Does that mean that if I use port 30000 for incoming connections I should open UDP port 30000 for outgoing connections?

The fact is that I googled the DHT question and found a lot of mentions of UDP port 6881 (even here in FAQ). I opened it, and DHT started working, but found not enough nodes (3 instead of 300 while all UDP ports are open for outgoing connections). I opened additional UDP ports from 6882 to 6889, which increased the number of found nodes to 20-30. So are UDP ports 6881-6889 of any importance for DHT or not?

Is it correct to use the same TCP port for outgoing connections as for incoming connections?

Greg Hazel

> 2. The DHT uses the main BitTorrent port for outgoing packets, same as incoming packets arrive on.

My settings are:

incoming port = 45202

net.outgoing_port = 45202

net.outgoing_max_port =45210

Open incoming ports:

TCP 45202

Open outgoing ports:

TCP 45202-45210

UDP 6881-6889

UDP 45202

Also open:

ICMP type 3, code 0-3 and 5-13

uTorrent is working (green icon), but DHT found only 12 nodes. If I opened all UDP ports for incoming and outgoing connections then number of nodes is increased dramatically. So what UDP ports should I open in addition? Have I opened some unnecessary ports? BTW: I use uTorrent on this machine for seeding only.

The incoming port is also used for DHT, so 45202 UDP-IN. As for out, I don't know if UDP traffic obeys those outgoing port settings. If it does, UDP 45202-45210 OUT would suffice and your 6881-6889 is pointless. It it doesn't, all UDP out. If some of those rules aren't present you'll have the connectivity issues you've described.

GTHK, thanks for your answer (better late than never...). DHT works fine with 45202 UDP-IN, no need to open additional UDP ports. So let's resume:

Open incoming ports:

TCP 45202

UDP 45202

Open outgoing ports:

TCP 45202-45210

ICMP type 3, code != 4

You should not use the incoming port as the starting port for outgoing!

Start with the next port instead.

Switeck, thanks. So let's resume again:

If setting are:

incoming port = 45202
net.outgoing_port = 45203
net.outgoing_max_port =45210

then:

Open incoming ports:
TCP 45202
UDP 45202

Open outgoing ports:
TCP 45203-45210

ICMP type 3, code != 4

That looks better, but I don't know how your firewall treats destination ports for outgoing.

Well it seems to work fine, that's all I can say .

... or not? The icon in status bar changes from green to yellow and from yellow to green continuously. Upload is working even when it's yellow.

The ability to receive incoming connections has no effect on existing connected peers/seeds...only the ability to get new ones incoming. Outgoing connections may be made just fine either way.