OUTBOUND FILTERING AND BIT TORRENT bitlord

I am using a BitTorrent client called BitLord.

I set up outbound filtering on my firewall to only allow access to ports 80 and 443 for web surfing.

Now, obviously, BitLord won't work.

Question:

Which outbound ports do I need to open?

Since BitLord is connecting to peers which can have any port set as the server port, it appears I have to allow outbound traffic to all TCP ports in order to allow BitLord to connect.

Is this correct?

Reply to
navti

If you can't answer this question yourself (including RTFM and taking a look at your log file), then you shouldn't try to run a firewall.

No, it's pure nonsense, showing that you don't even understand what TCP states and stateful filtering are. Please do yourself a favor and stop thinking that you could run a firewall.

Reply to
Sebastian G.

Wow. Thanks. I don't have a stateful firewall. I have a SOHO firewall, a Netgear DG834G to be precise.

It allows basic packet filtering rules only.

So I have to open up outbound traffic to certain TCP ports.

Looking at the logs I can see that BitLord is making outbound connections to many, many different TCP ports.

The only way I can get it to work is to allow all outbound TCP.

Inbound traffic is not an issue, as BitLord will work quite happily with outbound connections only.

Reply to
navti

What's that supposed to mean? Almost any SOHO firewall should do stateful filtering, and a Netgear DG834G clearly should.

This just means that you can't refer to the TCP states in your ruleset. A bit limiting, but not relevant for your case.

Ehm... yes. I wonder why you even limited outbound connections.

Doubtful. But again, this is a case of RTFM.

Reply to
Sebastian G.

Inbound traffic is not an issue, I can assure you.

It works fine with all inbound traffic denied.

My manual tells me it only needs outbound connections to work.

So I set up a basic filter to allow TCP outbound to ports 6000-7000

and I block everything else.

I look in the logs and I look at my BitLord client.

What do I see?

I see that some outbound connections are working, i.e. those to peers listening on ports in the range 6000-7000,

so I can get some traffic.

I see that traffic to peers listening on other TCP ports is blocked.

I increase the scope of my filter to allow TCP 1000-65535 and I get most traffic.

Some is still filtered, to peers using TCP ports outside that range.

So the only way I can see is to allow ALL TCP traffic outbound.

Have you actually tried this yourself?

Reply to
navti
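The check navti describes above (reading the router log and widening the allowed destination-port range until every peer is reachable) can be done against the log itself rather than by trial and error. The script below is an added example, not from the original thread or from Netgear: it parses constructed, router-style log lines of outbound TCP attempts (the line format and peer addresses are made up for illustration and are not the DG834G's real log format) and reports how many peers each candidate port-range rule would reach. Because peers choose their own listening port, the only range that covers all of them is the whole TCP port space, which is exactly what the poster observed.

```python
import re
from typing import Dict, List, Tuple

# Constructed, router-style log lines (NOT the DG834G's actual format): each records
# an outbound TCP connection attempt from the BitLord host to a peer's listening port.
SAMPLE_LOG = """\
[Outbound] TCP 192.168.0.10:51234 -> 85.12.33.9:6881
[Outbound] TCP 192.168.0.10:51235 -> 203.0.113.7:6882
[Outbound] TCP 192.168.0.10:51236 -> 198.51.100.44:6969
[Outbound] TCP 192.168.0.10:51237 -> 192.0.2.15:51413
[Outbound] TCP 192.168.0.10:51238 -> 203.0.113.90:45000
[Outbound] TCP 192.168.0.10:51239 -> 198.51.100.2:12345
[Outbound] TCP 192.168.0.10:51240 -> 192.0.2.200:2710
[Outbound] TCP 192.168.0.10:51241 -> 203.0.113.33:999
[Outbound] TCP 192.168.0.10:51242 -> 198.51.100.77:65300
[Outbound] TCP 192.168.0.10:51243 -> 192.0.2.99:800
"""

LINE_RE = re.compile(
    r"^\[Outbound\] TCP (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_peer_ports(log: str) -> List[Tuple[str, int]]:
    """Return (peer_ip, peer_port) for every outbound TCP attempt in the log."""
    peers = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip anything that is not an outbound TCP record
            peers.append((m.group("dst"), int(m.group("dport"))))
    return peers


def coverage(peers: List[Tuple[str, int]],
             allowed_ranges: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Count how many logged peers a rule allowing the given port ranges would reach."""
    reachable = sum(
        1 for _, port in peers if any(lo <= port <= hi for lo, hi in allowed_ranges)
    )
    return reachable, len(peers)


def compare_rulesets(log: str) -> Dict[str, Tuple[int, int]]:
    """Evaluate the three candidate outbound rules tried in the thread."""
    peers = parse_peer_ports(log)
    candidates = {
        "TCP 6000-7000": [(6000, 7000)],
        "TCP 1000-65535": [(1000, 65535)],
        "all TCP": [(1, 65535)],
    }
    return {name: coverage(peers, ranges) for name, ranges in candidates.items()}


if __name__ == "__main__":
    for name, (hit, total) in compare_rulesets(SAMPLE_LOG).items():
        print(f"{name:16} reaches {hit}/{total} peers")
```

On the constructed sample the 6000-7000 rule reaches only the peers on the traditional BitTorrent ports, the 1000-65535 rule misses the two peers listening below 1000, and only the all-TCP rule reaches every peer. Run against a real export of the router's log, the same counts tell you whether a narrower rule is ever going to be good enough before you start editing the firewall.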

Inbound connections are not required.

It works with outbound connections only.

If I open up TCP ports 6000-7000 I can connect to some peers.

If I open up TCP ports 1000-65000 I can connect to most peers.

If I open up ALL TCP ports I can connect to ALL peers.

Therefore, with my firewall (which doesn't allow me to filter by application), I surely must allow ALL OUTBOUND TCP traffic for BitLord to work fully.

Reply to
navti

Sure they are. Just consider peers with the same setup...

Well, why and how should it?

I still wonder where your problem is.

Reply to
Sebastian G.

I'm curious... you've not yet stated WHY you are limiting your OUTBOUND connections... of course you want your inbound limited... you don't want everyone connecting to you, you want to connect to everyone else...

RedForeman

Reply to
RedForeman

I don't need to open any inbound ports on my firewall.

@@@@@@@@@@@@@@@@@

BitTorrent will usually work fine in a NAT (network address translation) environment, since it can function with only outbound connections. Such environments generally include all situations where multiple computers share one publicly-visible IP address, most commonly: computers on a home network sharing a cable or xDSL connection. If you are unsure of whether you have NAT or not, then try this link which will try to determine if you are behind a NAT gateway. @@@@@@@@@@@@@@@@@@

I am using NAT.

Checkpoint does.

My problem is that I want to filter outbound traffic at my router.

If I attempt to filter TCP outbound, BitLord stops functioning.

It only works fully if I allow TCP outbound to all ports.

I think I should ask this question on alt.torrents instead.

Reply to
navti

That is the reason why it does not make much sense to filter output connections if you want to use BitTorrents. Outbound filtering only works if you have a very strict narrow security policy. Application based filtering is not part of that. BitTorrents won't fit into this. If you want tight security with outbound filtering don't use BitTorrents. If you want to use BitTorrents, don't filter outbound traffic.

If you want, buy an expensive firewall with application-based filtering. But for protocols like those used for BitTorrents it won't help you much I guess. The reason why it uses all ports is to circumvent filtering. Trying to filter software which is designed to circumvent it is obviously not effective.

Gerald

Reply to
Gerald Vogt

I have my reasons.

Anyway, it appears BitLord needs all TCP OUTBOUND allowed to function properly.

Reply to
navti

You're ignoring the fact that then you can't connect with any peers of the same setup, thereby limiting your connectivity.

"someone stupid does" (or did you mean "someone allows me to do something stupid") sure is an argument...

And WHY do you want that? You're just shooting yourself in the foot, nothing more.

Reply to
Sebastian G.

You haven't a clue, dude. So shut it.

Reply to
navti

Remember, he has his reasons....

...ever get the feeling people don't ask the real questions, and only come up with scenarios that are just too weird for words?

RedForeman

Reply to
RedForeman

Why don't you block all incoming ports and do port forwarding with the services you need? I don't think it makes much sense to filter outbound ports especially when you are in a NAT environment. I work with several SonicWall firewalls at work and they only filter incoming connections, we don't run NAT either.

Reply to
Hexalon

Who doesn't have a clue?

Go read the specs on BitLord, and you'll find that it does NOT require anything special, like all other torrent software, even limewire and gnutella are similar...

Why does BitLord use only one incoming TCP port? You can use a single TCP port for all your torrents, no matter how many are simultaneously downloading or uploading, 10 or 100.

RedForeman

Reply to
RedForeman

  1. Because I'm directly connected to a PPPoE dial-up.
  2. Because I'm particularly running varying services on ports >1024. Indeed, for ports I don't think it makes much sense to filter

Yes and no.

Yes, it's indeed generally a stupid idea.

No, because you should employ egress filtering and state tracking. You might also limit specific services (f.e. blocking SMTP totally, deliver mail via SUBMISSION instead).

Reply to
Sebastian G.

Sorry for being rude, but you needlessly started it by saying I wasn't fit to run a firewall just because I asked a legitimate question.

I want to run BitTorrent but I am concerned about security.

The question is: can you run BitTorrent and remain secure?

Can you be hacked by a BT peer?

Reply to
navti

Your question was not legitimate in a technical sense. Whatever your original problem was, you've drawn a wrong conclusion and then asked how to implement it. I just pointed out that your conclusion is wrong, and asked if you might rather state the original problem. Blocking outgoing traffic is generally stupid, and in combination with P2P technology it becomes obviously stupid.

(Well, except if you're running a SOCKS proxy. But then your question would have been totally different.)

Then again, you've shown a big lack of competence by not differentiating between traffic and connections, as well as state (which is important for both stateful filtering and NAT). Any serious firewall implementation is heavily concerned with these, so I doubt you have any clue about how this really works.

And, even further, your information was obviously incomplete. Only port 80 and 443 for web surfing? What happened to DNS? Why are you ignoring ICMP? You're either over-simplifying or don't know what you're doing. Sorry to tell you that directly.

Yes. But this is not a matter of the firewall, but rather of the client.

If your client is exploitable: yes. And no firewall can save you from that.

Now, can we please turn back and come to your real problem: Why do you want to indiscriminately filter outbound traffic/connections? What do you intend to achieve?

Reply to
Sebastian G.
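Sebastian's points about state tracking, DNS and ICMP are easier to see with a small model than in the abstract. The code below is an added example, not from the original thread and not the DG834G's firmware: it models a default-deny stateful egress filter (what a real box would express with `ct state established,related` in nftables, or `-m conntrack --ctstate ESTABLISHED,RELATED` in iptables) and runs a constructed packet sequence through it. Addresses, ports and the packet sequence are made up for illustration. It shows three things from the thread: return traffic to ephemeral ports is accepted because of connection state, not because any inbound port is "open"; a web-only egress policy that forgets UDP 53 breaks the first DNS lookup; and BitTorrent's outbound connection to a peer listening on an arbitrary port is dropped by any port-based egress rule short of "all TCP", while an unsolicited SYN from a peer stays dropped in every configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]  # (address, port); port 0 is used for ICMP


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str      # "tcp", "udp" or "icmp"
    src: Endpoint
    dst: Endpoint


class StatefulEgressFilter:
    """Toy model of a stateful firewall with a default-deny egress policy.

    Outbound packets pass only if they match the egress policy or belong to a flow
    that was already accepted. Inbound packets pass only if they are replies to a
    tracked flow, so no inbound port is ever opened. Illustrative model only.
    """

    def __init__(self, tcp_ports: Set[int], udp_ports: Set[int],
                 allow_icmp: bool = True, all_tcp: bool = False) -> None:
        self.tcp_ports = tcp_ports
        self.udp_ports = udp_ports
        self.allow_icmp = allow_icmp
        self.all_tcp = all_tcp
        # Connection table keyed by (proto, inside endpoint, outside endpoint).
        self.conntrack: Set[Tuple[str, Endpoint, Endpoint]] = set()

    def _policy_allows(self, pkt: Packet) -> bool:
        if pkt.proto == "tcp":
            return self.all_tcp or pkt.dst[1] in self.tcp_ports
        if pkt.proto == "udp":
            return pkt.dst[1] in self.udp_ports
        return pkt.proto == "icmp" and self.allow_icmp

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src, pkt.dst)
            if key in self.conntrack:      # later packet of an accepted flow
                return "ACCEPT"
            if self._policy_allows(pkt):   # new flow permitted by the egress policy
                self.conntrack.add(key)
                return "ACCEPT"
            return "DROP"
        # Inbound: accepted only as reply traffic for a flow the LAN host initiated.
        key = (pkt.proto, pkt.dst, pkt.src)
        return "ACCEPT" if key in self.conntrack else "DROP"


LAN = "192.168.0.10"  # constructed LAN host running the BitTorrent client


def run_scenario(fw: StatefulEgressFilter) -> Dict[str, str]:
    """Constructed packet sequence: DNS lookup, HTTPS fetch, ping, BitTorrent peers."""
    steps: List[Tuple[str, Packet]] = [
        ("dns query out",   Packet("out", "udp", (LAN, 40000), ("192.0.2.53", 53))),
        ("dns reply in",    Packet("in", "udp", ("192.0.2.53", 53), (LAN, 40000))),
        ("https syn out",   Packet("out", "tcp", (LAN, 50001), ("198.51.100.10", 443))),
        ("https synack in", Packet("in", "tcp", ("198.51.100.10", 443), (LAN, 50001))),
        ("ping out",        Packet("out", "icmp", (LAN, 0), ("198.51.100.10", 0))),
        ("ping reply in",   Packet("in", "icmp", ("198.51.100.10", 0), (LAN, 0))),
        ("peer syn out",    Packet("out", "tcp", (LAN, 50002), ("203.0.113.7", 51413))),
        ("peer synack in",  Packet("in", "tcp", ("203.0.113.7", 51413), (LAN, 50002))),
        ("unsolicited peer syn in",
                            Packet("in", "tcp", ("203.0.113.8", 6881), (LAN, 6881))),
    ]
    return {label: fw.decide(pkt) for label, pkt in steps}


WEB_ONLY = dict(tcp_ports={80, 443}, udp_ports={53}, allow_icmp=True)

if __name__ == "__main__":
    for name, fw in [("web-only egress", StatefulEgressFilter(**WEB_ONLY)),
                     ("all outbound TCP", StatefulEgressFilter(**WEB_ONLY, all_tcp=True))]:
        print(name)
        for label, verdict in run_scenario(fw).items():
            print(f"  {label:24} {verdict}")
```

The inbound rows never consult a port list: the SYN/ACK from the web server and the DNS reply are accepted purely because the LAN host created the state a moment earlier, which is why "inbound traffic is not an issue" holds for any stateful or NAT router regardless of how egress is configured. Switching `all_tcp=True` is what makes the peer connection succeed, and even then the unsolicited SYN from a peer is dropped, matching the poster's observation that no inbound port needs opening. Dropping `53` from `udp_ports` shows the gap Sebastian raised: web surfing on 80/443 alone dies at the first name lookup.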

Ach, just f*ck off, will you.

Reply to
navti
