I set up outbound filtering on my firewall to only allow access to ports 80 and 443 for web surfing.
Now, obviously, BitLord won't work.
Question:
Which outbound ports do I need to open?
Since BitLord is connecting to peers which can have any port set as the server port, it appears I have to allow outbound traffic to all TCP ports in order to allow BitLord to connect.
If you can't answer this question yourself (including RTFM and taking a look at your log file), then you shouldn't try to run a firewall.
No, it's pure nonsense, showing that you don't even understand what TCP states and stateful filtering are. Please do yourself a favor and stop thinking that you could run a firewall.
I'm curious... you've not yet stated WHY you are limiting your OUTBOUND connections... of course you want your inbound limited... you don't want everyone connecting to you, you want to connect to everyone else...
I don't need to open any inbound ports on my firewall.
BitTorrent will usually work fine in a NAT (network address translation) environment, since it can function with only outbound connections. Such environments generally include all situations where multiple computers share one publicly-visible IP address, most commonly: computers on a home network sharing a cable or xDSL connection. If you are unsure of whether you have NAT or not, then try this link which will try to determine if you are behind a NAT gateway.
I am using NAT,
Checkpoint does.
My problem is that I want to filter outbound traffic at my router.
If I attempt to filter TCP outbound, BitLord stops functioning;
it only works fully if I allow TCP outbound to all ports.
I think I should ask this question on alt.torrents instead.
That is the reason why it does not make much sense to filter outbound connections if you want to use BitTorrent. Outbound filtering only works if you have a very strict, narrow security policy. Application-based filtering is not part of that. BitTorrent won't fit into this. If you want tight security with outbound filtering, don't use BitTorrent. If you want to use BitTorrent, don't filter outbound traffic.
If you want, buy an expensive firewall with application-based filtering. But for protocols like those used by BitTorrent it won't help you much, I guess. The reason why it uses all ports is to circumvent filtering. Trying to filter software which is designed to circumvent it is obviously not effective.
Why don't you block all incoming ports and do port forwarding with the services you need? I don't think it makes much sense to filter outbound ports especially when you are in a NAT environment. I work with several SonicWall firewalls at work and they only filter incoming connections, we don't run NAT either.
Go read the specs on BitLord, and you'll find that it does NOT require anything special, like all other torrent software, even limewire and gnutella are similar...
Why does BitLord use only one incoming TCP port? You can use a single TCP port for all your torrents, no matter how many are simultaneously downloading or uploading, 10 or 100.
Because I'm directly connected to a PPPoE dial-up.
Because I'm particularly running varying services on ports >1024. Indeed, for ports I don't think it makes much sense to filter
Yes and no.
Yes, it's indeed generally a stupid idea.
No, because you should employ egress filtering and state tracking. You might also limit specific services (e.g. blocking SMTP totally and delivering mail via SUBMISSION instead).
Your question was not legitimate in a technical sense. Whatever your original problem was, you've drawn a wrong conclusion and then asked how to implement it. I just pointed out that your conclusion is wrong, and asked if you might rather state the original problem. Blocking outgoing traffic is generally stupid, and in combination with P2P technology it becomes obviously stupid.
(Well, except if you're running a SOCKS proxy. But then your question would have been totally different.)
Then again, you've shown a big lack of competence by not differentiating between traffic and connections, as well as state (which is important for both stateful filtering and NAT). Any serious firewall implementation is heavily concerned with these, so I doubt you have any clue about how this really works.
And, even further, your information was obviously incomplete. Only port 80 and 443 for web surfing? What happened to DNS? Why are you ignoring ICMP? You're either over-simplifying or don't know what you're doing. Sorry to tell you that directly.
Yes. But this is not a matter of the firewall, but rather of the client.
If your client is exploitable: yes. And no firewall can save you from that.
Now, can we please turn back and come to your real problem: Why do you want to indiscriminately filter outbound traffic/connections? What do you intend to achieve?
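To make the points in the thread concrete (stateful tracking versus per-port egress rules, why a "web only" outbound policy also breaks DNS and ping, and why a BitTorrent client needs new outbound connections to arbitrary peer ports while still never needing an inbound rule behind NAT), here is a toy stateful packet filter in Python. It is an added example, not code from any poster, from BitLord, or from Checkpoint or SonicWall; the addresses, ports and flows are constructed from RFC 5737 documentation ranges, and the policy dictionaries are an assumption standing in for real firewall rule syntax.

```python
"""Toy stateful packet filter illustrating the egress-filtering discussion above.

A policy lists the destination ports a *new* outbound flow may use (None
means any port).  Reply packets are never matched against the policy, only
against the connection table; that is the "stateful" part.  All addresses
and flows below are constructed (RFC 5737 ranges), not captured traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int       # 0 for ICMP
    dst: str
    dport: int       # 0 for ICMP
    direction: str   # "out" = LAN -> Internet, "in" = Internet -> LAN


LAN_HOST = "192.168.1.10"   # constructed private address behind NAT

# Assumed policies; these stand in for real firewall rules.
POLICY_WEB_ONLY = {"tcp": {80, 443}, "udp": set(), "icmp": False}   # as in the first post
POLICY_DESKTOP = {"tcp": {80, 443}, "udp": {53}, "icmp": True}      # same, plus DNS and ping
POLICY_ANY_TCP_OUT = {"tcp": None, "udp": {53}, "icmp": True}        # what a torrent client needs


class StatefulFilter:
    def __init__(self, policy):
        self.policy = policy
        self.table = set()   # 5-tuples of outbound flows already accepted
        self.log = []        # (packet, verdict), kept for inspection

    def _new_outbound_allowed(self, p):
        if p.proto == "icmp":
            return self.policy["icmp"]
        allowed = self.policy[p.proto]
        return allowed is None or p.dport in allowed

    def process(self, p):
        """Return True if the packet is accepted, False if dropped."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.direction == "out":
            if key in self.table:
                verdict = "ACCEPT established"
            elif self._new_outbound_allowed(p):
                self.table.add(key)
                verdict = "ACCEPT new outbound (policy)"
            else:
                verdict = "DROP new outbound (egress policy)"
        else:
            # Inbound is accepted only as the reply half of a tracked flow;
            # there is no inbound port rule at all, as with NAT.
            verdict = ("ACCEPT reply to tracked flow" if reverse in self.table
                       else "DROP unsolicited inbound")
        self.log.append((p, verdict))
        return verdict.startswith("ACCEPT")


def run_scenarios(policy):
    """Replay constructed flows through a fresh filter.

    Returns {scenario: bool}; True means every packet of the scenario was
    accepted, i.e. that application would work under the policy.
    """
    fw = StatefulFilter(policy)
    web, dns, peer_a, peer_b = "203.0.113.5", "192.0.2.53", "198.51.100.7", "198.51.100.8"
    scenarios = {
        # Browser: outbound to 443, server replies from 443.
        "web": [Packet("tcp", LAN_HOST, 50000, web, 443, "out"),
                Packet("tcp", web, 443, LAN_HOST, 50000, "in")],
        # The name lookup the browser needs before the web flow can start.
        "dns_lookup": [Packet("udp", LAN_HOST, 40000, dns, 53, "out"),
                       Packet("udp", dns, 53, LAN_HOST, 40000, "in")],
        "ping": [Packet("icmp", LAN_HOST, 0, web, 0, "out"),
                 Packet("icmp", web, 0, LAN_HOST, 0, "in")],
        # Torrent client connecting out to a peer whose listen port is
        # whatever that peer chose (51413 here); the reply is tracked state.
        "bittorrent_peer": [Packet("tcp", LAN_HOST, 50001, peer_a, 51413, "out"),
                            Packet("tcp", peer_a, 51413, LAN_HOST, 50001, "in")],
        # Remote peer trying our listen port with no prior outbound flow:
        # dropped under every policy here, which is the NAT situation.
        "unsolicited_inbound": [Packet("tcp", peer_b, 34567, LAN_HOST, 6881, "in")],
    }
    return {name: all(fw.process(p) for p in pkts) for name, pkts in scenarios.items()}


if __name__ == "__main__":
    for name, policy in (("web only", POLICY_WEB_ONLY),
                         ("desktop", POLICY_DESKTOP),
                         ("any tcp out", POLICY_ANY_TCP_OUT)):
        print(name, run_scenarios(policy))
```

Under the "web only" policy the web flow works but DNS, ping and the torrent peer connection all fail at the new-outbound check; adding UDP 53 and ICMP fixes the desktop but not the torrent client, which only works once new outbound TCP is allowed to any port. In none of the three cases is an inbound rule needed, which is the NAT point quoted earlier in the thread.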
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.