Review of my home broadband router logs (suspicious activity?)

Putting together what you said, plus what David W. Hodgins said, plus what Jasen Betts said, is this how it works?

(1) If I turn off UPnP on the router (and in Transmission?) then nobody can connect to "me" for me to "upload" to them with them using my public IP address through a port forwarded through my router via UPnP.

(2) This means that I can only upload to other clients that have a public socket, but if the other clients don't have a public socket, I can't upload to them (or, said more directly, they can't get files from me).

(3) Since bittorrent maintains two download queues, the first priority going to those who are uploading data and the second going to those who are not uploading data, if I'm not uploading data, then I will only download data when the first queue is empty.

(4) That means two different things. - For those people with public sockets, I will be in the first queue because they can get data from me even though I don't have a public socket myself. - For those people without public sockets, I will be in the second queue because, to them, I'm not uploading any data because I don't have a public upload socket open.

(5) Overall, this will probably increase my download times (depending on a combination of how many other people have public sockets open and on how full that first queue is).

(6) If I want to upload data to everyone, in order to ensure I'm in the first queue, I will need to "open" a port for uploading data.

(7) The "easiest" way to open that outgoing (upload) port is to enable UPnP in my router (and in the Transmission GUI?).

(8) HERE IS WHERE I'M STILL CONFUSED! The "safest" way to open that outgoing upload port is to set up something called "port forwarding" in the router.

MY QUESTION: If all this is correct, then all I really need to learn next is how to set up port forwarding in the router.

The router has a menu for "port forwarding" & "port triggering." The first dropdown menu has a "Service Name" for me to select: (The choices are ftp, http, icuii, ip phone, netmeeting h.323, news, quake II & III, real audio, telnet, & vpn/pptp). Notice "bittorrent" is conspicuously missing from the dropdown menu.

Once I select a service name, the rest of the choices are: - External Start Port = ? - External End Port = ? - Internal Start Port = ? - Internal End Port = ? - Internal IP address = (this would be the IP address of my computer)

So, I have to figure out what is an External and Internal port, and then what is the difference between a Start and End port.

One bit of confusion is that Transmission is picking random ports.


So, how do I set up port forwarding in the router when Transmission doesn't know what port it will be using at any given time?

Do I tell Transmission to pick a STATIC port?

Reply to
Paul M. Cook

All very simple - since you should have a basic understanding of the terms internal, external, start, and end.

In the case of transmission, it uses just ONE port for control purposes, and you can pick any one that is not being used by something else.

Ports are numbered from a minimum of 0 to a maximum of 65535 (because they are 16 bit).

Ports 0 to 1024 are reserved for system services and require administrative privileges (root) in order to use them.

So that leaves 1025 and above to 65535, but many of these are used by different programs and to see what is assigned look in the file /etc/services.

Now in the case of transmission you can choose anything not in use.

So if you have transmission running on host1, a choice could be to use port 43101.

So in transmission on host 1 you have to go into the network setup options menu and tell it to use port 43101.

Then on the router, one sets the

external start port to 43101, external end port to 43101

internal start port to 43101, internal end port to 43101

and internal IP address to that of host 1

Transmission uses both UDP and TCP for this port, so you must ensure in your router configuration that the forwarding rule is applied to both protocols.

Similarly if you also have transmission running on host 2, you could then choose port 43102 and enter the values appropriate, and for host 3 choose port 43103 ...

This way you can have transmission running on hosts 1, 2, and 3 all running at the same time and the traffic is forwarded to the appropriate host.

The reason for not choosing consecutive numbers for each host (43101, 43102, 43103), which could be done, is to illustrate a more general scheme.

If you have an application which uses a range of ports, eg rtorrent, then you would need to specify a larger number for the end point, eg start 49160 and end 49199 for host 1, start 49260 and end 49299 for host 2, etc.

As you can see from the choice of the numbering, it is easy to see which ports are forwarded to host 1, host 2, and host 3.

Reply to
J G Miller
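The "look in /etc/services and pick an unused upper port" step described above, as an added example that is not code from the thread: a small parser for the /etc/services line format, applied to a constructed excerpt of that file, with a check that a candidate Transmission listening port is 16-bit, unprivileged (below 1024 is reserved) and unassigned on both TCP and UDP, since the forwarding rule must cover both protocols.

```python
import re
from typing import Dict, Tuple

# Constructed excerpt in /etc/services format (assumption: a real file is much longer).
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp             21/tcp
ssh             22/tcp                          # SSH Remote Login Protocol
http            80/tcp          www             # WorldWideWeb HTTP
openvpn         1194/tcp
openvpn         1194/udp
bittorrent      6881/tcp        # constructed entry, not in a stock file
"""

ServiceMap = Dict[Tuple[int, str], str]  # (port, "tcp"|"udp") -> service name


def parse_services(text: str) -> ServiceMap:
    """Parse /etc/services lines of the form 'name port/proto [aliases] [# comment]'."""
    assigned: ServiceMap = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        match = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1])
        if match is None:
            continue  # ignore malformed or non-TCP/UDP entries
        assigned[(int(match.group(1)), match.group(2))] = fields[0]
    return assigned


def check_listening_port(port: int, services: ServiceMap) -> Tuple[bool, str]:
    """Return (usable, reason) for a candidate Transmission listening port.

    The port must be free on BOTH tcp and udp, because the router forwarding
    rule for Transmission has to be applied to both protocols."""
    if not 0 <= port <= 65535:
        return False, "port numbers are 16-bit: 0..65535"
    if port < 1024:
        return False, "privileged port: reserved for system services, needs root"
    for proto in ("tcp", "udp"):
        name = services.get((port, proto))
        if name is not None:
            return False, f"{port}/{proto} is assigned to {name} in /etc/services"
    return True, "free on both tcp and udp"


def next_free_port(start: int, services: ServiceMap) -> int:
    """First port >= start (and >= 1024) that passes check_listening_port."""
    port = max(start, 1024)
    while port <= 65535:
        if check_listening_port(port, services)[0]:
            return port
        port += 1
    raise ValueError("no free port found")


if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    for candidate in (80, 1194, 6881, 43101, 70000):
        print(candidate, check_listening_port(candidate, svc))
    print("next free after 1194:", next_free_port(1194, svc))
```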

Port forwarding works by taking any packet with destination address the router, and port the given port, and readdressing it so that that packet goes to IP of your computer,and the port you told it to forward to.

Often the router will allow you to pick the incoming port number. as well as giving you a list of the common ports that are often forwarded.

Note that for outgoing, the system will usually pick a random port and the router will remember that port number and return any incoming packets to that port. Ie, you do not forward outgoing packets.

Sorry, I have no idea what those Start/End ports are all about.

Reply to
William Unruh

Start and End simply refer to cases where you need to open a contiguous range of ports. For example, if you wanted to open/forward ports 43101 thru 43199, then 43101 would be the Start of that range and 43199 would be the End of that range. Everything in between is also opened/forwarded.

By providing the capability to define a range by its start and end like that, you're saved from having to open umpteen number of individual ports.

In cases where you only want to open a single port, the Start and End ports are the same.

Reply to
Char Jackson

Me neither! Not yet, anyway.

This whole port forwarding & UPnP stuff is new to me, so, a lot goes over my head.

Reply to
Paul M. Cook

Thanks for explaining that the "start" and "end" ports merely define a range of ports, e.g., the hundred ports between port 10001 to port 10100.

If I just want Transmission bittorrent to work faster for upload, do I set the "external" range or the "internal" range?

I would *guess* it's the "internal" range, but I'm not sure.

Reply to
Paul M. Cook

Everything you said cleared up a lot of my confusion:

(1) Transmission uses one port so I can pick any (upper) unused port.

(2) A look at /etc/services shows what ports are in use. For example: openvpn 1194/tcp & openvpn 1194/udp. In my case, there are no ports in /etc/services between port 27374 & 30865, so your example of 43101 works fine.

(3) The computer where Transmission runs is currently on 192.168.1.10. But that is a temporary IP address (assigned by DHCP from the router). I assume I'd want to force that IP address to be static from the router.

(4) Then, I can set, on the router, the external range to: External start port to 43101, External end port to 43101. And, I can set, on the router, the internal range to: Internal start port to 43101, Internal end port to 43101.

(5) And then I set the "Internal IP address = 192.168.1.10".

(6) And I'd have to do that (somehow) for both TCP & UDP.

(7) Lastly I'd have to set up transmission to use the same port!

Are the assumptions above correct?

(A) Should I set up the computer to get a static IP address from the router?

(B) Must I set the *same* port 43101 on Transmission (I assume the answer is yes)?

(C) Why do I even need the "External" port setup? (Why don't I just need to set the "Internal" port, since it's for uploading?)

Reply to
Paul M. Cook

This makes sense that what you're saying is:

(1) If I don't enable port forwarding or UPnP in the router, then transmission can't have an incoming public port.

(2) If Transmission can't have an incoming public port, then other clients without a public socket can not get data from me.

(3) If other clients can't get data from me, they will put me in the second download torrent priority queue, which only downloads data from them when the first priority queue is empty.

One question I have is that transmission uses the term: "Listening port" which is the "Port used for incoming connections".

The router seems to have an "External port" & an "Internal Port" in the port-forwarding dialog.

Are these all actually the same thing but with different words?

Reply to
Paul M. Cook

set both, use a range 6881 to 6889 if you want to run several instances simultaneously.

Reply to
Jasen Betts

As far as I am aware (corrections please if not) transmission uses just one control port for communication with other p2p clients but having established contact and agreed on what other port to use and checked that it can be opened, then the actual data transfer occurs on that other port.

Those will be the "random ports" you mentioned in an earlier message that transmission was using.

Yes whenever you run a program such as transmission it is running as a "service" or "daemon" and in order for the router to do the port forwarding to any host running a daemon, it has to know its IP address.

So you need to have it on a static IP address because the router does not have the necessary software to discover which host the service is running on (if the host was using say Avahi or slp to advertise the service) and for cases of instances of the same service on multiple hosts, it would not know which one to choose.

If you do not want to set a fixed IP on the actual machine you can get your router to always assign the same IP address from the DHCP pool by a rule using the host's NIC MAC address.

This should be clear from the GUI for the router on how to do that.

You are confusing things here: internal/external are not synonyms for uploading/downloading.

The router has two sides:

    host1 ]
    host2 ] --- LAN (internal) --- [router] --- (external) WAN (Internet) --- some_other_p2per
    host3 ]

What you are doing is mapping the external port number to the internal port number.

So because the transmission program tells the remote p2p client/server that it is using port 43101 for communications, the router has to make sure that it maps its external port 43101 to 43101 on the host where transmission is running.

What the port forwarding does is connect the external port number to the internal port number.

Usually the external port and the internal port are the same but this is not always necessary and for some special cases may have to be different.

Suppose you were at a remote site and wanted to ssh into your home LAN but the administration at the remote site blocked port 22 but not port 80 (because that normally carries web traffic). What you could then do on your router is forward incoming external port 80 to port 22 on your host running the ssh daemon, and at the remote site tell the ssh client to use port 80 and not the usual port 22 when connecting to your router's WAN side (with an IP address usually allocated by your ISP).

Incidentally home/SOHO routers are not full routers since the internal ethernet ports are on a switch and all have a common IP address, not individual LAN IP addresses.

I suggest you visit this website

which more than likely has screenshots of how to do port forwarding configuration for your model or router, and indeed it apparently does ...

Reply to
J G Miller

But, what exactly "is" an external port and an internal port?

(1) Let's say I set my router to hand a static IP address to my Linux computer, and let's say that's 192.168.1.10

(2) Then, let's say I set up Transmission on that Linux computer to use static port 6881 (Transmission calls that port the "Listening Port" and Transmission describes it as the "Port used for incoming connections".)

(4) Let's say my external IP address is 1.2.3.4 for argument's sake.

(5) Let's assume it's a basic tenet in firewalling to only enable what you have to enable, so, let's assume all I want to enable is the ability for my Transmission bittorrent client to upload files to other bittorrent clients, whether or not those other clients have a public socket. (This allows me access to both bittorrent queues, which eventually gets me faster downloads.)

(6) Given all that above, I would "guess" that what I'm trying to open is an "external" port, i.e., a port to the outside world where someone on the Internet tries to connect to 1.2.3.4:6881 which my router directs to 192.168.1.10:6881

Is that a correct assumption, if all I want to do is enable my Bittorrent client to upload to other clients, that I want to only open an "external" port on the router (and not an internal port)?

Reply to
Paul M. Cook

On Friday, January 1st, 2016, at 10:42:35h -0500, Paul M. Cook asked yet again:

This was all carefully explained in detail in

Thursday, December 31st, 2015, at 23:30:05h -0000 (UTC) in message

even with a little ASCII picture.

Perhaps these dictionary definitions will help you to understand the meaning of external, internal, and port.

From The Collaborative International Dictionary of English v.0.48 [gcide]:

External \Ex*ter"nal\, n. Something external or without; outward part; that which makes a show, rather than that which is intrinsic; visible form; -- usually in the plural. [1913 Webster]

From The Collaborative International Dictionary of English v.0.48 [gcide]:

Internal \In*tern"al\, a. [L. internus; akin to interior. See {Interior}.] [1913 Webster] 1. Inward; interior; being within any limit or surface; inclosed; -- opposed to {external}; as, the internal parts of a body, or of the earth. [1913 Webster]

From The Free On-line Dictionary of Computing (20 July 2014):

port port number 1. A logical channel or channel endpoint in a communications system. The {Transmission Control Protocol} and {User Datagram Protocol} {transport layer} protocols used on {Ethernet} use port numbers to distinguish between (demultiplex) different logical channels on the same {network interface} on a computer. Each {application program} has a unique port number associated with it, defined in /etc/services or the {Network Information Service} "services" database. Some {protocols}, e.g. {telnet} and {HTTP} (which is actually a special form of telnet) have default ports specified as above but can use other ports as well. Some port numbers are defined in {RFC 3232} (which replaces RFC 1700). Ports are now divided into: "Well Known" or "Privileged", and "Ephemeral" or "Unprivileged" (comprising "Registered", "Dynamic", "Private").

Reply to
J G Miller

I just got to that most excellent explanation and was reading and re-reading the internal/external port explanation when I saw this post here.

I'm sorry, I was out last night and wasn't able to read anything until now.

In that earlier post, I easily understood what you kindly explained about how Transmission opens up one port, and what you explained well about how I could assign a static IP address on either the computer or on the router (by telling the router the MAC address of the computer).

I'm working on this internal/external port concept now, and will respond to *that* post, so as to keep it together.

The final summary should be forthcoming when I figure out the difference between and internal and external port, and why I have to open up both UDP and TCP traffic through that opened port.

Thanks for your wonderfully detailed explanations!

Reply to
Paul M. Cook

On Friday, January 1st, 2016, at 11:15:15h -0500, Paul M. Cook confessed:

Always best to try and read all the followups before posting questions, especially those which you have already asked.

Good, just try to keep in mind that the router is a device which connects the LAN, the INTERNAL side, to the WAN (usually the Internet), the EXTERNAL side.

So for things to work (ie communications to/from the Internet), the router has to connect the internal port to an external port, and an external port to an internal port.

In normal factory default operation, home (SOHO) routers are always open to allow traffic from an internal host on any port (so internal port) to any external host on any port (so external port).

It is the incoming traffic which is barred by default unless an internal host on that port has already established communications with that particular external IP address on that particular port.

If you think of an old fashioned telephone exchange operations board, somebody has to put a patch wire in the socket for the incoming call from the network to the socket to the local exchange line to the home phone.

This is effectively what you are doing with incoming port forwarding rules (from external port to internal port).

Yes -- on the Internet there are numerous communications protocols but the most basic are TCP and UDP (and also ICMP which is used by ping):

UDP (user datagram protocol) which is non-guaranteed (hence often described as non-reliable) datagram delivery.

TCP (transmission control protocol) which guarantees delivery of data and also guarantees that packets will be delivered in the same order in which they were sent.

For a brief summary take a look at

The difficult part about networking and networking issues is not really the concepts involved (getting packets from host A to host B) but remembering all the terms and what they mean ;+}

By the time you have read, learnt, and inwardly digested all this information you will be able to go around all your friends and neighbors and help them to make sure their routers are configured more securely (use WPA2 and never WEP) ;+) ;+)

Reply to
J G Miller

I'm reading and re-reading what you wrote, and I'm also adjusting my router as I read and reread, but, this seems to be the key sentence that I hadn't realized in the least when this quest was started!

The "port forwarding" is just connecting an internal port on the LAN (i.e., 192.168.1.10:43101) to an external port on the WAN (for example, 1.2.3.4:43101).

I'm also reading the reference you provided, which lead me to this:


So now I see that all requests don't just go to an IP address, but, they all go to an IP address plus a port. If that port is well known (such as port 80, and if I have a "service" running on that port on my laptop) then the router might be able to connect the external request to the right internal laptop & port (which is where the Ubuntu /etc/services file comes into play, I think).

But, there is no "Transmission" (bittorrent) service defined in the /etc/services file, so, I have to tell the router what to do with the incoming requests to my external port 1.2.3.4:43101.

The router will be told to connect that external port 1.2.3.4:43101 to an internal port 192.168.1.10:43101, which is where Transmission will be set to listen for incoming connections.

I'm reading your suggested URL now to make sense of it:


But, one question in the back of my mind is what does the router do to a request without port forwarding to 1.2.3.4:43101. Of course, the router summarily drops that request, but, then, how does ANY traffic get through the router if the router blocks all incoming requests to all ports?

Certainly the router lets in *some* requests from the outside. Otherwise hackers would never get in. Right?

Reply to
Paul M. Cook

On Friday, January 1st, 2016, at 12:23:42h -0500, Paul M. Cook realized:

Yes, yes, yes, this is exactly the case.

In our analogy with the operator and patch cords at the telephone exchange, there is with TCP/IP networking in addition to the telephone number (the IP address) a port number, so it is like somebody has one telephone number but a black phone, a yellow phone, a red phone (for calls to the Kremlin) and only one phone is the right one, so the patch cord has to connect to the specific phone (internal port) as well.

So if the Kremlin red phone calls, one would not want it connected to the yellow phone, but to your internal red phone so that when the conversation starts, one does not make the mistake of asking is that Xi Jinping (because the yellow phone rang) when it is in fact Vladimir Putin calling from his red phone.

Exactly so, but without ensuring that the web server you have running on your laptop is fully secure with proper configuration directives to only allow LAN hosts access to "sensitive" directories where needed, and that you have eliminated any possible SQL or PHP injection inquiry faults, etc, opening up your web server to the Internet is not a sensible thing to do.

Because nobody has registered Transmission as using a particular port. And if they did, then all the ISPs would have to do was block traffic on that port and it would not work properly, so people would then choose random alternative ports as they do now, so going to the trouble of registering a particular port for transmission is pointless ...

Exactly. Exactly.

Hopefully it does what it should do.

If your local host has already established a connection (which would of course be TCP, because UDP is connectionless) with a remote host on 43101, it would allow incoming traffic with that same remote host on that port. If another IP address tried to connect, the router (or rather the iptables or equivalent in the router) would just drop all traffic from that remote host on that port and send it to /dev/null or the bitbucket.

As I have tried to explain above and in the other message, if your local host1 has already initiated and established a connection with a remote host on a particular port, it allows incoming traffic from that same IP address and same port and forwards it to the local host1.

The way hackers can bypass the router security are generally via two routes.

The hacker gets one of its botnet hosts to send you an e-mail with an attachment which you think is just a document but is actually an executable, and when you open it, it runs the executable which installs a program which initiates contact with the botnet, and because it initiated contact, it allows incoming traffic from the botnet on that port.

Alternatively you use Windoze and Internet Explorer and visit a web site with malicious code (perhaps javascript or even java) which Internet Explorer runs and installs software which does the same as above.

The other possible route is that the hacker is able to connect to your router administration interface because you have used a weak password or even not set one different from the factory default and have turned on Internet access to the administration interface, or the router manufacturer stupidly left a backdoor in the firmware, perhaps to allow ISPs to meddle with your router.

The worst ISPs are ones such as Sky in the UKofGB&NI which officially do not allow you to use anything but the router which they supply and which has most administrative functions blocked to the user because the administrator account is locked, and only access to a simple non-privileged interface is provided.

See also how bad uPnP implementations by some networking device companies on some routers can be misused by hackers at

This is of course why you need to keep the firmware updated on your router.

Obviously once a hacker can login to the administrator account on the router, then she/he can open up whatever ports she/he chooses and to connect to machines on your LAN.

A secondary line of defence is to have software firewalls running on each of your machines which will safeguard against this failure, but the problem is for hosts running embedded systems (Smart TVs, Wifi Radios, satellite receivers, internet connected coffee machines and refrigerators etc) for which the manufacturer did not care about LAN security.

What could be worse than coming home to find that crackers have gotten access to your refrigerator/freezer and turned the freezer off so that all your frozen food has melted and started decomposing, when you open the freezer compartment door?

Reply to
J G Miller
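The two rules this thread keeps circling back to, a forwarding entry as a "patch cord" from an external port to an internal host and port (including a port range and the WAN port 80 to LAN port 22 case) and the default that unsolicited incoming traffic is dropped unless a LAN host already opened that flow, as an added toy model that is not code from the thread or from any router. It assumes, as a simplification, that the router keeps the LAN host's source port unchanged on the WAN side rather than rewriting it; the peer addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip address, port)


@dataclass
class ForwardRule:
    """One row of the router's port-forwarding table, with the same five fields
    the thread describes. A range maps position for position: ext_start+k -> int_start+k."""
    ext_start: int
    ext_end: int
    int_start: int
    int_end: int
    internal_ip: str
    protocols: Tuple[str, ...] = ("tcp", "udp")  # Transmission needs both

    def __post_init__(self) -> None:
        if self.ext_end - self.ext_start != self.int_end - self.int_start:
            raise ValueError("external and internal ranges must be the same size")

    def translate(self, proto: str, ext_port: int) -> Optional[Addr]:
        if proto not in self.protocols or not self.ext_start <= ext_port <= self.ext_end:
            return None
        return (self.internal_ip, self.int_start + (ext_port - self.ext_start))


@dataclass
class HomeRouter:
    """Toy model of a SOHO router's WAN-side decision for an incoming packet.
    Assumption: LAN source ports are not rewritten on the WAN side."""
    wan_ip: str
    rules: List[ForwardRule] = field(default_factory=list)
    # flows a LAN host initiated: (proto, remote ip, remote port, lan ip, lan port)
    established: Set[Tuple[str, str, int, str, int]] = field(default_factory=set)

    def outbound(self, proto: str, lan: Addr, remote: Addr) -> None:
        """Outgoing traffic is always allowed; remember the flow so replies get back in."""
        self.established.add((proto, remote[0], remote[1], lan[0], lan[1]))

    def inbound(self, proto: str, src: Addr, dst_port: int) -> Tuple[str, Optional[Addr]]:
        """Fate of a packet from src addressed to wan_ip:dst_port."""
        # 1. Reply belonging to a flow a LAN host already opened with this exact peer.
        for p, rip, rport, lip, lport in self.established:
            if p == proto and (rip, rport) == src and lport == dst_port:
                return ("established", (lip, lport))
        # 2. An explicit forwarding rule (the operator's patch cord) for port and protocol.
        for rule in self.rules:
            target = rule.translate(proto, dst_port)
            if target is not None:
                return ("forwarded", target)
        # 3. Anything else unsolicited from the Internet is dropped.
        return ("dropped", None)


def build_example_router() -> HomeRouter:
    """Router with the thread's rules: Transmission on host1, an rtorrent-style
    range on host2, and WAN port 80 -> LAN port 22 for ssh (tcp only)."""
    return HomeRouter(wan_ip="1.2.3.4", rules=[
        ForwardRule(43101, 43101, 43101, 43101, "192.168.1.10"),
        ForwardRule(49160, 49199, 49160, 49199, "192.168.1.11"),
        ForwardRule(80, 80, 22, 22, "192.168.1.10", protocols=("tcp",)),
    ])


if __name__ == "__main__":
    r = build_example_router()
    peer = ("9.9.9.9", 40000)  # constructed remote p2p client
    print(r.inbound("tcp", peer, 43101))  # forwarded to Transmission on host1
    print(r.inbound("udp", peer, 43101))  # the same rule covers UDP
    print(r.inbound("tcp", peer, 49170))  # inside host2's range, same offset
    print(r.inbound("tcp", peer, 80))     # lands on sshd at port 22
    print(r.inbound("tcp", peer, 22))     # no rule, no flow: dropped
    r.outbound("tcp", ("192.168.1.10", 51000), ("5.6.7.8", 6881))
    print(r.inbound("tcp", ("5.6.7.8", 6881), 51000))  # reply to our own connection
    print(r.inbound("tcp", ("6.6.6.6", 6881), 51000))  # other peer, same port: dropped
```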

I'm still reading and re-reading both your explanation and the helpful links you provided (which, really, tell me how to do almost EVERYTHING I need to do).

I never got the algorithm down to keeping track of which articles I should reply to because my nntp client puts unread articles in bold and read articles not bolded, so, once I read it, I can't find it again in all the other articles.

Anyway, I'm reading and re-reading your references, which are spot on the money!

It's interesting that the article says that Transmission can *only* use port 51413 so I will be using that port, in future messages.


It's strange that the article clearly says Transmission uses only that one port, because the Transmission GUI just as clearly intimates otherwise (by giving you a selection of what Transmission calls the "Listening port"):

Transmission: Edit > Preferences > Network > Listening port = {54689}
Pick a random port every time Transmission is started = yes/no

It's also interesting that the articles have methods for setting a static IP on Windows and consoles, but not Ubuntu:


But, I'll probably set up the Ubuntu static IP address from the router anyway, which you well explained was simply by matching the wlan0 MAC address to force the router DHCP to hand my Ubuntu laptop the same IP address each time.

I didn't know this bit of information that all outgoing ports are allowed, which makes a lot of sense and which will help me understand how *any* traffic gets through the router, since I would have thought that Transmission uploads to other clients from the inside out (but, in reality, Transmission actually apparently uploads to other clients from the outside in!).

Finally this makes sense! I'm not sure how hackers get in, but, what you're saying is that all incoming ports are barred, by default, unless a request first went out from inside the LAN.

Reply to
Paul M. Cook

The analogy of the telephone patch cord is a great one which I hope to remember.

To me, it's like the operator is downstairs in a large bank building with the switchboard in the basement when the call from outside comes in for Mr. Banks.

The operator patches in the call from an external line to the internal line for Mr. Banks' office.

Thanks for that "port forwarding" analogy.

Reply to
Paul M. Cook

This is very interesting that "defining" a port for Transmission would be futile, due, essentially, to human nature.

Thanks for that observation.

Reply to
Paul M. Cook

This makes sense that hackers get in directly from the outside through the admin interface, since the administration interface is open to a connection all the time by default.

It also makes sense that hackers, more often than not, get in by sneaking something onto your system (via email or the web, as you noted), and then, once on the system, whatever malware they gave you can initiate its own communications to the outside.

Reply to
Paul M. Cook
