Date:      Tue, 16 Sep 2014 17:13:34 +0100
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: firewall rules for torrents
Message-ID:  <20140916171334.37f952ee@gumby.homeunix.com>
In-Reply-To: <54184D43.7020201@dreamchaser.org>
References:  <54184D43.7020201@dreamchaser.org>

On Tue, 16 Sep 2014 08:46:27 -0600
Gary Aitken wrote:

> Can someone point me to or fill me in on what's required in the way
> of firewall rules for torrent operation?
> 
> I gather I can configure for a given listening port,

This depends on the client: older and less sophisticated clients use a
separate port for each torrent, and you need to configure a range of
ports.

> and my existing outgoing rules should cover outgoing conversations.

For the most part TCP handling is all the same.

> But it's unclear to me whether or not the protocol is stateful from
> inside the firewall (i.e. "ipfw ... setup keep-state" rules for
> outgoing packets would cover it), or whether the download ports need
> to be opened up because a conversation may be initiated by an
> external peer.

Whether it's stateful or not doesn't depend on whether it's incoming
or outgoing; you can keep state on either or neither. If you don't keep
state you typically pass established TCP traffic early in the script, or
for UDP just have a rule to pass packets both ways.

BitTorrent can be run without incoming connections, but it works better
with them because it allows you to connect with any client and not just
those that are open to incoming connections.

In addition to BitTorrent you probably also need to configure DHT
access. This runs over UDP, and does need to accept incoming packets.
It may share a port with BitTorrent or use a different one.


Don't forget that if you are using a NAT router to connect to the
internet and you want to have incoming connections, the router has to
let them through and send them to the right LAN IP address. Commonly
this is set up by UPnP, but if that's not supported by the client or
router you will have to set up the router manually.
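The rule layout RW describes (outgoing TCP and UDP with keep-state, an open TCP listening port for incoming peers, an open UDP port for DHT, and a stateless alternative), written out as an ipfw script. This is an added example, not code from the thread or from the FreeBSD project. The port numbers (51413 for both the TCP listening port and DHT, 6881-6889 as a legacy per-torrent range), the rule numbers, the LAN client address 192.168.1.10 and the interface name em0 are all assumptions to be replaced with your own; the ipfw(8) syntax itself is standard.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for a BitTorrent client.
# Assumptions: client listens on TCP 51413, DHT/uTP on UDP 51413 (a common
# default, check your client), 6881-6889 is a legacy per-torrent range,
# 192.168.1.10 / em0 are a made-up LAN client address and external interface.

# Set IPFW=echo to print the rules instead of loading them (dry run).
: "${IPFW:=ipfw}"

TORRENT_TCP_PORT="${TORRENT_TCP_PORT:-51413}"      # TCP listening port
DHT_UDP_PORT="${DHT_UDP_PORT:-51413}"              # UDP port for DHT (often the same number)
LEGACY_TCP_RANGE="${LEGACY_TCP_RANGE:-6881-6889}"  # old clients: one port per torrent
LAN_CLIENT_IP="${LAN_CLIENT_IP:-192.168.1.10}"     # assumed; only for the router case
EXT_IF="${EXT_IF:-em0}"                            # assumed; only for the router case

rule() { $IPFW add "$@"; }

# Stateful variant: keep-state on the first packet, check-state passes the rest.
torrent_rules_stateful() {
    rule 100 check-state
    # outgoing peer/tracker connections, the same as any other outgoing TCP/UDP
    rule 200 allow tcp from me to any out setup keep-state
    rule 210 allow udp from me to any out keep-state
    # incoming peer connections to the listening port
    rule 300 allow tcp from any to me "$TORRENT_TCP_PORT" in setup keep-state
    # incoming DHT (and uTP) datagrams: DHT must accept unsolicited packets
    rule 310 allow udp from any to me "$DHT_UDP_PORT" in keep-state
}

# Stateless variant: pass established TCP early, open the UDP port both ways.
torrent_rules_stateless() {
    rule 200 allow tcp from any to any established
    rule 210 allow tcp from me to any out setup
    rule 300 allow tcp from any to me "$TORRENT_TCP_PORT" in setup
    rule 310 allow udp from any to me "$DHT_UDP_PORT" in
    rule 320 allow udp from me "$DHT_UDP_PORT" to any out
}

# Extra rule for clients that use a separate port per torrent.
legacy_range_rule() {
    rule 305 allow tcp from any to me "$LEGACY_TCP_RANGE" in setup keep-state
}

# Only when this FreeBSD box is itself the NAT router: forward the torrent
# ports to the LAN machine running the client (the manual counterpart of UPnP).
# With net.inet.ip.fw.one_pass=1 (the default) a packet leaving nat is accepted
# at once and never reaches the allow rules; set it to 0 if you want them
# consulted for forwarded traffic, and then match "to $LAN_CLIENT_IP" instead
# of "to me" for the incoming rules.
nat_redirect_rules() {
    $IPFW nat 1 config if "$EXT_IF" \
        redirect_port tcp "$LAN_CLIENT_IP:$TORRENT_TCP_PORT" "$TORRENT_TCP_PORT" \
        redirect_port udp "$LAN_CLIENT_IP:$DHT_UDP_PORT" "$DHT_UDP_PORT"
    rule 50 nat 1 ip from any to any via "$EXT_IF"
}

# Usage: IPFW=echo sh torrent-rules.sh stateful   (print the rules)
#        sh torrent-rules.sh stateful             (load them, as root)
case "${1:-}" in
    stateful)  torrent_rules_stateful ;;
    stateless) torrent_rules_stateless ;;
    legacy)    legacy_range_rule ;;
    nat)       nat_redirect_rules ;;
esac
```

Run it with IPFW=echo first and compare the printed rules against `ipfw list` on the box; the rule numbers only matter relative to your existing default deny, which must come after them.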