From: RW
To: freebsd-questions@freebsd.org
Date: Tue, 16 Sep 2014 17:13:34 +0100
Subject: Re: firewall rules for torrents
Message-ID: <20140916171334.37f952ee@gumby.homeunix.com>
In-Reply-To: <54184D43.7020201@dreamchaser.org>

On Tue, 16 Sep 2014 08:46:27 -0600 Gary Aitken wrote:

> Can someone point me to or fill me in on what's required in the way
> of firewall rules for torrent operation?
>
> I gather I can configure for a given listening port,

This depends on the client: older and less sophisticated clients use a separate port for each torrent, and you need to configure a range of ports.

> and my existing outgoing rules should cover outgoing conversations.

For the most part TCP handling is all the same.

> But it's unclear to me whether or not the protocol is stateful from
> inside the firewall (i.e. "ipfw ... setup keep-state" rules for
> outgoing packets would cover it), or whether the download ports need
> to be opened up because a conversation may be initiated by an
> external peer.

Whether it's stateful or not doesn't depend on whether it's incoming or outgoing; you can keep-state on either or neither. If you don't keep state you typically pass established TCP traffic early in the script, or for UDP just have a rule to pass packets both ways.

BitTorrent can be run without incoming connections, but it works better with them because it allows you to connect with any client and not just those that are open to incoming connections.

In addition to BitTorrent you probably also need to configure DHT access. This runs over UDP, and does need to accept incoming packets. It may share a port with BitTorrent or use a different one.
Don't forget that if you are using a NAT router to connect to the internet and you want to have incoming connections, the router has to let them through and send them to the right LAN IP address. Commonly this is set up by UPnP, but if that's not supported by the client or router you will have to set up the router manually.
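As an added example, not code from the thread: an sh fragment that emits ipfw rules for the two cases the reply describes, a stateful variant (setup keep-state on outgoing TCP and on the listening range) and a stateless one (established traffic passed early), with UDP passed both ways on the DHT port only. The interface em0, the listening range 6881-6889 and the DHT port 6881 are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules for a BitTorrent client
# running on the firewall host. All values are placeholders: external
# interface em0, TCP listening range 6881-6889, DHT on UDP 6881.
ext_if="em0"
bt_ports="6881-6889"
dht_port="6881"

# Emit rule text so it can be reviewed (or tested) before loading.
# $1 is "stateful" or "stateless", $2 interface, $3 TCP range, $4 DHT port.
bt_rules() {
    _mode="$1"; _if="$2"; _ports="$3"; _dht="$4"
    if [ "$_mode" = stateful ]; then
        # Match dynamic (keep-state) entries before anything else.
        echo "add check-state"
        # Outgoing TCP: the dynamic rule lets the replies back in.
        echo "add allow tcp from me to any out via $_if setup keep-state"
        # Incoming peers, limited to the client's listening range.
        echo "add allow tcp from any to me $_ports in via $_if setup keep-state"
    else
        # Without state, pass established TCP early, then allow the
        # SYNs that start conversations in each direction.
        echo "add allow tcp from any to any established via $_if"
        echo "add allow tcp from me to any out via $_if setup"
        echo "add allow tcp from any to me $_ports in via $_if setup"
    fi
    # DHT is UDP and receives unsolicited datagrams, so pass it both ways
    # on the DHT port only rather than opening UDP in general.
    echo "add allow udp from any to me $_dht in via $_if"
    echo "add allow udp from me $_dht to any out via $_if"
}

# Number of rules a given configuration produces (handy for a sanity check).
count_rules() { bt_rules "$@" | wc -l | tr -d ' '; }

# Load into the running firewall only as root with ipfw present;
# otherwise just print the rules for review.
if [ "$(id -u)" = 0 ] && command -v ipfw >/dev/null 2>&1; then
    bt_rules stateful "$ext_if" "$bt_ports" "$dht_port" | ipfw -q /dev/stdin
else
    bt_rules stateful "$ext_if" "$bt_ports" "$dht_port"
fi
```

If the client sits behind this host on the LAN rather than on it, the "to me" rules become the forwarded address and the NAT port mapping from the last paragraph still has to exist.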