[ubuntu-uk] Ktorrent, firewall and blocked connections

Tony Arnold tony.arnold at manchester.ac.uk
Tue Mar 27 18:07:17 BST 2007


alan c wrote:
> I like to seed open source software, particularly Ubuntu family, from 
> a machine which is mostly set aside just for this.
> I am using Ktorrent in Kubuntu 6.06.1, and Firestarter as a firewall 
> management app. I am no expert so the GUI is very welcome.
> I believe I have set the firewall settings to the minimum for web 
> browsing or torrent use.
> Web browsing, ftp downloads to my machine, and Torrents to and from my 
> machine seem to work ok.
> My Firestarter firewall settings are as follows:
> Outbound traffic Policy:
> Restrictive by default, whitelist traffic
> allowed service, port, who:
> HTTP  80 everyone
> HTTPS 443 everyone
> FTP 20-21
> Bittorrent  6881-688 everyone
> Inbound traffic Policy:
> allowed service, port, who:
> HTTP 80 everyone
> HTTPS 443 everyone
> Bittorrent 6881-6889 everyone
> However, I see that a lot of attempted outward bound connections are 
> 'blocked'. At least, the Source is stated as
> my pc (fixed) IP within my LAN, various port numbers presumably exit 
> ports (?), and various destination IPs, Length is always 44, TOS is 
> 0x00, Protocol is always TCP,

I suspect this is due to FTP. When an FTP client connects to the server,
it negotiates a port for the server to connect back to the client, which
unless your firewall is FTP aware, will get blocked. (I don't think
Firestarter is FTP aware, at least I've not seen anything referring to
it). I believe the port is fairly random and at the top of the range of
port numbers.

Users can run their FTP connection in passive mode, which does not behave
like this, but this is not the default, in general.

I'm not convinced you need an outgoing policy at all unless you want to
restrict users of your system in what they can/cannot do.

Tony Arnold, IT Security Coordinator, University of Manchester,
IT Services Division, Kilburn Building, Oxford Road, Manchester M13 9PL.
T: +44 (0)161 275 6093, F: +44 (0)870 136 1004, M: +44 (0)773 330 0039
E: tony.arnold at manchester.ac.uk, H: http://www.man.ac.uk/Tony.Arnold
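
The active and passive FTP data connections discussed in the reply above, checked against the port whitelists from the quoted post. This is an added example, not part of the original e-mail: the control-channel lines are constructed, and the firewall is assumed to do plain port matching with no FTP connection-tracking helper.

```python
import re

# Firestarter rules from the quoted post. The outbound BitTorrent rule is
# left out: its range is cut off in the post and it does not affect the
# sample ports below. Assumption: pure port whitelisting, no FTP helper.
INBOUND_ALLOWED = [(80, 80), (443, 443), (6881, 6889)]
OUTBOUND_ALLOWED = [(80, 80), (443, 443), (20, 21)]

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def parse_endpoint(line):
    """Extract (ip, port) from an FTP PORT command or a 227 PASV reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in: %r" % line)
    # The data port is sent as two bytes: p1 * 256 + p2.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def allowed(port, rules):
    return any(lo <= port <= hi for lo, hi in rules)

def data_connection(line):
    """Return (direction, dst_port, verdict) for the data connection that
    follows a PORT command (active) or a 227 reply (passive)."""
    _, port = parse_endpoint(line)
    if line.upper().startswith("PORT"):
        # Active: the server dials back to the port the client announced.
        direction, rules = "inbound", INBOUND_ALLOWED
    elif line.startswith("227"):
        # Passive: the client dials out to the port the server announced.
        direction, rules = "outbound", OUTBOUND_ALLOWED
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    return direction, port, "allowed" if allowed(port, rules) else "blocked"

if __name__ == "__main__":
    # Constructed control-channel lines (private/documentation addresses).
    for line in ("PORT 192,168,1,10,195,80",
                 "227 Entering Passive Mode (203,0,113,5,234,96)"):
        print(line, "->", data_connection(line))
```

Under these assumptions the active-mode data connection fails the inbound list, and the passive-mode one is an outbound connection to a high port that the restrictive outbound whitelist does not cover either.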
