[ubuntu-uk] Ktorrent, firewall and blocked connections

Wed Mar 28 08:19:34 BST 2007

Tony Arnold wrote:
> Alan,
> 
> alan c wrote:
> 
>> I note that I have FTP allowed in firestarter for outbound on ports 
>> 20-21, but presumably that is not he same ftp function you describe?
> 
> No, the outbound ports you allow will let users of your machine use ftp
> to some remote ftp server and is completely independent of any remote
> user connecting to the ftp server on your machine.
> 
>>> User can run their FTP connection
>> 
>> would this user be my machine or remote machines?
> 
> On remote machines running an ftp client connecting to your ftp server, say.
> 
>>> in passive mode, which does not behave
>>> this but this is not the default, in general.
>>>
>>> I'm not convinced you need an outgoing policy at all unless you want to
>>> restrict users of your system in what they can/cannot do.
>> 
>> I am virtually the only user on my LAN (!) (wife sometimes). The 
>> reason for the outgoing policy is partly general precaution, partly to 
>> become familiar with what is happening, and partly to very 
>> specifically to limit what happens because the machine is left on 24/7 
>> for torrents mostly upload seeding. I dont know how useful the 
>> policies really are, but I am frankly surprised that so many 
>> apparently malware related service names are being (blocked) attempted.
>> 
>> The Blocking stops when ktorrent is closed. Where in the torrent 
>> process is the possible 'FTP' activity being used?
> 
> I was assuming people were trying to use FTP to download stuff from your
> server rather than torrent. The two are quite independent. If you have
> logging turned on for your ftp server (I assume you are running an ftp
> server?) then you could see if this so.
> 
> If you are not running an ftp server, then you don't need the ftp ports
> open on inbound and you can ignore all I've said about ftp clients:-)
> 
> Maybe there is an outgoing connection from your machine as part of the
> torrent process that is getting blocked. I can only imagine that a seed
> would connect to a tracker to let it know of the presence of the files
> you are making available, but I'm not too sure of the process here.
> 
>> I suppose I do not know enough about the torrent process, which does 
>> not help.
> 
> I'm not sure I know enough about it either!
> 
>> If the currently blocked items are not blocked, what will the benefits 
>> or disadvantages be?
> 
>>From a security point of view, the main reason for limiting outbound
> connections is to stop malware that makes it on to a compromised system
> from making outgoing connections and infecting other machines. Given you
> are running Ubuntu and you have some pretty good inbound rules, I think
> this is unlikely.
> 
> Setting outbound rules in my experience is quite tricky due to things
> like ftp and other odd protocols. Normal practise is to just use inbound
> rules unless you have specific reasons to do otherwise.

thanks.
(I don't run an ftp server).
mmm. Since I have reduced the number of peers allowed, the blocking 
indications from the firewall have stopped. One of the torrent faq 
sites mentioned about the allocated ports being at times overloaded. I 
wonder if there were so many peers attempting to use the seed that the 
ports (management) worked differently or badly, so that other ports 
were being sought, tried, and obviously blocked?

I am mystified though about the service names (and associated ports) 
at the time. For example one was Gatecrasher (service name) and this 
was trying to go out on port 6969 and google indicates this is a 
(windows) trojan.
-- 
alan cocks
Kubuntu user#10391