IPFW torrent

[Dan Nelson]

In the last episode (Mar 10), Roy Stuivenberg said:
> I can't seem to get my torrent client working, when ipfw is up.
> 
> This rules i use in my script for the torrent client (ktorrent)
> 
> # Sta ktorrent toe naar buiten.
> $cmd 00283 allow tcp from any to any 50427 out via $pif setup keep-state
> $cmd 00284 allow udp from any to any 50427 out via $pif keep-state
> $cmd 00285 allow udp from any to any 50428 out via $pif keep-state
> $cmd 00286 allow udp from any to any 50429 out via $pif keep-state

These rules apply to outgoing traffic to TCP/50427 and UDP/50427-50429 . 
Unless you can guarantee that all your peers are listening on those ports,
those rules aren't going to do much good.  ...  Unless you're applying these
rules on an intermediate router box, and $pif is your "trusted network"
interface, in which case the rules look okay.

A good way to troubleshoot firewall problems is to set the sysctl
net.inet.ip.fw.verbose=1, add "reset log ip from any to any" rule to the
bottom of your list, and run "tail -f /var/log/security" to watch for
blocked packets.
 
> In my router these ports are open too.
> 
> I googled about this issue and found this rule .. but It doesn't look safe
> to me?  Looks like everything is open?
> 
> 520 allow tcp from any to any out keep-state

A rule like this is usually applied to the actual machine running ktorrent,
so any outgoing traffic (and any replies to that traffic) is allowed. 
Alternatively, a rule like this could be applied to an intermediate router:

allow ip from any to any in via $trusted_interface out via $external_interface keep-state

-- 
	Dan Nelson
	dnelson at allantgroup.com