
Review of my home broadband router logs (suspicious activity?)


Paul M. Cook

Dec 22, 2015, 10:53:33 PM
Does this activity found accidentally in my home broadband
wireless router logs seem suspicious to you?

Here is a screenshot of the suspicious log entries:
https://i.imgur.com/iZm1CCq.jpg

When "I" log into my router, I see a line like this:
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15

But, I see the following (suspicious?) activity in my log file:
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 177.206.146.201:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:41:54
[LAN access from remote] from 101.176.44.21:1026 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 181.164.218.29:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 2.133.67.47:11233 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 186.206.138.72:62531 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 148.246.193.87:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:19
[LAN access from remote] from 195.67.252.183:49076 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 1.78.16.174:47891 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31

I don't know what this really means: "LAN access from remote".

Looking at the router wired & wireless list of devices, 192.168.1.5
seems to not be attached at the moment.

But, looking back, I can determine (from the MAC address) that it's
my child's Sony Playstation (which has "UPNP events" whatever they are):
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Tuesday, Dec 22,2015 16:17:47
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
*****************************************************************
Can you advise me whether I should be worried that there are many
LAN accesses from a remote IP address to a kid's Sony Playstation?
*****************************************************************
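
As an added example (not part of the thread), a small Python triage script over router log lines like the ones quoted above: it parses the Netgear-style entries, groups the "LAN access from remote" hits by LAN target, and checks whether that same LAN host issued a "UPnP set event" shortly before the first hit, which is what ties the remote accesses to a port mapping the console requested itself. The sample log is constructed from a subset of the lines above plus one made-up entry (documentation address 198.51.100.7) to a second host that has no UPnP event.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the router log quoted in the post, in the
# newest-first order the router displays, plus unrelated lines the parser
# must skip and one made-up hit on a host that never sent a UPnP event.
SAMPLE_LOG = """\
[Admin login] from source 192.168.1.16, Tuesday, Dec 22,2015 19:16:15
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Tuesday, Dec 22,2015 16:46:15
[DHCP IP: (192.168.1.5)] to MAC address F8:D0:AC:B1:D4:A3, Monday, Dec 21,2015 12:26:18
[LAN access from remote] from 198.51.100.7:40000 to 192.168.1.15:64941, Sunday, Dec 20,2015 10:00:00
[LAN access from remote] from 93.38.179.187:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:42:41
[LAN access from remote] from 178.116.59.223:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 82.237.141.86:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:16
[LAN access from remote] from 107.223.217.54:9000 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:34:11
[LAN access from remote] from 216.98.48.95:11020 to 192.168.1.5:9000, Saturday, Dec 19,2015 06:32:31
[UPnP set event: Public_UPNP_C3] from source 192.168.1.5, Saturday, Dec 19,2015 06:32:28
"""

TS_FMT = "%b %d,%Y %H:%M:%S"   # the router prints e.g. "Dec 19,2015 06:32:28"

REMOTE_RE = re.compile(
    r"^\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+), \w+, (?P<ts>.+)$"
)
UPNP_RE = re.compile(
    r"^\[UPnP set event: [^\]]+\] from source (?P<host>[\d.]+), \w+, (?P<ts>.+)$"
)


def parse_ts(text):
    return datetime.strptime(text, TS_FMT)


def parse(log):
    """Split the log into remote-access hits and UPnP events; ignore the rest."""
    remote, upnp = [], []
    for line in log.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            remote.append({"src": m["src"], "dst": m["dst"],
                           "dport": int(m["dport"]), "ts": parse_ts(m["ts"])})
            continue
        m = UPNP_RE.match(line)
        if m:
            upnp.append({"host": m["host"], "ts": parse_ts(m["ts"])})
    return remote, upnp


def triage(log):
    """Per (LAN host, port): how many hits, from how many distinct remote
    addresses, over what time span, and how long after that host's most
    recent UPnP set event the first hit arrived (None if there was none)."""
    remote, upnp = parse(log)
    by_target = defaultdict(list)
    for hit in remote:
        by_target[(hit["dst"], hit["dport"])].append(hit)

    report = {}
    for (dst, dport), hits in by_target.items():
        hits.sort(key=lambda h: h["ts"])         # log order is newest-first
        first, last = hits[0]["ts"], hits[-1]["ts"]
        prior = [u["ts"] for u in upnp if u["host"] == dst and u["ts"] <= first]
        lag = (first - max(prior)).total_seconds() if prior else None
        report[(dst, dport)] = {
            "hits": len(hits),
            "distinct_sources": len({h["src"] for h in hits}),
            "span_seconds": (last - first).total_seconds(),
            "seconds_after_upnp_event": lag,
        }
    return report


if __name__ == "__main__":
    for target, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{target[0]}:{target[1]}", info)
```

A hit that follows a UPnP set event from the same host by a few seconds is traffic the device asked the router to accept; a hit on a host with no such event is the one worth a closer look.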

Paul M. Cook

Dec 22, 2015, 11:19:41 PM
On Tue, 22 Dec 2015 22:53:30 -0500, Paul M. Cook wrote:

> *****************************************************************
> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************

The IP addresses seem to belong to the following (from a whois):
--------------------------------------------------
inetnum: 93.38.176.0 - 93.38.183.255
netname: FASTWEB-DPPU
descr: Infrastructure for Fastwebs main location
descr: NAT POOL 7 for residential customer POP 4106,
country: IT
--------------------------------------------------
inetnum: 177.204/14
aut-num: AS18881
abuse-c: GOI
owner: Global Village Telecom
country: BR
--------------------------------------------------
inetnum: 101.160.0.0 - 101.191.255.255
netname: TELSTRAINTERNET50-AU
descr: Telstra
descr: Level 12, 242 Exhibition St
descr: Melbourne
descr: VIC 3000
country: AU
--------------------------------------------------
inetnum: 181.164/14
status: allocated
aut-num: N/A
owner: CABLEVISION S.A.
ownerid: AR-CASA10-LACNIC
responsible: Esteban Poggio
address: Aguero, 3440,
address: 1605 - Munro - BA
country: AR
--------------------------------------------------
inetnum: 2.133.64.0 - 2.133.71.255
netname: TALDYKMETRO
descr: JSC Kazakhtelecom, Taldykorgan
descr: Metro Ethernet Network
country: KZ
--------------------------------------------------
inetnum: 186.204/14
aut-num: AS28573
abuse-c: GRSVI
owner: CLARO S.A.
ownerid: 040.432.544/0835-06
responsible: CLARO S.A.
country: BR
--------------------------------------------------
inetnum: 148.246/16
status: allocated
aut-num: N/A
owner: Mexico Red de Telecomunicaciones, S. de R.L. de C.V.
ownerid: MX-MRTS1-LACNIC
responsible: Ana María Solorzano Luna Parra
address: Bosque de Duraznos, 55, PB, Bosques de las Lomas
address: 11700 - Miguel Hidalgo - DF
country: MX
--------------------------------------------------
inetnum: 195.67.224.0 - 195.67.255.255
netname: TELIANET
descr: TeliaSonera AB Networks
descr: ISP
country: SE
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: NTTDoCoMo
descr: NTT DOCOMO,INC.
descr: Sannno Park Tower Bldg.11-1 Nagatacho 2-chome
descr: hiyoda-ku,Tokyo Japan
country: JP
--------------------------------------------------
inetnum: 1.72.0.0 - 1.79.255.255
netname: MAPS
descr: NTT DoCoMo, Inc.
country: JP
--------------------------------------------------
inetnum: 178.116.0.0 - 178.116.255.255
netname: TELENET
descr: Telenet N.V. Residentials
remarks: INFRA-AW
country: BE
--------------------------------------------------
inetnum: 82.237.140.0 - 82.237.143.255
netname: FR-PROXAD-ADSL
descr: Proxad / Free SAS
descr: Static pool (Freebox)
descr: deu95-3 (mours)
descr: NCC#2005090519
country: FR
--------------------------------------------------
NetRange: 107.192.0.0 - 107.223.255.255
NetName: SIS-80-4-2012
NetHandle: NET-107-192-0-0-1
Parent: NET107 (NET-107-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS7132
Organization: AT&T Internet Services (SIS-80)
City: Richardson
StateProv: TX
--------------------------------------------------
NetRange: 216.98.48.0 - 216.98.63.255
CIDR: 216.98.48.0/20
NetName: UBICOM
NetHandle: NET-216-98-48-0-1
Parent: NET216 (NET-216-0-0-0-0)
NetType: Direct Assignment
OriginAS:
Organization: Ubisoft Entertainment (UBISOF-2)
--------------------------------------------------

Bert

Dec 23, 2015, 10:17:22 AM
In news:a4fa0$567a1aba$17f03b0b$24...@nntpswitch.blueworldhosting.com
"Paul M. Cook" <pmc...@gte.net> wrote:

> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?

I'm not a gamer, never even seen a Playstation, let alone used or
configured one.

But, don't many of the games have multi-user, across the Internet, modes
of play?

If you're concerned, and if your router has the capability, you could
block inbound UPnP traffic from outside your home LAN.

Why is alt.os.linux included in this discussion?

--
be...@iphouse.com St. Paul, MN

Paul M. Cook

Dec 23, 2015, 11:18:36 AM
On Wed, 23 Dec 2015 15:14:46 +0000, Bert wrote:

> Why is alt.os.linux included in this discussion?

They know more about security than anyone, and, the machine
that could be connected is Linux (as are Windows, iOS, and
Android - but Linux people are often smarter than the others).

Besides, there is no router group that I can find.

J G Miller

Dec 23, 2015, 11:55:57 AM
On Tuesday, December 22nd, 2015, at 22:53:30h -0500, Paul M. Cook reported:

> But, looking back, I can determine (from the MAC address) that it's
> my child's Sony Playstation

Is your child playing any of the following games with other players
out on the Internet?

From <http://www.speedguide.NET/port.php?port=9000>

QUOTE

Games that use this port:
Port 9000 is used by the EverQuest World server.
Dungeons & Dragons Online uses ports 9000-9010 (TCP/UDP)
Lord of the Rings Online uses ports 9000-9010

UNQUOTE

> *****************************************************************
> Can you advise me whether I should be worried that there are many
> LAN accesses from a remote IP address to a kid's Sony Playstation?
> *****************************************************************

Only if your child is NOT authorized (preferably in writing) to not
play games in Internet mode.

Do you really want your child to be potentially radicalized by
foreigners in foreign countries who have not been vetted by dedicated
patriots?

--

"dedicated patriots working around the clock all around
the country to protect us all."
-- President Obama on Thursday, December 17th, 2015

Paul M. Cook

Dec 23, 2015, 12:33:15 PM
On Wed, 23 Dec 2015 16:53:20 +0000, J G Miller wrote:

> Is your child playing any of the following games with other players
> out on the Internet?

Not those, but one of the "attackers" was "Ubisoft Entertainment"
which does make the "Assassin's Creed" game he plays a lot.

I told him to play games (which he's doing now, without much more
prompting from me) where I just noticed an older "Smurf" attack:
https://i.imgur.com/0WHiS9A.jpg
Which shows up as this error:
[DoS attack: Smurf] attack packets in last 20 sec from ip
[114.254.105.255], Sunday, Dec 20,2015 04:02:28

But, I don't see any more of those original attacks into port
9000. But I'll keep watching the log.

Jeff Liebermann

Dec 23, 2015, 1:11:50 PM
On Wed, 23 Dec 2015 11:18:33 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

Perhaps you might explain why you also posted the same question to:
alt.home.repair and sci.electronics.repair?


--
Jeff Liebermann je...@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

J G Miller

Dec 23, 2015, 1:42:26 PM
On Wednesday, December 23rd, 2015, at 12:33:13h -0500,
Paul M. Cook wrote:

> Not those, but one of the "attackers" was "Ubisoft Entertainment"
> which does make the "Assassin's Creed" game he plays a lot.

Well if you looked further down the page at the link I provided,
you would have seen quite a few more games, although I do not
see "Assassin's Creed".

You will also see on that page that there are quite a few
exploits/trojans being used for this port.

If the port is needed to be opened for this game and for Internet
playing, it would be wise to ensure that your router only forwards
traffic on this port to the IP address assigned to the Playstation.

If somebody has come up with a crack to gain access via 9000 to the
Playstation then you will need to update the latest firmware with
a fix for the crack.

Having uPnP enabled on your router is rather dangerous unless you
have secured all the hosts, which includes devices, not just computers,
eg your ethernet connected refrigerator, your WiFi connected coffee
machine, on your LAN.

Crackers have easily been able, thanks to lax security by people
who just buy and connect these things, to monitor conversations
and/or view household rooms, by accessing baby-monitoring-web-cams.

The first rule of Internet security is deny access to all, and only
open up specific ports as necessary, preferably (but not always
possible) limited to specific incoming IP ranges, and always forwarded
towards specific single local host IPs.

David W. Hodgins

Dec 23, 2015, 1:53:31 PM
http://www.gnucitizen.org/blog/hacking-the-interwebs/

The upnp "feature" is broken by design. It should be turned off
in all routers.

Regards, Dave Hodgins

--
Change dwho...@nomail.afraid.org to davidw...@teksavvy.com for
email replies.

Paul M. Cook

Dec 23, 2015, 3:12:24 PM
On Wed, 23 Dec 2015 11:38:12 -0500, David W. Hodgins wrote:

> The upnp "feature" is broken by design. It should be turned off
> in all routers.

I have always been very confused by UPNP.

If it's not useful, then why do all routers default to having it on?

Does anything *need* it?

Specifically does a playstation or Ooma or Skype or whatever need upnp?

Paul M. Cook

Dec 23, 2015, 3:12:55 PM
On Wed, 23 Dec 2015 10:11:56 -0800, Jeff Liebermann wrote:

> Perhaps you might explain why you also posted the same question to:
> alt.home.repair and sci.electronics.repair?

The news server doesn't allow certain newsgroups to be xposted.

Paul M. Cook

Dec 23, 2015, 3:24:49 PM
On Wed, 23 Dec 2015 18:39:50 +0000, J G Miller wrote:

> Having uPnP enabled on your router is rather dangerous unless you
> have secured all the hosts, which includes devices, not just computers,
> eg your ethernet connected refrigerator, your WiFi connected coffee
> machine, on your LAN.

I looked at my router UPNP settings, and it looks like there are a few
ports that are reporting something. But what are they reporting here?
https://i.imgur.com/YDR7kWO.jpg

Active  Protocol  Int. Port  Ext. Port  IP Address
YES     UDP       9000       9000       192.168.1.5
YES     UDP       2550       2550       192.168.1.12
YES     TCP       2550       2550       192.168.1.12
YES     UDP       64941      64941      192.168.1.15

192.168.1.5 is the Sony Playstation.
192.168.1.12 is an Android cellphone
192.168.1.15 is a Windows PC

What is this UPNP report page actually trying to tell me?
If I turn off UPNP from the router, what bad things happen?

J G Miller

Dec 23, 2015, 4:19:25 PM
On Wednesday, December 23rd, 2015, at 15:24:47h -0500,
Paul M. Cook wrote:

> What is this UPNP report page actually trying to tell me?

It is telling you that uPnP is active on your router and that
your router has used the uPnP method of automatically connecting
your playstation port 9000 (just UDP) to the router's incoming/outgoing
port 9000, and similarly for your Android cellphone for
2550 (both TCP and UDP), and your PC for 64941 (just UDP).

Port 2550 may be related to Active Directory Authentication.

> If I turn off UPNP from the router, what bad things happen?

Without manually setting up the appropriate port forwarding, the
services which use these ports may have problems talking to
whoever on the Internet.

The usual way port opening on a router is set up, is that if a local
host, on the LAN side of the router, initiates a connection to an
external site on a particular port, then that port stays open in order
to get the remote response.

If a remote site, on the WAN side of the router, initiates a connection
on a port which the router has not opened due to a host trying
to talk outbound, then that port stays closed and the incoming
message is not received.

The two most important things with respect to your router are these:

(1) Always set a strong password for Admin and unless it is absolutely
needed, turn off external administrative access, which has been
the most common way that routers have been compromised.

(2) Regularly check that you have the latest firmware installed to
ensure that bugs and security holes (which the manufacturer of
the router cares to do something about) get fixed.

With regard to enabling uPnP, have a read of this article to see
why uPnP enabled is risky, and check to see if your router is affected
(certain Netgear models did have a real vulnerability in the past).

<https://threatpost.COM/upnp-trouble-puts-devices-behind-firewall-at-risk/114493/>

Also take a look at

<http://www.tomsguide.com/us/home-router-security,news-19245.html>

And if you want to run an external test, you can use the GRC uPnP test at

<https://www.grc.com/su/upnp-rejected.htm>

Be sure to click on the red "do real test" though.

Jeff Liebermann

Dec 23, 2015, 7:48:16 PM
On Wed, 23 Dec 2015 15:12:54 -0500, "Paul M. Cook" <pmc...@gte.net>
wrote:

That's something new. Usually the usenet news server software limits
the number of newsgroups that can be crossposted. Anything posted to
over about 5 groups is usually considered spam. Unless someone has
rewritten INN (again), I don't know of any way to limit cross posting
by specific newsgroups.

This may also explain why you're being restricted:
<http://blueworldhosting.com>
"I am recovering from a major server failure. Please
contact me at jesse....@gmail.com until things are
back online."

Good luck.

David W. Hodgins

Dec 23, 2015, 8:36:34 PM
On Wed, 23 Dec 2015 15:12:22 -0500, Paul M. Cook <pmc...@gte.net> wrote:

> I have always been very confused by UPNP.
> If it's not useful, then why do all routers default to having it on?

It would be useful if it didn't open up security holes.

> Does anything *need* it?
> Specifically does a playstation or Ooma or Skype or whatever need upnp?

It makes things easier, as you have to learn how to manually open
needed ports, and configure security within the router and the lan.
It's enabled as a marketing feature. The designers of upnp either
didn't understand the security implications, or didn't care, and it
became a standard feature of most routers, with consumers expecting
it.

There are multiple ways upnp opens up security attacks. Some only affect
certain routers, while others affect any router that has upnp enabled.

For some of the attacks, run a search on "upnp soap attack", without
the quotes.

The basic concept of most of the attacks, is going to a web site
that's been hacked, or is intentionally sending html code to your
browser causing the browser to send a soap attack back to the
router (without any intervention by you), so it's being attacked from
inside the lan, as far as the router can tell. Both the router, and
the browser are working as designed, but the concept is bad. Changing
the router admin password will block some of the attacks, but not all
of them.

David W. Hodgins

Dec 23, 2015, 8:36:34 PM
You'll have to manually go into the router configuration screen,
(have to anyway, to turn off upnp), and open up those ports.

Having those ports open isn't necessarily a bad thing, but it
should be something you control, not websites you visit. I'd
check to see what is listening to udp port 64941. It's not a
standard port, though it may be used for skype incoming calls,
or other applications that do need an open incoming port.

Paul M. Cook

Dec 23, 2015, 11:24:25 PM
On Wed, 23 Dec 2015 19:01:03 -0500, David W. Hodgins wrote:

> You'll have to manually go into the router configuration screen,
> (have to anyway, to turn off upnp), and open up those ports.
>
> Having those ports open isn't necessarily a bad thing, but it
> should be something you control, not websites you visit. I'd
> check to see what is listening to udp port 64941. It's not a
> standard port, though it may be used for skype incoming calls,
> or other applications that do need an open incoming port.

I googled what upnp was, but understanding upnp requires already
understanding port forwarding, so I googled that. Please correct
where I err - but here is my summary of what I understood from
googling both port forwarding and UPNP.

Apparently port forwarding is a way that the Internet can get to
a device on your system by typing your external ip address and
then a port number (e.g., 123.123.123.123:64941).

Somehow, that *knows* to go to a particular device on your LAN.

In order for *that* to work, you need to do something that they
call *port forwarding* on your router, which points to the internal
IP address of the device on your network that you want connected
to the Internet.

So, once you "open" that port by "forwarding" it, when someone
on the Internet goes to your IP address and that port, your router
forwards the connection to a particular local 192.168.1.x IP
address on your system that you had set up in the router.

Having said that, port forwarding is basically opening up a *hole*
in your router, that allows someone from the Internet to get to
a specific device on your system just by typing your IP address
and that port that you had forwarded in your router setup.

Now if that's all correct, then UPNP is simply *automatically*
opening up *that hole*.

I'm not sure *what* causes that automatic opening of the hole,
but, if you don't turn off UPNP, then something from the Internet
can somehow open up that hole to a device on your local LAN
that has a 192.168.1.x address via whatever port it wants.

If that understanding above is correct, then UPNP is absolutely
evil.

So I have it turned off now.
I don't know what will break though.

Paul M. Cook

Dec 23, 2015, 11:42:09 PM
On Wed, 23 Dec 2015 18:52:54 -0500, David W. Hodgins wrote:

> It's enabled as a marketing feature. The designers of upnp either
> didn't understand the security implications, or didn't care, and it
> became a standard feature of most routers, with consumers expecting
> it.

I googled this UPNP thing and I found out that it's absolutely evil.

Apparently "corporate" routers have it turned off, by default; but
home broadband routers have it turned on by default. Go figure.

Anyway, I couldn't understand UPNP until I looked up port forwarding.

Correct me if I'm wrong, but, let's say your external IP address is
1.2.3.4 but that you have a Playstation on 192.168.1.2 behind your
router. And say that you want port 12345 on your playstation to
"do something" (I'm not sure what).

From what I can gather, port forwarding is the act of you purposefully
going into your router and setting the router up so that if anyone on
the Internet goes to your IP address (1.2.3.4) and that port (12345),
I guess by typing "1.2.3.4:12345", then your router will connect
that person on the Internet to your playstation at 192.168.1.2:12345
as far as I can tell (even if you have a dozen other machines on your
local LAN).

That is, port forwarding seems to be the act of opening up a specific
*hole* in your router firewall to a specific machine inside your
local network.

The port forwarding action somehow allows someone from the Internet
to specify a certain machine and port on your local LAN simply by
specifying your external IP address and a particular port:
1.2.3.4:12345 ---> is forwarded to ---> 192.168.1.2:12345

If that's correct, then UPNP is merely the act of doing all that
totally automatically (as far as I can tell).

I'm not sure *how* that's done, but, that's what I understood from
reading about port forwarding and UPNP.

So, I just turned *off* UPNP on my router.

I have no idea what that will do to whatever was being port forwarded
before, which is this list below:

Active  Protocol  Int. Port  Ext. Port  IP Address
YES     UDP       9000       9000       192.168.1.5   (Sony Playstation)
YES     UDP       2550       2550       192.168.1.12  (Android cellphone)
YES     TCP       2550       2550       192.168.1.12  (Android cellphone)
YES     UDP       64941      64941      192.168.1.15  (Windows PC)

Did I get the description of Port Forwarding & UPNP correct yet?
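
As an added example (not from the thread), a small Python model of the router behaviour J G Miller described earlier (replies to LAN-initiated connections get in, unsolicited inbound traffic is dropped unless a rule forwards it) combined with the port-forwarding summary in this post: forwarding rules are either typed in by the admin or requested by a LAN device over UPnP, and turning UPnP off removes the latter. The `Router` class, the port-preserving NAT simplification and the remote addresses 203.0.113.10 (documentation range) are my constructions; the mapping table is the one from this thread.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Mapping:
    proto: str      # "tcp" or "udp"
    ext_port: int   # port on the router's WAN address
    host: str       # LAN host the traffic is forwarded to
    int_port: int   # port on that host
    origin: str     # "static" (admin typed it in) or "upnp" (a LAN device asked for it)


@dataclass
class Router:
    upnp_enabled: bool = True
    mappings: set = field(default_factory=set)
    # Connections a LAN host opened itself: (proto, lan_host, lan_port, remote_ip, remote_port).
    # Simplification: port-preserving NAT, the host's port is reused as the WAN port.
    flows: set = field(default_factory=set)

    def add_static_forward(self, proto, ext_port, host, int_port):
        """Port forwarding configured by hand on the router's admin page."""
        self.mappings.add(Mapping(proto, ext_port, host, int_port, "static"))

    def upnp_add_mapping(self, proto, ext_port, host, int_port):
        """A console, phone or torrent client asking for the same rule
        automatically. Refused once UPnP is switched off."""
        if not self.upnp_enabled:
            return False
        self.mappings.add(Mapping(proto, ext_port, host, int_port, "upnp"))
        return True

    def disable_upnp(self):
        """Turning UPnP off: no new requests, and UPnP-made rules go away
        (a real router may keep them until it is rebooted, as noted in the thread)."""
        self.upnp_enabled = False
        self.mappings = {m for m in self.mappings if m.origin != "upnp"}

    def outbound(self, proto, lan_host, lan_port, remote_ip, remote_port):
        """A LAN host talks to the Internet; the router remembers the flow."""
        self.flows.add((proto, lan_host, lan_port, remote_ip, remote_port))

    def inbound(self, proto, remote_ip, remote_port, wan_port):
        """Decide what happens to a packet arriving on the WAN side.
        Returns (verdict, lan_host, lan_port)."""
        for m in self.mappings:
            if m.proto == proto and m.ext_port == wan_port:
                return ("forward", m.host, m.int_port)   # logged as "LAN access from remote"
        for p, host, port, rip, rport in self.flows:
            if p == proto and port == wan_port and rip == remote_ip and rport == remote_port:
                return ("reply", host, port)            # answer to a connection a LAN host started
        return ("drop", None, None)                     # unsolicited and no rule: discarded


def router_from_thread():
    """Router holding the UPnP table shown above: 9000/udp -> Playstation,
    2550/tcp+udp -> Android phone, 64941/udp -> Windows PC."""
    r = Router()
    r.upnp_add_mapping("udp", 9000, "192.168.1.5", 9000)
    r.upnp_add_mapping("udp", 2550, "192.168.1.12", 2550)
    r.upnp_add_mapping("tcp", 2550, "192.168.1.12", 2550)
    r.upnp_add_mapping("udp", 64941, "192.168.1.15", 64941)
    return r


def walk_through():
    """Replay the thread's scenario; returns each verdict for inspection."""
    r = router_from_thread()
    out = {}
    # The logged entry: a remote peer hitting WAN port 9000/udp reaches the console.
    out["peer_udp_9000"] = r.inbound("udp", "93.38.179.187", 9000, 9000)
    # Same port over TCP: the rule is UDP-only, so nothing is forwarded.
    out["peer_tcp_9000"] = r.inbound("tcp", "93.38.179.187", 9000, 9000)
    # A LAN PC browsing out; the reply comes back in without any rule.
    r.outbound("tcp", "192.168.1.16", 51000, "203.0.113.10", 443)
    out["web_reply"] = r.inbound("tcp", "203.0.113.10", 443, 51000)
    # An unsolicited packet to a port nobody opened.
    out["probe_22"] = r.inbound("tcp", "203.0.113.10", 40000, 22)
    # Admin turns UPnP off: the console's rule disappears and cannot be re-added...
    r.disable_upnp()
    out["peer_udp_9000_after"] = r.inbound("udp", "93.38.179.187", 9000, 9000)
    out["upnp_readd"] = r.upnp_add_mapping("udp", 9000, "192.168.1.5", 9000)
    # ...until the admin forwards that one port to that one host by hand.
    r.add_static_forward("udp", 9000, "192.168.1.5", 9000)
    out["peer_udp_9000_static"] = r.inbound("udp", "93.38.179.187", 9000, 9000)
    return out


if __name__ == "__main__":
    for step, verdict in walk_through().items():
        print(f"{step:22s} -> {verdict}")
```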

William Unruh

Dec 24, 2015, 12:06:10 AM
On 2015-12-24, Paul M. Cook <pmc...@gte.net> wrote:
> On Wed, 23 Dec 2015 18:52:54 -0500, David W. Hodgins wrote:
>
>> It's enabled as a marketing feature. The designers of upnp either
>> didn't understand the security implications, or didn't care, and it
>> became a standard feature of most routers, with consumers expecting
>> it.
>
> I googled this UPNP thing and I found out that it's absolutely evil.

Well, no. If it is restricted to your home network, then it allows your
computer to find the network printer without you having to go through a
bunch of setup. (or for your computer to find your refrigerator, so when
it needs a snack it can get one without it having to be explicitly set
up). If it automatically opens ports to the outside world that is a bit
dangerous.


>
> Apparently "corporate" routers have it turned off, by default; but
> home broadband routers have it turned on by default. Go figure.
>
> Anyway, I couldn't understand UPNP until I looked up port forwarding.
>
> Correct me if I'm wrong, but, let's say your external IP address is
> 1.2.3.4 but that you have a Playstation on 192.168.1.2 behind your
> router. And say that you want port 12345 on your playstation to
> "do something" (I'm not sure what).
>
> From what I can gather, port forwarding is the act of you purposefully
> going into your router and setting the router up so that if anyone on
> the Internet goes to your IP address (1.2.3.4) and that port (12345),
> I guess by typing "1.2.3.4:12345", then your router will connect
> that person on the Internet to your playstation at 192.168.1.2:12345
> as far as I can tell (even if you have a dozen other machines on your
> local LAN).

More likely, for example, a connection to 1.2.3.4:25 (the standard email port)
would be forwarded to 192.168.1.2:25, or similarly for ssh.

>
> That is, port forwarding seems to be the act of opening up a specific
> *hole* in your router firewall to a specific machine inside your
> local network.

Usually only specific ports.

David W. Hodgins

Dec 24, 2015, 12:17:02 AM
On Wed, 23 Dec 2015 23:42:08 -0500, Paul M. Cook <pmc...@gte.net> wrote:

> Did I get the description of Port Forwarding & UPNP correct yet?

Yes. It is useful to open a port and forward it to a specific computer
within the lan, for example to allow skype to receive incoming calls.
That should be decided and manually configured by the system admin.

The main problem with upnp, is that, while it makes it easier for
people who don't understand how a router works to get things like
skype working, it opens the hole where a malicious website can get
a browser to send the request to the router, to open whatever port
the malicious site wants. For example, ftp. People within a lan may
want to have an ftp server running, with no password required, as
it's only intended to be used by people within the lan. By having
upnp turned on, the malicious site would be able to get access.
There are a lot of other ports that should not be opened to the
general internet, without proper security configurations.

If you have one computer running ftp, sure go ahead and open port
22, and forward it to the appropriate computer, if that's what
you want to do. With upnp, you no longer have complete control
of what's open.

David W. Hodgins

Dec 24, 2015, 12:33:27 AM
On Thu, 24 Dec 2015 00:03:33 -0500, William Unruh <un...@invalid.ca> wrote:

> Well, no. If it is restricted to your home network, then it allows your
> computer to find the network printer without you having to go through a
> bunch of setup. (or for your computer to find your refrigerator, so when
> it needs a snack it can get one without it having to be explicitly set
> up). If it automatically opens ports to the outside world that is a bit
> dangerous.

If you mean ensuring that the router does not have access to the internet,
that would work, keeping in mind the computer would have to use a
second nic and router for its internet access, with upnp disabled,
assuming internet access is wanted for it.

Regards. Dave Hodgins

Jasen Betts

Dec 24, 2015, 4:00:57 AM
On 2015-12-24, William Unruh <un...@invalid.ca> wrote:
> On 2015-12-24, Paul M. Cook <pmc...@gte.net> wrote:
>> On Wed, 23 Dec 2015 18:52:54 -0500, David W. Hodgins wrote:
>>
>>> It's enabled as a marketing feature. The designers of upnp either
>>> didn't understand the security implications, or didn't care, and it
>>> became a standard feature of most routers, with consumers expecting
>>> it.
>>
>> I googled this UPNP thing and I found out that it's absolutely evil.

> Well, no. If it is restricted to your home network, then it allows your
> computer to find the network printer without you having to go through a
> bunch of setup.

That's "zeroconf" or "avahi"

> (or for your computer to find your refrigerator, so when
> it needs a snack it can get one without it having to be explicitly set
> up). If it automatically opens ports to the outside world that is a bit
> dangerous.

"upnp" is about messing with the router. it's used by peer-to-peer
services including "windows update" and (historically) "skype", to
turn your pc into a server.

--
\_(ツ)_

Markus Grob

Dec 25, 2015, 6:26:53 AM
Paul M. Cook wrote:

> Now if that's all correct, then UPNP is simply *automatically*
> opening up *that hole*.

Yes.


> I'm not sure *what* causes that automatic opening of the hole,

Any software can use it to open any port. That's the problem. If you
use "good" software, only necessary ports will be opened, without risk.


> but, if you don't turn off UPNP, then something from the Internet
> can somehow open up that hole to a device on your local LAN
> that has a 192.168.1.x address via whatever port it wants.

This is the problem. With a special attack, the router can be used with
upnp to open ports which should never be opened for access from the
internet.


> If that understanding above is correct, then UPNP is absolutely
> evil.

I don't think so, but at the moment, it is bad by design, if I have
understood the discussion right.


> So I have it turned off now.
> I don't know what will break though.

If the ports will stay open, nothing. If not, you have to open these
ports manually for playing on the internet or for using software which needs
your computer as a server and not only as a client.

Sincerely, Markus

William Unruh

Dec 25, 2015, 11:03:24 AM
On 2015-12-25, Markus Grob <sno...@ilnet.ch> wrote:
> Paul M. Cook wrote:
>
>> Now if that's all correct, then UPNP is simply *automatically*
>> opening up *that hole*.
>
> Yes.
>
>
>> I'm not sure *what* causes that automatic opening of the hole,
>
> Any software can use it to open any port. That's the problem. If you
> use "good" software, only necessary ports will be opened, without risk.

I presume you mean software on your machine with root privileges can open any port on your
machine and ask the router to port forward to that port.

>
>
>> but, if you don't turn off UPNP, then something from the Internet
>> can somehow open up that hole to a device on your local LAN
>> that has a 192.168.1.x address via whatever port it wants.
>
> This is the problem. With a special attack, the router can be used with
> upnp to open ports which should never be opened for access from the
> internet.

Sorry, what does "with special attack" mean? I suspect it means that if
there is a bug in the upnp software on the router, then outside software
can tell the router to port forward to your computer. I do not see how
your computer will open up ports just because the router asked it to.

Markus Grob

Dec 27, 2015, 6:37:21 AM
William Unruh wrote:

>> This is the problem. With a special attack, the router can be used with
>> upnp to open ports which should never be opened for access from the
>> internet.
>
> Sorry, what does "with special attack" mean? I suspect it means that if
> there is a bug in the upnp software on the router, then outside software
> can tell the router to port forward to your computer. I do not see how
> your computer will open up ports just because the router asked it to.

Yes. I meant this. I think about "open" printers, which normally are not
open to the internet?

Sincerely, Markus

Paul M. Cook

Dec 28, 2015, 6:20:21 PM
On Wed, 23 Dec 2015 21:16:49 +0000, J G Miller wrote:

>> If I turn off UPNP from the router, what bad things happen?
>
> Without manually setting up the appropriate port forwarding, the
> services which use these ports may have problems talking to
> whoever on the Internet.

The strange thing is that I turned off UPNP inside my Netgear router:
https://i.imgur.com/mpPCvqO.jpg

But, nobody in the household has reported anything adverse going on.

The kids have been playing multi-user games on the playstation, and
they still seem to work. Likewise, a bittorrent was tested, which
also worked, despite the fact that the preferences in transmission
say to use UPnP port forwarding in the router.

Looking into my "transmission" bittorrent preferences, I see this:
https://i.imgur.com/16ePujM.jpg

Which says:
[x]Use UPnP or NAT-PMP port forwarding from my router

Should I turn that checkbox off in the "transmission" bittorrent
app now that I have turned off UPnP inside my router?

David W. Hodgins

Dec 28, 2015, 7:39:55 PM12/28/15
On Mon, 28 Dec 2015 18:20:18 -0500, Paul M. Cook <pmc...@gte.net> wrote:

> Should I turn that checkbox off in the "transmission" bittorrent
> app now that I have turned off UPnP inside my router?

bittorrent will still work, even if the incoming port is not reachable,
but as a "leecher" it will be much slower.

Click on the Test icon to see what it shows. I expect that port should
be opened in the router, and forwarded to the computer running bittorrent.

Regards, Dave Hodgins

J G Miller

Dec 28, 2015, 7:40:50 PM12/28/15
On Mon, 28 Dec 2015 18:20:18 -0500, Paul M. Cook wrote:

> The strange thing is that I turned off UPNP inside my Netgear router:
> https://i.imgur.com/mpPCvqO.jpg
>
> But, nobody in the household has reported anything adverse going on.

But have you rebooted the router since making that change?

If not, then the appropriate ports would likely remain open or at least
stay in the configuration as being directed towards the appropriate host.

> Should I turn that checkbox off in the "transmission" bittorrent
> app now that I have turned off UPnP inside my router?

It probably does not matter if it is turned on in transmission but
turned off on the router, but you can turn it off to align with the
fact that it is turned off on the router.

The best way to deal with transmission (and other applications which
need a port or range of ports open eg SIP phones) is in its configuration
assign a unique port (not used by anything else of course) on each
machine eg 45340 for machine 1, 45341 for machine 2, and then on the router
set up rules to forward port 45341 to machine 1, 45342 to machine 2, etc.

Incidentally if you do have uPnP turned on on the router, fire up

upnp-router-control

from package upnp-router-control and you will quickly see that anybody
on the LAN side can get information from the router and also do some
configuration of ports, perhaps bypassing parental security.

To get an overview of all uPnP traffic on your LAN, fire up

gupnp-universal-cp

from gupnp-tools and you may get a surprise at how much network traffic,
not absolute size but just activity and what you can see on each device,
if you do have some other uPnP/DLNA devices (eg Smart TV) powered up
and connected to your LAN. uPnP/DLNA is a broadcast protocol so every
so often (interval is often set to 15 minutes) they start shouting at
everything else which may be listening.

Paul M. Cook

Dec 29, 2015, 11:44:20 AM12/29/15
On Mon, 28 Dec 2015 18:26:58 -0500, David W. Hodgins wrote:

> bittorrent will still work, even if the incoming port is not reachable,
> but as a "leecher" it will be much slower.
>
> Click on the Test icon to see what it shows. I expect that port should
> be opened in the router, and forwarded to the computer running bittorrent.

Thanks David for that suggestion.

Looking into my "transmission" bittorrent preferences, I see this:
https://i.imgur.com/16ePujM.jpg
Which says:
[x]Use UPnP or NAT-PMP port forwarding from my router

Looking at transmission bittorrent settings, I see this:
https://i.imgur.com/e2mrPEt.gif
Which says:
[x]Use UPnP or NAT-PMP port forwarding from my router

Looking at the transmission bittorrent log file, I saw many errors:
https://i.imgur.com/T3T2HKw.gif
So, I first fixed (at least) these two (unrelated) errors:
Please add the line "Net.core.rmem_max = 419304" to /etc/sysctl.conf
Please add the line "Net.core.wmem_max = 1048576" to /etc/sysctl.conf

By adding these two lines to the /etc/sysctl.conf file:
net.core.rmem_max = 16777216
net.core.wmem_max = 4194304
And then running the sysctl "-p" and restarting transmission:
$ sysctl -p

Then I get these UPnP messages which I don't know what to make of:
https://i.imgur.com/sI3grMU.gif
Which say this:
Port Forwarding (NAT-PMP) initnatpmp succeeded (0)
Port Forwarding (UPnP) UPNP_GetValidIGD failed (errno 0 - Success)
Port Forwarding (UPnP) If your router supports UPnP, please make sure UPnP is enabled!
Port Forwarding State changed from "Not forwarded" to "Starting"

Yet, inexplicably, looking at my router, there is no port forwarding!
https://i.imgur.com/OF67IYw.gif

When I hit the suggested "Test" button in Transmission, I get:
Testing TCP Port...
Port is Closed

Is that what you expected? (I'm not sure what I'm testing.)

Does any of this make sense to you?
What else do you suggest I change?

Paul M. Cook

Dec 29, 2015, 12:03:58 PM12/29/15
On Tue, 29 Dec 2015 00:38:12 +0000, J G Miller wrote:

> Incidentally if you do have uPnP turned on on the router, fire up
> upnp-router-control
> To get an overview of all uPnP traffic on your LAN, fire up
> gupnp-universal-cp

Interestingly, even with UPNP turned off on my Netgear router, it found
stuff on my Linksys router, which is wired as an extender, which I had
totally forgotten about.

The linksys probably has UPNP turned on, and the playstation is actually
hooked to that extender (since it's in the play room far from the main
router).

I'm still looking at the output, but here is what I did:
$ sudo apt-get install upnp-router-control
$ upnp-router-control
This brought up a GUI, which showed my Linksys wired extender was
doing something...but I still need to look more at what it's trying
to tell me.

$ gupnp-universal-cp
The program 'gupnp-universal-cp' is currently not installed.
You can install it by typing:
sudo apt-get install gupnp-tools
$ sudo apt-get install gupnp-tools
$ gupnp-universal-cp
This also brought up a GUI, which I am looking at the output of
to figure out what it's telling me.

J G Miller

Dec 29, 2015, 3:44:36 PM12/29/15
On Tuesday, December 29th, 2015, at 12:03:57h -0500,
Paul M. Cook reported:

> $ upnp-router-control
> This brought up a GUI, which showed my Linksys wired extender was
> doing something...but I still need to look more at what it's trying
> to tell me.

Yes it shows you the overall up/down traffic rate on the router or
bridge that it is connected to but in the case of the router, if
the uPnP interface control on the router to administrative functions
does not require authentication then it allows the user to add forwarding
rules on the router using the big plus + button "Add".

> $ gupnp-universal-cp
> This also brought up a GUI, which I am looking at the output of
> to figure out what it's telling me.

That is showing you all the uPnP/DLNA devices which have been announced
on your LAN and it shews you what information or even files (in the
case of any media servers) that can be accessed without authentication.

There are other GUI programs in both the gupnp and upnp package suites
which you can fire up to investigate and instigate uPnP actions on
your LAN.

For example say you had a media server running on a host and a media
client running on a host (could be a Smart TV or a WiFi Radio with
media player) then you could use gupnp-av-cp to select a file (audio,
picture, or video as appropriate) for the media player client) and
request for it to be "displayed/played" on the media player client.

Usually in the case of Smart TVs, the TV has to be in media player mode
and a confirmation popup appears the first time for that session to allow
the file to be played.

And in case you are wondering DLNA is more or less a subset of uPnP but
with a few quirks added according to the manufacturer of the hardware
media player client (Smart TV, WiFi Radio with media player).

Paul M. Cook

Dec 30, 2015, 4:02:38 PM12/30/15
On Mon, 28 Dec 2015 18:26:58 -0500, David W. Hodgins wrote:

> bittorrent will still work, even if the incoming port is not reachable,
> but as a "leecher" it will be much slower.

I'm still trying to figure out what that sentence means.

1. Bittorrent will still work (that it does, with or without
UPNP set on the router).

2. So, "why" would leeching be slower?

I'm getting the data somehow.

David W. Hodgins

Dec 30, 2015, 4:26:53 PM12/30/15
On Wed, 30 Dec 2015 16:02:36 -0500, Paul M. Cook <pmc...@gte.net> wrote:

> On Mon, 28 Dec 2015 18:26:58 -0500, David W. Hodgins wrote:
>> bittorrent will still work, even if the incoming port is not reachable,
>> but as a "leecher" it will be much slower.
>
> I'm still trying to figure out what that sentence means.

Without the incoming port open, the torrent software will be downloading
only, not sharing what's already been downloaded.

As it's not sharing, the torrent peers it's downloading from will give
it a lower priority, so it will take longer for the download to happen.

If the peers are not running at their limit, it likely won't make much
of a difference, if any. If the peers are at the limit (people waiting
in a queue), it will make a much bigger difference. Basically, the
torrent software has two queues for download requests. One for peers
that are sharing, and one for peers that are not. The download requests
from the non-sharing peers are only processed if there are no outstanding
download requests from peers that are sharing.

Eef Hartman

Dec 30, 2015, 4:38:55 PM12/30/15
In alt.os.linux Paul M. Cook <pmc...@gte.net> wrote:
> 2. So, "why" would leeching be slower?

Because the seeding site/software will allow less bandwidth to a
pure leech, who won't even share the pieces it just got.
In fact on my site I can see that some peers do not get anything at
all from me.

PS: I'm only seeding legal torrents, like Linux iso images.
For instance I'm currently sharing the latest CentOS (7.2.1511) and
openSUSE (Leap 42.1) ones, only to people who will share the load.

Wildman

Dec 30, 2015, 5:31:23 PM12/30/15
On Wed, 30 Dec 2015 16:20:30 -0500, David W. Hodgins wrote:

> On Wed, 30 Dec 2015 16:02:36 -0500, Paul M. Cook <pmc...@gte.net> wrote:
>
>> On Mon, 28 Dec 2015 18:26:58 -0500, David W. Hodgins wrote:
>>> bittorrent will still work, even if the incoming port is not reachable,
>>> but as a "leecher" it will be much slower.
>>
>> I'm still trying to figure out what that sentence means.
>
> Without the incoming port open, the torrent software will be downloading
> only, not sharing what's already been downloaded.

That is odd. My pfsense firewall is set to block all incoming
traffic and yet I maintain a ratio of 2 in Transmission. I have
no problem sharing. The only difference is all the uploading
connections are listed as outgoing, not incoming. This no doubt
limits the number of potential leechers but I still share.

--
<Wildman> GNU/Linux user #557453
"One thing is clear: The Founding Fathers never
intended a nation where citizens would pay nearly
half of everything they earn to the government."
-Ron Paul

Paul M. Cook

Dec 30, 2015, 7:32:48 PM12/30/15
On Wed, 30 Dec 2015 16:20:30 -0500, David W. Hodgins wrote:

> Without the incoming port open, the torrent software will be downloading
> only, not sharing what's already been downloaded.

I think I'm out of my league trying to understand that sentence.
I don't doubt you. I just don't understand because I figured whatever
port that transmission used on Linux is a two-way port. Certainly,
even without UPnP enabled on either the router or on transmission,
I can *see* that I can both seed (upload) and leech (download).

So, "somehow", a "port" is opened on the desktop which does both
uploading and downloading in transmission, even without UPnP enabled
on either the transmission bittorrent client or on the router.

> As it's not sharing, the torrent peers it's downloading from will give
> it a lower priority, so it will take longer for the download to happen.

I've always heard that, if you don't share your files, then you
get a lower download speed, but is that really true? (see below
where you say it is true)

I generally share until the ratio is 2.x, but I never noticed any
speed difference either way. A 1GB file with about 10 seeds
takes about an hour (sometimes more, sometimes less).

> torrent software has two queues for download requests. One for peers
> that are sharing, and one for peers that are not. The download requests
> from the non-sharing peers are only processed if there are no outstanding
> download requests from peers that are sharing.

I share by default, because transmission shares what was just
downloaded, so, I wonder if that's why I don't see any slowdown?

From what you're saying, if I start with no file, then I'm not sharing
anything, so, I'm in that second queue, but, the moment I start getting
data, then I'm in the first queue because transmission, by default,
shares what it already has downloaded.

But, back to the ports.

As far as I can tell, the uploading and downloading still happens
even though I have turned off UPnP in both transmission & in the
router.

From what you're saying, I should be able to download faster if
I open a port on the router. I have never done that, but, I have
transmission set to an arbitrary port each time it runs, so, how
would I know *what* port to open in the router?

Paul M. Cook

Dec 30, 2015, 7:34:30 PM12/30/15
On Wed, 30 Dec 2015 16:31:21 -0600, Wildman wrote:

> That is odd. My pfsense firewall is set to block all incoming
> traffic and yet I maintain a ratio of 2 in Transmission. I have
> no problem sharing. The only difference is all the uploading
> connections are listed as outgoing, not incoming. This no doubt
> limits the number of potential leechers but I still share.

I also still share until the ratio gets to 2 (which is the
default in Transmission).

I had UPnP turned on by default in both the router and in
Transmission at the start of this thread, but now I have
UPnP turned off in both the router and Transmission.

I haven't noticed anything different in Transmission speeds.
(I don't really know how to tell though.)

Paul M. Cook

Dec 30, 2015, 7:36:07 PM12/30/15
On Wed, 30 Dec 2015 21:38:53 +0000, Eef Hartman wrote:

>> 2. So, "why" would leeching be slower?
>
> Because the seeding site/software will allow less bandwidth to a
> pure leech, who won't even share the pieces it just got.
> In fact on my site I can see that some peers do not get anything at
> all from me.

This makes sense that there must be a port for uploading the
files, but, I have UPnP off and I can see that both uploading
and downloading still occurs.

Wildman seems to be saying the same thing.

So, something doesn't make sense here on what happens when we
turn UPnP off.

William Unruh

Dec 30, 2015, 10:13:04 PM12/30/15
On 2015-12-30, Paul M. Cook <pmc...@gte.net> wrote:
> On Mon, 28 Dec 2015 18:26:58 -0500, David W. Hodgins wrote:
>
>> bittorrent will still work, even if the incoming port is not reachable,
>> but as a "leecher" it will be much slower.
>
> I'm still trying to figure out what that sentence means.

I think he means that bittorrent will work for you to download, but your
machine cannot be used for uploading to others. That means that
bittorrent will regard you as a leecher, and will not give you optimum
download speeds (probably by servicing non-leechers, ie people who are
willing to allow others to download from them, with faster service)

>
> 1. Bittorrent will still work (that it does, with or without
> UPNP set on the router).
>
> 2. So, "why" would leeching be slower?

No. bit torrent is slower IF you are a leecher.

Jasen Betts

Dec 30, 2015, 10:31:07 PM12/30/15
with no port forwarding you have no public torrent socket. Basically
your torrent client can't interact with other clients that don't
have a public socket. it can still interact with clients that do.

Apparently the torrent protocol allows uploads over connections
initiated by the source peer.

--
\_(ツ)_

Paul M. Cook

Dec 31, 2015, 12:18:07 AM12/31/15
On Thu, 31 Dec 2015 03:10:25 +0000, William Unruh wrote:

> I think he means that bittorrent will work for you to download, but your
> machine cannot be used for uploading to others. That means that
> bittorrent will regard you as a leacher, and will not give you optimum
> download speeds

Putting together what you said, plus what David W. Hodgins said, plus
what Jasen Betts said, is this how it works?

(1) If I turn off UPnP on the router (and in Transmission?) then nobody
can connect to "me" for me to "upload" to them with them using my public
IP address through a port forwarded through my router via UPnP.

(2) This means that I can only upload to other clients that have a public
socket, but if the other clients don't have a public socket, I can't
upload to them (or, said more directly, they can't get files from me).

(3) Since bittorrent maintains two download queues, the first priority
going to those who are uploading data and the second going to those
who are not uploading data, if I'm not uploading data, then I will
only download data when the first queue is empty.

(4) That means two different things.
- For those people with public sockets, I will be in the first
queue because they can get data from me even though I don't
have a public socket myself.
- For those people without public sockets, I will be in the
second queue because, to them, I'm not uploading any data
because I don't have a public upload socket open.

(5) Overall, this will probably increase my download times
(depending on a combination of how many other people have
public sockets open and on how full that first queue is).

(6) If I want to upload data to everyone, in order to ensure I'm in
the first queue, I will need to "open" a port for uploading data.

(7) The "easiest" way to open that outgoing (upload) port is to enable
UPnP in my router (and in the Transmission GUI?).

(8) HERE IS WHERE I'M STILL CONFUSED!
The "safest" way to open that outgoing upload port is to set up
something called "port forwarding" in the router.

MY QUESTION:
If all this is correct, then all I really need to learn next is
how to set up port forwarding in the router.

The router has a menu for "port forwarding" & "port triggering."
The first dropdown menu has a "Service Name" for me to select:
(The choices are ftp, http, icuii, ip phone, netmeeting h.323,
news, quake II & III, real audio, telnet, & vpn/pptp).
Notice "bittorrent" is conspicuously missing from the dropdown menu.

Once I select a service name, the rest of the choices are:
- External Start Port = ?
- External End Port = ?
- Internal Start Port = ?
- Internal End Port = ?
- Internal IP address = (this would be the IP address of my computer)

So, I have to figure out what is an External and Internal port, and
then what is the difference between a Start and End port.

One bit of confusion is that Transmission is picking random ports.
http://i68.tinypic.com/1rrfq0.jpg

So, how do I set up port forwarding in the router when Transmission
doesn't know what port it will be using at any given time?

Do I tell Transmission to pick a STATIC port?
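A small Python model of points (1) to (5) above, added here as an example (not code from the thread or from any BitTorrent client): it treats a connection as possible only when one side has a public socket, and has every peer serve whoever uploaded to it last round before anyone else. Peer names, swarm size and round count are constructed; real clients use a more elaborate choking algorithm.

```python
"""Toy model of the connectivity/priority argument made in this thread.
Added example, not code from the thread or from any BitTorrent client.
Assumptions: two peers can talk only if at least one of them accepts
inbound connections (a public socket); each peer uploads one piece per
round, serving peers that fed it in the previous round ("first queue",
least-served first) before any other connected peer ("second queue").
Peer names, swarm size and round count are constructed."""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    public_port: bool   # inbound connections reach this peer's listening port
    got: int = 0        # pieces received so far
    fed: set = field(default_factory=set)  # names this peer served last round


def can_connect(a: Peer, b: Peer) -> bool:
    """One side must accept the TCP connection; two peers both behind NAT
    with no forwarded port never meet."""
    return a.public_port or b.public_port


def reachable(me: Peer, swarm: list) -> list:
    """Peers `me` can exchange data with at all."""
    return [p for p in swarm if p is not me and can_connect(me, p)]


def serve_round(swarm: list) -> None:
    """Each peer uploads one piece, preferring peers that fed it last round."""
    fed_now = {p.name: set() for p in swarm}
    for p in swarm:
        peers = reachable(p, swarm)
        first_queue = [q for q in peers if p.name in q.fed]
        second_queue = [q for q in peers if p.name not in q.fed]
        # sorted() is stable, so ties keep swarm order; an empty first
        # queue falls through to the second one
        queue = sorted(first_queue, key=lambda q: q.got) or \
            sorted(second_queue, key=lambda q: q.got)
        if queue:
            queue[0].got += 1
            fed_now[p.name].add(queue[0].name)
    for p in swarm:      # commit who fed whom only once the round is over
        p.fed = fed_now[p.name]


def simulate(swarm: list, rounds: int = 4) -> dict:
    """Run the swarm for `rounds` rounds and report pieces per peer."""
    for _ in range(rounds):
        serve_round(swarm)
    return {p.name: p.got for p in swarm}


def make_swarm(me_public: bool) -> list:
    """Constructed swarm: me, two peers with forwarded ports, two without."""
    return [Peer("me", me_public), Peer("A", True), Peer("B", True),
            Peer("C", False), Peer("D", False)]


def pieces_for_me(me_public: bool, rounds: int = 4) -> int:
    """Pieces `me` downloads with or without a reachable listening port."""
    return simulate(make_swarm(me_public), rounds)["me"]


if __name__ == "__main__":
    for flag in (False, True):
        swarm = make_swarm(flag)
        n = len(reachable(swarm[0], swarm))
        print(f"public_port={flag}: {n} reachable peers, "
              f"{simulate(swarm)['me']} pieces downloaded")
```

Flip `me_public` to compare the same swarm with and without a forwarded listening port; a swarm where nobody has a public socket transfers nothing at all.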

J G Miller

Dec 31, 2015, 8:48:49 AM12/31/15

It looks like the message I wrote the other day about Transmission
and port forwarding did not send.

On Thu, 31 Dec 2015 00:18:06 -0500, Paul M. Cook wrote:

> Once I select a service name, the rest of the choices are:
> - External Start Port = ?
> - External End Port = ?
> - Internal Start Port = ?
> - Internal End Port = ?
> - Internal IP address = (this would be the IP address of my computer)
>
> So, I have to figure out what is an External and Internal port, and
> then what is the difference between a Start and End port.

All very simple - since you should have a basic understanding of the terms
internal, external, start, and end.

In the case of transmission, it uses just ONE port for control purposes,
and you can pick any one that is not being used by something else.

Ports are numbered from a minimum of 0 to a maximum of 65535 (because
they are 16 bit).

Ports 0 to 1024 are reserved for system services and require administrative
privileges (root) in order to use them.

So that leaves 1025 and above to 65535, but many of these are used by
different programs and to see what is assigned look in the file /etc/services.

Now in the case of transmission you can choose anything not in use.

So if you have transmission running on host1, a choice could be
to use port 43101.

So in transmission on host 1 you have to go into the network setup options
menu and tell it to use port 43101.

Then on the router, one sets the

external start port to 43101
external end port to 43101

internal start port to 43101
external end port to 43101

and internal IP address to that of host 1

Transmission uses both UDP and TCP for this port, so you must
ensure in your router configuration that the forwarding rule
is applied to both protocols.

Similarly if you also have transmission running on host 2, you could then
choose port 43102 and enter the values appropriate, and for host 3 choose
port 43103 ...

This way you can have transmission running on hosts 1, 2, and 3 all running
at the same time and the traffic is forwarded to the appropriate host.

The reason for not choosing consecutive numbers for each host 43101, 43102,
43103 which could be done, is to illustrate a more general scheme.

If you have an application which uses a range of ports, eg rtorrent,
then you would need to specify a larger number for the end point,
eg start 49160 and end 49199 for host 1, start 49260 and end 49299
for host 2, etc.

As you can see from the choice of the numbering, it is easy to see
which ports are forwarded to host 1, host 2, and host 3.

William Unruh

Dec 31, 2015, 1:21:22 PM12/31/15
Port forwarding works by taking any packet with destination address the
router, and port the given port, and readdressing it so that that packet
goes to IP of your computer,and the port you told it to forward to.

Often the router will allow you to pick the incoming port number.
as well as giving you a list of the common ports that are often forwarded.

Note that for outgoing, the system will usually pick a random port and
the router will remember that port number and return any incoming
packets to that port. Ie, you do not forward outgoing packets.

Sorry I have no idea what those Start/End ports are all about.

Char Jackson

Dec 31, 2015, 2:53:35 PM12/31/15
On Thu, 31 Dec 2015 18:18:42 -0000 (UTC), William Unruh <un...@invalid.ca>
wrote:

Start and End simply refer to cases where you need to open a contiguous
range of ports. For example, if you wanted to open/forward ports 43101 thru
43199, then 43101 would be the Start of that range and 43199 would be the
End of that range. Everything in between is also opened/forwarded.

By providing the capability to define a range by its start and end like
that, you're saved from having to open umpteen number of individual ports.

In cases where you only want to open a single port, the Start and End ports
are the same.

Paul M. Cook

Dec 31, 2015, 3:07:33 PM12/31/15
On Thu, 31 Dec 2015 18:18:42 +0000, William Unruh wrote:

> Sorry I have no idea what those Start/End ports are all about.

Me neither!
Not yet, anyway.

This whole port forwarding & UPnP stuff is new to me, so, a
lot goes over my head.

Paul M. Cook

Dec 31, 2015, 3:12:48 PM12/31/15
On Thu, 31 Dec 2015 13:54:09 -0600, Char Jackson wrote:

>>> - External Start Port = ?
>>> - External End Port = ?
>>> - Internal Start Port = ?
>>> - Internal End Port = ?
>>> - Internal IP address = (this would be the IP address of my computer)

> In cases where you only want to open a single port, the Start and End ports
> are the same.

Thanks for explaining that the "start" and "end" ports merely define a
range of ports, e.g., the hundred ports between port 10001 to port 10100.

If I just want Transmission bittorrent to work faster for upload,
do I set the "external" range or the "internal" range?

I would *guess* it's the "internal" range, but I'm not sure.

Paul M. Cook

Dec 31, 2015, 3:32:41 PM12/31/15
On Thu, 31 Dec 2015 13:46:10 +0000, J G Miller wrote:

Everything you said cleared up a lot of my confusion:
(1) Transmission uses one port so I can pick any (upper) unused port.
(2) A look at /etc/services shows what ports are in use
For example openvpn 1194/tcp & openvpn 1194/udp
In my case, there are no ports in /etc/services between
port 27374 & 30865, so your example of 43101 works fine.
(3) The computer where Transmission runs is currently on 192.168.1.10
But that is a temporary IP address (assigned by DHCP from the router).
I assume I'd want to force that IP address to be static from the router.
(4) Then, I can set, on the router, the external range to:
External start port to 43101
External end port to 43101
And, I can set, on the router, the internal range to:
Internal start port to 43101
External end port to 43101
(5) And then I set the "Internal IP address = 192.168.1.10".
(6) And I'd have to do that (somehow) for both TCP & UDP.
(7) Lastly I'd have to set up transmission to use the same port!

Are the assumptions above correct?
(A) Should I set up the computer to get a static IP address from the router?
(B) Must I set the *same* port 43101 on Transmission (I assume the answer is yes)?
(C) Why do I even need the "External" port setup?
(Why don't I just need to set the "Internal" port, since it's for uploading?)

Paul M. Cook

Dec 31, 2015, 3:40:20 PM12/31/15
On Thu, 31 Dec 2015 03:00:09 +0000, Jasen Betts wrote:

> with no port forwarding you have no public torrent socket. Basically
> your torrent client can't interact with other clients that don't
> have a public socket. it can still interact with clients that do.
>
> Apparently the torrent protocol allows uploads over connections
> initiated by the source peer.

This makes sense that what you're saying is:
(1) If I don't enable port forwarding or UPnP in the router, then
transmission can't have an incoming public port.
(2) If Transmission can't have an incoming public port, then other
clients without a public socket can not get data from me
(3) If other clients can't get data from me, they will put me
in the second download torrent priority queue, which only
downloads data from them when the first priority queue is
empty.

One question I have is that transmission uses the term:
"Listening port" which is the "Port used for incoming connections".

The router seems to have an "External port" & an "Internal Port"
in the port-forwarding dialog.

Are these all actually the same thing but with different words?

Jasen Betts

Dec 31, 2015, 5:01:04 PM12/31/15
On 2015-12-31, Paul M. Cook <pmc...@gte.net> wrote:
set both, use a range 6881 to 6889 if you want to run several instances
simultaneously.

--
\_(ツ)_

J G Miller

Dec 31, 2015, 6:32:44 PM12/31/15
On Thursday, December 31st, 2015, at 15:32:39h -0500, Paul M. Cook wrote:

> (1) Transmission uses one port so I can pick any (upper) unused port.

As far as I am aware (corrections please if not) transmission uses just one
control port for communication with other p2p clients but having established
contact and agreed on what other port to use and checked that it can be opened,
then the actual data transfer occurs on that other port.

Those will be the "random ports" you mentioned in an earlier message
that transmission was using.

> I assume I'd want to force that IP address to be static from the router.

Yes whenever you run a program such as transmission it is running as a "service"
or "daemon" and in order for the router to do the port forwarding to any host
running a daemon, it has to know its IP address.

So you need to have it on a static IP address because the router does not have
the necessary software to discover which host the service is running on (if the
host was using say Avahi or slp to advertise the service) and for cases of
instances of the same service on multiple hosts, it would not know which one
to choose.

If you do not want to set a fixed IP on the actual machine you can get your
router to always assign the same IP address from the DHCP pool by a rule using
the host's NIC MAC address.

> (6)And I'd have to do that (somehow) for both TCP & UDP.

This should be clear from the GUI for the router on how to do that.

> (C) Why do I even need the "External" port setup?
> (Why don't I just need to set the "Internal" port, since it's for uploading?)

You are confusing things here internal/external are not synonyms for
uploading/downloading.

The router has two sides

host1 ]
host2 ] --- LAN (internal) --- [router] --- (external) WAN (Internet) --- some_other_p2per
host3 ]

What you are doing is mapping the external port number to the internal port number.

So because the transmission program tells the remote p2p client/server that it is
using port 43101 for communications, the router has to make sure that it maps
its external port 43101 to 43101 on the host where transmission is running.

What the port forwarding does is connect the external port number to the internal
port number.

Usually the external port and the internal port are the same but this is not
always necessary and for some special cases may have to be different.

Suppose you were at a remote site and wanted to ssh into your home LAN but the
administration at the remote site blocked port 22 but not port 80 (because that normally
carries web traffic). What you could then do on your router is forward incoming external
port 80 to port 22 on your host running the ssh daemon and at the remote site tell the ssh
client to use port 80 and not the usual port 22 when connecting to your router's WAN
side (with an IP address usually allocated by your ISP).

Incidentally home/SOHO routers are not full routers since the internal ethernet
ports are on a switch and all have a common IP address, not individual LAN IP addresses.

I suggest you visit this website

<http://portforward.com/english/routers/port_forwarding/>

which more than likely has screenshots of how to do port forwarding configuration
for your model of router, and indeed it apparently does ...

<http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm>
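To tie together the scheme from the earlier message (one fixed port per host, forwarded for both TCP and UDP, to a host with a fixed address) and the external-to-internal mapping explained above, here is an added Python check; it is not Transmission's or Netgear's code. It assumes a rule shaped like the router dialog (external start/end, internal start/end, internal IP) plus the protocols it applies to, a DHCP reservation keyed by MAC address, and Transmission's settings.json keys peer-port, peer-port-random-on-start and port-forwarding-enabled; all addresses, MACs and the /etc/services excerpt are constructed.

```python
"""Consistency check for the Transmission port-forwarding plan discussed in
this thread.  Added example, not Transmission's or the router's code.
Assumes a router rule shaped like the Netgear dialog plus the protocols it
covers, a DHCP reservation keyed by MAC, and the Transmission settings.json
keys "peer-port", "peer-port-random-on-start", "port-forwarding-enabled".
All addresses, MACs and the /etc/services excerpt are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    ext_start: int
    ext_end: int
    int_start: int
    int_end: int
    internal_ip: str
    protocols: frozenset  # e.g. frozenset({"tcp", "udp"})

    def maps(self, ext_port: int):
        """External port -> (internal IP, internal port), or None when the
        port lies outside this rule's external range."""
        if not self.ext_start <= ext_port <= self.ext_end:
            return None
        return self.internal_ip, self.int_start + (ext_port - self.ext_start)


def services_in_use(etc_services: str) -> dict:
    """Parse lines like 'openvpn 1194/udp' from /etc/services into {port: name}."""
    used = {}
    for line in etc_services.splitlines():
        m = re.match(r"(\S+)\s+(\d+)/(?:tcp|udp)", line.split("#", 1)[0])
        if m:
            used.setdefault(int(m.group(2)), m.group(1))
    return used


def overlapping_rules(rules: list) -> list:
    """Pairs of rules whose external ranges collide on a shared protocol;
    the router could not tell which host such a packet belongs to."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.protocols & b.protocols
                    and a.ext_start <= b.ext_end and b.ext_start <= a.ext_end):
                hits.append((a, b))
    return hits


def check_plan(settings: dict, rules: list, reservations: dict,
               host_mac: str, etc_services: str) -> list:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    if settings.get("peer-port-random-on-start", False):
        problems.append("Transmission picks a random listening port at start; "
                        "a static router rule cannot follow it")
    if settings.get("port-forwarding-enabled", False):
        problems.append("UPnP/NAT-PMP is still enabled in Transmission "
                        "although the router has it switched off")
    port = settings.get("peer-port")
    if not isinstance(port, int) or not 1025 <= port <= 65535:
        problems.append(f"peer-port {port!r} is not an unprivileged port")
        return problems
    used = services_in_use(etc_services)
    if port in used:
        problems.append(f"port {port} is assigned to {used[port]} in /etc/services")
    host_ip = reservations.get(host_mac)
    if host_ip is None:
        problems.append("no DHCP reservation for the Transmission host; its "
                        "address may change and the rule would point elsewhere")
    for proto in ("tcp", "udp"):  # Transmission listens on both
        targets = [r.maps(port) for r in rules
                   if proto in r.protocols and r.maps(port) is not None]
        if not targets:
            problems.append(f"no {proto} rule forwards external port {port}")
        elif targets[0] != (host_ip, port):
            problems.append(f"{proto} rule sends external {port} to "
                            f"{targets[0]}, expected {(host_ip, port)}")
    for a, b in overlapping_rules(rules):
        problems.append(f"external ranges {a.ext_start}-{a.ext_end} and "
                        f"{b.ext_start}-{b.ext_end} overlap")
    return problems


# Constructed sample data, not the thread's real network.
ETC_SERVICES = "ssh 22/tcp\nopenvpn 1194/tcp\nopenvpn 1194/udp\n"
BOTH = frozenset({"tcp", "udp"})
RESERVATIONS = {"aa:bb:cc:dd:ee:01": "192.168.1.10",
                "aa:bb:cc:dd:ee:02": "192.168.1.11"}
HOST1_MAC = "aa:bb:cc:dd:ee:01"
HOST1_SETTINGS = {"peer-port": 43101, "peer-port-random-on-start": False,
                  "port-forwarding-enabled": False}
# One single-port rule per host, following the 43101/43102 scheme.
RULES_OK = [ForwardRule(43101, 43101, 43101, 43101, "192.168.1.10", BOTH),
            ForwardRule(43102, 43102, 43102, 43102, "192.168.1.11", BOTH)]
RULES_TCP_ONLY = [ForwardRule(43101, 43101, 43101, 43101, "192.168.1.10",
                              frozenset({"tcp"}))]
# External and internal ports need not match: external 80 -> internal 22.
SSH_VIA_80 = ForwardRule(80, 80, 22, 22, "192.168.1.20", frozenset({"tcp"}))

if __name__ == "__main__":
    print(check_plan(HOST1_SETTINGS, RULES_OK, RESERVATIONS, HOST1_MAC, ETC_SERVICES))
    print(check_plan(HOST1_SETTINGS, RULES_TCP_ONLY, RESERVATIONS, HOST1_MAC, ETC_SERVICES))
    print(SSH_VIA_80.maps(80))
```

A range rule such as 49160-49199 for rtorrent works with the same `maps()` arithmetic, each external port landing on the matching internal one.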

Paul M. Cook

Jan 1, 2016, 10:42:38 AM1/1/16
On Thu, 31 Dec 2015 21:38:03 +0000, Jasen Betts wrote:

> set both, use a range 6881 to 6889 if you want to run
> several instances simultaneously.

But, what exactly "is" an external port and an internal port?

(1) Let's say I set my router to hand a static IP address to my
Linux computer, and let's say that's 192.168.1.10

(2) Then, let's say I set up Transmission on that Linux computer
to use static port 6881 (Transmission calls that port the
"Listening Port" and Transmission describes it as the
"Port used for incoming connections".)

(4) Let's say my external IP address is 1.2.3.4 for argument's sake.

(5) Let's assume it's a basic tenet in firewalling to only enable
what you have to enable, so, let's assume all I want to enable
is the ability for my Transmission bittorrent client to upload
files to other bittorrent clients, whether or not those other
clients have a public socket. (This allows me access to both
bittorrent queues, which eventually gets me faster downloads.)

(6) Given all that above, I would "guess" that what I'm trying to
open is an "external" port, i.e., a port to the outside world
where someone on the Internet tries to connect to
1.2.3.4:6881 which my router directs to 192.168.1.10:6881

Is that a correct assumption, if all I want to do is enable my
Bittorrent client to upload to other clients, that I want to only
open an "external" port on the router (and not an internal port)?

J G Miller

Jan 1, 2016, 11:08:38 AM1/1/16
On Friday, January 1st, 2016, at 10:42:35h -0500,
Paul M. Cook asked yet again:

> But, what exactly "is" an external port and an internal port?

This was all carefully explained in detail in

Thursday, December 31st, 2015, at 23:30:05h -0000 (UTC)
in message <n64dpt$91n$1...@dont-email.me>

even with a little ASCII picture.

Perhaps these dictionary definitions will help you to understand
the meaning of external, internal, and port.

From The Collaborative International Dictionary of English v.0.48 [gcide]:

External \Ex*ter"nal\, n.
Something external or without; outward part; that which makes
a show, rather than that which is intrinsic; visible form; --
usually in the plural.
[1913 Webster]

From The Collaborative International Dictionary of English v.0.48 [gcide]:

Internal \In*tern"al\, a. [L. internus; akin to interior. See
{Interior}.]
[1913 Webster]
1. Inward; interior; being within any limit or surface;
inclosed; -- opposed to {external}; as, the internal parts
of a body, or of the earth.
[1913 Webster]

From The Free On-line Dictionary of Computing (20 July 2014)

port
port number

1. <networking> A logical channel or channel endpoint in a
communications system. The {Transmission Control Protocol}
and {User Datagram Protocol} {transport layer} protocols used
on {Ethernet} use port numbers to distinguish between
(demultiplex) different logical channels on the same {network
interface} on a computer.

Each {application program} has a unique port number associated
with it, defined in /etc/services or the {Network Information
Service} "services" database. Some {protocols}, e.g. {telnet}
and {HTTP} (which is actually a special form of telnet) have
default ports specified as above but can use other ports as
well.

Some port numbers are defined in {RFC 3232} (which replaces
RFC 1700). Ports are now divided into: "Well Known" or
"Privileged", and "Ephemeral" or "Unprivileged" (comprising
"Registered", "Dynamic", "Private").

Paul M. Cook

Jan 1, 2016, 11:15:17 AM

On Fri, 01 Jan 2016 16:05:58 +0000, J G Miller wrote:

> This was all carefully explained in detail in

I just got to that most excellent explanation and was reading and
re-reading the internal/external port explanation when I saw this
post here.

I'm sorry, I was out last night and wasn't able to read anything until now.

In that earlier post, I easily understood what you kindly explained
about how Transmission opens up one port, and what you explained well
about how I could assign a static IP address on either the computer or
on the router (by telling the router the MAC address of the computer).

I'm working on this internal/external port concept now, and will respond
to *that* post, so as to keep it together.

The final summary should be forthcoming when I figure out the difference
between an internal and external port, and why I have to open up both
UDP and TCP traffic through that opened port.

Thanks for your wonderfully detailed explanations!

J G Miller

Jan 1, 2016, 11:57:49 AM

On Friday, January 1st, 2016, at 11:15:15h -0500, Paul M. Cook confessed:

> I'm sorry, I was out last night and wasn't able to read anything until now.

Always best to try and read all the followups before posting questions
especially those which you have already asked.

> I'm working on this internal/external port concept now, and will respond
> to *that* post, so as to keep it together.

Good, just try to keep in mind that the router is a device which connects
the LAN, the INTERNAL side, to the WAN (usually the Internet), the EXTERNAL
side.

So for things to work (ie communications to/from the Internet), the router
has to connect the internal port to an external port, and an external port
to an internal port.

In normal factory default operation, home (SOHO) routers are always open to
allow traffic from an internal host on any port (so internal port) to any
external host on any port (so external port).

It is the incoming traffic which is barred by default unless an internal
host on that port has already established communications with that
particular external IP address on that particular port.

If you think of an old fashioned telephone exchange operations board,
somebody has to put a patch wire in the socket for the incoming call from
the network to the socket to the local exchange line to the home phone.

This is effectively what you are doing with incoming port forwarding rules
(from external port to internal port).

> The final summary should be forthcoming when I figure out the difference
> between an internal and external port, and why I have to open up both
> UDP and TCP traffic through that opened port.

Yes -- on the Internet there are numerous communications protocols but
the most basic are TCP and UDP (and also ICMP which is used by ping):

UDP (user datagram protocol) which is non-guaranteed (hence often described
as non-reliable) datagram delivery.

TCP (transmission control protocol) which guarantees delivery of data and
also guarantees that packets will be delivered in the same order in which
they were sent.

For a brief summary take a look at

<http://www.diffen.COM/difference/TCP_vs_UDP>

The difficult part about networking and networking issues is not really
the concepts involved (getting packets from host A to host B) but
remembering all the terms and what they mean ;+}

By the time you have read, learnt, and inwardly digested all this
information you will be able to go around all your friends and
neighbors and help them to make sure their routers are configured
more securely (use WPA2 and never WEP) ;+) ;+)

<http://www.diffen.COM/difference/WPA_vs_WPA2>

Paul M. Cook

Jan 1, 2016, 12:23:43 PM

On Thu, 31 Dec 2015 23:30:05 +0000, J G Miller wrote:

> What the port forwarding does is connect the external port number
> to the internal port number.

I'm reading and re-reading what you wrote, and I'm also adjusting my
router as I read and reread, but, this seems to be the key sentence
that I hadn't realized in the least when this quest was started!

The "port forwarding" is just connecting an internal port on the LAN
(i.e., 192.168.1.10:43101) to an external port on the WAN (for example,
1.2.3.4:43101).

I'm also reading the reference you provided, which lead me to this:
http://portforward.com/help/portforwarding.htm

So now I see that all requests don't just go to an IP address, but, they
all go to an IP address plus a port. If that port is well known (such
as port 80, and if I have a "service" running on that port on my laptop)
then the router might be able to connect the external request to the right
internal laptop & port (which is where the Ubuntu /etc/services file comes
into play, I think).

But, there is no "Transmission" (bittorrent) service defined in the
/etc/services file, so, I have to tell the router what to do with the
incoming requests to my external port 1.2.3.4:43101.

The router will be told to connect that external port 1.2.3.4:43101 to
an internal port 192.168.1.10:43101, which is where Transmission will
be set to listen for incoming connections.

I'm reading your suggested URL now to make sense of it:
http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm

But, one question in the back of my mind is what does the router do
to a request without port forwarding to 1.2.3.4:43101. Of course,
the router summarily drops that request, but, then, how does ANY
traffic get through the router if the router blocks all incoming
requests to all ports?

Certainly the router lets in *some* requests from the outside.
Otherwise hackers would never get in. Right?

J G Miller

Jan 1, 2016, 1:37:31 PM

On Friday, January 1st, 2016, at 12:23:42h -0500, Paul M. Cook realized:

> So now I see that all requests don't just go to an IP address, but, they
> all go to an IP address plus a port.

Yes, yes, yes, this is exactly the case.

In our analogy with the operator and patch cords at the telephone exchange,
there is with TCP/IP networking in addition to the telephone number (the
IP address) a port number, so it is like somebody having one telephone number
but a black phone, a yellow phone, a red phone (for calls to the Kremlin)
and only one phone is the right one, so the patch cord has to connect
to the specific phone (internal port) as well.

So if the Kremlin red phone calls, one would not want it connected to the
yellow phone, but to your internal red phone so that when the conversation
starts, one does not make the mistake of asking is that Xi Jinping (because
the yellow phone rang) when it is in fact Vladimir Putin calling from his
red phone.

> If that port is well known (such as port 80, and if I have a "service"
> running on that port on my laptop) then the router might be able to connect
> the external request to the right internal laptop & port

Exactly so, but without ensuring that the web server you have running on
your laptop is fully secure with proper configuration directives to only
allow LAN hosts access to "sensitive" directories where needed, and that
you have eliminated any possible SQL or PHP injection inquiry faults, etc,
opening up your web server to the Internet is not a sensible thing to do.

> But, there is no "Transmission" (bittorrent) service defined in the
> /etc/services file

Because nobody has registered Transmission as using a particular port.
And if they did, then all the ISPs would have to do was block traffic
on that port and it would not work properly, so people would then choose
random alternative ports as they do now, so going to the trouble of
registering a particular port for transmission is pointless ...

> The router will be told to connect that external port 1.2.3.4:43101 to
> an internal port 192.168.1.10:43101, which is where Transmission will
> be set to listen for incoming connections.

Exactly. Exactly.

> But, one question in the back of my mind is what does the router do
> to a request without port forwarding to 1.2.3.4:43101.

Hopefully it does what it should do.

If your local host has already established a connection (which would
of course be TCP, because UDP is connectionless) with a remote host
on 43101, it would allow incoming traffic with that same remote host
on that port. If another IP address tried to connect, the router
(or rather the iptables or equivalent in the router) would just
drop all traffic from that remote host on that port and send it to
/dev/null or the bitbucket.

> how does ANY traffic get through the router if the router blocks all incoming
> requests to all ports?

As I have tried to explain above and in the other message, if your
local host1 has already initiated and established a connection with a
remote host on a particular port, it allows incoming traffic from
that same IP address and same port and forwards it to the local host1.

> Otherwise hackers would never get in. Right?

The way hackers can bypass the router security are generally via two routes.

The hacker gets one of its botnet hosts to send you an e-mail with an attachment
which you think is just a document but is actually an executable and when
you open it, it runs the executable which installs a program which initiates
contact with the botnet and because it initiated contact, it allows incoming
traffic from the botnet on that port.

Alternatively you use Windoze and Internet Explorer and visit a web site
with malicious code (perhaps javascript or even java) which Internet Explorer
runs and installs software which does the same as above.

The other possible route, is that the hacker is able to connect to your
router administration interface because you have used a weak password
or even not even set one different from the factory default and have
turned on Internet access to the administration interface, or the router
manufacturer stupidly left in a backdoor in the firmware, perhaps to
allow ISPs to meddle with your router.

The worst ISPs are ones such as Sky in the UKofGB&NI which officially
do not allow you to use anything but the router which they supply and
which has most administrative functions blocked to the user because
the administrator account is locked, and only access to a simple
non-privileged interface is provided.

<https://nakedsecurity.sophos.com/2013/10/15/d-link-router-flaw-lets-anyone-login-using-joels-backdoor/>

<http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/>

<http://www.theregister.co.uk/2014/01/06/hacker_backdoors_linksys_netgear_cisco_and_other_routers/>

See also how bad UPnP implementations by some networking device companies on some routers
can be misused by hackers at

<http://www.computerworld.COM/article/2972756/cybercrime-hacking/attackers-are-using-insecure-routers-and-other-home-devices-for-ddos-attacks.html>

This is of course why you need to keep the firmware updated on your router.

Obviously once a hacker can login to the administrator account on the router,
then she/he can open up whatever ports she/he chooses and to connect to machines
on your LAN.

A secondary line of defence is to have software firewalls running on each
of your machines which will safeguard against this failure, but the problem
is for hosts running embedded systems (Smart TVs, Wifi Radios, satellite receivers,
internet connected coffee machines and refrigerators etc) for which the manufacturer
did not care about LAN security.

What could be worse than coming home to find that crackers have gotten access to
your refrigerator/freezer and turned the freezer off so that all your frozen food
has melted and started decomposing, when you open the freezer compartment door?

Paul M. Cook

Jan 1, 2016, 2:43:14 PM

On Fri, 01 Jan 2016 16:55:09 +0000, J G Miller wrote:

> Always best to try and read all the followups before posting questions
> especially those which you have already asked.

I'm still reading and re-reading both your explanation and the helpful
links you provided (which, really, tell me how to do almost EVERYTHING
I need to do).

I never got the algorithm down to keeping track of which articles I
should reply to because my nntp client puts unread articles in bold
and read articles not bolded, so, once I read it, I can't find it
again in all the other articles.

Anyway, I'm reading and re-reading your references, which are spot
on the money!

It's interesting that the article says that Transmission can *only* use
port 51413 so I will be using that port, in future messages.
http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm

It's strange that the article clearly says Transmission uses only that
one port, because the Transmission GUI just as clearly intimates otherwise
(by giving you a selection of what Transmission calls the "Listening port").
Transmission: Edit > Preferences > Network > Listening port = {54689}
Pick a random port every time Transmission is started = yes/no

It's also interesting that the articles have methods for setting a static
IP on Windows and consoles, but not Ubuntu:
http://portforward.com/networking/staticip.htm

But, I'll probably set up the Ubuntu static IP address from the router anyway,
which you well explained was simply by matching the wlan0 MAC address to
force the router DHCP to hand my Ubuntu laptop the same IP address each time.

> In normal factory default operation, home (SOHO) routers are always open to
> allow traffic from an internal host on any port (so internal port) to any
> external host on any port (so external port).

I didn't know this bit of information that all outgoing ports are allowed,
which makes a lot of sense and which will help me understand how *any*
traffic gets through the router, since I would have thought that Transmission
uploads to other clients from the inside out (but, in reality, Transmission
actually apparently uploads to other clients from the outside in!).

> It is the incoming traffic which is barred by default unless an internal
> host on that port has already established communications with that
> particular external IP address on that particular port.

Finally this makes sense! I'm not sure how hackers get in, but, what you're
saying is that all incoming ports are barred, by default, unless a request
first went out from inside the LAN.

Paul M. Cook

Jan 1, 2016, 2:53:26 PM

On Fri, 01 Jan 2016 18:34:51 +0000, J G Miller wrote:

> In our analogy with the operator and patch cords at the telephone exchange,
> there is with TCP/IP networking in addition to the telephone number (the
> IP address) a port number, so it is like somebody having one telephone number
> but a black phone, a yellow phone, a red phone (for calls to the Kremlin)
> and only one phone is the right one, so the patch cord has to connect
> to the specific phone (internal port) as well.

The analogy of the telephone patch cord is a great one which I hope
to remember.

To me, it's like the operator is downstairs in a large bank building
with the switchboard in the basement when the call from outside comes
in for Mr. Banks.

The operator patches in the call from an external line to the internal
line for Mr. Banks' office.

Thanks for that "port forwarding" analogy.

Paul M. Cook

Jan 1, 2016, 3:08:10 PM

On Fri, 01 Jan 2016 18:34:51 +0000, J G Miller wrote:

> Because nobody has registered Transmission as using a particular port.
> And if they did, then all the ISPs would have to do was block traffic
> on that port and it would not work properly, so people would then choose
> random alternative ports as they do now, so going to the trouble of
> registering a particular port for transmission is pointless ...

This is very interesting that "defining" a port for Transmission would
be futile, due, essentially, to human nature.

Thanks for that observation.

Paul M. Cook

Jan 1, 2016, 3:11:49 PM

On Fri, 01 Jan 2016 18:34:51 +0000, J G Miller wrote:

> The other possible route, is that the hacker is able to connect to your
> router administration interface because you have used a weak password
> or even not even set one different from the factory default and have
> turned on Internet access to the administration interface, or the router
> manufacturer stupidly left in a backdoor in the firmware, perhaps to
> allow ISPs to meddle with your router.

This makes sense that hackers get in directly from the outside through
the admin interface, since the administration interface is open to a
connection all the time by default.

It also makes sense that hackers, more often than not, get in by sneaking
something onto your system (via email or the web, as you noted), and then,
once on the system, whatever malware they gave you can initiate its own
communications to the outside.

J G Miller

Jan 1, 2016, 3:26:40 PM

On Friday, January 1st, 2016, at 14:43:12h -0500, Paul M. Cook wrote:

> It's interesting that the article says that Transmission can *only* use
> port 51413 so I will be using that port, in future messages.
> http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm

WARNING, WARNING, Will Robinson ;+)

You misread that article. It is not saying Transmission can only use
port 51413.

It is saying that if you choose 51413 (a random port number within the allowed
range (1024-65535) not used by anything else) you have to use that
same port number in the Transmission configuration and on the router
port forwarding rule for external port and internal port.

> It's also interesting that the articles have methods for setting a static
> IP on Windows and consoles, but not Ubuntu

Because the whole site is oriented to Windoze and really wants to sell you
their Windoze based software for setting up rules for the Windoze firewall
and Windoze router administration software.

> But, I'll probably set up the Ubuntu static IP address from the router anyway,
> which you well explained was simply by matching the wlan0 MAC address to
> force the router DHCP to hand my Ubuntu laptop the same IP address each time.

Nooooooooooo.

You have to use the host's NIC MAC address NOT the router's
WAN NIC MAC address.

On your host just do

ifconfig

and probably your NIC is assigned to eth0 and from there you can see the
MAC address

eth0 Link encap:Ethernet HWaddr NN:NN:NN:NN:NN:NN

where NN are hexadecimal "digits" (0 through 9, or A through F).

If you try the command

arp

you will see the MAC addresses (under the HWaddress column)
of neighboring hosts as well.

If you want to check that your NIC is "genuine" or at least has been
counterfeited with an appropriate MAC address for that manufacturer,
you can go to

<http://wintelguy.COM>

and lookup who the manufacturer should be for a particular MAC address.

> what you're saying is that all incoming ports are barred, by default,
> unless a request first went out from inside the LAN.

That is the standard mode of operation for consumer SOHO routers.

If you were manually setting up a firewall on your Ubuntu system
using IPTABLES (the basic kernel level tool for creating firewall
rules) you would have to have a rule

iptables -t filter -A INPUT -p all -m conntrack \
    --ctstate ESTABLISHED,RELATED -i ${IFACE} -j ACCEPT

As you can see the key words there to allow this functionality to be allowed
are for all ports (-p all) on the interface (usually eth0)

ESTABLISHED,RELATED and ACCEPT
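
The following is an added example, not code from this thread: a small model of the
router behaviour J G Miller describes in the posts above (outbound always allowed,
replies allowed back in only for flows the LAN side started, which is what the
iptables ESTABLISHED,RELATED rule expresses, and unsolicited inbound packets dropped
unless a port-forwarding rule patches the external port through to a LAN host). The
addresses are assumptions: 1.2.3.4 is the router's WAN address as in the thread's
example, 192.168.1.0/24 is the LAN, and 203.0.113.5 / 198.51.100.7 are documentation
addresses standing in for remote peers. The forwarding rule is the thread's
Transmission rule (TCP and UDP 51413 to 192.168.1.10:51413); the log line it emits is
modelled on the router's "[LAN access from remote]" entries.

```python
"""Toy model of a SOHO router: stateful filtering plus a port-forward table.

Added example, not code from the thread. Addresses and ports are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WAN_IP = "1.2.3.4"          # assumed public (WAN) address, as in the thread's example
LAN_PREFIX = "192.168.1."   # assumed LAN


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Router:
    """forwards maps (proto, external port) -> (LAN ip, internal port)."""

    def __init__(self, forwards: Dict[Tuple[str, int], Tuple[str, int]]):
        self.forwards = forwards
        # Connection tracking: (proto, WAN port, remote ip, remote port) -> (LAN ip, LAN port).
        # Real NAT may rewrite the source port; here the WAN port equals the LAN port for clarity.
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []   # router-style "[LAN access from remote]" lines

    def handle(self, pkt: Packet) -> str:
        if pkt.src_ip.startswith(LAN_PREFIX):
            # Outbound from the LAN: always allowed; remember the flow so the reply gets back in.
            key = (pkt.proto, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.conntrack[key] = (pkt.src_ip, pkt.src_port)
            return f"ACCEPT outbound {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"

        if pkt.dst_ip != WAN_IP:
            return "DROP not addressed to this router"

        # Inbound reply to a flow the LAN side started (same remote ip and port)?
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.conntrack:
            lan_ip, lan_port = self.conntrack[key]
            return f"ACCEPT ESTABLISHED -> {lan_ip}:{lan_port}"

        # Unsolicited inbound: only a port-forwarding rule (the operator's patch cord) lets it in.
        rule = self.forwards.get((pkt.proto, pkt.dst_port))
        if rule is None:
            return "DROP unsolicited"
        lan_ip, lan_port = rule
        self.log.append(f"[LAN access from remote] from {pkt.src_ip}:{pkt.src_port} to {lan_ip}:{lan_port}")
        return f"ACCEPT DNAT -> {lan_ip}:{lan_port}"


def transmission_router() -> Router:
    """Router with the thread's Transmission rule: TCP and UDP 51413 -> 192.168.1.10:51413."""
    return Router({("tcp", 51413): ("192.168.1.10", 51413),
                   ("udp", 51413): ("192.168.1.10", 51413)})


def demo() -> List[str]:
    """Run a constructed packet sequence through the router and return the verdicts in order."""
    r = transmission_router()
    packets = [
        Packet("tcp", "192.168.1.10", 43101, "203.0.113.5", 6881),  # LAN host connects out to a peer
        Packet("tcp", "203.0.113.5", 6881, WAN_IP, 43101),          # the peer's reply: established flow
        Packet("tcp", "198.51.100.7", 6881, WAN_IP, 43101),         # another host, same port: no state
        Packet("tcp", "198.51.100.7", 40000, WAN_IP, 51413),        # new peer hits the forwarded port
        Packet("udp", "198.51.100.7", 40000, WAN_IP, 51413),        # same over UDP (both are forwarded)
        Packet("tcp", "198.51.100.7", 40000, WAN_IP, 9000),         # no rule, no state: dropped
    ]
    return [r.handle(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

With the forwarding table empty, the fourth packet gets "DROP unsolicited" instead of
being sent on to 192.168.1.10:51413, which is exactly the situation a "port is closed"
test from the torrent client reports.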

J G Miller

Jan 1, 2016, 3:30:15 PM

On Friday, January 1st, 2016, at 14:53:25h -0500, Paul M. Cook wrote:

> The operator patches in the call from an external line to the internal
> line for Mr. Banks' office.

Yes, except Mr Banks has more than one phone so the patch has to go not
just to his office (IP address) but to the appropriate phone (port number).

And I forgot to mention that if you asked if it was Xi Jinping when
Vladimir Putin was calling, that would be a "protocol error". ;+)

Wildman

Jan 1, 2016, 4:04:52 PM

On Fri, 01 Jan 2016 20:24:01 +0000, J G Miller wrote:

> On Friday, January 1st, 2016, at 14:43:12h -0500, Paul M. Cook wrote:
>
>> It's interesting that the article says that Transmission can *only* use
>> port 51413 so I will be using that port, in future messages.
>> http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm
>
> WARNING, WARNING, Will Robinson ;+)
>
> You misread that article. It is not saying Transmission can only use
> port 51413.
>
> It is saying that if you choose 51413 (a random port number within the allowed
> range (1024-65535) not used by anything else) you have to use that
> same port number in the Transmission configuration and on the router
> port forwarding rule for external port and internal port.

Also, Transmission can be set to use a random port each time the
program is started. For the benefit of the OP, Port 51413 is only
the default port and can easily be changed.

--
<Wildman> GNU/Linux user #557453
More gun laws will reduce gun violence just
like Obamacare reduced insurance rates.

J G Miller

Jan 1, 2016, 4:06:27 PM

On Friday, January 1st, 2016, at 15:11:48h -0500, Paul M. Cook wrote:

> This makes sense that hackers get in directly from the outside through
> the admin interface, since the administration interface is open to a
> connection all the time by default.

The administration interface should never be open on the WAN (Internet)
side by default. It should only ever be opened on the WAN (Internet)
side if the administrator account is provided with a very strong password
and preferably access is only allowed to a specific or specific range
of external IP addresses.

> It also makes sense that hackers, more often than not, get in by sneaking
> something onto your system (via email or the web, as you noted)

Yes "social" (as in what traditional con-merchants have always used)
deception is so much easier.

Now what did you say you had set the password to?

[See what I did there ............]

Paul M. Cook

Jan 1, 2016, 4:25:07 PM

On Fri, 01 Jan 2016 18:34:51 +0000, J G Miller wrote:

>> But, there is no "Transmission" (bittorrent) service defined in the
>> /etc/services file
>
> Because nobody has registered Transmission as using a particular port.
> And if they did, then all the ISPs would have to do was block traffic
> on that port and it would not work properly, so people would then choose
> random alternative ports as they do now, so going to the trouble of
> registering a particular port for transmission is pointless ...

Interesting!

So, given the nature of what Transmission does, you don't actually want
a well-defined service for whatever port would be assigned to it, 'cuz
they (the powers that be) would just block it out of hand.

Now it begins to make sense!

Paul M. Cook

Jan 1, 2016, 4:26:02 PM

On Fri, 01 Jan 2016 18:34:51 +0000, J G Miller wrote:

> <https://nakedsecurity.sophos.com/2013/10/15/d-link-router-flaw-lets-anyone-login-using-joels-backdoor/>

OMG.
User Agent String = (essentially) Backdoor by Joel!

Paul M. Cook

Jan 1, 2016, 4:27:20 PM

On Fri, 01 Jan 2016 18:34:51 +0000, J G Miller wrote:

> A secondary line of defence is to have software firewalls running on each
> of your machines which will safeguard against this failure,

It's enough effort for me to just start understanding the ports in my
router firewall, let alone then implementing a software firewall.

I'll leave *that* to later!

Paul M. Cook

Jan 1, 2016, 4:59:34 PM

On Thu, 31 Dec 2015 23:30:05 +0000, J G Miller wrote:

> As far as I am aware (corrections please if not) transmission uses just one
> control port for communication with other p2p clients but having established
> contact and agreed on what other port to use and checked that it can be opened,
> then the actual data transfer occurs on that other port.
>
> Those will be the "random ports" you mentioned in an earlier message
> that transmission was using.

This explanation makes sense, but is actually confusing.

I guess the only thing that matters is what ports I have to open up in
the router and what ports to set in Transmission, and, as long as I
make them the same (and if they're not system ports or otherwise used),
it should work.

What is confusing is that the web page you provided is fantastically
done, but it says clearly that Transmission only uses 1 port: 51413
http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm

Yet the Transmission GUI implies that you can set any port, and any
number of ports.

So, that's confusing because the information doesn't match.

Anyway, I've already set up the router to UDP/TCP port forward 51413
exactly as your well written article above suggested, as shown below:
https://i.imgur.com/BQ9QNno.gif

Likewise, I set Transmission to use the same port 51413:
https://i.imgur.com/x6RaL8n.gif

Unfortunately, Transmission test results said the "Port is closed",
so, I have to debug why Transmission thinks the port is closed:
https://i.imgur.com/RUccJ3j.gif

Paul M. Cook

Jan 1, 2016, 5:02:28 PM

On Fri, 01 Jan 2016 16:59:32 -0500, Paul M. Cook wrote:

> What is confusing is that the web page you provided is fantastically
> done, but it says clearly that Transmission only uses 1 port: 51413
> http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm
>
> Yet the Transmission GUI implies that you can set any port, and any
> number of ports.

Please disregard this statement above because you explained that I had
interpreted the article wrong in a subsequent post that I hadn't read
at the time I wrote that above.

Paul M. Cook

Jan 1, 2016, 5:07:28 PM

On Fri, 01 Jan 2016 20:24:01 +0000, J G Miller wrote:

> You misread that article. It is not saying Transmission can only use
> port 51413.

Ooops. It sure *sounded* like it said that, but since it was confusing,
I like it better that your explanation matches what Transmission is
allowing me to set.

Paul M. Cook

Jan 1, 2016, 5:21:38 PM

On Fri, 01 Jan 2016 20:24:01 +0000, J G Miller wrote:

> You have to use the host's NIC MAC address NOT the router's
> WAN NIC MAC address.
> On your host just do
> ifconfig
> and probably your NIC is assigned to eth0 and from there you can see the
> MAC address

Thanks for the MAC address hints.

While I had never understood nor ever messed with router port forwarding
& UPnP before, I am pretty familiar with MAC addresses, so, I'm comfortable
with what I need to do on the router to set up a static IP address for
the laptop based on the current (spoofed) wlan0 MAC address of the laptop.

Setting a static IP address for the laptop will be a bit more confusing
for me than it would be for most people though, because, while my laptop
is always wireless (so I will have to match the MAC address on wlan0 and
not on eth0), I purposefully spoof my wlan0 MAC address frequently on my
laptop using a script by a guy named Marek Novotny (see script below).

So, while this changing of the MAC address will make static IP
assignment by the router harder for me than for most people, I know
exactly what to do in order to make that static IP assignment work.

Given that I change (spoof) my wlan0 MAC address frequently, I probably
should explore how to make the laptop IP address static using the
Ubuntu OS itself, but, that may be something for a later date to
learn how to do.

BTW, if you're interested in Marek's script for changing the MAC
address, here is my copy of it (he may have a later version) that
I pulled off the alt.os.unix newsgroup a few months ago.

$ cat $(which changemac.sh)
#!/bin/bash
#################################################
# Script: changemac.sh
# written by: Marek Novotny (modified slightly)
# version: 0.4
# date: 2015-10-17
# notes: MAC Address Changing Ubuntu
# See also: http://wintelguy.com for valid MAC OUIs
# https://www.adminsub.net/mac-address-finder
#################################################
# In the future, change the MAC address in /etc/network/interfaces.
# That way, the interface starts up safer, with the fake mac
# When the interface goes down it gets re-configured.
# You can put the hide_me script in /etc/if-pre-up.d
# and the change would go in before the interface comes up.
# use sudo if you're not root (otherwise add ifconfig to sudoers.d)

if [ "$(id -u)" != 0 ] ; then
    priv="sudo"
else
    priv=""
fi

# grab the NIC interface of the default route (e.g., devID=wlan0)
# WIP: Add a check if device ID is "tun?" or "ppp?", don't change it
devID=$(ip route get 8.8.8.8 | awk 'NR==1 {print $5}')
if [ -z "$devID" ] ; then
    echo "could not determine the outgoing interface" >&2
    exit 1
fi
# Get the current device MAC address (old ifconfig prints "HWaddr xx:xx:xx:xx:xx:xx")
MACaddr=$(ifconfig "$devID" | grep HWaddr | awk '{print $5}')
echo "old MAC: $MACaddr"

# Set up a list of organizationally unique identifiers OUI
# https://www.adminsub.net/mac-address-finder
OUIArray=(
    00:01:2a # telematica sistems inteligente
    00:02:b3 # intel corporation
    00:03:47 # intel corporation
    # ... list truncated for Usenet post ...
    f0:4d:a2 # dell inc.
    f4:06:69 # intel corporate
    fc:8f:c4 # intelligent technology inc.
)

# if [ $# -eq 0 ]
# then
#     echo -n "Enter new MAC: "
#     read newMAC
# else
# pick a random OUI: array indices run 0 .. count-1, so reduce modulo the count
# itself (modulo count+1 could pick a non-existent entry and produce an empty OUI)
RANGE=${#OUIArray[@]}
i=$(( RANDOM % RANGE ))
OUI=${OUIArray[$i]}

# generate a new NIC specific identifier (the last three octets):
# md5sum gives 32 hex digits, sed puts a colon after every pair, and
# bytes 9-17 of that are ":xx:xx:xx", which is appended to the OUI
NIC=$(date | md5sum | sed 's/../&:/g' | cut -b 9-17)
newMAC="$OUI$NIC"
# fi

echo "new MAC: $newMAC"

# Offer to replace old mac addr with the new
echo "Do you wish to assign $newMAC to $devID?"
echo "Press 1 to assign $newMAC to $devID? (otherwise press 2)"
select yn in "Yes" "No" ; do
    case $yn in
        Yes )
            $priv ifconfig "$devID" down
            sleep 2 # allow interface to go down
            $priv ifconfig "$devID" hw ether "$newMAC"
            sleep 2 # allow time to assign MAC to interface
            $priv ifconfig "$devID" up && $priv ifconfig "$devID" | grep HWaddr
            break
            ;;
        No )
            exit 0
            ;;
    esac
done

## END ##
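
An added example, not from the thread and not part of Marek Novotny's script: the
checks a reader would want before trusting an address the script (or anyone else)
produced. The two flag bits in the first octet are what a carelessly generated MAC
gets wrong: bit 0 (I/G) set means multicast, which can never be a station address,
and bit 1 (U/L) set means locally administered, which a vendor-assigned address never
has. The OUI table here is a constructed three-entry stand-in for the IEEE registry
(two prefixes taken from the script's list plus VMware's 00:50:56); the wintelguy.com
lookup mentioned above covers the whole registry. The generator keeps the vendor prefix
the way the script does but draws the NIC half from the OS CSPRNG instead of an
md5sum of the current date, so two runs in the same second cannot produce the same
address.

```python
"""MAC address sanity checks and OUI-preserving random generation.

Added example, not part of the thread or of the changemac.sh script.
OUI_TABLE is a constructed stand-in for the IEEE registry.
"""
import os
import re

# Constructed vendor table: two prefixes from the script's OUI list plus one more.
OUI_TABLE = {
    "00:02:b3": "Intel Corporation",
    "f0:4d:a2": "Dell Inc.",
    "00:50:56": "VMware, Inc.",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
OUI_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){2}$")


def describe_mac(mac: str) -> dict:
    """Parse a colon- or dash-separated MAC and report its OUI and flag bits."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(mac[:2], 16)
    oui = mac[:8]
    return {
        "mac": mac,
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),                       # None if the prefix is unknown
        "multicast": bool(first_octet & 0x01),              # I/G bit: group address
        "locally_administered": bool(first_octet & 0x02),   # U/L bit: not vendor-assigned
    }


def looks_like_vendor_mac(mac: str) -> bool:
    """True if the address is unicast, universally administered and has a known OUI."""
    info = describe_mac(mac)
    return (not info["multicast"]
            and not info["locally_administered"]
            and info["vendor"] is not None)


def random_mac_for_oui(oui: str, randbytes=os.urandom) -> str:
    """Keep the vendor prefix and randomise the 24-bit NIC-specific part.

    The OUI must itself be unicast and universally administered, otherwise the
    result could not pass as a vendor-assigned address. randbytes is injectable
    so the function can be tested deterministically.
    """
    oui = oui.strip().lower().replace("-", ":")
    if not OUI_RE.match(oui):
        raise ValueError(f"not an OUI: {oui!r}")
    if int(oui[:2], 16) & 0x03:
        raise ValueError("OUI has the multicast or locally-administered bit set")
    nic = randbytes(3)
    return oui + "".join(f":{b:02x}" for b in nic)


if __name__ == "__main__":
    for addr in ("00:02:b3:12:34:56", "02:00:00:00:00:01", "01:00:5e:00:00:fb"):
        print(addr, describe_mac(addr), looks_like_vendor_mac(addr))
    print(random_mac_for_oui("f0:4d:a2"))
```

Run with a bad OUI (for example a multicast prefix such as 01:00:5e) the generator
refuses rather than producing an address that would be rejected by the driver or
stand out on the LAN.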

J G Miller

Jan 1, 2016, 5:24:50 PM

On Friday, January 1st, 2016, at 16:25:05h -0500, Paul M. Cook wrote:

> So, given the nature of what Transmission does, you don't actually want
> a well-defined service for whatever port would be assigned to it, 'cuz
> they (the powers that be) would just block it out of hand.

What I should have explained further was that, in reality, it is more
likely that the ISP would not block that port (unless compelled to do so
by a court order or possibly just a request from the City of London
[England] Police) but that they would slow down traffic assigned to
that port number (traffic shaping).

If you read the HOWTOs/FAQs for some other p2p client software, the authors
recommend not using the well known p2p port numbers for exactly
that reason (traffic shaping slowdown) but to use some random (usually
higher number) port.

Paul M. Cook
Jan 1, 2016, 5:30:41 PM
On Fri, 01 Jan 2016 15:04:50 -0600, Wildman wrote:

> Also, Transmission can be set to use a random port each time the
> program is started. For the benefit of the OP, Port 51413 is only
> the default port and can easily be changed.

Thank you for pointing out the "random" port option.

I had seen that, and wondered how that fits in the picture of assigning
ports, since the random port doesn't have a range.

So, I "guessed" that you can't really both set Transmission to a
random port and set a range in your router to port forward.

It seems, to me, only logical that the random port setting in
Transmission can only be used if you turn UPnP on in the router.

Otherwise, it seems to me, if you have UPnP turned off, then
you have to set a range of ports in the router.

The problem is that Transmission doesn't seem to have a range
option to limit the random ports to the same range that you
set in the router.

So, it seems, to me, logical that:

(A) If you set the router to UPnP, then you can also set Transmission
to use random ports, but,
(B) If you set the router to a range of static ports, the problem is
that you can't limit Transmission to use those static ports only.
Given that:
(C) Effectively, you can only set Transmission to a single port if
you also have UPnP turned off in the router since that's the
only way you can guarantee that Transmission will use the same
port as you have opened up in the router.

So, I think *that* is why the article on how to set up Transmission
may have promulgated using only *one* port.

DISCLAIMER: I am only starting to understand this stuff, so take
everything I assume with a large bag of salt.

Paul M. Cook
Jan 1, 2016, 5:34:57 PM
On Fri, 01 Jan 2016 21:03:48 +0000, J G Miller wrote:

> The administration interface should never be open on the WAN (Internet)
> side by default. It should only ever be opened on the WAN (Internet)
> side if the administrator account is provided with a very strong password
> and preferably access is only allowed to a specific or specific range
> of external IP addresses.

I don't think my SOHO router will allow a range of IP addresses, nor,
can the password be all that secure since it seems to be limited to
8 characters.

You can put in more than 8 characters, and it won't complain, but,
it seems to look at only the first 8 characters.

Worse, my router doesn't seem to let you change the admin username,
so, the admin account is always "admin".

So, if that's how all SOHO routers work, that's not all that secure.

Paul M. Cook
Jan 1, 2016, 7:07:30 PM
On Fri, 01 Jan 2016 22:22:11 +0000, J G Miller wrote:

> If you read the HOWTOs/FAQs for some other p2p client software, the authors
> recommend not using the well known p2p port numbers for exactly
> that reason (traffic shaping slowdown) but to use some random (usually
> higher number) port.

At this point, I understand a *lot* more than I did before.
I'll try to write up a summary for others to benefit.

At the moment though, I "think" I did everything right, but, still,
Transmission is saying the port is "closed" when I test it.
https://i.imgur.com/RUccJ3j.gif

Wondering if this setting makes any difference, I had to look it up:
[ ]Use UPnP or NAT-PMP port forwarding from my router

While I know we're not using UPnP now, I don't know if we discussed whatever
"NAT-PMP" is yet. Googling, I see NAT-PMP stands for Network Address
Translation Port Mapping Protocol.
https://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol

It seems to be "similar" to UPnP, so, I don't think it's a good idea
to check that box.

Do you concur?

J G Miller
Jan 1, 2016, 7:12:35 PM
On Friday, January 1st, 2016, at 17:30:39h -0500,
Paul M. Cook wrote:

> It seems, to me, only logical that the random port setting in
> Transmission can only be used if you turn UPnP on in the router.

Correct. That is why uPnP is convenient, but as we all should now know,
perhaps not very safe.

> The problem is that Transmission doesn't seem to have a range
> option to limit the random ports to the same range that you
> set in the router.

Not in the GUI because the developers have never bothered to add it in,
but it can be manually set in the configuration file.

See "Peer Port" at

<https://trac.transmissionbt.COM/wiki/EditConfigFiles>

(I have a vague feeling that this may have been broken in
some old versions of Transmission, but if you are using 2.84
it should work as expected.)

And if you do use it, do not use too wide a range of numbers:
no more than 250 perhaps at the very most, but 50 should be more
than adequate.

Also if you want to review your understanding of implementing
port forwarding with respect to transmission, take a look at

<https://trac.transmissionbt.COM/wiki/PortForwardingGuide>

Paul M. Cook
Jan 1, 2016, 7:44:00 PM
On Sat, 02 Jan 2016 00:09:56 +0000, J G Miller wrote:

> Not in the GUI because the developers have never bothered to add it in,
> but it can be manually set in the configuration file.

There's a Transmission configuration file?

Looking about, I see there are config files here:
$HOME/.config/transmission/settings.json

$ grep port settings.json
"peer-port": 51413,
"peer-port-random-high": 65535,
"peer-port-random-low": 49152,
"peer-port-random-on-start": false,
"port-forwarding-enabled": true,
"rpc-port": 9091,

> See "Peer Port" at
> <https://trac.transmissionbt.COM/wiki/EditConfigFiles>
>
> (I have a vague feeling that this may have been broken in
> some old versions of Transmission, but if you are using 2.84
> it should work as expected.)

My version is 2.82 (14160).

Paul M. Cook
Jan 1, 2016, 8:36:24 PM
Thanks to everyone here, below is a summary I wrote of my current
understanding of just the UPnP versus Port Forwarding issue for
setting up the Transmission bittorrent client on Linux (Ubuntu) for
optimal speed.

It's written in my words, so, if there are errors in my understanding,
I'm fine with you pointing them out!

My summary of what was learned in this thread about UPnP & Port Forwarding

(0) The way things work is that an incoming request to WAN external IP
1.2.3.4 on port 12345 hits the SOHO router. Without port forwarding,
the SOHO router will drop that request (or any request to
any port).

But, with port forwarding, the router sees the external port WAN
request for 1.2.3.4:43101 and it forwards that external port to
a static LAN internal port of 192.168.1.10:43101, which the
Transmission client is listening on for upload requests (which
apparently require both TCP & UDP messages).

(Transmission settings are in $HOME/.config/transmission/settings.json)

(1) Since bittorrent maintains two download queues, the first priority
going to those who are uploading data and the second going to those
who are not uploading data, if I'm not uploading data, then I will
only download data when the first queue is empty.

(2) That means two different things if I don't open a port to the world:
- For those people with public sockets, I will be in the first
queue because they can get data from me even though I don't
have a public socket myself.
- For those people without public sockets, I will be in the
second queue because, to them, I'm not uploading any data
because I don't have a public upload socket open.

(3) Overall, not opening a port will probably increase my download
times (depending on a combination of how many other people have
public sockets open and on how full that first queue is).

(4) The *easiest* way to open a port for those external clients who
do not have a public socket is to simply turn on UPnP on both
the SOHO router and in Transmission. Optionally, if UPnP is
turned on in Transmission, I can set Transmission to use a
random port each time the application is started.

(5) The *safest* way to open a port is to turn off UPnP in both the
SOHO router and in the Transmission app, and just manually
forward a port in the router & set that same port in Transmission.
Pick a random port between 49152 & 65535. The default is 51413.
https://trac.transmissionbt.com/wiki/PortForwardingGuide

However, there are a bunch of things you have to do in order
to accomplish that task:
(a) You'll need to have your computer on a static IP address
on the LAN (e.g., 192.168.1.10).
This can be set (based on the computer wlan0 MAC address)
by the router, or, this can be set on the Ubuntu computer.
(b) You'll need to select an unused external/internal port set
to forward UDP & TCP packets to (e.g., port 51413)
(This port needs to be between 1025 and 65535.)
(c) You'll want to double-check your /etc/services file to ensure
whatever port you chose is not being otherwise used.
In my case, there are no ports in /etc/services between
port 27374 & 30865, and only 3 ports higher than 30865
{57000,60177,60179}, so, all other ports are fair game.
Application = trans

NOTE: There are other things you can set to improve Transmission speeds!
http://falkhusemann.de/blog/2012/07/transmission-utp-and-udp-buffer-optimizations/

REFERENCES:
http://portforward.com/help/portforwarding.htm
http://portforward.com/english/routers/port_forwarding
http://portforward.com/english/routers/port_forwarding/Netgear/WNDR3400v2/Transmission.htm
http://techsupportalert.com/content/optimizing-transmission-bittorrent-client-speed.htm
https://trac.transmissionbt.com/wiki/PortClosed

Char Jackson
Jan 1, 2016, 8:57:19 PM
On Fri, 01 Jan 2016 12:23:42 -0500, "Paul M. Cook" <pmc...@gte.net> wrote:

>The "port forwarding" is just connecting an internal port on the LAN
>(i.e., 192.168.1.10:43101) to an external port on the WAN (for example,
>1.2.3.4:43101).

Actually, it's exactly the other way around, which you've corrected in later
posts, I think, but I wanted to make sure.

Port forwarding, in your NAT/SOHO router, pre-configures your router to
accept traffic arriving at its WAN port (i.e., from the Internet,
typically), and forward it to a specific IP:port on your LAN. You do this
pre-config work on the router, and then some amount of time later, traffic
arrives at the router's WAN port and utilizes your work.

The opposite scenario, connecting an internal (LAN) port to an external
(WAN) port, happens automatically when you initiate traffic in that
direction. The router not only allows traffic to flow in that outbound
direction, it also creates a session table entry (sometimes called a
connection table) that essentially says traffic arriving in response to that
outbound traffic should be allowed. That happens for both TCP and UDP, BTW.

In the absence of either port forwarding or prior outbound traffic,
inbound traffic arriving at the router's WAN port will be dropped. Put
another way, inbound traffic (WAN -> LAN) is checked to see if an entry in
the session table matches, or a port forwarding rule exists and matches, and
if both conditions are false the traffic is dropped.

Note that port forwarding can be something that you do manually, or
something that happens automatically via uPNP, to bring this full circle. If
you only allow port forwarding as something that you do manually, at least
you have some control over it. If you allow uPNP, port forwarding happens
programmatically, behind your back. Sometimes that's more convenient, but I
have a hard time thinking it's ever more secure, so I agree with the advice
to disable uPNP.
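The inbound decision described in the post above (session-table hit, else forwarding rule, else drop), as an added toy model; this is not router firmware or anything from the thread, and every address, port and the log wording are constructed for the illustration.

```python
"""Toy model of the SOHO router inbound decision described above: inbound
WAN->LAN traffic is accepted only if it matches a session created by
earlier outbound traffic, or a static port-forwarding rule.
Added illustration, not router firmware; all addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A session key is (protocol, remote_ip, remote_port, wan_port).
FlowKey = Tuple[str, str, int, int]

@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class SohoRouter:
    wan_ip: str
    # static rules, set by hand (or by UPnP): (proto, wan_port) -> (lan_ip, lan_port)
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # session (connection) table, filled only by outbound traffic
    sessions: Dict[FlowKey, Tuple[str, int]] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)
    next_wan_port: int = 40000

    def outbound(self, pkt: Packet) -> int:
        """LAN -> WAN: pick a WAN port and remember the flow so replies can come back."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.sessions[(pkt.proto, pkt.dst_ip, pkt.dst_port, wan_port)] = (pkt.src_ip, pkt.src_port)
        return wan_port

    def inbound(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """WAN -> LAN: deliver on a session hit or a forwarding rule, otherwise drop."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.sessions:
            return self.sessions[key]            # reply to traffic the LAN started
        rule = self.forwards.get((pkt.proto, pkt.dst_port))
        if rule is not None:
            self.log.append(f"[LAN access from remote] from {pkt.src_ip}:{pkt.src_port} "
                            f"to {rule[0]}:{rule[1]}")
            return rule
        self.log.append(f"[dropped] {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_port}")
        return None

def demo() -> dict:
    """Three inbound packets: a reply, a peer on the forwarded port, and unsolicited traffic."""
    r = SohoRouter(wan_ip="203.0.113.7")                  # constructed (TEST-NET-3) WAN address
    r.forwards[("tcp", 51413)] = ("192.168.1.10", 51413)  # manual Transmission forward
    wan_port = r.outbound(Packet("tcp", "192.168.1.10", 40123, "198.51.100.5", 443))
    reply = r.inbound(Packet("tcp", "198.51.100.5", 443, r.wan_ip, wan_port))
    peer = r.inbound(Packet("tcp", "198.51.100.9", 6881, r.wan_ip, 51413))
    unsolicited = r.inbound(Packet("tcp", "198.51.100.9", 6881, r.wan_ip, 9091))
    return {"reply": reply, "peer": peer, "unsolicited": unsolicited, "log": r.log}
```

Only the forwarded-port case produces a remote-access log line; the reply is silent (session hit) and the unsolicited packet to the unforwarded port is dropped.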

J G Miller
Jan 2, 2016, 11:20:15 AM
On Friday, January 1st, 2016, at 19:43:59h -0500,
Paul M. Cook asked:

> There's a Transmission configuration file?

Did you not see the text at the top of the page

QUOTE
Editing Configuration Files
...
For the location of these files, look at the Configuration Files page.
UNQUOTE

> $ grep port settings.json
> "peer-port": 51413,
> "peer-port-random-high": 65535,
> "peer-port-random-low": 49152,
> "peer-port-random-on-start": false,
> "port-forwarding-enabled": true,
> "rpc-port": 9091,

Yes, peer-port are the ones you are interested in.

Incidentally, for easier searching try

grep --color 'peer-port' settings.json

> My version is 2.82 (14160).

Should work fine.

Incidentally my recollection about random communication port
in a range not working may have been misplaced with
respect to transmission and was probably an experience with
deluge because when I was trying it out, I recall it was in
a GUI setting which of course transmission does not have.

J G Miller
Jan 2, 2016, 11:49:14 AM
On Friday, January 1st, 2016, at 19:07:29h -0500, Paul M. Cook reported:

> At the moment though, I "think" I did everything right, but, still,
> Transmission is saying the port is "closed" when I test it.

Did you restart transmission after making all the changes?
Sometimes it (and other software) can be unreliable at
changes whilst running.

However, more than probably that is not the issue, so here
is the check list, with the most likely cause being #2:

1) On the router did you assign a fixed IP to the MAC
address of wlan0

2) Did you check that the IP address on the host had changed,
either by manually restarting the WiFi or rebooting the machine,
and then checking again with ifconfig that wlan0 had the
fixed IP address that you think it should

3) On the router did you check, after rebooting the router, that
the rule was there to forward both TCP and UDP from external port NNNN
to internal port NNNN

4) Did you check that transmission was set to use port NNNN as the
communications control port?

5) Did you restart transmission just to be sure the new setting was
activated and then do the check port test?

> It seems to be "similar" to UPnP, so, I don't think it's a good idea
> to check that box.

Leave that box unchecked since turning it on will cause transmission to
try both when it does not need to because you are doing the port forwarding
on the router.

Also if you are p2ping with a private tracker make sure that DHT and PEX
are turned off, or you will get banned from using the private tracker.

J G Miller
Jan 2, 2016, 12:05:58 PM
On Friday, January 1st, 2016, at 20:36:22h -0500, Paul M. Cook wrote:

> (1) Since bittorrent maintains two download queues

This is incorrect. bittorrent is a protocol. The number of queues
and their priority is something which is client dependent. The clients
may contain code which lowers their upload priority to other clients
who are not sharing (leech only mode) either wilfully or because their
communication control port is blocked.

> (2) That means two different things if I don't open a port to the world:
> - For those people with public sockets, I will be in the first
> queue

No there are many queues. The remote p2p client may be sharing
many other files and the sharing of those other files may be set
at a much higher priority than the one you are trying to get.
Also some clients allow setting a maximum number of connections
per torrent. So if the remote p2p client is already sharing with
say 4 others, and has a maximum of 4 clients set, you will just
have to wait until one of those other 4 drops off before you
can download from that particular remote p2p client.

> (3) Overall, not opening a port will probably increase my download
> times (depending on a combination of how many other people have
> public sockets open and on how full that first queue is).

p2p is all about sharing which means both uploading (seeding) and
downloading (leeching). If other people were not prepared to share,
you would not be able to download anything, so it is only fair and
proper for you to be connectable and share what you have downloaded
with others who are trying to download.

> Optionally, if UPnP is turned on in Transmission, I can set
> Transmission to use a random port each time the application is started.

You do not have to use uPnP in order to turn on the random port feature.
What you do have to do is to set a limit on the random port range
and then use that random port range (external port start through external
port end to forward to internal port start through internal port end)
in your port forwarding on the router.

> The default is 51413.

So do not use the default - pick something else.
Security by obscurity must never be relied upon, but it
does not hurt.

Also something else which should have been emphasized --
do not run a p2p client from your own userid.

Create a separate user p2p with its own password and home
directory etc and run any p2p client solely under that user
account.

NEVER EVER, EVER run p2p client as root, because it is not
just a client but is a daemon as well, and daemons with bugs
are ways of compromising (i.e. cracking into) a system.

(And on distributions which have sudo facilities, ensure that
the p2p account cannot sudo to anything.)
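The settings.json keys shown earlier in the thread, checked against the advice in this post and the earlier one on range size: an added example, not Transmission's own code. The settings.json and /etc/services excerpts are constructed samples, ROUTER_FORWARD is an assumed manual rule, and port-forwarding-enabled is taken to be the UPnP/NAT-PMP checkbox discussed above.

```python
"""Consistency check of Transmission's settings.json against a manual router
forwarding rule, following this thread's advice. Added illustration, not
Transmission's own code; the samples below are constructed."""
import json
from typing import Dict, List, Set

# Constructed sample of $HOME/.config/transmission/settings.json (keys as on the page).
SETTINGS_JSON = """{
  "peer-port": 51413,
  "peer-port-random-high": 65535,
  "peer-port-random-low": 49152,
  "peer-port-random-on-start": true,
  "port-forwarding-enabled": true,
  "rpc-port": 9091
}"""
# Constructed excerpt of /etc/services in its usual format.
ETC_SERVICES = """# Network services, Internet style
ssh      22/tcp
http     80/tcp    www
bittorrent-tracker 6969/tcp
"""
# Assumed manual rule on the router: WAN 49200-49249 (TCP+UDP) to the same LAN ports.
ROUTER_FORWARD = {"low": 49200, "high": 49249}
MAX_RANGE = 250            # the thread's suggested ceiling for a random range
DEFAULT_PEER_PORT = 51413  # Transmission's default, which the thread advises against

def ports_in_services(text: str) -> Set[int]:
    """Return every port number registered in /etc/services-style text."""
    used = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        port_proto = line.split()[1]           # e.g. "22/tcp"
        used.add(int(port_proto.split("/")[0]))
    return used

def check_settings(settings: Dict, forward: Dict[str, int], services: str) -> List[str]:
    """Return findings as readable strings; an empty list means the setup is consistent."""
    findings = []
    if settings["port-forwarding-enabled"]:
        findings.append("port-forwarding-enabled is true: Transmission will try UPnP/NAT-PMP "
                        "although the router is forwarding manually; set it to false")
    if settings["peer-port-random-on-start"]:
        low, high = settings["peer-port-random-low"], settings["peer-port-random-high"]
        if high - low + 1 > MAX_RANGE:
            findings.append(f"random range {low}-{high} spans {high - low + 1} ports; "
                            f"keep it to {MAX_RANGE} or fewer")
        if low < forward["low"] or high > forward["high"]:
            findings.append(f"random range {low}-{high} is not inside the forwarded range "
                            f"{forward['low']}-{forward['high']}; the port test will report closed")
    else:
        port = settings["peer-port"]
        if port == DEFAULT_PEER_PORT:
            findings.append(f"peer-port {port} is the default; pick another port")
        if not forward["low"] <= port <= forward["high"]:
            findings.append(f"peer-port {port} is not covered by the router's forwarding rule")
        if port in ports_in_services(services):
            findings.append(f"peer-port {port} is already registered in /etc/services")
    return findings

def run_check() -> List[str]:
    return check_settings(json.loads(SETTINGS_JSON), ROUTER_FORWARD, ETC_SERVICES)
```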

Paul M. Cook
Jan 2, 2016, 3:12:57 PM
On Sat, 02 Jan 2016 17:03:18 +0000, J G Miller wrote:

> Create a separate user p2p with its own password and home
> directory etc and run any p2p client solely under that user
> account.

I loved all your corrections, and I understood all but this one.
I can "guess" why, which, I guess, is so that you have plausible deniability?
Or is there another reason not to use you own login for P2P downloads?

J G Miller
Jan 2, 2016, 5:35:30 PM
On Saturday, January 2nd, 2016, at 15:12:54h -0500, Paul M. Cook wrote:

> I can "guess" why, which, I guess, is so that you have plausible deniability?
> Or is there another reason not to use you own login for P2P downloads?

As explained the p2p software is running as a client but also as a daemon.

If there is some as-yet undiscovered bug in the daemon part of the software,
a cracker could connect to the daemon and possibly get shell access.

If the daemon is running as p2p, then only the files belonging to p2p
are compromised, and anything else which is world readable; that of course
keeps files belonging to pmcook safe, so long as files/directories
for pmcook are not world readable.

After all, pmcook may use gnucash or some other personal finance tool
and would not want details of his transactions revealed to unauthorized
malicious intruders, because, unless it has changed and I am not aware
that it has,

"GnuCash does not use any built-in encryption."

If the daemon was running as root, it is game over, and the cracker
can as root do anything, unless of course limitations were imposed by
either selinux or apparmor.

Disappointingly (as far as I am aware) none of the main distributions
have included an apparmor profile for transmission or similar p2p
software to limit capabilities.