
pf and bittorrent


Dave
Aug 1, 2007, 1:38:08 AM
Hello,
I've got an obsd pf gateway. Behind it is a centos5 client that I want
to be able to use bittorrent. I've added rules to my pf.conf redirecting
incoming bittorrent ports 6881 through 6999 to the centos box, and allowing
outgoing traffic, yet I get no downloads, and errors when trying to connect
to the trackerless server or something like that. Does anyone have this
working?
Thanks.
Dave.


Guillaume Aubert
Aug 1, 2007, 5:23:33 AM

You need to allow incoming traffic from ports 6881 to 6999.

G. Aubert.

Dave
Aug 1, 2007, 1:44:02 PM
Hello,
Thanks for your reply. Here are my pf rules for bittorrent.

bittorrent = "192.168.0.4/32"
bittorrent_port = "6881:6999"

# bittorrent: redirect inbound peer connections on the external interface to the client
rdr on $ext_if inet proto tcp from any to any port $bittorrent_port -> $bittorrent port $bittorrent_port
rdr on $ext_if inet proto udp from any to any port $bittorrent_port -> $bittorrent port $bittorrent_port

# bittorrent: let the redirected traffic in (filter rules see the translated destination)
pass in quick on $ext_if inet proto tcp from any to $bittorrent port $bittorrent_port flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $bittorrent port $bittorrent_port keep state

# bittorrent: let it out towards the client on the internal interface
pass out quick on $int_if inet proto tcp from any to $bittorrent port $bittorrent_port flags S/SA keep state
pass out quick on $int_if inet proto udp from any to $bittorrent port $bittorrent_port keep state

Thanks.
Dave.

"Guillaume Aubert" <aubertg...@gmail.com> wrote in message
news:1185960213....@r34g2000hsd.googlegroups.com...
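To make it concrete how the rdr and pass rules above interact, here is a toy evaluator added for this thread (it is not code from the thread or from OpenBSD). It models only the pf behaviour the rules depend on: on the pf of that era, rdr translation is applied to inbound packets before filtering, so the "pass in" rule has to match the translated destination ($bittorrent, not $ext_if); filter rules are last-match-wins unless a matching rule says "quick"; and with no matching filter rule the packet passes, which is why a "block all" default is put at the top. The interface names, the public address, the peer addresses and the outbound pass rules Dave mentioned but did not post are all assumptions made for the example.

```python
"""Toy model of the pf semantics Dave's rdr + pass rules rely on.

Added example, not code from the thread.  Constructed assumptions: the
external interface is "em0" with public address 203.0.113.10, the internal
interface is "em1", and the CentOS client is 192.168.0.4 listening on
6881-6999.  Only the pf behaviour the thread depends on is modelled:
rdr rules are applied to inbound packets before filtering, so pass rules
must match the translated destination; filter rules are last-match-wins
unless a matching rule carries "quick"; with no matching filter rule the
packet passes, hence the explicit "block all" at the top of the ruleset.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

EXT_IF, INT_IF = "em0", "em1"      # assumed interface names ($ext_if/$int_if)
EXT_ADDR = "203.0.113.10"          # assumed public address of the gateway
CLIENT = "192.168.0.4"             # $bittorrent from Dave's post
BT_PORTS = (6881, 6999)            # $bittorrent_port = "6881:6999"


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str    # "in" or "out", relative to the gateway
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    kind: str                            # "rdr", "pass" or "block"
    direction: Optional[str] = None      # None matches both directions
    iface: Optional[str] = None          # None matches any interface
    protos: Tuple[str, ...] = ("tcp", "udp")
    dst: Optional[str] = None            # None matches any destination
    dports: Optional[Tuple[int, int]] = None   # inclusive range, None = any
    quick: bool = False
    rdr_to: Optional[str] = None         # translation target for rdr rules

    def matches(self, p: Packet) -> bool:
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and p.proto in self.protos
                and self.dst in (None, p.dst)
                and (self.dports is None
                     or self.dports[0] <= p.dport <= self.dports[1]))


# Dave's rdr and "pass in quick on $ext_if" rules, plus a default deny and
# the outbound pass rules he said he had but did not post (assumed here).
RULESET = [
    Rule("block"),
    Rule("rdr", "in", EXT_IF, dports=BT_PORTS, rdr_to=CLIENT),
    Rule("pass", "in", EXT_IF, dst=CLIENT, dports=BT_PORTS, quick=True),
    Rule("pass", "in", INT_IF, quick=True),           # LAN -> gateway
    Rule("pass", "out", EXT_IF, quick=True),          # gateway -> Internet
    Rule("pass", "out", INT_IF, dst=CLIENT, dports=BT_PORTS, quick=True),
]


def evaluate(rules, pkt: Packet):
    """Return (verdict, packet as the filter saw it, i.e. after rdr)."""
    if pkt.direction == "in":            # translation precedes filtering
        for r in rules:
            if r.kind == "rdr" and r.matches(pkt):
                pkt = replace(pkt, dst=r.rdr_to)
                break
    verdict = "pass"                     # pf default when nothing matches
    for r in rules:
        if r.kind in ("pass", "block") and r.matches(pkt):
            verdict = r.kind
            if r.quick:
                break
    return verdict, pkt


def inbound_peer(dport: int, proto: str = "tcp"):
    """A remote peer connecting to the port we announced (arrives on em0)."""
    pkt = Packet(EXT_IF, "in", proto, "198.51.100.7", 51234, EXT_ADDR, dport)
    return evaluate(RULESET, pkt)


def outbound_from_client(dst: str, dport: int, proto: str = "tcp"):
    """The client reaching a tracker or a remote peer (enters on em1)."""
    pkt = Packet(INT_IF, "in", proto, CLIENT, 40000, dst, dport)
    return evaluate(RULESET, pkt)


if __name__ == "__main__":
    cases = {
        "peer -> 6881/tcp": inbound_peer(6881),
        "peer -> 6999/udp": inbound_peer(6999, "udp"),
        "peer -> 50001/tcp": inbound_peer(50001),
        "client -> tracker:80": outbound_from_client("198.51.100.9", 80),
    }
    for label, (verdict, seen) in cases.items():
        print(f"{label:22} {verdict:5} (filter saw dst {seen.dst}:{seen.dport})")
```

Running it shows the inbound peer connection to a port inside 6881:6999 being rewritten to 192.168.0.4 and then matched by the "pass in quick" rule, while a connection to a port outside the range is never translated and falls through to the default block. A real ruleset is checked with "pfctl -nf /etc/pf.conf" and the live translations inspected with "pfctl -sn" and "pfctl -ss".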

Clever Monkey
Aug 1, 2007, 2:46:09 PM

I see you are discussing this else-thread, but for reference, here are
the germane parts of my pf.conf for BitTorrent:

BitTorrent="50001"

# BitTorrent
rdr on $ext_if inet proto { udp, tcp } from any to $ext_if port $BitTorrent -> ($int_if:network) port $BitTorrent

# Allow BitTorrent traffic, and shortcut the rest of the rules
pass in quick on $ext_if inet proto { tcp, udp } from any to any port $BitTorrent

I'm not sure if this is ideal or not, but it works. In the past I had
to redirect to specific internal hosts, but the wildcarding seems to work
ok. Note I changed the BitTorrent port to 50001. I found I did not
seem to need a range. I'm probably not letting myself connect to as
many peers, but (as I said) this works Good Enough for me.

--
clvrmnky <mailto:spam...@clevermonkey.org>

Direct replies will be blacklisted. Replace "spamtrap" with my name to
contact me directly.

Dave
Aug 2, 2007, 12:43:46 PM
Hi,
Thanks for your reply. I'd prefer to use the standard ports, so as to
assure maximum compatibility. I've added the rules. Which bittorrent client
do you use? Is it on a linux box, and how is it invoked?
Thanks.
Dave.

"Clever Monkey" <spam...@clevermonkey.org.INVALID> wrote in message
news:Rx4si.20322$13....@nnrp.ca.mci.com!nnrp1.uunet.ca...

Guillaume Aubert
Aug 2, 2007, 1:39:01 PM
I think BitTorrent doesn't use UDP.

These are my old rules:

rdr on $ext_if proto tcp from any to ($ext_if) port 6881:6889 -> $P2P port 6881:*

pass in quick on $ext_if proto tcp from any to $user_ip port 6880><6890 flags S/SA keep state

But now I use only one port with uTorrent with success:

rdr on $ext_if proto tcp from any to ($ext_if) port $PORT -> $user_ip port $PORT

pass in quick on $ext_if proto tcp from any to $user_ip port $PORT keep state

G. Aubert.


Christian Weisgerber
Aug 2, 2007, 5:35:52 PM
Guillaume Aubert <aubertg...@gmail.com> wrote:

> I think BitTorrent don't use UDP

There are at least two common extensions to the basic BT protocol
that use UDP:

* The client and tracker can optionally communicate over UDP. Given
the simple request/reply protocol, this makes sense, but despite
fairly widespread client support, UDP trackers are rare.

* The "trackerless" mode introduced by the mainline client has the
nodes communicate over UDP.

--
Christian "naddy" Weisgerber na...@mips.inka.de

Clever Monkey
Aug 3, 2007, 10:33:52 AM
Dave wrote:
> Thanks for your reply. I'd prefer to use the standard ports, so as to
> assure maximum compatibility. I've added the rules, which bittorrent client
> do you use is it on a linux box and how is it invoked?
> Thanks.
>
Nope, I use a fancy GUI on OS X. OBSD just has to forward those packets
to the right host.

Contrary to my last comment, if I change the ruleset to rdr BT traffic
to a specific host:port, I (surprise!) get more peer connections.

I think folks recommend using the non-default ports because so many ISPs
will block them. I suspect traffic-shaping is becoming more common,
so this is unlikely to be an issue over time. Though, I guess this is
why many apps recommend you bump the port you use to a single
"ephemeral" port. Since you announce your IP and port to peers, they
know which one to talk to you back on.

Christian Weisgerber
Aug 7, 2007, 11:42:58 AM
Dave <dmeh...@woh.rr.com> wrote:

> Thanks for your reply. I'd prefer to use the standard ports, so as to
> assure maximum compatibility.

I think it needs pointing out that BitTorrent isn't tied to any
particular port numbers. Port 6881 and subsequent ones is just the
default setting where the Mainline client listens for incoming
connections.

(Note that there are trackers that explicitly refuse clients that
use the default port numbers, because these can be a target for
filtering/traffic shaping by ISPs, so "to assure maximum compatibility"
you actually want to use a different range.)

There are three subcommunications to consider:
(1) The local client connects to the remote tracker. The port number
is specified in the tracker URL in the torrent file.
(2) The local client connects to a remote client. The connection will
be from an ephemeral port to whatever port the remote client has
specified via the tracker.
(3) A remote client connects to the local client. The connection
will be from some random port to whatever port the local client
has specified via the tracker.
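Points (1) and (3) above can be seen directly in the torrent file and in the tracker request. The following is an example added here, not code from the thread: it decodes a .torrent (bencode), lists every tracker endpoint with its scheme and port (so udp:// trackers, which Christian mentions in the earlier post, show up alongside http://), and builds the HTTP announce query in which the client tells the tracker the port it wants remote peers to connect back on. SAMPLE_TORRENT and the host names tracker.example / backup.example are constructed for the example; the bencode format and the announce parameters are the standard ones.

```python
"""Read the tracker endpoints and build the announce request for a .torrent.

Added example, not code from the thread.  SAMPLE_TORRENT is constructed for
the example (tracker.example / backup.example are placeholder hosts); the
bencode format and the HTTP announce parameters are the standard ones.
"""
import hashlib
from urllib.parse import urlencode, urlsplit


def bencode(v) -> bytes:
    """Encode int/bytes/str/list/dict as bencode (dict keys sorted, per spec)."""
    if isinstance(v, bool) or not isinstance(v, (int, bytes, str, list, dict)):
        raise TypeError(f"cannot bencode {type(v).__name__}")
    if isinstance(v, int):
        return b"i%de" % v
    if isinstance(v, str):
        v = v.encode()
    if isinstance(v, bytes):
        return b"%d:%s" % (len(v), v)
    if isinstance(v, list):
        return b"l" + b"".join(bencode(x) for x in v) + b"e"
    items = sorted((k.encode() if isinstance(k, str) else k, val)
                   for k, val in v.items())
    return b"d" + b"".join(bencode(k) + bencode(val) for k, val in items) + b"e"


def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder; returns (value, index after the value).
    Strings come back as bytes, dictionary keys as bytes."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {i}")


def tracker_endpoints(torrent: bytes):
    """(scheme, host, port) for every tracker URL, announce-list included.
    This is point (1) in the thread: the tracker port lives in the URL."""
    meta, _ = bdecode(torrent)
    urls = [meta[b"announce"].decode()]
    for tier in meta.get(b"announce-list", []):
        urls.extend(u.decode() for u in tier)
    defaults = {"http": 80, "https": 443}      # udp trackers always give a port
    result = []
    for u in dict.fromkeys(urls):              # de-duplicate, keep order
        parts = urlsplit(u)
        result.append((parts.scheme, parts.hostname,
                       parts.port or defaults.get(parts.scheme)))
    return result


def announce_query(torrent: bytes, listen_port: int,
                   peer_id: bytes = b"-XX0001-" + b"0" * 12) -> str:
    """Query string sent to an HTTP tracker.  The 'port' parameter is the
    port remote peers will connect back on (point (3) in the thread), so it
    must be the one the firewall redirects to the client."""
    meta, _ = bdecode(torrent)
    info_hash = hashlib.sha1(bencode(meta[b"info"])).digest()
    return urlencode({"info_hash": info_hash, "peer_id": peer_id,
                      "port": listen_port, "uploaded": 0, "downloaded": 0,
                      "left": meta[b"info"][b"length"]})


# Constructed sample torrent: one HTTP tracker, one UDP tracker, one HTTPS.
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example:6969/announce",
    "announce-list": [["http://tracker.example:6969/announce"],
                      ["udp://tracker.example:6969/announce"],
                      ["https://backup.example/announce"]],
    "info": {"name": "example.iso", "length": 4096,
             "piece length": 4096, "pieces": b"\x00" * 20},
})

if __name__ == "__main__":
    for scheme, host, port in tracker_endpoints(SAMPLE_TORRENT):
        print(f"{scheme:5} {host}:{port}")
    print(announce_query(SAMPLE_TORRENT, 6881))
```

The endpoint list is what the gateway's outbound rules have to permit (TCP for http/https, UDP for udp:// trackers), and the "port=" value in the announce query is the only port that needs an rdr plus "pass in" on the external interface; nothing ties it to 6881.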
