I've just installed Azureus as my .torrent client. During its
configuration the wizard checks for the 6881 TCP port reporting the
following message: "Testing port 6881... NAT error". I would like to
know how to open this port. I've surfed the list, googled the web
without success. I am wired to the Internet by an ADSL connection. I
wonder if this problem involves my Internet provider...
Thanks in advance for any help!
Regards
Marcelo
--
Marcelo Chiapparini
chi...@oi.com.br
1) Don't use port 6881. Pick something random in the 49152-65535 range.
2) Check your router/modem and make sure it's forwarding the port to your machine.
--
Chris Howie
http://www.chrishowie.com
Please *DO NOT* set your 'From' address to the list address. It's confusing as
I have no way to tell who sent the message. Adjust your mail client settings
before replying to this message.
Not using 6881 makes it easier for the network to survive, because ISPs have
started blocking common p2p ports. If we shift to the upper, unassigned range
(49152-65535) they can't really block those without hurting other things (some
implementations of passive FTP, for example). It also makes p2p traffic more
difficult to track (though still relatively simple).
> Marcelo Chiapparini wrote:
> > I've just installed Azureus as my .torrent client. During its
> > configuration the wizard checks for the 6881 TCP port reporting the
> > following message: "Testing port 6881... NAT error". I would like to
> > know how to open this port. I've surfed the list, googled the web
> > without success. I am wired to the Internet by an ADSL connection. I
> > wonder if this problem involves my Internet provider...
> > Thanks in advance for any help!
>
> 1) Don't use port 6881. Pick something random in the 49152-65535 range.
Are you suggesting this for a reason, or just for diagnostic purposes? I don't do much with torrent, but once in a while I do and it never seems to quite work very well. And yes, I port forward something like 6881-6999 or some such. Just curious.
A
> 1) Don't use port 6881. Pick something random in the 49152-65535 range.
What's wrong with using port 6881?
Curiously,
--
Scott
www.angrykeyboarder.com
© 2006 angrykeyboarder™ & Elmer Fudd. All Wights Wesewved
But I also have to open up iptables a wee bit on my firewall box, with
this rule:
-----------
#!/bin/bash
BTFORWARDADDR=192.168.xx.3
PORTSTART=6881
PORTEND=6999
/sbin/iptables -A FORWARD -s $BTFORWARDADDR -p tcp --dport $PORTSTART:$PORTEND -j ACCEPT
-----------
Where the "xx" is a real number of course.
>Regards
>
>Marcelo
>
>--
>Marcelo Chiapparini
>chi...@oi.com.br
--
Cheers, Gene
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
I've already replied to that question on this thread.
But basically it makes it harder for ISPs to censor p2p traffic, as they've
started doing of late. If everyone picks a random port in the unassigned port
range (49152-65535) there's not a whole lot the ISPs can do short of block the
whole range, which would in turn break a lot of things.
IMO a good solution to ISPs censoring bittorrent traffic would be to have all
traffic (tracker and data) wrapped in TLS or SSL and have the port number
change every tracker update. The last random port would be left open for
clients that hopped aboard the tracker right before the last update.
E.g. when a torrent is started, pick a random port A in the unassigned range,
open it for traffic and notify the tracker. At the next update, pick a new
port B, open that one and send the new port to the tracker. Next update pick
yet another port C, open that one, inform the tracker of port C and close port
A. Next update, open D, give D to the tracker, close B, and so on. Everyone's
happy, providing that every client updates on roughly the same schedule.
Watch ISPs try to filter that. The TLS/SSL wrapper keeps them from filtering
by analyzing the protocol.
They may simply block anything they can't analyze.
--
John Hasler
That's a recipe for disaster for any ISP -- they would have to anticipate
every application that will be used by their clients and authorize it on their
analyzer. And if something like this did happen, chances are every moderately
sophisticated computer user subscribed to that ISP would complain or switch away.
Calm down. Software malfunction.
I just discovered the problem before I got back here and saw your reply.
It wasn't intentional.
>
> Not using 6881 makes it easier for the network to survive, because ISPs have
> started blocking common p2p ports. If we shift to the upper, unassigned range
> (49152-65535) they can't really block those without hurting other things (some
> implementations of passive FTP, for example). It also makes p2p traffic more
> difficult to track (though still relatively simple).
I see. Thanks for the clarification.
Some trackers will reject any connections from clients on the default
port(s).
Humm. I've never heard that before and so far it's not been a problem.
Thanks for the info.
Sorry, I didn't mean to come across as angry or upset, I only meant to add
emphasis for the case where it might be intentional (it's happened before).
Chris Howie writes:
> That's a recipe for disaster for any ISP -- they would have to
> anticipate every application that will be used by their clients and
> authorize it on their analyzer. And if something like this did happen,
> chances are every moderately sophisticated computer user subscribed to
> that ISP would complain or switch away.
Many ISPs would tell you that "sophisticated" users should have business
accounts. According to CenturyTel, for example, residential service is for
"educational and entertainment purposes only". They want consumers, not
users. The modem/router/firewall they supply is configured with a short
list of "pinholes" for specific services, mostly games. Very, very few of
their customers ever reconfigure it.
Thank you very much for your answer. However, I am completely ignorant
regarding NAT... after reading your advice, I went to the NAT howto and
I was scared...
On Mon, 2006-01-30 at 19:26 -0500, Gene Heskett wrote:
> On Monday 30 January 2006 17:59, Marcelo Chiapparini wrote:
> >Dear debianners,
> >
> >I've just installed Azureus as my .torrent client. During its
> >configuration the wizard checks for the 6881 TCP port reporting the
> >following message: "Testing port 6881... NAT error". I would like to
> >know how to open this port. I've surfed the list, googled the web
> >without success. I am wired to the Internet by an ADSL connection. I
> >wonder if this problem involves my Internet provider...
> >Thanks in advance for any help!
> >
> More than likely you'll need to set up a NAT rule in iptables.
iptables is, in fact, an (from the man page) "administration tool for
IPv4 packet filtering and NAT". You suggest to use iptables to set up a
NAT rule, isn't it?
> I have
> the NAT being done in the router,
my router, I guess, is with my IP provider... I can't do anything in
that machine...
> by forwarding this range of ports
> directly to this machine's address. It's all set up in the router for
> that.
>
> But I also have to open up iptables a wee bit on my firewall box, with
> this rule:
I don't have a firewall installed in my machine...
> -----------
> #!/bin/bash
> BTFORWARDADDR=192.168.xx.3
> PORTSTART=6881
> PORTEND=6999
> /sbin/iptables -A FORWARD -s $BTFORWARDADDR -p tcp --dport $PORTSTART:$PORTEND -j ACCEPT
> -----------
> Where the "xx" is a real number of course.
My problem is that I want to open port 6881 (or another one, following
Chris Howie's tip) for Azureus. I have sarge installed in my machine at
home, wired to my Internet Provider through an ADSL connection. I would
like to be able to open the ports without having to study the gory
details of NAT... sorry, I am not lazy, I don't have the time for it...
With the best regards,
Marcelo
--
Marcelo Chiapparini
chi...@oi.com.br
--
Then you are essentially at his mercy. I'd lock it up as tightly as I
could with iptables, portsentry, and tcpwrappers. I use them all.
>> by forwarding this range of ports
>> directly to this machine's address. It's all set up in the router for
>> that.
>>
>> But I also have to open up iptables a wee bit on my firewall box,
>> with this rule:
>
>I don't have a firewall installed in my machine...
Ouch! Do so ASAP! There are scripts around to take some of the mystery
and apprehension out of that, and I've heard that 'firestarter' is a
good one although I've never used any of those types of tools myself.
With the upcoming cybersecurity exercise, I'd try to be well prepared.
From what I read, the network will be DoSed pretty good by this. I do
expect to see an entry or 2 in my logs although attackers have only
made it to the logs 3 times in 3 years and that's as far as they got.
An aggressive scan by satan & its ilk from outside, finds nothing, and
doesn't make the logs here. So I think I'm in pretty good shape.
>> -----------
>> #!/bin/bash
>> BTFORWARDADDR=192.168.xx.3
>> PORTSTART=6881
>> PORTEND=6999
>> /sbin/iptables -A FORWARD -s $BTFORWARDADDR -p tcp --dport $PORTSTART:$PORTEND -j ACCEPT
>> -----------
>> Where the "xx" is a real number of course.
>
>My problem is that I want to open port 6881 (or another one, following
>Chris Howie's tip) for Azureus. I have sarge installed in my machine
> at home, wired to my Internet Provider through an ADSL connection. I
> would like to be able to open the ports without having to study the
> gory details of NAT... sorry, I am not lazy, I don't have the time
> for it...
>
>With the best regards,
>
>Marcelo
>
>
>--
>Marcelo Chiapparini
>chi...@oi.com.br
--
> my router, I guess, is with my IP provider... I can't do anything in
> that machine...
If you are behind a NAT router, that is the place that you have to
forward ports. Ask your ISP how to log in to your router. Get a manual
for the router online, if necessary. There is undoubtedly a
configuration page for port forwarding. You want to forward the port
that you select with the proper protocol (for Azureus that's both TCP
and UDP) to the local IP of your machine. If the machine uses DHCP to
get an IP, most routers will forward to the machine name. If it won't,
you'll need to assign the machine a static IP to permit port forwarding.
Since the way you do this is different for every router, I can't really
give you anything more specific.
Let us know how it works out.
--
Seth Goodman
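
The following is an added example, not part of any poster's message: a host-side counterpart to the advice in this thread (a random port in 49152-65535, opened for both TCP and UDP, on a machine that otherwise drops unsolicited inbound traffic). The function names are hypothetical, the script only prints the iptables commands for review instead of applying them, and forwarding on the NAT router still has to be configured separately.

```shell
#!/bin/sh
# Added example (not from the thread). Prints, but does not apply, a minimal
# default-deny INPUT rule set that admits one BitTorrent listening port.

# valid_bt_port PORT: succeeds only for an integer in 49152-65535.
valid_bt_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or contains a non-digit
    esac
    [ "$1" -ge 49152 ] && [ "$1" -le 65535 ]
}

# pick_bt_port: random port in 49152-65535. Two random bytes give 0-65535;
# 65536 is a multiple of 16384, so the modulo introduces no bias.
pick_bt_port() {
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    echo $((49152 + n % 16384))
}

# bt_rules PORT: write the rule set to stdout; non-zero status on a bad port.
# ACCEPT rules come first and the DROP policy last, so applying the lines in
# order never cuts off an existing session part-way through.
# Assumption: the kernel provides the conntrack match; older systems use
# "-m state --state ESTABLISHED,RELATED" instead.
bt_rules() {
    port=$1
    if ! valid_bt_port "$port"; then
        echo "port must be in 49152-65535: $port" >&2
        return 1
    fi
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -j ACCEPT
iptables -A INPUT -p udp --dport $port -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Stand-alone run: show the rules for a freshly picked port.
bt_rules "$(pick_bt_port)"
```

Set the same port in the client and in the router's port-forwarding page; the rules above cover only the machine itself.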