Could anyone please explain to me how the deluge torrent client can get incoming requests to my local machine from the Internet, while I'm behind the router's firewall and do not have any port forwarding etc.?
Initially I was going to ask about strange network activity in my LAN, namely continuous incoming requests to port 6881 from different IP addresses, even though I'd already stopped my torrent client deluge. But while I was composing the question I noticed that these requests ceased, so I concluded that the cause was the deluge torrent client and that the requests continue to come for a while after the program quits. Then I changed the ports in the program's settings and the destination port of these requests changed too. So the cause of these requests is deluge.
So here is the situation. I was trying to set up the deluge torrent client, and opened the ufw.log file. What it showed surprised me a lot: constant incoming requests from different IP addresses to port 6881. Here is the output of tail -f /var/log/ufw.log (I've cut sensitive data):
Dec 28 18:13:32 foo-host kernel: [44034.890870] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=46.182.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=50 ID=13882 PROTO=UDP SPT=59696 DPT=6881 LEN=111
Dec 28 18:13:32 foo-host kernel: [44035.682998] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=111.240.x.x DST=192.168.xxx.xxx LEN=294 TOS=0x00 PREC=0x00 TTL=113 ID=4012 PROTO=UDP SPT=17621 DPT=6881 LEN=274
Dec 28 18:13:34 foo-host kernel: [44037.400502] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=210.187.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=55 ID=25753 PROTO=UDP SPT=57274 DPT=6881 LEN=111
Dec 28 18:13:47 foo-host kernel: [44050.142172] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=118.81.x.x DST=192.168.xxx.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=46 ID=29946 PROTO=UDP SPT=59765 DPT=6881 LEN=109
Dec 28 18:13:54 foo-host kernel: [44056.727176] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=128.127.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=37504 PROTO=UDP SPT=13835 DPT=6881 LEN=111
So could anyone please give me an answer to this: how do torrent clients (maybe only deluge) circumvent the router's firewall?
Here is my router's configuration screenshot, so I suppose that the firewall is running. Also I cannot access a local webserver from the outside without port forwarding, which convinces me further of this conclusion.
Answer
It's part of how network connections function. Your client (deluge) performs requests to Internet hosts and "publishes" port 6881 for incoming requests. Your firewall blocks the incoming connections ([UFW BLOCK]) to your PC, but the requests from external hosts to your port 6881 are normal. There is nothing strange in this. Moreover, some incoming connections are forwarded to your PC because in your firewall configuration you have rules for "related" traffic. This means that software starting the connection internally (deluge) is authorized to receive traffic coming from external IPs with which you have started a communication. You should not use P2P software if you don't want to send traffic to external hosts or receive external requests.
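A way to verify the observation in the question, that every blocked packet targets the port the torrent client listens on: this is an added example, not part of the original question or answer, that parses the [UFW BLOCK] lines quoted above and groups them by protocol and destination port. The function names and the listen_port parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the ufw.log excerpt in the question (addresses already redacted there).
SAMPLE_LOG = """\
Dec 28 18:13:32 foo-host kernel: [44034.890870] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=46.182.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=50 ID=13882 PROTO=UDP SPT=59696 DPT=6881 LEN=111
Dec 28 18:13:32 foo-host kernel: [44035.682998] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=111.240.x.x DST=192.168.xxx.xxx LEN=294 TOS=0x00 PREC=0x00 TTL=113 ID=4012 PROTO=UDP SPT=17621 DPT=6881 LEN=274
Dec 28 18:13:34 foo-host kernel: [44037.400502] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=210.187.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=55 ID=25753 PROTO=UDP SPT=57274 DPT=6881 LEN=111
Dec 28 18:13:47 foo-host kernel: [44050.142172] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=118.81.x.x DST=192.168.xxx.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=46 ID=29946 PROTO=UDP SPT=59765 DPT=6881 LEN=109
Dec 28 18:13:54 foo-host kernel: [44056.727176] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=128.127.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=37504 PROTO=UDP SPT=13835 DPT=6881 LEN=111
"""

_EVENT = re.compile(r"\[UFW (?P<action>[A-Z ]+)\]\s+(?P<fields>.*)$")
_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_ufw_line(line):
    """Return the KEY=value fields of one UFW kernel log line, or None."""
    m = _EVENT.search(line)
    if m is None:
        return None
    fields = {"ACTION": m.group("action")}
    for key, value in _FIELD.findall(m.group("fields")):
        # LEN occurs twice: keep the first (IP total length) as LEN and
        # store the second (UDP length) under its own key.
        fields["UDP_LEN" if key == "LEN" and "LEN" in fields else key] = value
    return fields


def summarize_blocks(lines, listen_port):
    """Group blocked inbound packets by (protocol, destination port)."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in lines:
        f = parse_ufw_line(line)
        if f is None or f["ACTION"] != "BLOCK" or not f.get("IN"):
            continue  # not a UFW line, not a plain block, or not inbound
        port = int(f["DPT"]) if "DPT" in f else None  # e.g. ICMP has no DPT
        g = groups[(f.get("PROTO"), port)]
        g["hits"] += 1
        g["sources"].add(f.get("SRC"))
    return {key: {"hits": g["hits"], "sources": len(g["sources"]),
                  "client_port": key[1] == listen_port}
            for key, g in groups.items()}


if __name__ == "__main__":
    # listen_port: the port configured in the torrent client (6881 in the question).
    for key, info in summarize_blocks(SAMPLE_LOG.splitlines(), 6881).items():
        print(key, info)
```

A group whose client_port is False is inbound traffic the torrent client's listening port does not account for and is the part worth a closer look.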