
proper ufw configuration?

Posted: Wed Mar 06, 2013 12:27 pm
by silvernightstar
I have qbittorrent set up to listen for incoming connections at port 38329 with UPnP enabled. I am sure my router's UPnP is configured correctly (verified using utorrent UPnP checker tool). I would like to properly set up ufw while also maintaining qbittorrent's optimal operation.

My ufw is currently configured as follows:

craymantis@SILVA:~$ sudo ufw status verbose
[sudo] password for craymantis:
Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing)
New profiles: skip

To                        Action      From
--                        ------      ----
192.168.1.2 8080          ALLOW IN    192.168.1.0/27  # qbittorrent webui
137,138/udp (Samba)        ALLOW IN    192.168.1.0/27
139,445/tcp (Samba)        ALLOW IN    192.168.1.0/27
192.168.1.2 51240/tcp      ALLOW IN    192.168.1.0/27  # openSSH
239.192.152.143 6771/udp  ALLOW IN    192.168.1.2    # qbittorrent local peer discovery
192.168.1.2 38329/udp      ALLOW IN    Anywhere        # qbittorrent listening port


At the surface, qbittorrent SEEMS to be working optimally; download speeds of newly added torrents reach maximum within 1 minute.

Just to check, doing a netstat, we see the established connections doing just fine:

craymantis@SILVA:~$ netstat -n -A inet
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0  21348 192.168.1.2:50611      186.6.3.33:23529        ESTABLISHED
tcp        0      0 192.168.1.2:48088      24.155.101.52:60331    ESTABLISHED
tcp        0      0 192.168.1.2:47712      202.156.115.62:45682    ESTABLISHED
tcp        0      0 192.168.1.2:41813      84.13.39.87:49274      ESTABLISHED
tcp        0  1644 192.168.1.2:55616      184.160.106.189:14255  ESTABLISHED
tcp        0      0 192.168.1.2:51240      192.168.1.11:65026      ESTABLISHED
tcp        0      1 192.168.1.2:46740      178.81.18.81:24091      SYN_SENT
tcp        0      0 192.168.1.2:53974      24.212.209.140:6881    ESTABLISHED
tcp        0  34950 192.168.1.2:40422      46.165.220.39:20491    ESTABLISHED
tcp        0      0 192.168.1.2:40163      85.25.100.68:58604      ESTABLISHED
tcp        0      0 192.168.1.2:57270      123.211.20.70:6881      ESTABLISHED
tcp        0      0 192.168.1.2:47849      199.115.116.197:61051  ESTABLISHED
tcp        0    52 192.168.1.2:51240      192.168.1.11:57147      ESTABLISHED
tcp        0      0 192.168.1.2:32790      86.28.121.173:56471    ESTABLISHED
tcp        0      0 192.168.1.2:53028      182.55.202.96:36023    ESTABLISHED
tcp        0      0 192.168.1.2:44207      175.139.24.101:21032    ESTABLISHED
tcp        0      0 192.168.1.2:445        192.168.1.11:56914      ESTABLISHED
tcp        0      0 192.168.1.2:36120      59.189.125.222:51413    ESTABLISHED
tcp        0      0 192.168.1.2:41467      68.183.228.173:12272    ESTABLISHED
tcp        0  16411 192.168.1.2:59079      174.114.3.73:26948      ESTABLISHED
tcp        0      0 192.168.1.2:33763      98.206.119.75:51204    ESTABLISHED
tcp        0      1 192.168.1.2:33243      115.87.113.24:17386    SYN_SENT
tcp        0    17 192.168.1.2:49650      180.222.140.39:18089    ESTABLISHED
tcp        0      0 192.168.1.2:57574      50.46.136.42:64532      ESTABLISHED
tcp        0      0 192.168.1.2:38490      67.232.52.197:35220    ESTABLISHED
tcp        0      0 192.168.1.2:40247      67.201.10.134:23717    ESTABLISHED
tcp        0      0 192.168.1.2:40729      101.162.35.191:51774    ESTABLISHED
tcp        0    17 192.168.1.2:59959      223.16.36.81:39746      ESTABLISHED
tcp        0      0 192.168.1.2:46857      202.216.122.164:45288  ESTABLISHED
tcp        0  3157 192.168.1.2:57915      93.102.139.22:26650    ESTABLISHED
tcp        0      0 192.168.1.2:47033      219.250.220.9:45787    ESTABLISHED
tcp        0      0 192.168.1.2:60580      112.209.42.2:42886      ESTABLISHED
tcp        0      1 192.168.1.2:47009      62.203.67.114:58997    LAST_ACK
tcp        0      0 192.168.1.2:55986      66.177.53.48:51413      ESTABLISHED
tcp        0      0 192.168.1.2:55834      14.201.39.85:38858      ESTABLISHED
tcp        0      0 192.168.1.2:44158      78.158.146.89:8843      ESTABLISHED
udp        0      0 192.168.1.2:32936      192.168.100.1:53        ESTABLISHED
udp        0      0 192.168.1.2:60347      192.168.100.1:53        ESTABLISHED


However, when we check /var/log/ufw.log, we see the following:

craymantis@SILVA:~$ grep BLOCK /var/log/kern.log | less
Mar  6 19:34:18 SILVA kernel: [ 7984.777649] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=201.251.59.171 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=24430 PROTO=TCP SPT=29602 DPT=40491 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:34:20 SILVA kernel: [ 7986.933588] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=71.192.30.30 DST=192.168.1.2 LEN=40 TOS=0x08 PREC=0x20 TTL=44 ID=0 DF PROTO=TCP SPT=51413 DPT=33129 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:34:38 SILVA kernel: [ 8004.779106] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=124.13.55.120 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=180 PROTO=TCP SPT=11188 DPT=56280 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:35:22 SILVA kernel: [ 8048.782053] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=182.201.139.38 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=29157 PROTO=TCP SPT=48571 DPT=45997 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:35:58 SILVA kernel: [ 8084.784162] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=101.103.15.7 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=17580 PROTO=TCP SPT=29481 DPT=37396 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:36:06 SILVA kernel: [ 8092.784521] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=116.89.15.17 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=1122 PROTO=TCP SPT=16881 DPT=33680 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:36:10 SILVA kernel: [ 8096.784784] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=99.36.116.92 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=32128 PROTO=TCP SPT=19862 DPT=39481 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:36:22 SILVA kernel: [ 8108.786261] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=180.222.140.39 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=25322 PROTO=TCP SPT=18089 DPT=53621 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:36:38 SILVA kernel: [ 8124.786848] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=112.204.149.24 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=16626 PROTO=TCP SPT=41779 DPT=32867 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:37:06 SILVA kernel: [ 8152.788442] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=95.150.79.187 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=12767 PROTO=TCP SPT=51413 DPT=49868 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:37:18 SILVA kernel: [ 8164.789351] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=62.5.227.193 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=31989 PROTO=TCP SPT=48650 DPT=55671 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:37:42 SILVA kernel: [ 8188.790853] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=97.96.234.171 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=16819 PROTO=TCP SPT=42757 DPT=44222 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:37:58 SILVA kernel: [ 8204.792302] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=187.133.182.171 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=31199 PROTO=TCP SPT=62160 DPT=58081 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:38:22 SILVA kernel: [ 8228.794084] [UFW BLOCK] IN=eth0 OUT= MAC=00:66:fe:b5:c1:52:01:a5:ae:24:d5:2f:58:00 SRC=46.193.65.147 DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=26153 PROTO=TCP SPT=45116 DPT=47188 WINDOW=0 RES=0x00 RST URGP=0


Based on the results above, the questions are:

1) How come some internet connections are allowed by ufw and successfully established (netstat) whereas others are blocked by ufw (ufw.log)?
2) In what way are these two kinds of connections different?
3) Because of these blocked connections, does it mean qbittorrent is not operating optimally as it should? If so, how can we fix ufw to accept these blocked connections?

Re: proper ufw configuration?

Posted: Wed Mar 06, 2013 1:13 pm
by Dayman
Who said that invalid packets shouldn't be dropped by default?

I'm not sure why DST is 192.168.1.2 everywhere though. I'd assume packets are dropped in FORWARD chain.
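
Added example (not part of any post in this thread): every `[UFW BLOCK]` line in the log excerpt above carries the RST flag, so a quick way to test the "invalid packets" explanation is to tally blocked packets by TCP flags instead of reading them as refused peers. The sample lines are constructed in the same kernel log format with documentation addresses, the last one is a hypothetical inbound SYN added for contrast, and the names `ALLOWED_FROM_ANYWHERE`, `parse_block_line`, `classify` and `summarize` are illustrative.

```python
import re
from collections import Counter

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
# Rules open to "Anywhere" in the ufw status output from the first post.
ALLOWED_FROM_ANYWHERE = {("UDP", 38329)}

# Constructed sample in the kernel LOG format quoted in the thread. Addresses
# are documentation ranges; the last line is a hypothetical contrast case.
SAMPLE_LOG = """\
Mar  6 19:34:18 SILVA kernel: [ 7984.777649] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.1.2 LEN=40 TTL=255 ID=24430 PROTO=TCP SPT=29602 DPT=40491 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:34:20 SILVA kernel: [ 7986.933588] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.2 LEN=40 TTL=44 ID=0 DF PROTO=TCP SPT=51413 DPT=33129 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:34:38 SILVA kernel: [ 8004.779106] [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.1.2 LEN=40 TTL=255 ID=180 PROTO=TCP SPT=11188 DPT=56280 WINDOW=0 RES=0x00 RST URGP=0
Mar  6 19:40:02 SILVA kernel: [ 8328.100000] [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.23 DST=192.168.1.2 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=50022 DPT=38329 WINDOW=14600 RES=0x00 SYN URGP=0
"""

def parse_block_line(line):
    """Return (fields, flags) for a [UFW BLOCK] line, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    fields = dict(re.findall(r"(\w+)=(\S*)", body))      # KEY=value pairs
    flags = {tok for tok in body.split() if tok in TCP_FLAGS}  # bare flag tokens
    return fields, flags

def classify(fields, flags):
    proto, dpt = fields.get("PROTO"), int(fields.get("DPT") or 0)
    if proto == "TCP" and "RST" in flags:
        # A reset that matched no tracked connection; nobody is trying to connect.
        return "stray-reset"
    if proto == "TCP" and flags == {"SYN"}:
        # A real inbound connection attempt that no allow rule covered.
        other = [p for p, port in ALLOWED_FROM_ANYWHERE if port == dpt and p != proto]
        return f"inbound-connect (port open for {other[0]} only)" if other else "inbound-connect"
    return "other"

def summarize(log_text):
    """Count blocked packets per category across a whole log excerpt."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_block_line(line)
        if parsed:
            counts[classify(*parsed)] += 1
    return dict(counts)

if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {category}")
```

Run against the real log, a result made up only of `stray-reset` entries means the blocks are leftover resets for flows the firewall is not tracking, while `inbound-connect` entries would point at a port or protocol that no allow rule covers.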

Re: proper ufw configuration?

Posted: Wed Mar 06, 2013 2:42 pm
by silvernightstar
[quote="Dayman"]
Who said that invalid packets shouldn't be dropped by default?

I'm not sure why DST is 192.168.1.2 everywhere though. I'd assume packets are dropped in FORWARD chain.
[/quote]

Thanks Dayman for the reply.

Actually, the local IP 192.168.1.2 is already the machine with qbittorrent and ufw, which in turn is behind a router and/or modem. So, these blocked packets are not forwards but actually directed at qbittorrent.

*Note: sensitive info such as IP addresses, ports, etc. were substituted with arbitrary values.