How do torrent clients circumvent a router's firewall?


Could anyone please explain to me how the deluge torrent client can get incoming requests to my local machine from the Internet while I'm behind a router's firewall and do not have any port forwarding etc.?

Initially I was going to ask about some strange network activity in my LAN, namely continuous incoming requests to port 6881 from different IP addresses, even though I'd already stopped my torrent client, deluge. But while I was composing the question I noticed that these requests had ceased, so I concluded that the cause was the deluge torrent client and that the requests continue to come for a while after the program quits. Then I changed the port in the program's settings and the destination port of these requests changed too. So the cause of these requests is deluge.

So here is the situation. I was trying to set up the deluge torrent client and opened the ufw.log file. What it showed me surprised me a lot: it was showing constant incoming requests from different IP addresses to port 6881. Here is the output of tail -f /var/log/ufw.log (I've cut sensitive data):

Dec 28 18:13:32 foo-host kernel: [44034.890870] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=46.182.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=50 ID=13882 PROTO=UDP SPT=59696 DPT=6881 LEN=111 
Dec 28 18:13:32 foo-host kernel: [44035.682998] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=111.240.x.x DST=192.168.xxx.xxx LEN=294 TOS=0x00 PREC=0x00 TTL=113 ID=4012 PROTO=UDP SPT=17621 DPT=6881 LEN=274 
Dec 28 18:13:34 foo-host kernel: [44037.400502] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=210.187.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=55 ID=25753 PROTO=UDP SPT=57274 DPT=6881 LEN=111 
Dec 28 18:13:47 foo-host kernel: [44050.142172] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=118.81.x.x DST=192.168.xxx.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=46 ID=29946 PROTO=UDP SPT=59765 DPT=6881 LEN=109 
Dec 28 18:13:54 foo-host kernel: [44056.727176] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=128.127.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=37504 PROTO=UDP SPT=13835 DPT=6881 LEN=111

So could anyone please give me an answer to this: how do torrent clients (maybe only deluge) circumvent a router's firewall?

Here is a screenshot of my router's configuration, so I suppose that the firewall is running. Also, I cannot access a local web server from the outside without port forwarding, which further convinces me of this conclusion. [screenshot: ASUS DSL-N10 configuration page]

user907860

Posted 2014-12-28T17:26:12.763


Why do you think that the traffic circumvented the router's firewall? You haven't shown anything of the router's configuration. – Michael Hampton – 2014-12-28T17:35:32.140

@MichaelHampton I have updated the question, saying why I'm convinced that the firewall is running – user907860 – 2014-12-28T17:44:06.090

Does your router support UPnP? – Rowland Shaw – 2014-12-28T17:49:39.113

They don't your hardware support UPnP – Ramhound – 2014-12-28T17:56:19.503

@RowlandShaw, I do not know for sure, but according to this link http://bc.whirlpool.net.au/bc/hardware/?action=h_view&model_id=1273 it does. Google suggested nothing from the official ASUS website. – user907860 – 2014-12-28T17:56:37.130

Answers


It's part of how network connections work. Your client (deluge) performs requests to Internet hosts and "publishes" port 6881 for incoming requests. Your firewall blocks the incoming connections ([UFW BLOCK]) to your PC, but requests from external hosts to your port 6881 are normal. There is nothing strange in this. Moreover, some incoming connections are forwarded to your PC because in your firewall configuration you have rules for "related" traffic. This means that software that starts a connection internally (deluge) is authorized to receive traffic coming from an external IP with which you have started a communication. You should not use P2P software if you don't want to send traffic to external hosts or receive external requests.

maudam


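As an added example (not code from the question, from ufw or from deluge), here is a small Python script that parses UFW kernel log lines like the ones in the question and summarizes blocked inbound traffic per destination port: how many hits, how many distinct sources, and over what time span. Many distinct sources hitting a single UDP port within a short window is the signature of DHT/peer chatter, as opposed to one source probing many ports. The sample input is the masked lines from the question plus one constructed TCP line; the `looks_like_p2p` thresholds are an arbitrary heuristic chosen for this example.

```python
"""Summarize [UFW BLOCK] kernel log lines by destination port.

Added illustration; the regexes match the iptables/ufw LOG format shown in
the question, where the second LEN= (the UDP/TCP length) overwrites the
first (the IP length) in the parsed record.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the masked lines from the question plus one TCP SYN line.
SAMPLE_LOG = """\
Dec 28 18:13:32 foo-host kernel: [44034.890870] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=46.182.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=50 ID=13882 PROTO=UDP SPT=59696 DPT=6881 LEN=111
Dec 28 18:13:32 foo-host kernel: [44035.682998] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=111.240.x.x DST=192.168.xxx.xxx LEN=294 TOS=0x00 PREC=0x00 TTL=113 ID=4012 PROTO=UDP SPT=17621 DPT=6881 LEN=274
Dec 28 18:13:34 foo-host kernel: [44037.400502] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=210.187.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=55 ID=25753 PROTO=UDP SPT=57274 DPT=6881 LEN=111
Dec 28 18:13:47 foo-host kernel: [44050.142172] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=118.81.x.x DST=192.168.xxx.xxx LEN=129 TOS=0x00 PREC=0x00 TTL=46 ID=29946 PROTO=UDP SPT=59765 DPT=6881 LEN=109
Dec 28 18:13:54 foo-host kernel: [44056.727176] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=128.127.x.x DST=192.168.xxx.xxx LEN=131 TOS=0x00 PREC=0x00 TTL=113 ID=37504 PROTO=UDP SPT=13835 DPT=6881 LEN=111
Dec 28 18:14:02 foo-host kernel: [44064.100000] [UFW BLOCK] IN=eth0 OUT= MAC=xx:xx SRC=203.0.113.7 DST=192.168.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=100 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# "Dec 28 18:13:32 foo-host kernel: [44034.890870] [UFW BLOCK] <key=value fields>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"\[\s*[\d.]+\] \[UFW (?P<action>\w+)\] (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")   # bare flags such as DF or SYN carry no '=' and are skipped


def parse_line(line):
    """Return a dict of fields for one ufw log line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host"), "action": m.group("action")}
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value          # OUT= yields "" for inbound packets
    return rec


def summarize(lines, window_seconds=60, min_sources=3):
    """Group blocked inbound packets by (PROTO, DPT); most-hit ports first."""
    groups = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCK" or not rec.get("IN"):
            continue              # keep only inbound drops
        g = groups[(rec["PROTO"], int(rec["DPT"]))]
        t = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")   # year-less syslog timestamp
        g["hits"] += 1
        g["sources"].add(rec["SRC"])
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)

    rows = []
    for (proto, dport), g in groups.items():
        span = (g["last"] - g["first"]).total_seconds()
        rows.append({
            "proto": proto,
            "dport": dport,
            "hits": g["hits"],
            "distinct_sources": len(g["sources"]),
            "span_seconds": span,
            # Heuristic: a crowd of unrelated peers converging on one UDP port
            # looks like DHT/peer traffic rather than a scan from one host.
            "looks_like_p2p": proto == "UDP" and len(g["sources"]) >= min_sources
                              and span <= window_seconds,
        })
    rows.sort(key=lambda r: (r["hits"], r["distinct_sources"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG.splitlines()):
        print(row)
```

Run it against a real file with `summarize(open("/var/log/ufw.log").read().splitlines())`; the same five-source burst on UDP 6881 is what the question's excerpt shows, while the lone TCP/22 line is the ordinary background noise a firewall log collects.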


Your router supports uPNP, which allows programs like deluge to automatically ask it to forward ports while the program is running.

psusi



When I was watching these requests coming in, the "UPnP" checkbox was disabled, so I suppose that UPnP has nothing to do with this. – user907860 – 2014-12-29T06:48:22.683

@user907860, then in that case they must be connections that you initiated and that are still considered open after closing the client, until the router believes they are closed (and the only way to detect this with UDP is with a timeout, which is normally kept fairly long to avoid closing connections prematurely). – psusi – 2014-12-29T14:42:46.163

I apologize if I do not understand network stuff correctly, but isn't UDP a connectionless thing? A couple of days ago I encountered a similar question about Tor, https://trac.torproject.org/projects/tor/ticket/8215#comment:8 , which listens on some UDP ports, and one of the answers (I've posted the link to it) states that this is in order to receive UDP responses. – user907860 – 2014-12-29T14:54:40.097

I mean that it might be a bit misleading to call this a "connection"; it seems to be rather some "fancy" "hardcoded" configuration of the router's firewall. – user907860 – 2014-12-29T14:57:37.437

@user907860, it is, but it isn't. What I mean is that there is no connection setup and teardown protocol like there is for TCP, but pretty much everyone that uses UDP in practice responds using the same port as the first message, so routers take advantage of this to infer that there is a "connection" going on that they need to forward, otherwise UDP would never be able to traverse a NAT firewall. – psusi – 2014-12-29T15:04:06.633
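The inferred UDP "connection" that psusi describes is easy to see in a toy model. The following Python is an added illustration, not the router's, ufw's or deluge's code: an outbound datagram creates a flow entry that expires after a timeout unless traffic refreshes it, and an inbound datagram is passed only if it matches an entry. The `filtering` parameter is an assumption introduced to contrast two router behaviours, named with the RFC 4787 terms: "address-and-port-restricted" (only the exact remote endpoint we sent to may reply; this is how Linux connection tracking treats UDP, since it keys entries on the full 5-tuple, which is why the host drops and logs a stranger's packet even though port 6881 is in use) and "endpoint-independent" (once a local port is mapped, any remote host may send to it; a NAT that behaves this way would forward the DHT traffic seen in the question without any port forwarding). The 30 s default mirrors Linux's `net.netfilter.nf_conntrack_udp_timeout` for unreplied UDP; real conntrack lengthens it once traffic has flowed both ways. The addresses are documentation ranges constructed for the example.

```python
"""Toy stateful UDP filter / NAT: flow entries, timeouts and filtering policy.

Added illustration, not code from the thread. The three policies are the
RFC 4787 filtering behaviours; which one a given home router implements is
not something this example can tell you.
"""
from dataclasses import dataclass

POLICIES = ("endpoint-independent", "address-restricted", "address-and-port-restricted")


@dataclass
class Flow:
    local_port: int
    remote_ip: str
    remote_port: int
    expires_at: float


class UdpStateTable:
    def __init__(self, timeout=30.0, filtering="address-and-port-restricted"):
        if filtering not in POLICIES:
            raise ValueError("unknown filtering policy: %r" % filtering)
        self.timeout = timeout
        self.filtering = filtering
        self.flows = []

    def _expire(self, now):
        # A flow dies when no packet has refreshed it within `timeout` seconds;
        # with UDP there is no FIN/RST, so this is the only teardown signal.
        self.flows = [f for f in self.flows if f.expires_at > now]

    def outbound(self, now, local_port, remote_ip, remote_port):
        """The local application sends a datagram: create or refresh its flow."""
        self._expire(now)
        for f in self.flows:
            if (f.local_port, f.remote_ip, f.remote_port) == (local_port, remote_ip, remote_port):
                f.expires_at = now + self.timeout
                return f
        f = Flow(local_port, remote_ip, remote_port, now + self.timeout)
        self.flows.append(f)
        return f

    def _matches(self, f, remote_ip, remote_port):
        if self.filtering == "endpoint-independent":
            return True
        if self.filtering == "address-restricted":
            return f.remote_ip == remote_ip
        return (f.remote_ip, f.remote_port) == (remote_ip, remote_port)

    def inbound(self, now, remote_ip, remote_port, local_port):
        """Return (verdict, reason) for a datagram arriving from the Internet."""
        self._expire(now)
        candidates = [f for f in self.flows if f.local_port == local_port]
        if not candidates:
            # Nothing the local side started is still alive on this port:
            # this is the case ufw reports as [UFW BLOCK].
            return ("DROP", "no live flow for local port %d" % local_port)
        for f in candidates:
            if self._matches(f, remote_ip, remote_port):
                f.expires_at = now + self.timeout      # accepted traffic keeps the flow alive
                return ("ACCEPT", "matches flow to %s:%d" % (f.remote_ip, f.remote_port))
        return ("DROP", "port %d is mapped but %s:%d is not a peer we contacted"
                % (local_port, remote_ip, remote_port))


def scenario(filtering):
    """Replay one DHT-style exchange and return the verdict for each inbound datagram."""
    table = UdpStateTable(timeout=30.0, filtering=filtering)
    table.outbound(0.0, 6881, "198.51.100.10", 6881)                # our ping to a known peer
    r1 = table.inbound(1.0, "198.51.100.10", 6881, 6881)            # that peer's reply
    r2 = table.inbound(2.0, "203.0.113.5", 40000, 6881)             # a stranger who learned our ip:port
    r3 = table.inbound(31.5, "198.51.100.10", 6881, 6881)           # the peer again, past our own timeout
    return [verdict for verdict, _ in (r1, r2, r3)]


if __name__ == "__main__":
    for policy in POLICIES:
        print("%-28s %s" % (policy, scenario(policy)))
```

Two things fall out of the model. Under restricted filtering the stranger is dropped and the flow then dies at 30 s, so only peers you actually contacted ever get through, and only briefly. Under endpoint-independent filtering the stranger's packet is not only passed but refreshes the entry, so a steady stream of unsolicited peers can keep a mapping alive well after the application that created it has exited; that is consistent with the question's observation that the 6881 traffic continued for a while after deluge was closed, though the model cannot prove that is what the ASUS router does.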