Firewalling

From VuzeWiki


Firewalls, like routers, may interfere with incoming connections. This is their job, but when we want peers to connect to us, our firewall should know which connections to allow.

In general, go into your software firewall configuration and make sure that Vuze is allowed outgoing and incoming connections (and if there is such an option, enable Vuze to act as a server). Possibly the firewall is only configured for applications, but it might also require port-specific configuration.

  • You can find the port to open in Tools -> Options -> Connections -> Incoming TCP listen port. You may ban IPs in Azureus, too.

Here are some brief guides to the more common firewalls as examples of typical configuration steps.


Microsoft Windows XP Service Pack 2 users

Microsoft has a guide to opening individual ports. You may also configure Windows Firewall to allow access by application; add Azureus.exe and javaw.exe to the exceptions list.

Windows XP users, please also note that, even if you think you have disabled or configured this firewall, the Windows XP firewall has a habit of re-enabling itself when you're not looking. So please do still check it, just to make sure.


PC-cillin 2005 Users

  1. Go to Network Security -> Personal Firewall and highlight your connection (denoted with a green dot)
  2. Select the Edit -> Exception list tab.
  3. Click Add and enter a description; e.g., "Azureus".
  4. Click "Specified Application" and enter the path to javaw.exe (Azureus v2.3.0.4) or azureus.exe (v2.3.0.6 and newer).
  5. For connection, select "Incoming"; for Action, select "Allow."
  6. On protocol select TCP.
  7. Select Specified Ports and type the port number you wish to use in the box (please also view why you should consider changing the 6881 standard port)
  8. Ensure IP setting is on All IP Addresses.
  9. Press OK to return to the Personal Firewall Profile window, and press OK on this window as well.
  10. Press Apply.
  11. Now in the Azureus window go to Tools -> NAT/Firewall test and hit the Test button; you should get TESTING PORT XXXXX ...OK!
  12. Repeat the above steps, but on protocol select UDP.


Panda Internet Security (Windows)

Using the default settings in Panda Internet Security, programs aren't allowed to act as a server. To change this:

  1. Double click on the panda head on the tray
  2. Click on the Settings... button for Firewall Protection
  3. Click on the Settings... button for Program with access to the network
  4. Select the javaw.exe (AZ 2.3.0.4 or older) or the azureus.exe (AZ 2.3.0.6 or newer) process and click Advanced settings
  5. On Connect from other computers (server) select the check-box Allow (act as a server)
  6. Optionally, select on which TCP/UDP port(s) you want to allow java/Azureus to bind.

Repeat the steps for the java.exe process (if necessary).


Configuring the OpenBSD Packet Filter (OpenBSD)

You need to set up a redirect rule for each BitTorrent client PC behind your NAT/firewall. Don't forget to change the respective clients' port settings to reflect this. For example:

  • <LAN_IP1> is the internal IP address of the 1st client (e.g. 192.168.0.2)
  • <LAN_IP2> is the internal IP address of the 2nd client (e.g. 192.168.0.3)
  • <EXT_INT> is the external interface (e.g. 'dc0')
  • <PORT1> is the TCP port set up in Azureus
  • <PORT2> is the TCP port set up in another client

For OpenBSD up to version 4.6:

Set some variables in your /etc/pf.conf:

   ext_int="dc0"
   lan_ip1="192.168.0.2"
   lan_ip2="192.168.0.3"
   port1="15301"
   port2="6885"

Set up some redirections from the external interface to the IP address and port on your LAN:

   rdr on $ext_int proto tcp from any to any port $port1 -> $lan_ip1 port $port1
   rdr on $ext_int proto udp from any to any port $port1 -> $lan_ip1 port $port1
   rdr on $ext_int proto tcp from any to any port $port2 -> $lan_ip2 port $port2
   rdr on $ext_int proto udp from any to any port $port2 -> $lan_ip2 port $port2

as well as a rule to actually pass the packets through the external interface:

   pass in on $ext_int proto tcp from any to $lan_ip1 port $port1 flags S/SA keep state
   pass in on $ext_int proto udp from any to $lan_ip1 port $port1 flags S/SA keep state
   pass in on $ext_int proto tcp from any to $lan_ip2 port $port2 flags S/SA keep state
   pass in on $ext_int proto udp from any to $lan_ip2 port $port2 flags S/SA keep state

For OpenBSD 4.7 and up:

Set some variables in your /etc/pf.conf:

   ext_int="dc0"
   lan_ip1="192.168.0.2"
   lan_ip2="192.168.0.3"
   port1="15301"
   port2="6885"

as well as a rule to actually pass the packets through the external interface and through the firewall (from 4.7 on, the redirect is an option of the pass rule rather than a separate rdr line):

   pass in on $ext_int proto tcp from any to any port $port1 rdr-to $lan_ip1
   pass in on $ext_int proto udp from any to any port $port1 rdr-to $lan_ip1
   pass in on $ext_int proto tcp from any to any port $port2 rdr-to $lan_ip2
   pass in on $ext_int proto udp from any to any port $port2 rdr-to $lan_ip2

for more info:

   # man 5 pf.conf

or

   ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt
   ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.pdf

Configuring Iptables (Linux)

To use iptables you will have to have it set up (nowadays it's generally pre-installed on most distros). On the more advanced distros it may be necessary to compile or configure it yourself if it is not included. Please refer to your distribution's help pages and www.google.com if you need to do this yourself. Once set up:

  • <LAN_IP> is the internal IP address (e.g. 192.168.0.2)
  • <EXT_INT> is the external interface (e.g. 'eth0')
  • <PORT> is the TCP port set up in Azureus

If you're port forwarding from the iptables machine to an internal computer, run:

   /sbin/iptables -t nat -A PREROUTING -p tcp -i <EXT_INT> --dport <PORT> -j DNAT --to <LAN_IP>:<PORT>
   /sbin/iptables -t nat -A PREROUTING -p udp -i <EXT_INT> --dport <PORT> -j DNAT --to <LAN_IP>:<PORT>
   /sbin/iptables -A FORWARD -p tcp -i <EXT_INT> -d <LAN_IP> --dport <PORT> -j ACCEPT
   /sbin/iptables -A FORWARD -p udp -i <EXT_INT> -d <LAN_IP> --dport <PORT> -j ACCEPT

If you run Azureus on the same machine that iptables is active on, use this command instead:

   /sbin/iptables -I INPUT 1 -i <EXT_INT> -p tcp --tcp-flags SYN,RST,ACK SYN --dport <PORT> -m state --state NEW -j ACCEPT 
   /sbin/iptables -I INPUT 1 -i <EXT_INT> -p udp --dport <PORT> -m state --state NEW -j ACCEPT
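As an added example (not a script from this wiki or from the Vuze project), the two rule sets above can be generated from one POSIX shell function that checks the port and LAN address first and prints the commands instead of running them, so they can be reviewed before being fed to sh as root. The function and argument names here are this example's own.

```shell
#!/bin/sh
# Added example, not a script from the VuzeWiki page or the Vuze project.
# Prints the iptables rules from the section above for one Azureus/Vuze listen port.
# Usage: azureus_rules EXT_INT PORT [LAN_IP]
#   with LAN_IP:    DNAT + FORWARD rules (the client sits behind this box)
#   without LAN_IP: INPUT rules (the client runs on this box)
# Nothing is applied; review the output, then pipe it into sh as root.

# Return 0 when $1 is an integer in the TCP/UDP port range 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 when $1 is a dotted-quad IPv4 address with every octet 0-255.
# Runs in a subshell so the IFS change does not leak to the caller.
valid_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
)

azureus_rules() {
    ext_int=$1; port=$2; lan_ip=$3
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    if [ -n "$lan_ip" ]; then
        valid_ipv4 "$lan_ip" || { echo "invalid IPv4 address: $lan_ip" >&2; return 1; }
        # Forwarding host: rewrite the destination, then accept the forwarded packets.
        # Assumes FORWARD already passes ESTABLISHED,RELATED traffic for the replies.
        for proto in tcp udp; do
            echo "/sbin/iptables -t nat -A PREROUTING -p $proto -i $ext_int --dport $port -j DNAT --to $lan_ip:$port"
        done
        for proto in tcp udp; do
            echo "/sbin/iptables -A FORWARD -p $proto -i $ext_int -d $lan_ip --dport $port -j ACCEPT"
        done
    else
        # Local client: insert at position 1 so an earlier DROP/REJECT cannot shadow the rule.
        echo "/sbin/iptables -I INPUT 1 -i $ext_int -p tcp --tcp-flags SYN,RST,ACK SYN --dport $port -m state --state NEW -j ACCEPT"
        echo "/sbin/iptables -I INPUT 1 -i $ext_int -p udp --dport $port -m state --state NEW -j ACCEPT"
    fi
}

# When run as a script with arguments, print the rules for them.
if [ $# -gt 0 ]; then azureus_rules "$@"; fi
```

For example, `sh rules.sh eth0 15301 192.168.0.2` prints the four forwarding rules and `sh rules.sh eth0 15301` prints the two local INPUT rules; a port outside 1-65535 or a malformed address is rejected with a message on stderr.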

If you are new to iptables under linux it may be beneficial for you to read http://www.linuxguruz.com/iptables/howto/maniptables.html and http://www.hackorama.com/network/portfwd.shtml to familiarise yourself with the available commands. http://easyfwgen.morizot.net/gen/ may be of help to configure your firewall rules.


Also, for a little more automation and sophistication, there are some good iptables-based firewall scripts that work well. For example, gShield and the somewhat more complex Shorewall, among others. These scripts take in human-readable text config files, describing rules in higher-level terms than the bare iptables lines, and then configure iptables for you.


Configuring SuSE-firewall

If you use SuSE Linux on your router/firewall to connect to the internet you can do the following to forward the ports used by Azureus to your client:

Open /etc/sysconfig/SuSEfirewall2 and locate FW_FORWARD_MASQ (it's in section 14). Now, assuming your client's (the box running Azureus) IP is 192.168.0.3, set it to read: FW_FORWARD_MASQ="0/0,192.168.0.3,tcp,portnumbergoeshere 0/0,192.168.0.3,udp,portnumbergoeshere"

(Note that a rule like "0/0,192.168.0.3,tcp,portnumbergoeshere" simply means that incoming TCP connections on port portnumbergoeshere from any address (0/0) will be forwarded to the machine 192.168.0.3, on the same port.)

For this to work, you have to have FW_ROUTE (section 5) set to "yes" in the same file.

After making these changes, save the file and then start YaST. Go to "Security and Users" (or similar), and there choose "Firewall". Now simply go through all the dialogs and finish them; at the end it will restart your firewall with the new rules. Watch out: depending on your config you can lock yourself out of your (remote) machine!

To restart the firewall you can probably also do:

  # /sbin/SuSEfirewall2 stop; /sbin/SuSEfirewall2 start

Or simply ;-)

  # /sbin/SuSEfirewall2 restart

access for Azureus.


Simple IPCop setup instructions (Linux) (as if this excellent howto wasn't enough... :))

1) Login to the web interface.

2) Go to Services, select Port Forwarding.

3) Fill in fields for a new rule:

  • Protocol: TCP
  • Alias IP: Default IP
  • Source Port: chooseportnumber
  • Destination IP: your Azureus box
  • Destination port: portnumbergoeshere
  • Remark: (Optional) Azureus BitTorrent
  • Enabled: (check)
  • Source IP: (blank)


4) Press "Add" button to save and activate.

5) Repeat the above steps for

  • Protocol: UDP

Mac OS X

First, you must disable any firewall software that is running. Then:

  1. At the top of the screen, click Finder and open System Preferences.
  2. Click Show All -> Sharing -> Internet & Network.
  3. Select the Firewall tab. Tick every box that you need. The list is far from comprehensive; you need to find out which ports are used by your IRC, ICQ and other clients.
  4. Click on the "New..." button and select "Other" from dropdown menu. Enter the following fields.
    1. TCP Port Number: _____ <-- whatever port you're using in Azureus
    2. UDP Port Number: _____ <-- by default, same port as above
    3. Description: Bittorrent
  5. Read why you should consider changing the standard 6881 port.
  6. Click "Save" and repeat these steps for every rule you wish to add.

Check your manual and help pages for instructions on how to do this with other firewalls.