Comet Forums
Firewall settings: which ports permitted?


mankie_80

Hi everyone,

I've booted BitComet 0.70.6.24, started it up and seeded some of my own files and put a few requests for download. I got the seedfiles for loading back alright (through a download manager) but the Comet program seems to be making no contact with other peers in the week I've had it up and running. Says it's connected but I have no visible signs that the roads are actually open (with this kind of software it's sometimes hard to determine if it's actually making connection or just *starting to* and stalling).

I'm running Norton Personal Firewall, so some settings need to be in place there. When I installed BitComet I put the firewall settings as follows:

allow TCP and UDP in/out at port 53 (DNS port, needed to make network connections)

allow TCP in/out at port 80 and in/out at ports 3000-9000 (main space of up/downloading)

allow TCP and UDP in/out at 27413 (listening port) (these settings are as "standard mode"; Norton differentiates between different modes, Home, Standard, on the road etc.)

Is this OK or are there more ports that need, by default, to be open? I'm not into throwing the machine wide open to everything that might come in by torrent ("always allow bitcomet to use the internet on all ports"); that would be asking for trojans and viruses, but it seems something could be blocking the program from kicking off. There's no obvious person around in my posse whom I know for sure is running BitComet, and I'm not in the kind of gamer circles where it would seem natural to ask some half-acquaintance straight off "Are you running BitComet?" so any advice is welcome. Please indicate what kinds of traffic (TCP or UDP, inbound or outbound) we're talking of.

PC settings: Windows XP Pro SP 1, Windows inbuilt firewall disabled by me (it's not much use anyway). No router and no home network; dynamic IP. BitComet is not set to auto-start at system boot.

I've been running DC++ for a year without any trouble, so my ISP doesn't pose any problems.

thanx

Mankie, Sweden

Link to comment
Share on other sites

You should allow BitComet to use all ports... if it wants to... every time I start my BitComet a random port is selected... your firewall is blocking it... are you using DC++ when you are using BitComet (well, if it's that, then the speed is so slow that you can't connect to other peers), or the torrent you are downloading is banned from BitComet or it's dead...

Do you have a stealth mode open? That might be another reason...

Well, if you don't open all ports like others do there is no reason that others will give you the files that you need... in settings there is the button called port and the button called random port; the port selection should have a number in it... if you don't open all UDP ports I think, well, you are not gonna download anything... don't be so scared, it's not that hard to open all ports and let BitComet do its job...

Link to comment
Share on other sites

I don't think it's senseless to protect your PC, that's a lot more of my concern (viruses, system security etc.) than fear of any visits from the police or some Sony/Warner agent. I'm aware that the thing will select a random port but that doesn't mean I have to throw all ports open, certainly not the dedicated ports in the lower range (below 1024; it doesn't run in stealth mode).

Anyway the program seems to be running decently now - says it's loaded 120 meg in each direction - and I've barred large ranges of ports, among them most up to 3000 (excepting a few) and all above 33000. Still would like some tips on how torrent uses TCP and UDP ports.

Link to comment
Share on other sites

There are two separate issues here. One is outbound communications from applications like your web browser, your email client, or your BitTorrent client. Outbound communications are generally set by application, not by port number. So the setting there would be more like "let BitComet talk to whoever it wants to".

The other is unsolicited communication, that you didn't specifically ask for, coming in to your machine. This is what opening ports is all about. The general answer, for most people, is "none", or to close all the ports. This is what your default setting should be. All of your normal activity on the internet will be sending out queries (to a server such as a web server) and getting a reply from them. Those replies were solicited, and the firewall will allow the replies through without any need for the port to be opened.

That's an important distinction. Replies are allowed. New communications that you didn't specifically ask for are blocked. They're not necessarily all bad, but none of them are for your benefit, being at best harmless. Some are not harmless.

Bittorrent is different, though, because it's peer-to-peer rather than client-server. That means that some of the peers WILL try to initiate contact with you, and you want them to be able to do so. This is what the listen port is all about.

You can either specify a particular port, or you can tell it to use a random port each time. It's one or the other, not both. I wish the interface made it clearer that it's one or the other, and not both. To use a specific port, enter its number and click "Apply". To use a random port, click "Use Random Port", and then "Apply".

Random port usage assumes that BitComet can communicate with your firewall, and successfully tell it to open and close ports upon command. The built-in Windows Firewall can do that. I don't know that Norton can. So your best option is to stick with one particular port. It should be in the range of 50000 to 65535, to avoid possible conflict with other applications, but that's the only reason.

As for your firewall, the listen port is the only one that you should have open. Generally, keep them all closed absent a very specific reason to open one, which you haven't said that you have.

Take, for example, port 80. You want that open ONLY if you are expecting unsolicited communication on that port. If you are running a web server, then that might be the case. But you're only using a web browser, not a server, so you don't want that port open at all. You don't want any un-asked-for communication on the port. The same is true for downloading, for email, for just about everything most people normally do on the internet. You want all of your ports closed to communication you did not ask for first.

When you do open a port, you want to make sure that you have some application running that is listening for communication on that port and handling any that it gets. BitComet does this, but only for its one specific listen port.

Link to comment
Share on other sites
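The reply-versus-unsolicited distinction in the post above, as a small model of a stateful firewall. This is an added example, not part of the thread and not Norton's or BitComet's code; the addresses and the traffic list are constructed, the listen port 27413 is the one from the original question, and the model deliberately ignores timeouts and TCP flags.

```python
from dataclasses import dataclass, field

HOST = "192.0.2.10"     # constructed address of the protected PC
LISTEN_PORT = 27413     # the BitComet listen port from the original question

@dataclass
class StatefulFirewall:
    open_ports: set                           # (proto, port) opened on purpose
    flows: set = field(default_factory=set)   # conversations this host started

    def decide(self, proto, src, dst):
        """src and dst are (ip, port) tuples; returns the verdict as a string."""
        if src[0] == HOST:
            # Outbound: allowed per application, and remembered so that
            # the answer can be recognised when it comes back.
            self.flows.add((proto, src, dst))
            return "allow-outbound"
        if (proto, dst, src) in self.flows:
            # Inbound packet that mirrors a flow we opened: a solicited reply.
            return "allow-reply"
        if (proto, dst[1]) in self.open_ports:
            # Unsolicited, but aimed at a port opened for a listening program.
            return "allow-open-port"
        return "drop-unsolicited"

# Constructed sample traffic, in arrival order.
TRAFFIC = [
    ("tcp", (HOST, 49152), ("198.51.100.5", 80)),          # browser asks a web server
    ("tcp", ("198.51.100.5", 80), (HOST, 49152)),          # the server's answer
    ("tcp", ("203.0.113.7", 40000), (HOST, 80)),           # stranger probes port 80
    ("tcp", ("203.0.113.8", 51000), (HOST, LISTEN_PORT)),  # peer initiates contact
    ("udp", ("203.0.113.8", 51000), (HOST, LISTEN_PORT)),  # same peer over UDP
    ("tcp", ("198.51.100.5", 80), (HOST, 49153)),          # "from port 80", never asked for
]

def run_demo():
    fw = StatefulFirewall(open_ports={("tcp", LISTEN_PORT), ("udp", LISTEN_PORT)})
    return [fw.decide(*pkt) for pkt in TRAFFIC]

if __name__ == "__main__":
    for pkt, verdict in zip(TRAFFIC, run_demo()):
        print(pkt, "->", verdict)
```

The last packet is dropped even though it comes from a web server's port 80: what makes a packet a reply is that it matches a conversation the PC started, not the port number it arrives from.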

Thanks kluelos, that made some points clearer. Firewalls can be hard nuts to anyone who is not a computer pro, and though Norton is efficient, it's never struck me as a very intuitive software, especially not when it comes to making detailed settings of your own for an application. It's a bit like an old butler who wants to push you down into the chair and take care of everything his own way (I remember, in the early days, getting this: "WARNING! A computer with the IP number 127.0.0.1 just attempted to intrude on your computer").

The point that solicited replies to a software don't need any specific instruction "keep the port n open" to get through was just new to me, just one thing.

I remember hearing that even if many network functions on a pc have default ports (like, web traffic/http port 80, DNS queries port 53, POP3 mail port 110) in reality much of the communication for those is outsourced to random (and changeable) ports further up, and the main port acts like a sort of main node to that particular function. Do you recognize that?

Link to comment
Share on other sites
