Gufw not blocking Bittorrent traffic

For fun, I wanted to use gufw to block bittorrent traffic. In gufw, I’ve set Deny for both outgoing and incoming and specified the port, and yet qbittorrent still appears to work. Is there anything else I have to do?

No expert here, but is random port generation configured for qbittorrent? Might be harder to block random :grin: Not to mention, there are a LOT of options for settings in that app…


The port listed in qbittorrent is for inbound traffic.

The outbound port is random.

EDIT: It is worth noting that blocking outbound bittorrent traffic is fairly hard to do.

Yes, I have port 6881 in qbittorrent, and in gufw I denied all port 6881 connections coming in or going out. But I am still able to download.

A couple of terminology things you need to understand.

An inbound/incoming connection refers to someone initiating a connection to you from the outside. In the case of bittorrent, this is someone connecting to you. An outgoing/outbound connection is you connecting to something else. In the case of bittorrent it could be another peer or the tracker.

The firewall generally allows response packets to an allowed outbound connection even if that port is blocked inbound. This means that even though it is somewhat counterintuitive, to block your own download traffic you need to block outbound connections.

Lastly, blocking bittorrent traffic is extremely difficult. The protocol is made to be as resistant to blocking as possible. Something like gufw isn’t going to be able to block bittorrent effectively unless you use a client that allows you to manually put artificial limits on the communication. Alternatively, you could block all outbound traffic. This would definitely stop bittorrent traffic, but it would also stop everything else.

If you could explain why you are trying to block bittorrent traffic, maybe we could offer a different solution. Although, as I said earlier, it is extremely difficult to block so maybe not.


I was doing it for fun. On the other hand, it would be nice to block some websites (but this isn’t absolutely necessary for me). For example, say I wanted to block gentoo.org. After running dig gentoo.org I get the IP address 89.16.167.134. So I run sudo ufw deny to 89.16.167.134, but for some reason I can still access the site. I have checked and verified that the firewall is indeed running, and running something like sudo ufw default deny outgoing blocks me from accessing anything. Could you help here?

Can you output your full ufw rules so we can see them?

Also, are you running both IPv4 and IPv6? If so, you need to block both.

Sure:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 89.16.167.134              DENY IN     Anywhere
[ 2] Anywhere                   DENY IN     89.16.167.134

I myself am not using IPv6.

Those are both inbound rules.

You need an outbound rule to block outbound traffic.

Try this:

sudo ufw deny out to 89.16.167.134

If you don’t specify, ufw assumes you want an inbound rule.

It still doesn’t work unfortunately.

Can you share your rules again?

Also, are you 100% positive you aren’t running IPv6? It could be assigned automatically by your router.

That being said, it looks like Gentoo is behind a CDN.

Non-authoritative answer:
www.gentoo.org  canonical name = www-cdn.gentoo.org.
www-cdn.gentoo.org      canonical name = dualstack.k.sni.global.fastly.net.
Name:   dualstack.k.sni.global.fastly.net
Address: 151.101.194.137
Name:   dualstack.k.sni.global.fastly.net
Address: 151.101.130.137
Name:   dualstack.k.sni.global.fastly.net
Address: 151.101.66.137
Name:   dualstack.k.sni.global.fastly.net
Address: 151.101.2.137
Name:   dualstack.k.sni.global.fastly.net
Address: 2a04:4e42:600::649
Name:   dualstack.k.sni.global.fastly.net
Address: 2a04:4e42:400::649
Name:   dualstack.k.sni.global.fastly.net
Address: 2a04:4e42:200::649
Name:   dualstack.k.sni.global.fastly.net
Address: 2a04:4e42::649

I added some rules:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 89.16.167.134              DENY IN     Anywhere
[ 2] Anywhere                   DENY IN     89.16.167.134
[ 3] 89.16.167.134              DENY OUT    Anywhere                   (out)
[ 4] Anywhere                   DENY OUT    89.16.167.134              (out)
[ 5] 151.101.2.137              DENY OUT    Anywhere                   (out)
[ 6] 151.101.66.137             DENY OUT    Anywhere                   (out)
[ 7] 151.101.130.137            DENY OUT    Anywhere                   (out)
[ 8] 151.101.194.137            DENY OUT    Anywhere                   (out)
[ 9] Anywhere                   DENY OUT    151.101.2.137              (out)

Can anything be done about that?

Can you share the output of ip a?

Ok:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether a8:a1:59:3c:87:65 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.8/24 brd 192.168.0.255 scope global dynamic noprefixroute enp4s0
       valid_lft 6791sec preferred_lft 6791sec
    inet6 fe80::c25d:7102:811e:12d9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: anbox0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether fa:06:86:35:c5:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.250.1/24 scope global anbox0
       valid_lft forever preferred_lft forever

You are also running IPv6.

Add the IPv6 blocking for gentoo.org as well:

sudo ufw deny out to 2001:41c8:0:936::136
sudo ufw deny out to 2001:41c8:0:936::139

That should block gentoo.org. If you also want to block www.gentoo.org, that will be harder because of the CDN.
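Collecting every A and AAAA record before writing the rules, as an added example rather than anything posted in the thread: it emits an outbound deny for each address (outbound, since the inbound-only rules above never matched the host's own requests), assumes dig is installed for the live lookup, and the sample records it runs on offline are constructed.

```shell
#!/bin/sh
# Added example (not from this thread): generate ufw outbound deny rules for
# every address a name resolves to, IPv4 and IPv6 alike, so a site behind a
# CDN or reachable over IPv6 is not missed the way the single-IP rule was.

# is_ip_literal: succeed only for something that looks like an IPv4 or IPv6
# address. "dig +short" also prints CNAME targets, and those must be skipped.
is_ip_literal() {
    case "$1" in
        '') return 1 ;;
        *[!0-9.]*) ;;                 # more than digits/dots: check for IPv6
        *) return 0 ;;                # digits and dots only: IPv4
    esac
    case "$1" in
        *[!0-9a-fA-F:]*) return 1 ;;  # hostnames carry dots or letters past f
        *:*) return 0 ;;              # hex digits and colons only: IPv6
        *) return 1 ;;
    esac
}

# emit_deny_rules: read one address per line on stdin and print the matching
# outbound deny command. Nothing is applied; the output is for review first.
emit_deny_rules() {
    while IFS= read -r addr; do
        if is_ip_literal "$addr"; then
            printf 'sudo ufw deny out to %s\n' "$addr"
        fi
    done
}

# deny_rules_for_host: live lookup with dig (assumed installed); prints the
# rules for all A and AAAA records. Review them, then pipe into sh to apply.
deny_rules_for_host() {
    { dig +short A "$1"; dig +short AAAA "$1"; } | sort -u | emit_deny_rules
}

# Constructed sample of what "dig +short www.gentoo.org" might print (CNAME
# chain followed by A and AAAA records), so the demo runs offline.
sample_dig_output='www-cdn.gentoo.org.
dualstack.k.sni.global.fastly.net.
151.101.194.137
151.101.130.137
2a04:4e42:600::649
2a04:4e42::649'

printf '%s\n' "$sample_dig_output" | emit_deny_rules
```

Running `deny_rules_for_host www.gentoo.org | sh` would apply the rules, but re-run it periodically: a CDN's address set changes, and stale rules silently stop matching.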

Why not stick those in /etc/hosts then?