For fun, I wanted to use gufw to block bittorrent traffic. In gufw, I’ve set Deny to both outgoing and incoming and specified the port, and yet qbittorrent still appears to work. Is there anything else I have to do?
No expert here, but is random port generation configured for qbittorrent? It might be harder to block random ports. Not to mention, there are a LOT of options for settings in that app…
The port listed in qbittorrent is for inbound traffic.
The outbound port is random.
EDIT: It is worth noting that blocking outbound bittorrent traffic is fairly hard to do.
Yes I have port 6881 in qbittorrent and in gufw I denied all port 6881 connections coming in or going out. But I am still able to download.
A couple of terminology things you need to understand.
An inbound/incoming connection refers to someone initiating a connection to you from the outside. In the case of bittorrent, this is someone connecting to you. An outgoing/outbound connection is you connecting to something else. In the case of bittorrent it could be another peer or the tracker.
The firewall generally allows response packets to an allowed outbound connection even if that port is blocked inbound. This means that even though it is somewhat counterintuitive, to block your own download traffic you need to block outbound connections.
Lastly, blocking bittorrent traffic is extremely difficult. The protocol is made to be as resistant to blocking as possible. Something like gufw isn’t going to be able to block bittorrent effectively unless you use a client that allows you to manually put artificial limits on the communication. Alternatively, you could block all outbound traffic. This would definitely stop bittorrent traffic, but it would also stop everything else.
If you could explain why you are trying to block bittorrent traffic, maybe we could offer a different solution. Although, as I said earlier, it is extremely difficult to block so maybe not.
I was doing it for fun. On the other hand, it would be nice to block some websites (but this isn’t absolutely necessary for me). For example, say I wanted to block gentoo.org. After running
dig gentoo.org
I get the 22.214.171.124 IP address. So I run
sudo ufw deny to 126.96.36.199
but for some reason I can access the site. I have checked and verified that the firewall is indeed running, and running something like
sudo ufw default deny outgoing
blocks me from accessing anything. Could you help here?
Can you output your full ufw rules so we can see them?
Also, are you running both IPv4 and IPv6? If so, you need to block both.
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 188.8.131.52               DENY IN     Anywhere
[ 2] Anywhere                   DENY IN     184.108.40.206
I myself am not using IPv6.
Those are both inbound rules.
You need an outbound rule to block outbound traffic.
sudo ufw deny out to 220.127.116.11
If you don’t specify, ufw assumes you want an inbound rule.
It still doesn’t work unfortunately.
Can you share your rules again?
Also, are you 100% positive you aren’t running IPv6? It could be assigned automatically by your router.
That being said, it looks like gentoo is behind a CDN.
Non-authoritative answer:
www.gentoo.org canonical name = www-cdn.gentoo.org.
www-cdn.gentoo.org canonical name = dualstack.k.sni.global.fastly.net.
Name: dualstack.k.sni.global.fastly.net
Address: 18.104.22.168
Name: dualstack.k.sni.global.fastly.net
Address: 22.214.171.124
Name: dualstack.k.sni.global.fastly.net
Address: 126.96.36.199
Name: dualstack.k.sni.global.fastly.net
Address: 188.8.131.52
Name: dualstack.k.sni.global.fastly.net
Address: 2a04:4e42:600::649
Name: dualstack.k.sni.global.fastly.net
Address: 2a04:4e42:400::649
Name: dualstack.k.sni.global.fastly.net
Address: 2a04:4e42:200::649
Name: dualstack.k.sni.global.fastly.net
Address: 2a04:4e42::649
I added some rules:
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 184.108.40.206             DENY IN     Anywhere
[ 2] Anywhere                   DENY IN     220.127.116.11
[ 3] 18.104.22.168              DENY OUT    Anywhere (out)
[ 4] Anywhere                   DENY OUT    22.214.171.124 (out)
[ 5] 126.96.36.199              DENY OUT    Anywhere (out)
[ 6] 188.8.131.52               DENY OUT    Anywhere (out)
[ 7] 184.108.40.206             DENY OUT    Anywhere (out)
[ 8] 220.127.116.11             DENY OUT    Anywhere (out)
[ 9] Anywhere                   DENY OUT    18.104.22.168 (out)
Can anything be done about that?
Can you share the output of
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether a8:a1:59:3c:87:65 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.8/24 brd 192.168.0.255 scope global dynamic noprefixroute enp4s0
       valid_lft 6791sec preferred_lft 6791sec
    inet6 fe80::c25d:7102:811e:12d9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: anbox0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether fa:06:86:35:c5:4b brd ff:ff:ff:ff:ff:ff
    inet 192.168.250.1/24 scope global anbox0
       valid_lft forever preferred_lft forever
You are also running IPv6.
Add the IPv6 blocking for gentoo.org as well:
sudo ufw deny out to 2001:41c8:0:936::136
sudo ufw deny out to 2001:41c8:0:936::139
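Putting the thread's advice together as an added example (not code from any post above): the script takes a resolver answer in the nslookup format shown earlier, emits one outbound deny rule per IPv4 and IPv6 address a CDN-hosted name resolves to, and checks an existing "ufw status numbered" listing for addresses that only have an IN rule. The lookup text and the status listing are constructed samples using documentation addresses, not live output.

```shell
#!/bin/sh
# Added example, not from the thread. Resolver answer and ufw status below are
# constructed samples (RFC 5737 / RFC 3849 documentation addresses).
LOOKUP_SAMPLE='Non-authoritative answer:
www.example.invalid canonical name = cdn.example.invalid.
Name: cdn.example.invalid
Address: 192.0.2.10
Name: cdn.example.invalid
Address: 192.0.2.11
Name: cdn.example.invalid
Address: 2001:db8::10
Name: cdn.example.invalid
Address: 2001:db8::11'

UFW_STATUS_SAMPLE='Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 192.0.2.10                 DENY IN     Anywhere
[ 2] 192.0.2.11                 DENY OUT    Anywhere (out)'

# stdin: resolver output; stdout: unique addresses, one per line.
addresses_from_lookup() {
    awk '$1 == "Address:" && !seen[$2]++ { print $2 }'
}

# stdin: resolver output; stdout: one "ufw deny out to" command per address.
# ufw picks the address family from the address itself; IPv6 rules only take
# effect when IPV6=yes is set in /etc/default/ufw.
rules_from_lookup() {
    addresses_from_lookup | while IFS= read -r addr; do
        case "$addr" in
            *:*) printf 'ufw deny out to %s   # IPv6\n' "$addr" ;;
            *)   printf 'ufw deny out to %s   # IPv4\n' "$addr" ;;
        esac
    done
}

# $1: "ufw status numbered" text; stdin: resolver output.
# stdout: addresses that have no DENY OUT rule (an IN-only rule, which is what
# "ufw deny to X" creates, does not count).
missing_out_rules() {
    addresses_from_lookup | while IFS= read -r addr; do
        printf '%s\n' "$1" | grep -Fw -- "$addr" | grep -q 'DENY OUT' \
            || printf '%s\n' "$addr"
    done
}

printf '%s\n' "$LOOKUP_SAMPLE" | rules_from_lookup
printf '%s\n' "$LOOKUP_SAMPLE" | missing_out_rules "$UFW_STATUS_SAMPLE"
```

Run it again after applying the rules and re-running the lookup; CDN address sets change over time, so an empty "missing" list today does not stay empty.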
Why not stick those in