Gufw not blocking Bittorrent traffic

For fun, I wanted to use gufw to block bittorrent traffic. In gufw, I’ve set Deny to both outgoing and ingoing and specified the port, and yet qbittorrent still appears to work. Is there anything else I have to do?

No expert here - but is random port generation configured for qbittorrnet? - might be harder to block random :grin: Not to mention, there are a LOT of options for settings in that app…

1 Like

The port listed in qbitorrent is for inbound traffic.

The outbound port is random.

EDIT: It is worth noting that blocking outbound bittorrent traffic is fairly hard to do.

Yes I have port 6881 in qbittorrent and in gufw I denied all port 6881 connections coming in or going out. But I am still able to download.

A couple of terminology things you need to understand.

An inbound/incoming connection refers to someone initiating a connection to you from the outside. In the case of bittorrent, this is someone connecting to you. An outgoing/outbound connection is you connecting to something else. In the case of bittorrent it could be another peer or the tracker.

The firewall generally allows response packets to an allowed outbound connection even if that port is blocked inbound. This means that even though it is somewhat counterintuitive, to block your own download traffic you need to block outbound connections.

Lastly, blocking bittorrent traffic is extremely difficult. The protocol is made to be as resistant to blocking as possible. Something like gufw isn’t going to be able to block bittorrent effectively unless you use a client that allows you manually put artificial limits on the communication. Alternatively, you could block all outbound traffic. This would definitely stop bittorrent traffic but it would also stop everything else.

If you could explain why you are trying to block bittorrent traffic, maybe we could offer a different solution. Although, as I said earlier, it is extremely difficult to block so maybe not.


I was doing it for fun. On the other hand, it would be nice to block some websites (but, this isn’t absolutely necessary for me). For example say I wanted to block After running dig I get the ip address. So I run sudo ufw deny to but for some reason I can access the site. I have checked and verified that the firewall is indeed running and running something like sudo ufw default deny outgoing blocks me from accessing anything. Could you help here?

Can you output your full ufw rules so we can see them?

Also, are you running both IPv4 and IPv6? If so, you need to block both.


Status: active

     To                         Action      From
     --                         ------      ----
[ 1]              DENY IN     Anywhere
[ 2] Anywhere                   DENY IN

I myself am not using ipv6.

Those are both inbound rules.

You need an outbound rule to block outbound traffic.

Try this:

sudo ufw deny out to

If you don’t specify, ufw assumes you want an inbound rule.

It still doesn’t work unfortunately.

Can you share your rules again?

Also, are you 100% positive you aren’t running ipv6? It could be assigned automatically done by your router.

That being said, it looks like gentoo is behind a cdn.

Non-authoritative answer:  canonical name =      canonical name =
Address: 2a04:4e42:600::649
Address: 2a04:4e42:400::649
Address: 2a04:4e42:200::649
Address: 2a04:4e42::649

I added some rules:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1]              DENY IN     Anywhere
[ 2] Anywhere                   DENY IN
[ 3]              DENY OUT    Anywhere                   (out)
[ 4] Anywhere                   DENY OUT              (out)
[ 5]              DENY OUT    Anywhere                   (out)
[ 6]             DENY OUT    Anywhere                   (out)
[ 7]            DENY OUT    Anywhere                   (out)
[ 8]            DENY OUT    Anywhere                   (out)
[ 9] Anywhere                   DENY OUT              (out)

Can anything be done about that?

Can you share the output of ip a?


1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp4s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether a8:a1:59:3c:87:65 brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic noprefixroute enp4s0
       valid_lft 6791sec preferred_lft 6791sec
    inet6 fe80::c25d:7102:811e:12d9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: anbox0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether fa:06:86:35:c5:4b brd ff:ff:ff:ff:ff:ff
    inet scope global anbox0
       valid_lft forever preferred_lft forever

You are also running ipv6.

Add the ipv6 blocking for as well

sudo ufw deny out to 2001:41c8:0:936::136
sudo ufw deny out to 2001:41c8:0:936::139

That should block if you also want to block that will be harder because of the cdn.

Why not stick those in /etc/hosts then?