Confused about port forwarding for qbit with ufw

Daneela · 2023-09-19 16:31:51

I have edited /etc/ufw/applications.d/ufw-bittorent to use the custom port i have forwarded from my router with qbittorrent:

Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To Action From
-- ------ ----
51250/tcp (qBittorrent) ALLOW IN Anywhere
51250/tcp (qBittorrent (v6)) ALLOW IN Anywhere (v6)

Now the part that concerns me is that while qbit is open, canyouseeme.org says the port is open, when i close qbit the connection gets rejected. Is the port ACTUALLY open while qbit is open (which i wouldn't want since it's running 24/7) and am i doing something wrong? All i want is the firewall to forward my port for qbit and block it for everything else.

mpan · 2023-09-19 19:34:12

Note: file “/etc/ufw/applications.d/ufw-bittorent” is owned by package ufw itself. If you edited it, you will have to later deal with merging .pacnew files. Creating your own UFW rules avoids this problem.

The firewall doesn’t block or grant access based on what software occupies a given port. It merely determines, what to do with a packet addressed to a port.⁽¹⁾ If qBittorrent is not there, the packet will bounce off of a closed port. If you run something else on that port, it will receive the packet.

The exposure from having a high, random port open is low. A packet arriving at an unuccopied port is harmless.⁽²⁾ The threat model is different from that of either completely unfiltered traffic or having specific, well-known ports open. So there is very little reason to care about firewall letting it pass.

If you really care, because it fits your particular policy, you may simply enable the rule while starting qBittorent and disable after qBittorrent quits. For any single-process application you simply wrap it in a script, which does that for you. For services it’s most convenient to make them systemd units. Then you can turn on/off the rules before/after the service starts/stops. This can be done in multiple ways.

You may have a separate template unit, which pokes out holes upon start and closes them while stopping. Then the service requiring the holes depends on said unit. I use this method myself, though it is also more complicated to set up initially:

 $ systemctl cat ufw-rules@.service
# /usr/local/lib/systemd/system/ufw-rules@.service
[Unit]
Description=Controls UFW rule named in the parameter.
Requires=ufw.service
After=ufw.service network.target
StopWhenUnneeded=true

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=ufw allow %i
ExecStop=ufw delete allow %i

… and then in dependent service:

…
[Unit]
…
Requires=ufw-rules@RULENAME.service
After=ufw-rules@RULENAME.service
…

An alternative approach, which I did not test, but was suggested to me and seems reasonable is using `ExecStartPre=` and `ExecStopPost=` to invoke UFW commands.

Of course in either case this can’t be a user unit: it would make controlling UFW impossible.
____
⁽¹⁾ Strictly speaking it is technically possible to create firewall rules recognizing software or protocol contents. But not in a firewall manager like UFW, they cause significant load on the machine, and are royal pain to implement. Way beyond, what is useful for protection in this threat model.
⁽²⁾ As with everything the risk is not exactly zero, but — for comparison — it is at a level lower than having a firewall process the packet.

Daneela · 2023-09-19 20:28:25

Thanks a lot for the quick response, i'll likely be putting this to use later!

mpan · 2023-09-19 21:07:38

But please consider, what I wrote about usefullness of doing so (3rd paragraph) before spending time on something, that is likely to offer so little benefit.

Arch Linux

#1 2023-09-19 16:31:51

Confused about port forwarding for qbit with ufw

#2 2023-09-19 19:34:12

Re: Confused about port forwarding for qbit with ufw

#3 2023-09-19 20:28:25

Re: Confused about port forwarding for qbit with ufw

#4 2023-09-19 21:07:38

Re: Confused about port forwarding for qbit with ufw

Board footer