Linux - Security (LinuxQuestions.org forum)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have been trying to find references on how to download torrents securely. After doing some Google / forum searches, I have yet to find a definitive answer to my question.
I am trying to set up a machine for my parents with the following: Ubuntu 10.04 / XBMC (maybe MCE) / network shares for my baby sister's MacBook.
So far I have set up Ubuntu/XBMC with audio over HDMI. My next step is trying to decide whether or not showing them how to get torrents (music, movies, etc.) is a wise choice. By the very nature of BitTorrent, and the multiple ports served up by peers, I can't see a way to securely allow the service. I have set the firewall up to drop as a general policy, allowing only what is needed (http, https, etc.). I am getting stumped when it comes to allowing the torrent service though.
Setting up the torrent service to serve up files is not really the issue. I can assign the ports needed for inbound requests easily enough. However, since so many ports are used (not just 6888), configuring the outbound rules has got me confused. Above and beyond what ports to use, I am curious about another aspect of the service though. Once I allow a connection, either outbound or inbound, is it really secure?
As I stated above, I have searched and found nothing that really seems to address this issue (maybe I missed it). I have heard people talking about "torrent boxes". A dedicated box that is subnetted is not really an option for me.
Being that I am still learning the basics of firewalling and service configuration, I am kinda gun-shy. So, to anyone who uses a torrent CLI and is knowledgeable about Linux and its security: I would appreciate some pointers.
Torrents aren't really that big of a security option. Though they also aren't very parent friendly, depending on the technical sophistication of the parents in question. You should be OK with whatever security is provided by your router (NAT and port forwarding), but you can also look into NAS devices that have built-in BitTorrent clients.
Yeah... I am dealing with people that are not really technically inclined as far as computers are concerned. It was going to be more of me setting up to download for them every now and then. As to a dedicated NAS, not really an option. Thanks though. However, torrents aren't really a security issue? Hmm. A live connection to the box that responds to requests for files seems like it must have some security issue that needs to be addressed. Guess I'll just forgo torrents altogether.
I would set up rtorrent on the system, and then set up rutorrent using Apache and configure it with mutual SSL authentication; then open a single port on the router for it and you can manage the whole thing with your browser. If you really want to get automated, you could just get some RSS feeds, make some filters and have the whole thing automated, or at least partially automated.
I would also set up the torrent client to only accept encrypted peers, iptables, etc.
@idlehands: The iptables is a large part of my concern. Being that other peers set up their cli to use random ports / non-standard ports, how do I create a rule allowing OUTBOUND new to the other peers? I know I could do specific ports (I have no way of guessing outside of the standard torrent client port of 6888) and then allow established, related. Do you have a working setup that seems to be secure and functional?
I'd recommend handling the torrent downloads for your parents via SSH. You could run the torrent application in a hardened virtual machine (VM) on a separate account on their computer, with its own set of firewall rules. You could even add another layer of isolation by using mandatory access control. If you don't have (or want) a command line based torrent application, you can install a web-based GUI solution in the VM guest, without the need to expose it to the Internet. That is, since you'd be accessing it via SSH, it would only need to listen on the VM guest's localhost address.
I think what you need to do is find a way to allow the torrent program to make outbound connections, while other programs cannot even on the same ports. Pretty much every Windows personal firewall does this, but I don't think it's an approach usually taken by Linux firewalls. But it almost certainly can be done.
You don't need to allow any inbound connections at all, though not doing so may hurt your performance and is considered a bit anti-social. (If a significant portion of the swarm doesn't allow inbound connections it really hurts things).
I am marking this as solved. Reason: since I run a default of DROP on all tables, if I allow outbound on 5000 (example) to any destination I should be OK, since my INPUT for ESTABLISHED,RELATED will see the link between my request out on 5000 and the peer client's response on port whatever. I made a mountain out of a molehill. I apologize for the waste of time. Anyway, thanks guys.
However, in my research I noticed the dynamic firewall projects/scripts... looks kinda neat.
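The rule set the thread converges on (default DROP, outbound NEW allowed to any peer port, replies admitted by conntrack's ESTABLISHED,RELATED state) can be combined with the earlier suggestion of letting only the torrent program open outbound connections, which iptables does with its `owner` match on the process UID, and with the localhost-only web UI reached over SSH. The script below is an added example written for this thread, not code posted by any of the participants; it prints the rules rather than applying them so they can be read first. The account name `torrent` and the client port `5000` are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates iptables rules for the
# default-DROP policy discussed above: outbound NEW connections may go to any
# peer port, but only from the account the torrent client runs as, and the
# replies come back through conntrack's ESTABLISHED,RELATED state.
# The account name "torrent" and the client port 5000 are assumed values.
# Rules are printed, not applied, so they can be reviewed first:
#     gen_torrent_rules torrent 5000            # review
#     gen_torrent_rules torrent 5000 | sudo sh  # apply

gen_torrent_rules() {
    user="${1:-torrent}"   # unprivileged account running the client (assumed)
    port="${2:-5000}"      # listening port configured in the client (example)

    cat <<EOF
# Default policy: anything not explicitly allowed is dropped.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Loopback: the client's web UI binds to 127.0.0.1 and is reached over SSH.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to flows this host started, whatever port the remote peer uses;
# conntrack tracks the 5-tuple, so no per-port rule is needed.
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Everyone may resolve names and browse; nothing else leaves the box.
iptables -A OUTPUT -p udp --dport 53  -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Per-application egress: only processes owned by "$user" may open NEW
# outbound flows to the random peer ports BitTorrent uses.
iptables -A OUTPUT -p tcp -m owner --uid-owner $user -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -p udp -m owner --uid-owner $user -m conntrack --ctstate NEW -j ACCEPT
# One inbound listening port for incoming peers. Optional: leave it out and
# the client still works through its outbound connections, only more slowly.
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited logging of drops, so rule mistakes show up in the kernel log.
iptables -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-OUT: "
EOF
}

# Number of iptables commands the generator emits, for a quick sanity check.
count_rules() {
    gen_torrent_rules "$@" | grep -c '^iptables'
}
```

The `owner` match only works in the OUTPUT chain (the kernel knows the sending socket's UID there), which is exactly where the per-program restriction is needed: a process running as any other user gets DNS and web only, so it cannot reuse the torrent user's open egress. With the web UI bound to 127.0.0.1 on the box, `ssh -L 8080:127.0.0.1:8080 user@box` (port 8080 assumed) brings it to your own browser without any inbound rule for it.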