CaffeineAddict
Well-Known Member
The following are my nftables rules to allow qBittorrent:
filter_4 is the IPv4 table name
new_out_4 is the outbound IPv4 chain name (stateful)
new_in_4 is the inbound IPv4 chain name (stateful)
Established and related traffic is fully allowed.
The default policy is to drop packets.
Bash:
# New IPv4 traffic
add rule filter_4 input ct state new goto new_in_4
add rule filter_4 output ct state new goto new_out_4
Output:
Bash:
# qBittorrent - DHT
# NOTE: We start from port 1024, which is most widely used, but some peers may set it lower
# dport should be removed?
add rule filter_4 new_out_4 udp sport 1161 udp dport 1024-65535 accept
# qBittorrent - part of the full range of ports used most often
add rule filter_4 new_out_4 udp dport { 6881-6968, 6970-6999 } accept
# NAT Port Mapping Protocol (qBittorrent)
add rule filter_4 new_out_4 udp dport 5351 accept
# qBittorrent - BitTorrent
# NOTE: We start from port 1024, which is most widely used, but some peers may set it lower
add rule filter_4 new_out_4 tcp dport 1024-65535 accept
Input:
Bash:
# qBittorrent - DHT
# qBittorrent UDP listener, usually for DHT
add rule filter_4 new_in_4 udp sport 1024-65535 udp dport 1161 accept
# qBittorrent - BitTorrent
# qBittorrent TCP listener, BitTorrent protocol
add rule filter_4 new_in_4 tcp sport 1024-65535 tcp dport 1161 accept
# qBittorrent - Embedded tracker port
add rule filter_4 new_in_4 tcp sport 1024-65535 tcp dport 9000 accept
I feel these rules are too weak and allow way more than what's needed. Is there any way or method to harden them so that they apply as closely to qBittorrent as possible?
One weakness of nftables compared to the Windows firewall is that you can't restrict rules to specific programs, but a strength is that nftables is a stateful firewall. In this case, however, every new state is new traffic, which defeats the purpose of statefulness since too much is allowed.
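As an added example, not part of the original post, one way to tighten the rules above in nftables' own syntax: nftables cannot match a program name, but on the output path it can match the user the process runs as (meta skuid), so the wide peer port range becomes usable only by qBittorrent's account, and on input only the local listening ports are matched, with a cap on the rate of new connections. It assumes the table and chains from the post already exist, that qBittorrent runs as a dedicated user (assumed name qbittorrent), and that the gateway address is a placeholder to be replaced.

```nft
# Added example (not the original post's rules). Assumes filter_4, new_in_4 and
# new_out_4 exist as described above, that qBittorrent runs as the system user
# "qbittorrent" (assumed), and that lan_gateway is adjusted to the real gateway.
define qbt_user     = qbittorrent
define qbt_port     = 1161
define tracker_port = 9000
define lan_gateway  = 192.168.1.1   # placeholder, replace with your LAN gateway

# --- Output: every rule is gated on the socket owner, so the open peer port
# --- range cannot be used by any other program on the host.
# NAT-PMP is only ever spoken to the default gateway
add rule filter_4 new_out_4 meta skuid $qbt_user ip daddr $lan_gateway udp dport 5351 accept
# DHT / uTP: qBittorrent sends from its own listening port; the uid match
# replaces the earlier "dport 1024-65535" guess, so peers below 1024 also work
add rule filter_4 new_out_4 meta skuid $qbt_user udp sport $qbt_port accept
# UDP trackers on the classic BitTorrent range
add rule filter_4 new_out_4 meta skuid $qbt_user udp dport { 6881-6968, 6970-6999 } accept
# Peer connections over TCP, same port range as before but only for that user
add rule filter_4 new_out_4 meta skuid $qbt_user tcp dport 1024-65535 accept
# Any other new connection from that account (e.g. to SMTP or SSH) is logged and
# dropped, which makes a misbehaving client visible in the kernel log
add rule filter_4 new_out_4 meta skuid $qbt_user log prefix "qbt-out-drop: " drop

# --- Input: the remote source port says nothing about the peer, so match only
# --- the local listening ports and rate-limit new connections to them.
add rule filter_4 new_in_4 udp dport $qbt_port limit rate 200/second burst 400 packets accept
add rule filter_4 new_in_4 tcp dport $qbt_port limit rate 50/second burst 100 packets accept
add rule filter_4 new_in_4 tcp dport $tracker_port limit rate 10/second burst 20 packets accept
# Anything above the rate, or to any other port, falls through to the base
# chain's drop policy because the chain was entered with "goto".
```

Load it with `nft -f` after the table and chains exist; `nft -c -f file` checks the syntax without applying it.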