Security concerning Tor, BitTorrent and Firewall

Mike Perry mikepery at
Mon Feb 19 21:58:16 UTC 2007

Thus spake a a (werner12345 at

> Oh, excuses. I do not (at least not after the distinct replies) intend 
> to use this either to leech torrents or to leech Tor. Anyways, after 
> testing this for approximately three minutes, my ol' pa went totally 
> nutters on the realisation that this might circumvent the firewall (and 
> yes, he's usually nutters for a reason).
> A more accurate question on my behalf would therefore be: Can Tor (if 
> you use it without (or with, for that matter) port forwarding the 
> firewall, create "holes" in the firewall by allowing incoming 
> connections through the Tor proxy. The ?Torrent case kinda implies this 
> (riiight...?) as the other peers seemed to be able to connect to me at a 
> higher rate...

This is extremely unlikely. Most firewalls create holes for outgoing
TCP connections based on tuples of (IP dest, IP src, TCP dest, TCP
source). Unless your firewall is braindamaged, Tor should not open
incoming holes for bittorrent, since Tor only connects to Tor IPs and
ports for that first hop (which is all your firewall will see). 

(UDP is a different story, but neither Tor nor bittorrent use UDP).

One way to verify if your firewall is braindamaged is to download the
utility wireshark ( and start it up.

Once it's running, the following filter will show you all INCOMING TCP
connections to the machine running bittorrent:

(tcp.flags == 2) && (ip.dst == 192.168.0.XXX)

Replace 192.168.0.XXX with your bittorrent machine's IP.

You should see no packets other than for other holes opened in your

One alternate way your firewall could be broken is that it is allowing
UPNP (or Apple's equivalent.. forget its name). UPNP is used by client
applications to negotiate ports to open on the firewall. If your
bittorrent client supports UPNP and has it enabled, and your firewall
has it enabled, holes will open automatically independent of Tor.

You can also tell your dad that you are probably just as vulnerable
with just a single fixed (non-UPNP) port open for bittorrent as you
are running bittorrent with outgoing connecitons. So long as nothing
other than bittorrent listens on that port, the only thing exploitable
via that port should be bittorrent, and bittorrent is already
exploitable via traffic travelling over the outbound connections it
made (though outbound connections aren't visible to people scanning
your IP for exploitable clients).

> Or am I completely off the rails?

It's likely, see above ; ) 

It certainly should have nothing to do with Tor unless your firewall
manufacturer is really really dumb (not very likely).

> Or should this be put to rest because it is simply exploration of 
> exploitation ?

Very few sane people shoot down public discussion exploring
exploitation. The only way systems can hope to remain secure is if the
net IQ of people securing them exceeds that of those attempting to
break them. The only way for this to happen is public oversight and
discussion (ESPECIALLY of exploits involving closed-source systems -
closed-source companies have finite and small IQ compared to the rest
of the world). 

Unfortunately, fewer and fewer people in control of systems and law
are sane these days. So the world is about to get mighty interesting ;)

Mike Perry
Mad Computer Scientist evil labs

More information about the tor-talk mailing list