Hi members
I wonder why eMule opens more than 60 TCP ports when it works
To check it, type in DOS Shell "netstat -a -o"
The list of all processes using TCP/UDP ports appears
The right column is the PID of the process (link PID-ProcessName is shown in the task manager)
=> The PID of eMule has more than 60 TCP ports opened
I don't know if it's normal but it's many opened doors for pretty things like LovSan... (135, her phone number)
Why not only the port opened with the server you logged on ?
Maybe this port is only used for search queries, etc... but i would hardly understand that eMule needs to open one port for one active connection (upload or download)
If somebody has an idea, Thanx
DaVinci
Aug 29 2003, 19:19
The server only gets you in touch with other clients, then you open a connection to them. and you keep opening connection for transfers and checking your QR and all sorts of things.
So it's a normal thing.
And in EmulePlus you get to specify how many connections can be open at once, and over 5 secs.
setting those settings low helps a lot if you use a win98 or lesser OS. but on an NT machine you can easily have 60 open at once. i have mine set to max 50 over 5 sec and a max of 384 at any one time.
DaVinci
Ports number seems to be chosen randomly (around 1000 to 6000)
I've got the firewall of WXP active, why does it let eMule use other ports than the only one i specified in its properties ? (4662 for service eDonkey)
reanimated838uk
Aug 29 2003, 19:48
I suggest you try a different firewall than XP. It doesn't offer the security of other firewalls.
DaVinci
Aug 29 2003, 19:58
some firewalls have a feature which lets a program open as many connections going out as it likes and then letting answers come in from those connections.
what i mean by this is, that you need to tell the firewall in XP to block all ports, and then open the ones you need.
if you do not tell it to close a port, it will use it when a program on the computer tells it to.
the firewall in XP is not that bad, it's just very hard to set up, whereas zonealarm is easy to set up, but hard to control.
if you really want control, you will need a hardware firewall, or make a firewall script and run it on a linux box.
DaVinci
If a port is opened by a process, nothing except this process can use it ? (to execute code by example)
If the answer is yes, how can viruses (worms) install themselves through these ports, normally owned by other processes ? (which then open their own ports, like trojans)
I can install Kerio or BlackIce, do you know which one is the best (for use with P2P)
reanimated838uk
Aug 29 2003, 21:03
I use kerio...depends on preference really. Use what you like, and works.
I've just installed Kerio
In its config window, i have created a service with source and destination port 4661 allowed, and UPnP (applications can dynamically open ports) but it still blocks eMule (low Id).
With the XP firewall config, eMule was directly in the list of services that can be activated.
I'm not sure that 4661 is the good one, or is enough to make eMule work :-(
reanimated838uk
Aug 29 2003, 22:33
Did you disable windows XP firewall?
Yes, i disabled it and i killed his process (alg.exe) before installing Kerio
When i launched Kerio install, it told me that there was still an active firewall or shared connection
But Kerio seems to work correctly (i can browse the Net)
I think Kerio has to be configured to allow eMule to speak with the server you want to be logged on
But i don't know the source port and the destination port to allow
I opened these TCP ports :
- 4661 to any
- any to 4661
- 4662 to any
- any to 4662
and these UDP ports :
- 4672 to any
- any to 4672
- any to 4665
I try to log on a server (Razorback) which uses port 4661, it doesn't work, still low Id or no answer
I heard about allowing a specific application (eMule) to open all TCP/UDP ports it wants, but i can't find it in Kerio...
reanimated838uk
Aug 30 2003, 09:56
File/Admin/Firewall/Advanced/Filter Rules...
look for emule plus icon (I have 4) and edit it so it looks like the following:
Protocol / Local / Remote
-----------------------------
TCP Out / Any Port / Anyport:Any Address
TCP In / Any Port / Anyport:Any Address
UDP Out / Any Port / Anyport:Any Address
UDP In / Any Port / Anyport:Any Address
I've got Kerio WinRoute 5.0.1
I can't find "File/Admin/Firewall/Advanced/Filter Rules..." in administrator console
I think I've got 2 places to set this :
"Traffic Policy" and "Definition\Services"
In these 2 places, i can open ports but i can't assign to 1 application one, several or unlimited ports
I can do TCP Any/Any and UDP Any/Any but i can't link it to the app i want. If i do that without specifying a defined app, it may be dangerous (all my ports will be opened for all apps ?)
reanimated838uk
Aug 30 2003, 10:45
I'm using Kerio Personal Firewall....haven't tried winroute, so I can't help you out i'm afraid.
I'm afraid i have to read the WinRoute manual (> 200 pages...)
When i finish, i'll send you how to do this, if i find...
But if somebody uses WinRoute with a P2P application working on it (all ports can be opened, but only by this app), forward the tip.... ;-)
netwolf
Aug 30 2003, 11:34
| QUOTE (Yasko @ Aug 29 2003, 10:29 PM) |
If a port is opened by a process, nothing except this process can use it ? (to execute code by example) If the answer is yes, how virus (worms) can installed themselves by these ports, normally owned by others processes ? (which then open their own ports, like trojans)
I can install Kerio or BlackIce, do you know which one is the best (for use with P2P) |
That's one of the problems with desktop firewalls: people have no idea what they can and especially can not do.
E.g. i've heard people complain that they've caught a trojan, dialer or virus even though they use ZA or whatever.
That's simply not what desktop firewalls can do.
If you want to have protection against viruses, install an antivirus tool.
IMHO desktop firewalls (not talking about hardware firewalls) are not needed at all as long as you use Win 2000/XP patched and up to date and some critical ports closed (services not started).
Firewalls do NOT provide security, they just give you the feeling that you are safe and therefore rather make you behave carelessly.
(personal opinion of the author)
reanimated838uk
Aug 30 2003, 11:35
my views : "Better safe than sorry"
Yes, you're surely right...
Without adding the fact that you have many chances to become a NetParanoid with some ICF (BlackIce, 1 scan alert every 10 seconds after an eMule session...)
I went back to the XP firewall, WinRoute is a little bit complicated for a standalone computer (no LAN) using P2P.
But it seems to offer useful services normally reserved to hardware, especially the NAT (to mask IP and ports of all LAN computers behind those of the gateway)
I'll try a more simple (Personal Edition ?)
reanimated838uk
Aug 30 2003, 15:05
Try the personal firewall from Kerio...i think winroute was a bit excessive especially since it wasn't networked.
@Yasko:
I think you need some more basic understanding of TCP/IP-Protocol:
2 Clients can only communicate with each other directly, if there exists an active port-port-connection between them: so, as a port can only connect to one ip at a time, your emule opens a new port (randomly chosen) to connect to the port the other client listens on (4662 usually) for connections. As your client normally not only asks one other client for download at the same time it opens quite a few ports. These connections are only kept for a few moments (unless you download data from the other side). So it is really normal that there are that many ports 'open' when emule runs.
Now to security risks: basically security risks arise, if sb. tries to code in c/c++ (or assembler, or some other low-level language) and is not really careful as those languages do not make boundary checks or checks for incorrect arguments in function calls. So there is the possibility that a buffer (or an array) may overflow, which might lead to the possibility to execute any code within the usercontext of the application. The lovesan/msblast 'virus' uses a known exploit for the M$-rpc which is listening on port 135 for connection attempts (it is used for communication within a lan). In emule in releases before .30a there were a few possible security holes, too. Basically unmanaged code is quite a security risk all the time although it can give applications real good performance. If you like to know more about security or TCP/IP just google a bit - it is all public knowledge.
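The distinction discussed in this thread, between ports a process listens on and the short-lived local ports it uses for its own outgoing connections, can be read straight from the netstat listing. The following is an added example, not part of any post in the thread; it assumes output from `netstat -a -n -o` (the `-n` switch is added here to get numeric addresses), and the sample listing, addresses and PIDs are constructed.

```python
from collections import defaultdict

# Constructed sample in the Windows `netstat -a -n -o` layout; not captured from a real host.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:4662           0.0.0.0:0              LISTENING       2140
  TCP    192.168.1.10:1045      203.0.113.7:4661       ESTABLISHED     2140
  TCP    192.168.1.10:1046      198.51.100.23:4662     ESTABLISHED     2140
  TCP    192.168.1.10:1052      198.51.100.90:4662     SYN_SENT        2140
  TCP    192.168.1.10:4662      203.0.113.55:3310      ESTABLISHED     2140
  UDP    0.0.0.0:4672           *:*                                    2140
"""

def port_of(addr):
    return int(addr.rsplit(":", 1)[1])

def exposure_by_pid(text):
    """Per PID: ports that accept new traffic vs. counts of per-connection sockets."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] in ("TCP", "UDP"):
            # UDP rows have no State column, so the fourth field is already the PID.
            state = f[3] if f[0] == "TCP" else "BOUND"
            rows.append((f[0], port_of(f[1]), state, int(f[-1])))
    report = defaultdict(lambda: {"listening": set(), "inbound": 0, "outbound": 0})
    for proto, lport, state, pid in rows:
        if state in ("LISTENING", "BOUND"):
            report[pid]["listening"].add((proto, lport))
    for proto, lport, state, pid in rows:
        if state in ("LISTENING", "BOUND"):
            continue
        # Heuristic: a connection on a listening port was accepted from outside;
        # any other local port was picked for a connection this process started.
        side = "inbound" if (proto, lport) in report[pid]["listening"] else "outbound"
        report[pid][side] += 1
    return dict(report)

if __name__ == "__main__":
    for pid, info in sorted(exposure_by_pid(SAMPLE).items()):
        print(pid, sorted(info["listening"]), info["inbound"], info["outbound"])
```

Only the entries under "listening" are ports a remote host can open a new connection to; those are the ones an inbound firewall rule has to cover.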
reanimated838uk
Aug 31 2003, 17:49
@ reanimated838uk :
Thanks for the link, i'll try it
@ kidan :
If i understand, there are 2 necessary conditions to compromise security :
- a port opened by local service, an application...
- Unsafe code in this app, which can lead to unmanaged exceptions
Somebody who connects on a listening port opened by another app, can do nothing more than use the functions provided by the app interface (and maybe exploit its problems)
That's it ?
Yeah, that pretty much sums it up. Somehow the port-thing is only needed for a remote attack. For local exploits (like some special ID3-v2-tag in a .mp3 with older winamps) only unsafe code is needed. Sadly almost every bigger c/c++-application has got some flaws in it. So even when you think your firewall blocks everything your pc can still be compromised (but it is far more unlikely). The only secure solution is not to connect vital systems to any other system AND not to have data-exchange with untrusted sources. Of course this is not practical for a home user.
PS: Knowledge is the best protection, so if you are interested in this topic, give google a chance.
turn off XP firewall, and get norton firewall. It's great for emule as it only opens the ports needed and auto closes any it doesn't. all you have to do is scan your computer for internet enabled applications and you are away. Btw hi all, new member here and convert, emule plus is top notch
| QUOTE (Yasko @ Aug 30 2003, 07:41 AM) |
I think I've got 2 places to set this : "Traffic Policy" and "Definition\Services" In these 2 places, i can open ports but i can't assign to 1 application one, several or unlimited ports |
I have WR 5.0.9 running with emule...
I have a SERVICE created as follows:
[eMule / IM (Outgoing)]
TCP/UDP
Source: greater than 1020
Destination: greater than 50
Then in TRAFFIC POLICY you will need two entries (assuming eMule is running in the host machine):
[Internet Outgoing]
Source: FIREWALL
Destination: (Internet Adapter)
Service: eMule / IM (outgoing) (You can put the HTTP, FTP and rest of the services to use just one entry for all)
Action: permit
[Internet Incomming]
Source: (Internet Adapter)
Destination: FIREWALL
Service: TCP 4662 (and the port of the webserver if you use it)
Action: permit
I hope this helps... Oh, and this works for anything that uses any port over 1020 like instant messaging software. It works for IRC too, but I recommend to use the predefined service because it has the stateful inspection plugin attached.
OK, i'll check if it works
Thanks members