BitTorrent security questions

I'm running a Linux desktop behind a NAT router with a
broadband connection to the Internet. I've also installed
an iptables based firewall (Firestarter) with a completely
permissive outbound traffic policy and an inbound traffic
policy of NO connections from any host allowed and NO
services on any port allowed for anyone.

I frequently use BitTorrent (Azureus 2.3.0.6) to download
files from the web. In order to support this I enabled
port forwarding on the NAT router for ports 6882-6889 for
service BitTorrent. With these settings BitTorrent seemed
to be running all right.

Recently, after I had installed an update for Azureus
(v.2.3.0.6), I noticed a new colored button in the status
bar which would be either yellow or red indicating a
"Possible NAT (TCP) problem".

In the course of investigating this, I also noticed an item
"NAT/Firewall test" in the Azureus Tools menu which would
test the "incoming TCP/UDP listen port" which I had set to
6886. When I ran this test, it failed with the message
"Testing port 6886 ... NAT error". The test dialog box
also offered the following explanation: "In order to get
the best out of Azureus, it's highly recommended to be
fully accessible from the Internet. This tool lets you
test and/or change the port used to accept incoming peer
connections."

I took this recommendation to mean that I should open my
firewall for the ports used by bittorrent. Accordingly, I
added the inbound traffic policy "Allow service BitTorrent
for port 6881-6889 for everyone."

With that the NAT status indicator button in the Azureus
status bar turned green ("NAT OK (TCP)"). Also, some of
the torrent health indicators for ongoing downloads turned
green, meaning "everything is going fine" whereas before
they had generally been yellow, meaning "you're connected
to peers, tracker is OK but you may have a NAT problem if
your torrents stay on yellow status all the time."

After I'd made these changes everything seemed fine and
subjectively it seemed as though Azureus was working better
and down/uploading faster.

Then I did a Shields Up (grc.com) port scan for the range of
ports 6881-6889 while Azureus was running and downloads
were proceeding. The result: 6881 stealthed, 6882-6885 and
6887-6889 closed, 6886 OPEN. Ouch! I'd been running my
system with this configuration for more than a week.

I immediately removed the firewall rule "Allow service
BitTorrent for port 6881-6889 for everyone" and did another
Shields Up port scan. The result: 6881-6889 stealthed.
BitTorrent down/uploads were still running fine.

Next I also disabled port forwarding for ports 6882-6889 in
the NAT router. BitTorrent down/uploads were still running
fine.

Several questions:

1. When my system was configured with port forwarding
enabled in the router and BitTorrent allowed for ports
6881-6889 in the inbound traffic rules of my firewall, the
Shields Up port scan diagnosed port 6886 as open whenever
Azureus was running. Did that constitute a major security
hazard that a malicious hacker could have exploited? Could
he have installed malware via this "open" port, or was this
port only open for the BitTorrent protocol? If malware had
been installed would it have remained in my user area (I
wasn't running Azureus as root) or could I have been
rooted?

2. What were the security implications when I was running
Azureus with NAT router port forwarding enabled for
6882-6889 but firewall closed to traffic coming in on
6881-6889? Was there a possibility of a security
compromise in that configuration?

3. What is the point of aiming for green settings for the
NAT status of the incoming TCP/UDP listen port 6886 and for
"torrent health", settings which potentially introduce
security hazards, when BitTorrent appears to be functional
even when these settings are in the yellow or red range?

Thanks in advance.

Robert
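A defender-side check that follows from the post, as an added example (not code from the original post, nor from Azureus or Firestarter): a Shields Up result of "open" means three things coincided, a router forward, a firewall accept rule, and a process actually listening on that port. The script below takes `ss -ltnp` style output (the sample here is constructed to match what the post describes, with only 6886 having a listener) and reports which externally bound listeners fall in the BitTorrent range, then prints the narrowest iptables rule that would have sufficed in place of "allow 6881-6889 for everyone". The helper names and the sample output are assumptions for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Finds which ports in a range
# really have a listener and prints a single-port iptables rule for it.

# Constructed sample of `ss -ltnp` output (not captured from the poster's box):
# only 6886 has a listener reachable from outside, as the post's scan found.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=412,fd=3))
LISTEN 0      50     0.0.0.0:6886       0.0.0.0:*     users:(("java",pid=2231,fd=57))
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*     users:(("cupsd",pid=580,fd=6))'

# listening_ports_in_range SS_OUTPUT LOW HIGH
# Prints "port process" for each listener bound to a non-loopback address
# whose port lies in [LOW, HIGH]. Loopback-only sockets are skipped because
# a router forward cannot reach them.
listening_ports_in_range() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                proc = "unknown"
                # process name sits inside users:(("name",pid=...))
                if (match($0, /[(]"[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
                print port, proc
            }
        }'
}

# minimal_rule PORT
# The least-privilege replacement for a rule that opens a whole range:
# admit new TCP connections only on the one port the client listens on.
minimal_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$1"
}

# Stand-alone run against the constructed sample.
echo "Listeners in 6881-6889:"
listening_ports_in_range "$SAMPLE_SS" 6881 6889
echo "Narrowest accept rule:"
minimal_rule 6886
```

On a live machine, replace `$SAMPLE_SS` with `"$(ss -ltnp)"` (run as root so process names are shown). A port the router forwards but nothing listens on reports "closed", which is what the scan showed for 6882-6885 and 6887-6889; only the port with a listener reports "open", and only that process receives what arrives there.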