Can anyone shed some light on these entries in my Firewall ?

on 19.05.2007 13:31:10 by navti

My firewall is set up to block all outbound UDP apart from NTP time packets.

The host 192.168.0.2 is a Mac running OS X 10.4.9.

Fri, 2007-05-18 10:26:37 - UDP Packet - Source:192.168.0.2,8198 Destination:67.65.250.199,24882 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198 Destination:71.59.25.30,6719 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198 Destination:12.206.139.221,59778 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198 Destination:71.80.1.166,30069 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198 Destination:67.160.106.161,2428 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198 Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198 Destination:83.31.133.79,48545 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198 Destination:83.6.3.170,38874 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:51 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:51 - UDP Packet - Source:192.168.0.2,8198 Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:56 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:56 - UDP Packet - Source:192.168.0.2,8198 Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:01 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:01 - UDP Packet - Source:192.168.0.2,8198 Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:06 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:06 - UDP Packet - Source:192.168.0.2,8198 Destination:83.25.21.190,33025 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:59 - UDP Packet - Source:192.168.0.2,8198 Destination:144.135.167.129,1307 - [Any(ALL) rule match]

Re: Can anyone shed some light on these entries in my Firewall ?

on 19.05.2007 18:03:21 by ibuprofin

On 19 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
<1179574270.752122.209280@n59g2000hsh.googlegroups.com>, navti wrote:

>My firewall is set up to block all outbound UDP apart from NTP time
>packets,

You don't use DNS? (outbound to 53, from your any > 1024)?

>the host 192.168.0.2 is a mac running OSX 10.4.9

=============== re-sorted by destination IP ================
12.206.139.221,59778 Mediacom New York state
67.65.250.199,24882 SW Bell dynamic ADSL in Oklahoma state
67.160.106.161,2428 Comcast dynamic Washington state
71.59.25.30,6719 Comcast dynamic Georgia state
71.80.1.166,30069 Charter dynamic Virginia state
83.6.3.170,38874 TPNet.pl "Neostrada Plus" dynamic ADSL
83.20.156.188,65049 TPNet.pl "Neostrada Plus" Poznan, dynamic ADSL
83.25.21.190,33025 TPNet.pl "Neostrada Plus" Rzeszow, dynamic ADSL
83.31.133.79,48545 TPNet.pl "Neostrada Plus" Warszawa, dynamic ADSL
144.135.167.129,1307 Telstra bigpond.com in Oz
===============

Well, the destination addresses are dynamic IPs, almost all residential
systems, with high (dynamic) port numbers. On your end, it's consistent
at port 8198. That port is in the IANA "Registered Port" range, but
that really means anyone can use it for anything. A cursory glance at
the SANS Internet Storm Center (http://isc.sans.org/port.html) doesn't
show that much activity.

As the source is your system, I'd be using something like lsof which
should be available on OSX and find out what application is using port
9198. I'd also look at the 'netstat' and 'ps -awux' outputs.

[compton ~]$ whatis lsof netstat ps
lsof (8) - list open files
netstat (8) - Display network connections, routing tables,
interface statistics, masquerade connections and netlink messages
ps (1) - report process status
[compton ~]$

Old guy
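The re-sort Moe Trin did by hand (group the blocked packets by local socket, then by remote peer) is easy to automate, and the same grouping gives a defender a useful triage signal: one fixed local UDP port fanning out to many residential addresses on varying high ports looks like peer-to-peer traffic rather than a client talking to a single server. The example below is added here and is not code from either poster; the log lines are a constructed sample in the firewall's own format (the wrapped entries in the post are joined back onto one line), and the NTP entry and the 192.0.2.10 address are placeholders for a negative control.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the same format as the firewall log quoted above.
# The last line is a made-up NTP packet (placeholder address) that should not be flagged.
SAMPLE_LOG = """\
Fri, 2007-05-18 10:26:37 - UDP Packet - Source:192.168.0.2,8198 Destination:67.65.250.199,24882 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:38 - UDP Packet - Source:192.168.0.2,8198 Destination:71.59.25.30,6719 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:46 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:51 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:26:56 - UDP Packet - Source:192.168.0.2,8198 Destination:83.20.156.188,65049 - [Any(ALL) rule match]
Fri, 2007-05-18 10:27:59 - UDP Packet - Source:192.168.0.2,8198 Destination:144.135.167.129,1307 - [Any(ALL) rule match]
Fri, 2007-05-18 10:28:03 - UDP Packet - Source:192.168.0.3,123 Destination:192.0.2.10,123 - [Any(ALL) rule match]
"""

# One regex for the whole entry: timestamp, protocol, source ip/port, destination ip/port, rule.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<proto>\w+) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+)\s+"
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<rule>[^\]]*)\]$"
)

def parse_log(text):
    """Parse each log line into a dict; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            records.append(d)
    return records

def by_local_socket(records):
    """Map (src, sport) -> Counter of (dst, dport): the per-destination view from the reply."""
    groups = defaultdict(Counter)
    for r in records:
        groups[(r["src"], r["sport"])][(r["dst"], r["dport"])] += 1
    return groups

def flag_fanout(groups, min_peers=3):
    """Return (src, sport, peer_count) for local sockets that reach at least min_peers
    distinct remote peers, all on unprivileged (>1023) ports: the fan-out shape worth
    chasing with lsof/netstat on the host, as the reply recommends."""
    flagged = []
    for (src, sport), peers in groups.items():
        if len(peers) >= min_peers and all(dport > 1023 for (_, dport) in peers):
            flagged.append((src, sport, len(peers)))
    return flagged
```

Run against the real log in the post, the 8198 socket shows nine distinct peers, which is exactly the pattern that turned out to be Skype.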

Re: Can anyone shed some light on these entries in my Firewall ?

on 19.05.2007 19:19:31 by navti

On May 19, 5:03 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
> On 19 May 2007, in the Usenet newsgroup comp.security.firewalls, in article
>
> <1179574270.752122.209...@n59g2000hsh.googlegroups.com>, navti wrote:
> >My firewall is set up to block all outbound UDP apart from NTP time
> >packets,
>
> You don't use DNS? (outbound to 53, from your any > 1024)?
>
> >the host 192.168.0.2 is a mac running OSX 10.4.9
>
> =============== re-sorted by destination IP ================
> 12.206.139.221,59778 Mediacom New York state
> 67.65.250.199,24882 SW Bell dynamic ADSL in Oklahoma state
> 67.160.106.161,2428 Comcast dynamic Washington state
> 71.59.25.30,6719 Comcast dynamic Georgia state
> 71.80.1.166,30069 Charter dynamic Virginia state
> 83.6.3.170,38874 TPNet.pl "Neostrada Plus" dynamic ADSL
> 83.20.156.188,65049 TPNet.pl "Neostrada Plus" Poznan, dynamic ADSL
> 83.25.21.190,33025 TPNet.pl "Neostrada Plus" Rzeszow, dynamic ADSL
> 83.31.133.79,48545 TPNet.pl "Neostrada Plus" Warszawa, dynamic ADSL
> 144.135.167.129,1307 Telstra bigpond.com in Oz
> ===============
>
> Well, the destination addresses are dynamic IPs, almost all residential
> systems, with high (dynamic) port numbers. On your end, it's consistent
> at port 8198. That port is in the IANA "Registered Port" range, but
> that really means anyone can use it for anything. A cursory glance at
> the SANS Internet Storm Center (http://isc.sans.org/port.html) doesn't
> show that much activity.
>
> As the source is your system, I'd be using something like lsof which
> should be available on OSX and find out what application is using port
> 9198. I'd also look at the 'netstat' and 'ps -awux' outputs.
>
> [compton ~]$ whatis lsof netstat ps
> lsof (8) - list open files
> netstat (8) - Display network connections, routing tables,
> interface statistics, masquerade connections and netlink messages
> ps (1) - report process status
> [compton ~]$
>
> Old guy

Thanks, I used your advice; it turned out to be Skype.

Re DNS: I use a SOHO firewall/router which does the DNS lookups for the clients behind it; it isn't subject to the firewall rules, so I can block UDP.