Gentoo Forums
Networking & Security
Where does this traffic come from?
Jimini (Guru, Joined: 31 Oct 2006, Posts: 592, Location: Germany)
Posted: Thu Nov 27, 2014 9:50 am    Post subject: Where does this traffic come from?

Hey there,

my system blocks some outgoing traffic, which I cannot assign to a program or process:
Code:
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32661 DF PROTO=TCP SPT=845 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36029 DF PROTO=TCP SPT=691 DPT=55679 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:57 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5139 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:58 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5140 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:48 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10982 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:49 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10983 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:59:04 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59752 DF PROTO=TCP SPT=843 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:59:05 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59753 DF PROTO=TCP SPT=843 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 06:05:10 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58623 DF PROTO=TCP SPT=805 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 06:05:11 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58624 DF PROTO=TCP SPT=805 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 07:24:37 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61388 DF PROTO=TCP SPT=1017 DPT=49510 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 07:24:38 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61389 DF PROTO=TCP SPT=1017 DPT=49510 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 27 10:29:02 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4863 DF PROTO=TCP SPT=884 DPT=35335 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 27 10:29:03 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4864 DF PROTO=TCP SPT=884 DPT=35335 WINDOW=29200 RES=0x00 SYN URGP=0


It seems as if this traffic is somehow NFS-related, but until now I was unable to figure it out exactly. As you may have noticed, the source port and the destination port are dynamic. rpc.statd and rpc.mountd are bound to static ports (4001 and 4002 for rpc.statd and 4000 for rpc.mountd).
Of course, all NFS mounts work without problems.

Any ideas?

Best,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
szatox (Veteran, Joined: 27 Aug 2013, Posts: 1764)
Posted: Thu Nov 27, 2014 5:02 pm

Try `lsof -n | grep <remote IP>` on your chatty device
Jimini (Guru)
Posted: Thu Nov 27, 2014 5:07 pm

szatox,

thank you for your reply. The problem is that the system tries to establish the connection only twice at a time, so "lsof -n | grep ip.of.my.workstation" only shows four SSH connections and one HTTPS connection.

Best,
Jimini
krinn (Watchman, Joined: 02 May 2003, Posts: 7170)
Posted: Fri Nov 28, 2014 1:03 pm

You should notice the source ports are below 1024, so they aren't as random as you think they are.
Do you have a Windows machine on? Windows loves to send stupid packets and broadcast anything, like UPnP discovery packets or its network announcements.
Or your computer is using something that shares the same stupid concept, like Avahi.
Jimini (Guru)
Posted: Fri Nov 28, 2014 5:28 pm

Although I have one Windows 7 client here, these log lines always appear right after mounting some NFS shares or restarting the NFS daemon. Since no incoming traffic is blocked (and logged), my assumption is that the NFS server initiates the connections.

The following source ports were used so far:
846, 822, 826, 848, 721, 836, 765, 754, 795, 682,
832, 708, 900, 753, 838, 999, 739, 962, 997, 781,
894, 725, 1008, 921, 752, 879, 753, 928, 969, 845,
691, 981, 1022, 843, 854, 835, 805, 1017, 887, 1004,
667, 690, 862, 845, 1015, 731, 919, 991, 942, 941,
970, 926, 688, 942, 721, 937, 842, 840, 960, 787,
884, 901, 709, 731, 860, 859, 702, 820

...to me, this looks really dynamic :\

Best,
Jimini
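The REJECTED_OUTPUT lines in the first post and the source-port list in the last post call for the same check, so here is one added example (my code, not Jimini's and not part of the Gentoo thread) that serves both: it parses the netfilter LOG format, keeps only outbound SYNs, groups them by outgoing interface, destination and destination port, separates fresh attempts from one-second SYN retransmits, and tests whether every source port falls inside the reserved range and inside 665-1023, which is the default window the Linux kernel's sunrpc client draws its reserved source ports from (/proc/sys/sunrpc/min_resvport and max_resvport). The sample log is a subset of the lines quoted above and the port list is the one posted above, both embedded as constructed input; the log year (2014) is assumed because syslog lines carry none. The script does not identify the program; it only shows whether the observed ports are consistent with a reserved-port RPC client, which is the point krinn raised.

```python
"""Correlate netfilter LOG lines and source-port ranges (added example, not from the thread)."""
import re
from datetime import datetime

IPPORT_RESERVED = 1024      # ports below this need root / CAP_NET_BIND_SERVICE, or a kernel socket
SUNRPC_RESV = (665, 1023)   # Linux sunrpc client default: /proc/sys/sunrpc/{min,max}_resvport

# Constructed sample: a subset of the REJECTED_OUTPUT lines quoted in the first post.
SAMPLE_LOG = """\
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32661 DF PROTO=TCP SPT=845 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36029 DF PROTO=TCP SPT=691 DPT=55679 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:57 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5139 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:58 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5140 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:48 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10982 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:49 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10983 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 27 10:29:02 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4863 DF PROTO=TCP SPT=884 DPT=35335 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 27 10:29:03 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4864 DF PROTO=TCP SPT=884 DPT=35335 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# The source ports listed in the last post, in the order given there.
POSTED_SPORTS = [
    846, 822, 826, 848, 721, 836, 765, 754, 795, 682, 832, 708, 900, 753, 838, 999, 739,
    962, 997, 781, 894, 725, 1008, 921, 752, 879, 753, 928, 969, 845, 691, 981, 1022, 843,
    854, 835, 805, 1017, 887, 1004, 667, 690, 862, 845, 1015, 731, 919, 991, 942, 941, 970,
    926, 688, 942, 721, 937, 842, 840, 960, 787, 884, 901, 709, 731, 860, 859, 702, 820,
]

TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: (\S+): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, year=2014):
    """Parse one netfilter LOG line into a dict; None if the line is not one."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts, host, prefix, rest = m.groups()
    rec = {"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
           "host": host, "prefix": prefix}
    rec.update(KV_RE.findall(rest))
    for k in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if k in rec:
            rec[k] = int(rec[k])
    # Bare tokens (DF, SYN, ACK, ...) carry no '=' and are the IP/TCP flags.
    rec["flags"] = {tok for tok in rest.split() if "=" not in tok}
    return rec


def classify_sport(sport):
    """Say what kind of socket could have bound this source port."""
    if SUNRPC_RESV[0] <= sport <= SUNRPC_RESV[1]:
        return "reserved, inside Linux sunrpc client window 665-1023"
    if sport < IPPORT_RESERVED:
        return "reserved (<1024): root-owned or kernel socket"
    return "ephemeral"


def summarize(log_text, year=2014):
    """Group outbound SYNs by (out interface, dst, dport).

    A new source port, or the same one seen again after more than 60 s, starts a
    new attempt; the same port one second later is the kernel retransmitting an
    unanswered SYN (note the consecutive IP IDs in the log), not a new connection.
    """
    targets = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line, year)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
            continue  # only connection initiations sent by this host
        key = (rec["OUT"], rec["DST"], rec["DPT"])
        t = targets.setdefault(key, {"syns": 0, "attempts": 0, "sports": [],
                                     "first": rec["ts"], "last": rec["ts"], "_prev": None})
        t["syns"] += 1
        t["last"] = rec["ts"]
        prev = t["_prev"]
        if prev is None or prev[0] != rec["SPT"] or (rec["ts"] - prev[1]).total_seconds() > 60:
            t["attempts"] += 1
            t["sports"].append(rec["SPT"])
        t["_prev"] = (rec["SPT"], rec["ts"])
    for t in targets.values():
        del t["_prev"]
    return targets


def port_window(ports):
    """Return (min, max, all below 1024, all inside the sunrpc 665-1023 window)."""
    lo, hi = min(ports), max(ports)
    return lo, hi, hi < IPPORT_RESERVED, SUNRPC_RESV[0] <= lo and hi <= SUNRPC_RESV[1]


if __name__ == "__main__":
    for (iface, dst, dport), t in summarize(SAMPLE_LOG).items():
        print(f"{iface} -> {dst}:{dport}: {t['syns']} SYNs in {t['attempts']} attempt(s), "
              f"sports={t['sports']} ({classify_sport(t['sports'][0])})")
    lo, hi, resv, win = port_window(POSTED_SPORTS)
    print(f"posted source ports: {lo}..{hi}, all reserved={resv}, all in sunrpc window={win}")
```

Run against the posted list this reports 667..1022, entirely inside the 665-1023 window; a source port below 1024 rules out an unprivileged user process, and a socket created inside the kernel (as the sunrpc client does) belongs to no process at all, which is why `lsof` on the server shows nothing for these attempts. The other half of the picture is on the client: `rpcinfo -p 10.0.0.30` lists the RPC programs registered there together with the ports they were given, so the DPT values (48913, 55679, 54083, 35335) can be looked up directly instead of guessed.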