# Unknown TCP Connections



## rdlfree (Jul 15, 2012)

I have a base FreeBSD desktop installed and notice traffic that is not started by me. I have nothing open and see that my IPFW firewall logs are getting filled up with the following attempts, see #Log below. The key is I can look up and block - true - but why with a default install and with the following apps (Gnome2, firefox, gimp, libreoffice, and HPLIP)? There should not be any traffic with nothing running but NTP and NIC stuff.

```
# FreeBSD Version
$ uname -a
FreeBSD r1 9.0-RELEASE-p3 FreeBSD 9.0-RELEASE-p3 #0: Tue Jun 12 02:52:29 UTC 2012
root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

#Log (host and IP removed)
Jul 15 11:13:03  ipfw: 299 Deny TCP x.x.x.x2:39675 72.247.114.46:443 out via em0
Jul 15 11:13:05  ipfw: 299 Deny TCP x.x.x.x2:50450 207.109.73.43:80 out via em0
Jul 15 11:13:05 last message repeated 2 times
Jul 15 11:13:05  ipfw: 299 Deny TCP x.x.x.x2:50449 207.109.73.43:80 out via em0
Jul 15 11:13:41  ipfw: 299 Deny UDP x.x.x.x2:123 69.64.72.238:123 out via em00
Jul 15 11:13:46  ipfw: 299 Deny UDP x.x.x.x2:123 216.66.0.142:123 out via em0
Jul 15 11:13:52  ipfw: 299 Deny UDP x.x.x.x2:123 108.61.73.244:123 out via em0
Jul 15 11:13:59  ipfw: 299 Deny TCP x.x.x.x2:50450 207.109.73.43:80 out via em0
Jul 15 11:14:00  ipfw: 299 Deny TCP x.x.x.x2:61743 64.215.255.122:80 out via em0
Jul 15 11:14:33  ipfw: 299 Deny TCP x.x.x.x2:50450 207.109.73.43:80 out via em0

#IPFW Rules That Applies
# Allow out non-secure standard www function
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state

# Allow out secure www function https over TLS SSL
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# deny and log everything else that's trying to get out.
# This rule enforces the block all by default logic.
$cmd 00299 deny log all from any to any out via $pif
```


----------



## kpa (Jul 15, 2012)

What you're seeing is out-of-state final packets of connections that were terminated without the other participant being able to respond quickly enough. It's perfectly normal with TCP and laggy connections. You might want to allow UDP port 123 (ntp) too if you want your system to stay in correct time.


----------



## rdlfree (Jul 15, 2012)

KPA thanks... not used to IPFW.

I do have other rules, I only posted the rules that applied. I have a rule for NTP that works - thanks.


----------



## anomie (Jul 16, 2012)

Does your ipfw(8) ruleset have a

```
check-state
```
??


----------



## rdlfree (Jul 16, 2012)

anomie said:

> Does your ipfw(8) ruleset have a `check-state`??

Yes, I have the following: `$cmd 00015 check-state`

My concern is that these same IPs just run and run and run, denied by the default IPFW deny rule, regardless of a reboot and even when I close all open apps (running in Gnome2). I have tried rebooting and it just keeps running, denied on IPFW rule 299 - the same IPs as above. I am running tail -f on /var/log/security to watch the deny results. Makes no sense? What would cause this? Can it just be "out of state final packets", or do I have a hung process/app that keeps opening once I log into Gnome (i.e., Epiphany or something... etc.)?


----------



## rdlfree (Jul 17, 2012)

*Mark resolved:*

Ok, the paranoia can stop. This is good news. Thanks to http://www.dedoimedo.com/computers/lsof.html I have found the cause of so much traffic by using the *lsof -i tcp* command. This command will show all network interfaces using tcp connections. The answer, for those interested, is gnome applets: gweather, clock-app, gnome-ses, and gvfsd-htt.

Please close this thread and mark as solved - but there is an active bug with gnome-applets. I fixed it myself by removing it, and discovered it through use of UNIX commands.


----------



## rdlfree (Jul 17, 2012)

There is a known BUG in gnome-clock-applet, see https://bugzilla.redhat.com/show_bug.cgi?id=669907. It causes unwanted http connections to interesting IPs? I removed the applet and then re-added it, and so far it is quiet. As soon as I remove it the http traffic stops. Try these commands to see what is going on; I used lsof to see which PID had what connection.

```
# GNU net-tools (Linux) syntax as posted; FreeBSD's netstat(1) takes different
# options, and sockstat(1) is the base-system tool that maps sockets to PIDs
netstat -taupe
netstat -l --tcp -p
netstat -l --udp -p -n
netstat -i
```

An interesting "watchdog" use of netstat is with the -c switch, which will print a continuous listing of whatever you have asked it to display, refreshing every second. This is a good way to observe changes that are happening (connections being opened, etc.).

Not sure what we can do further here; the short explanation is that there is a security bug in gnome-clock-applet.
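The two diagnostic steps argued over in this thread, kpa's point that repeated denies of an already-closed connection are late packets whose dynamic keep-state rule has expired, and rdlfree's use of lsof/netstat to find which process owns a connection, as an added shell example that is not part of the thread or of any FreeBSD tool. It triages ipfw `Deny ... out` lines by destination (same local port hitting one destination again and again = stragglers of a dead connection; fresh ephemeral ports to the same destination = a process that keeps reconnecting, which is what the applets were doing) and joins each denied local port against `sockstat -4 -c` output, the base-system equivalent of `lsof -i tcp`. The log lines and the sockstat rows below are constructed samples modelled on the log above: 192.0.2.2 stands in for the masked host, and the gweather/ntpd rows and their PIDs are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: triage ipfw "Deny ... out" log lines
# and attribute each denied local port to a process via sockstat(1) output.
# Both inputs below are CONSTRUCTED samples modelled on the thread's log;
# 192.0.2.2 stands in for the masked host, and the sockstat rows (gweather,
# ntpd, their PIDs) are assumptions. On a live FreeBSD box feed
#   tail -n 200 /var/log/security     and     sockstat -4 -c
# instead of the embedded strings.

IPFW_LOG='Jul 15 11:13:03  ipfw: 299 Deny TCP 192.0.2.2:39675 72.247.114.46:443 out via em0
Jul 15 11:13:05  ipfw: 299 Deny TCP 192.0.2.2:50450 207.109.73.43:80 out via em0
Jul 15 11:13:05 last message repeated 2 times
Jul 15 11:13:41  ipfw: 299 Deny UDP 192.0.2.2:123 69.64.72.238:123 out via em0
Jul 15 11:13:59  ipfw: 299 Deny TCP 192.0.2.2:50450 207.109.73.43:80 out via em0
Jul 15 11:14:00  ipfw: 299 Deny TCP 192.0.2.2:61743 64.215.255.122:80 out via em0
Jul 15 11:14:33  ipfw: 299 Deny TCP 192.0.2.2:50450 207.109.73.43:80 out via em0
Jul 15 11:15:10  ipfw: 299 Deny TCP 192.0.2.2:61802 64.215.255.122:80 out via em0
Jul 15 11:16:10  ipfw: 299 Deny TCP 192.0.2.2:61911 64.215.255.122:80 out via em0'

SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
rdl      gweather   1234  12 tcp4   192.0.2.2:61911       64.215.255.122:80
root     ntpd        612  20 udp4   *:123                 *:*'

# Per destination: how many distinct local ports hit it and how many log
# hits (syslog "last message repeated N times" lines are folded in).
#   one port, many hits  -> retransmits: stragglers of a connection whose
#                           dynamic keep-state rule has already expired
#   several ports        -> new-connections: some process keeps reconnecting
classify_denies() {
  awk '
    $6 == "Deny" && $10 == "out" {
      split($8, s, ":"); lport = s[2]
      key = $7 " " $9
      hits[key]++
      if (!((key, lport) in seen)) { seen[key, lport] = 1; ports[key]++ }
      last = key
      next
    }
    $4 == "last" && $5 == "message" && $6 == "repeated" && last != "" {
      hits[last] += $(NF - 1)
    }
    END {
      for (k in hits) {
        v = (ports[k] >= 2) ? "new-connections" : ((hits[k] >= 2) ? "retransmits" : "single")
        printf "%s ports=%d hits=%d %s\n", k, ports[k], hits[k], v
      }
    }' | sort
}

# Join each denied local port against the sockstat snapshot ($1) to name the
# owning process. A port with no socket has already closed: consistent with
# the out-of-state explanation, nothing left to chase.
attribute_denies() {
  SOCK="$1" awk '
    BEGIN {
      n = split(ENVIRON["SOCK"], rows, "\n")
      for (i = 1; i <= n; i++) {
        m = split(rows[i], f, " ")
        if (m < 7 || f[3] !~ /^[0-9]+$/) continue   # skip the header row
        split(f[6], l, ":")                         # LOCAL ADDRESS -> port
        owner[l[2]] = f[2] "/" f[3]
      }
    }
    $6 == "Deny" && $10 == "out" {
      split($8, s, ":"); lp = s[2]
      if (lp in done) next
      done[lp] = 1
      printf "lport=%s %s %s %s\n", lp, $7, $9, ((lp in owner) ? owner[lp] : "no-socket")
    }'
}

sample_verdict() {   # $1 = destination ip:port  ->  "ports=N hits=M verdict"
  printf '%s\n' "$IPFW_LOG" | classify_denies | awk -v d="$1" '$2 == d { print $3, $4, $5 }'
}
sample_owner() {     # $1 = local port  ->  "command/pid" or "no-socket"
  printf '%s\n' "$IPFW_LOG" | attribute_denies "$SOCKSTAT" | awk -v p="lport=$1" '$1 == p { print $4 }'
}

printf '%s\n' "$IPFW_LOG" | classify_denies
printf '%s\n' "$IPFW_LOG" | attribute_denies "$SOCKSTAT"
```

On the sample, 207.109.73.43:80 comes out as `ports=1 hits=5 retransmits` (one connection's leftovers, exactly the case kpa describes; ipfw drops the dynamic rule `net.inet.ip.fw.dyn_fin_lifetime` seconds after seeing the FIN, and anything the peer sends later falls through to rule 299), while 64.215.255.122:80 comes out as `ports=3 hits=3 new-connections` and its newest port is owned by `gweather/1234`. The snapshot only answers for sockets still open, so run the attribution while the process is alive; a `no-socket` result on a repeated tuple is the expected outcome, not a hidden process.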


----------

