Date: Fri, 24 Jul 2020 03:46:11 +0200
From: Polytropon
To: Ernie Luzar
Cc: "freebsd-questions@freebsd.org"
Subject: Re: ipfw is making contact with 198.61.170.85 port 4021
Message-Id: <20200724034611.53c30377.freebsd@edvax.de>
In-Reply-To: <5F1A354B.7030508@gmail.com>

On Thu, 23 Jul 2020 21:11:39 -0400, Ernie Luzar wrote:
> A firewall should not be making its own contact with any public ip
> address. This is a security hole.

If ipfw should have done that - yes, that would be correct.
However, it is not the purpose of a firewall to contact
anything, anywhere, and ipfw has not done so in decades.

May I ask why you assume that ipfw is the problem here?
Do you have any specific logs or messages that you can
post to the list?

Sidenote:

The IP 198.61.170.85 belongs to alerts0.envisacor.com.
The homepage belongs to something called "Envisacor"
which states about itself that it is "a premiere ODM
to the Security and Home Automation industries" and
is doing "design including IP based-products".

So maybe it's in fact something in your network you
bought from that company that is phoning home? Just
guessing. But at least it looks like a valid assumption...

> I have not played with ipfw since before it was rewritten to become
> ipfw2 so I do not know when this internal "call home" function was
> added.

Never.

> Can any one provide any info about this?

If _you_ can provide some more information? :-)

Do you have any logs that show what is the originator of
the connection, what connection it is, and maybe if there
is some content transmitted? Tools like tcpdump or wireshark
can be helpful here. But if you have firewall logging, maybe
you can show some lines from the log related to that IP address?

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
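
The firewall-log check requested in the reply above, as an added example that is not part of the original message: it tallies which source addresses sent packets to 198.61.170.85:4021 and on which interface ipfw saw them. It assumes a rule with the `log` keyword matches this traffic, that `net.inet.ip.fw.verbose=1` sends entries to syslog, and IPv4 addresses; the log lines, host name, rule number, interface names and all addresses other than the destination are constructed.

```shell
#!/bin/sh
# Constructed sample of ipfw syslog lines (normally found in /var/log/security).
# Assumed layout: em1 = LAN side, em0 = WAN side. 203.0.113.7 stands in for the
# gateway's public address, i.e. the same flows as logged again after NAT.
sample_log() {
cat <<'EOF'
Jul 23 20:55:01 gw kernel: ipfw: 500 Accept TCP 192.168.1.23:49152 198.61.170.85:4021 in via em1
Jul 23 20:55:01 gw kernel: ipfw: 500 Accept TCP 203.0.113.7:49152 198.61.170.85:4021 out via em0
Jul 23 20:55:31 gw kernel: ipfw: 500 Accept TCP 192.168.1.23:49153 198.61.170.85:4021 in via em1
Jul 23 20:55:31 gw kernel: ipfw: 500 Accept TCP 203.0.113.7:49153 198.61.170.85:4021 out via em0
Jul 23 20:55:40 gw kernel: ipfw: 500 Accept TCP 192.168.1.10:51000 192.0.2.80:443 in via em1
Jul 23 20:56:00 gw sshd[812]: Accepted publickey for admin from 192.168.1.10 port 51022
Jul 23 20:56:01 gw kernel: ipfw: 500 Accept TCP 192.168.1.23:49154 198.61.170.85:4021 in via em1
EOF
}

# originators ip:port
# Reads ipfw log lines on stdin and prints "count source direction interface"
# for every packet addressed to the given destination, most frequent first.
originators() {
    target="$1"
    awk -v t="$target" '
        / ipfw: / {
            # The source is the addr:port field directly in front of the
            # destination; scanning for it tolerates multi-word actions.
            for (i = 1; i < NF; i++)
                if ($i ~ /^[0-9.]+:[0-9]+$/ && $(i + 1) == t) {
                    src = $i
                    sub(/:[0-9]+$/, "", src)          # drop the source port
                    n[src " " $(i + 2) " " $(i + 4)]++ # src, in|out, iface
                    break
                }
        }
        END { for (k in n) print n[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# A LAN address arriving "in via em1" is the real originator; the "out via em0"
# entries only show the gateway address that NAT put on the same flows.
sample_log | originators 198.61.170.85:4021
```

On a live system the same function can read the real log, for example `originators 198.61.170.85:4021 < /var/log/security`.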