Message-ID: <5F1A3DC0.10702@gmail.com>
Date: Thu, 23 Jul 2020 21:47:44 -0400
From: Ernie Luzar
To: RW
CC: freebsd-questions@freebsd.org
Subject: Re: ipfw is making contact with 198.61.170.85 port 4021
References: <5F1A354B.7030508@gmail.com> <20200724022247.59475066@gumby.homeunix.com>
In-Reply-To: <20200724022247.59475066@gumby.homeunix.com>

RW via freebsd-questions wrote:
> On Thu, 23 Jul 2020 21:11:39 -0400
> Ernie Luzar wrote:
>
>> A firewall should not be making its own contact with any public ip
>> address. This is a security hole.
>>
>> I have not played with ipfw since before it was rewritten to become
>> ipfw2 so I do not know when this internal "call home" function was
>> added. pf and ipf are not doing this. I block it to be secure.
>>
>> Can anyone provide any info about this?
>
> It might help if you explain what you have actually seen.

I see log entries in the host's /var/log/security file for outbound
packets going to the ip address and port number coming from 10.0.10.1
which is the private ip address of the host. sendmail is turned off and
nothing else is running on the host