From: David K. <da...@ke...> - 2020-08-08 19:35:43
Thanks Lonnie. I'm sure I will have more questions once I dig into the /proc/net/nf_conntrack file. In the meantime, how should I interpret these two lines...

Source          Port (#'s)  Destination   Port  Protocol  Packets  Bytes    TTL
192.168.17.104  54135       17.57.144.52  5223  TCP       10097    6326476  7199:42
192.168.17.201  58114       17.57.144.7   5223  TCP       4603     2941050  4:59

The local devices are Apple devices, the destination IPs are owned by Apple and port 5223 is for their push notification service. Both are next to each other in the sorted (by bytes) table, but both have very different TTL. So what, if anything, can I tell from the difference?

Thanks
David

On Sat, Aug 8, 2020 at 3:05 PM Lonnie Abelbeck <li...@lo...> wrote:

> Hi David,
>
> The data under "Firewall States:" originates from /proc/net/nf_conntrack
>
> The TTL is the Time-To-Live of the conntrack state.
>
> I have found the current format quite useful over the years.
>
> BTW, the Prefs tab has a couple of filters:
>
> _x_ Show Firewall States
>     Hide SRC Ports:
>     Hide DST Ports:
>
> Any defined Source (SRC) or Destination (DST) ports will not be displayed. Multiple ports are separated with a space character.
>
> Lonnie
>
>
> > On Aug 8, 2020, at 1:51 PM, David Kerr <da...@ke...> wrote:
> >
> > I've been paying more attention to the firewall states on the status page to try and track down heavy internet users (though thankfully Comcast is back now -- but power is not).
> >
> > A lot of the information reported is not very useful. For example, a lot of bonjour traffic over port 5353 to 224.0.0.251 / ff02::fb currently occupying 6 of the top 11 entries. And then there is lots of traffic within my internal networks.
> >
> > Also, what is the TTL column, is it something to do when last traffic was seen? Started? Can we age off old data... about 2/3rd of my entries are showing 7199:xx in the TTL column and I am not sure how to interpret that.
> >
> > All I really care about is recent traffic leaving and arriving across the external interface(s). Other than manually filtering, is there a way we could make the status page's firewall states more helpful?
> >
> > Thanks,
> > David
> > _______________________________________________
> > Astlinux-devel mailing list
> > Ast...@li...
> > https://lists.sourceforge.net/lists/listinfo/astlinux-devel
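The filtering discussed in this thread, as an added example that is not part of the original messages and is not AstLinux code: it parses lines in the /proc/net/nf_conntrack layout, applies hide-port filters like the Prefs options mentioned above, and keeps only flows with a public endpoint. The sample lines are constructed, the function names are hypothetical, and it assumes the TTL column is the state's remaining timeout in seconds shown as minutes:seconds (under that assumption 7199:42 is just below Linux's default 432000-second timeout for established TCP states).

```python
import ipaddress

# Constructed sample in /proc/net/nf_conntrack layout (not captured data).
# packets=/bytes= are present only when conntrack accounting is enabled.
SAMPLE = """\
ipv4     2 tcp      6 431982 ESTABLISHED src=192.168.17.104 dst=17.57.144.52 sport=54135 dport=5223 packets=10097 bytes=6326476 src=17.57.144.52 dst=203.0.113.9 sport=5223 dport=54135 packets=9000 bytes=800000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=192.168.17.201 dst=17.57.144.7 sport=58114 dport=5223 packets=4603 bytes=2941050 src=17.57.144.7 dst=203.0.113.9 sport=5223 dport=58114 packets=4000 bytes=300000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.17.50 dst=224.0.0.251 sport=5353 dport=5353 packets=40 bytes=9000 [UNREPLIED] src=224.0.0.251 dst=192.168.17.50 sport=5353 dport=5353 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 tcp      6 431000 ESTABLISHED src=192.168.17.104 dst=192.168.17.2 sport=50000 dport=445 packets=900 bytes=99999999 src=192.168.17.2 dst=192.168.17.104 sport=445 dport=50000 packets=800 bytes=5000 [ASSURED] mark=0 zone=0 use=2
"""

def is_public(addr):
    a = ipaddress.ip_address(addr)
    return not (a.is_private or a.is_multicast or a.is_loopback or a.is_link_local)

def states(text, hide_src=(), hide_dst=(), external_only=True):
    """Return rows (src, sport, dst, dport, proto, packets, bytes, ttl), largest first."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6:
            continue
        first, pkts, byts = {}, 0, 0
        for t in tok[5:]:
            key, sep, val = t.partition("=")
            if not sep:
                continue                       # state name or [FLAG]
            if key == "packets":
                pkts += int(val)               # both directions summed (this example's choice)
            elif key == "bytes":
                byts += int(val)
            else:
                first.setdefault(key, val)     # first tuple = original direction
        if "src" not in first or "dst" not in first:
            continue
        sport, dport = int(first.get("sport", 0)), int(first.get("dport", 0))
        if sport in hide_src or dport in hide_dst:
            continue
        if external_only and not (is_public(first["src"]) or is_public(first["dst"])):
            continue                           # internal-only or multicast flow
        secs = int(tok[4])                     # remaining lifetime of the state, in seconds
        ttl = f"{secs // 60}:{secs % 60:02d}"  # assumed minutes:seconds display
        rows.append((first["src"], sport, first["dst"], dport, tok[2].upper(), pkts, byts, ttl))
    return sorted(rows, key=lambda r: r[6], reverse=True)

if __name__ == "__main__":
    for row in states(SAMPLE):
        print(*row, sep="\t")
```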