From: Lonnie A. <li...@lo...> - 2020-08-08 20:08:03
Hi David,

> Source          Port (#'s)  Destination     Port   Protocol  Packets  Bytes    TTL
> 192.168.17.104  54135       17.57.144.52    5223   TCP       10097    6326476  7199:42
> 192.168.17.201  58114       17.57.144.7     5223   TCP       4603     2941050  4:59

The 7199:42 (large) TTL indicates an active TCP connection. When traffic occurs it is reset back to 7200.00 (5 days).

The 4:59 TTL is most likely a closed TCP connection counting down to 0, when the state expires.

Lonnie

> On Aug 8, 2020, at 2:28 PM, David Kerr <da...@ke...> wrote:
>
> Thanks Lonnie. I'm sure I will have more questions once I dig into the /proc/net/nf_conntrack file. In the meantime, how should I interpret these two lines...
>
> Source          Port (#'s)  Destination     Port   Protocol  Packets  Bytes    TTL
> 192.168.17.104  54135       17.57.144.52    5223   TCP       10097    6326476  7199:42
> 192.168.17.201  58114       17.57.144.7     5223   TCP       4603     2941050  4:59
>
> The local devices are Apple devices, the destination IPs are owned by Apple, and port 5223 is for their push notification service. Both are next to each other in the sorted (by bytes) table, but both have very different TTLs. So what, if anything, can I tell from the difference?
>
> Thanks
> David
>
> > On Sat, Aug 8, 2020 at 3:05 PM Lonnie Abelbeck <li...@lo...> wrote:
> > Hi David,
> >
> > The data under "Firewall States:" originates from /proc/net/nf_conntrack
> >
> > The TTL is the Time-To-Live of the conntrack state.
> >
> > I have found the current format quite useful over the years.
> >
> > BTW, the Prefs tab has a couple of filters:
> >
> > _x_ Show Firewall States
> > Hide SRC Ports:
> > Hide DST Ports:
> >
> > Any defined Source (SRC) or Destination (DST) ports will not be displayed. Multiple ports are separated with a space character.
> >
> > Lonnie
> >
> > > On Aug 8, 2020, at 1:51 PM, David Kerr <da...@ke...> wrote:
> > >
> > > I've been paying more attention to the firewall states on the status page to try and track down heavy internet users (though thankfully Comcast is back now -- but power is not).
> > >
> > > A lot of the information reported is not very useful. For example, a lot of Bonjour traffic over port 5353 to 224.0.0.251 / ff02::fb is currently occupying 6 of the top 11 entries. And then there is lots of traffic within my internal networks.
> > >
> > > Also, what is the TTL column? Is it something to do with when last traffic was seen? Started? Can we age off old data... about 2/3rds of my entries are showing 7199:xx in the TTL column and I am not sure how to interpret that.
> > >
> > > All I really care about is recent traffic leaving and arriving across the external interface(s). Other than manually filtering, is there a way we could make the status page's firewall states more helpful?
> > >
> > > Thanks,
> > > David
> > > _______________________________________________
> > > Astlinux-devel mailing list
> > > Ast...@li...
> > > https://lists.sourceforge.net/lists/listinfo/astlinux-devel
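As an added example (not AstLinux code, and not from anyone in this thread), the script below parses /proc/net/nf_conntrack lines into the same Source/Port/Destination/Port/Protocol/Packets/Bytes/TTL view the status page shows, renders the raw timeout in seconds as the minutes:seconds TTL seen above (431982 s prints as 7199:42), applies the Prefs-tab style "Hide SRC Ports" / "Hide DST Ports" filters, and adds an "external only" filter that drops entries where both endpoints are private, link-local or multicast addresses (the kind of Bonjour and LAN-internal noise complained about above). The sample lines are constructed to match the numbers quoted in the thread; the TCP state names on them are illustrative, and packets=/bytes= fields only exist when net.netfilter.nf_conntrack_acct=1 on the box.

```python
"""Parse /proc/net/nf_conntrack into a sorted "Firewall States" table.

Assumed line layout (the /proc/net/nf_conntrack format with accounting on):
  l3proto l3num l4proto l4num timeout [TCPSTATE] orig-tuple [UNREPLIED]
  reply-tuple [ASSURED] mark=... zone=... use=...
where each tuple is src= dst= sport= dport= packets= bytes=.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample lines, NOT captured from a real router.  Timeouts were
# chosen so the TTLs render as the 7199:42 and 4:59 discussed in the thread;
# the TCP state names are illustrative only.
SAMPLE = """\
ipv4     2 tcp      6 431982 ESTABLISHED src=192.168.17.104 dst=17.57.144.52 sport=54135 dport=5223 packets=5048 bytes=3163238 src=17.57.144.52 dst=192.168.17.104 sport=5223 dport=54135 packets=5049 bytes=3163238 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 TIME_WAIT src=192.168.17.201 dst=17.57.144.7 sport=58114 dport=5223 packets=2301 bytes=1470525 src=17.57.144.7 dst=192.168.17.201 sport=5223 dport=58114 packets=2302 bytes=1470525 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp     17 25 src=192.168.17.104 dst=224.0.0.251 sport=5353 dport=5353 packets=400 bytes=60000 [UNREPLIED] src=224.0.0.251 dst=192.168.17.104 sport=5353 dport=5353 packets=0 bytes=0 mark=0 zone=0 use=2
ipv4     2 udp     17 170 src=192.168.17.10 dst=192.168.17.1 sport=41000 dport=53 packets=3 bytes=210 src=192.168.17.1 dst=192.168.17.10 sport=53 dport=41000 packets=3 bytes=500 mark=0 zone=0 use=2
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class State:
    proto: str
    ttl: int                  # seconds until the kernel drops the entry
    tcp_state: Optional[str]  # ESTABLISHED, TIME_WAIT, ... (TCP only)
    src: str
    sport: int
    dst: str
    dport: int
    packets: int              # original + reply direction
    nbytes: int               # original + reply direction

    @property
    def ttl_mmss(self) -> str:
        """Timeout as minutes:seconds, the way the status page shows it."""
        return f"{self.ttl // 60}:{self.ttl % 60:02d}"


def parse_line(line: str) -> Optional[State]:
    """Return a State for a tcp/udp conntrack line, None for anything else."""
    fields = line.split()
    if len(fields) < 6:
        return None
    proto, ttl = fields[2], int(fields[4])
    tcp_state = fields[5] if proto == "tcp" else None
    # Keys repeat once per direction; the first occurrence is the original
    # (LAN-initiated) direction, the second is the reply direction.
    seen = {}
    for key, val in KV.findall(line):
        seen.setdefault(key, []).append(val)
    if "sport" not in seen:
        return None  # icmp etc. carry type=/code=/id= instead of ports
    packets = sum(int(v) for v in seen.get("packets", []))
    nbytes = sum(int(v) for v in seen.get("bytes", []))
    return State(proto, ttl, tcp_state,
                 seen["src"][0], int(seen["sport"][0]),
                 seen["dst"][0], int(seen["dport"][0]),
                 packets, nbytes)


def is_local(addr: str) -> bool:
    """True for RFC1918/ULA, link-local, multicast and loopback addresses."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_link_local or ip.is_multicast or ip.is_loopback


def firewall_states(text: str,
                    hide_src_ports: Iterable[int] = (),
                    hide_dst_ports: Iterable[int] = (),
                    external_only: bool = False) -> List[State]:
    """Filter and sort (by bytes, descending) the states found in text."""
    hide_src, hide_dst = set(hide_src_ports), set(hide_dst_ports)
    states = []
    for line in text.splitlines():
        st = parse_line(line)
        if st is None or st.sport in hide_src or st.dport in hide_dst:
            continue
        if external_only and is_local(st.src) and is_local(st.dst):
            continue  # both ends inside the LAN: never crossed the WAN
        states.append(st)
    states.sort(key=lambda s: s.nbytes, reverse=True)
    return states


def format_table(states: List[State]) -> str:
    """Render states in the status page's column order."""
    header = (f"{'Source':<16}{'Port':>6}  {'Destination':<16}{'Port':>6}  "
              f"{'Proto':<6}{'Packets':>8}{'Bytes':>10}  TTL")
    rows = [f"{s.src:<16}{s.sport:>6}  {s.dst:<16}{s.dport:>6}  "
            f"{s.proto.upper():<6}{s.packets:>8}{s.nbytes:>10}  {s.ttl_mmss}"
            for s in states]
    return "\n".join([header, *rows])


if __name__ == "__main__":
    # Same view as the status page, minus mDNS and minus LAN-only entries.
    print(format_table(firewall_states(SAMPLE, hide_dst_ports=(5353,),
                                       external_only=True)))
```

On a live box you would feed it `open("/proc/net/nf_conntrack").read()` instead of SAMPLE. Note that "external only" here is an address heuristic (is either endpoint non-local?), not a true per-interface filter; a conntrack entry carries no interface, so matching on the WAN interface would need the routing table or the zone= mark the firewall assigns.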