[Freedombox-discuss] FreedomBox data leakage, firewall issues.
A. F. Cano
afc54 at comcast.net
Thu May 2 20:11:46 BST 2024
On Thu, May 02, 2024 at 05:25:11PM +0200, Petter Reinholdtsen wrote:
> [A. F. Cano]
> > I have long noticed that there is usually some data going out of the
> > external interface. I have always assumed it was housekeeping stuff,
> > such as dns. However, Cockpit is now showing data going out at 1 Mbps
> > and receiving at 300-400 Mbps. Something is going on that looks very
> > suspicious.
>
> It seems very different from mine, which is behind NAT-ing and only

I'm not behind NAT.

> available via pagekite. As far as I can tell, only Tor and pagekite
> traffic is present when I run 'iftop'. Did you try to press 'p' to get
> the port number displayed? Any idea if it is TCP or UDP? My 'sudo lsof

Aha! All that traffic is from/to port 3478, which, according to this:
https://www.speedguide.net/port.php?port=3478
is what the STUN server uses. This page says this means "Session
Traversal Utilities for NAT", but since I'm not behind NAT, do I really
need this running? It was my impression that it was required to use the
matrix synapse server, which I use all the time. Furthermore, why is it
sending all that data when it's not in use? No one is connected to the
matrix server.

Interesting... After turning off the Coturn app, the transmitting has
gone to 0 but the receiving is still going strong:

fbx:3478 => hosted-by.atakehosting.:22 0b 0b 0b
<= 51.8Kb 58.0Kb 83.5Kb
fbx:3478 => 20.198.76.220:16501 0b 0b 0b
<= 11.6Kb 17.6Kb 21.0Kb
fbx:3478 => 20.204.191.192:10065 0b 0b 0b
<= 10.3Kb 14.1Kb 16.5Kb
fbx:3478 => 20.235.10.172:11218 0b 0b 0b
<= 10.9Kb 11.1Kb 10.3Kb
fbx:3478 => 20.219.76.250:22798 0b 0b 0b
<= 10.9Kb 10.8Kb 10.6Kb
fbx:3478 => 20.235.52.217:16842 0b 0b 0b
<= 10.7Kb 10.6Kb 10.5Kb
fbx:3478 => 20.204.88.179:22948 0b 0b 0b
<= 9.94Kb 10.5Kb 10.3Kb
fbx:3478 => 20.235.88.156:18662 0b 0b 0b
<= 10.3Kb 10.4Kb 9.68Kb
fbx:3478 => 20.198.75.192:16897 0b 0b 0b
<= 10.7Kb 10.3Kb 10.8Kb
fbx:3478 => 20.198.105.102:29339 0b 0b 0b
<= 10.5Kb 10.2Kb 10.5Kb
fbx:3478 => 20.219.6.192:15243 0b 0b 0b
<= 10.5Kb 10.1Kb 9.42Kb
fbx:3478 => 20.235.53.133:28456 0b 0b 0b
<= 10.3Kb 10.1Kb 2.95Kb
fbx:3478 => 20.235.51.83:25582 0b 0b 0b
<= 9.56Kb 9.49Kb 9.33Kb
fbx:3478 => 20.235.147.234:11290 0b 0b 0b
<= 10.1Kb 9.45Kb 9.33Kb
fbx:3478 => 20.204.179.88:26048 0b 0b 0b
<= 9.38Kb 9.30Kb 8.56Kb
fbx:3478 => 4.213.68.43:10686 0b 0b 0b
<= 0b 8.36Kb 9.98Kb
fbx:3478 => 4.213.64.122:24385 0b 0b 0b
<= 9.00Kb 7.12Kb 1.78Kb
fbx:3478 => 20.235.54.175:27404 0b 0b 0b
<= 7.88Kb 1.95Kb 499b

I can connect to the matrix server from my usual internal machine I use
for the video conferencing but of course there is no one else at the
moment to conference with, so I don't know if the lack of the
STUN/Coturn server might or might not affect them.

> -i|grep EST|grep -v localhost' only show pagekite after I stopped tor.

Ok, after stopping the Coturn app, this command only shows privoxy,
sshd, apache2 and syncthing entries. Very useful command.

The sshd entries all reflect the connections from internal machines, so
no problem here.

One privoxy entry is pointing to the mastodon server. Since I have a
tab open for that, ok. Others point to internal machines, so also ok.
One though points to

privoxy 566165 privoxy 5u IPv4 11129305 0t0 TCP fbx:45490->104.26.2.82:https (ESTABLISHED)

Per ipinfo.io this is in San Francisco, California. As it is an https
connection, probably one of my open tabs.

One apache2 connection points to an internal machine, the other to:

pool-108-50-237-254.nwrknj.fios.verizon.net

Not sure what this is. It's an https connection. This web page doesn't
give much information beyond apparently not being dangerous
https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/108.53.237.254

Finally there are 2 syncthing connections:

syncthing 1005851 syncthing 19u IPv4 10899136 0t0 TCP fbx:48456->162.212.157.128:22067 (ESTABLISHED)

This one is in Glenview, Illinois. Not sure why syncthing is connecting
to the outside since all I wanted was to synchronize internal machines
and the phone when on internal wifi.
The other one is internal.

So, after stopping the Coturn app, connections seem much more
reasonable. I would still like to know what the coturn app was sending
where and why I keep receiving 300-400 Kbps on port 3478 and what all those
bits are.

In any case, thank you very much for replying. You pointed me to the
culprit. Now the FreedomBox is transmitting 10-15 Kbps and still receiving
about 300 Kbps on port 3478.

> --
> Happy hacking
> Petter Reinholdtsen
Augustine
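
The triage done by hand in the message above (list established connections with lsof, then decide which peers are internal) can be scripted. This is an added example, not code from the thread or from FreedomBox; it assumes `lsof -nP -i` output (numeric hosts and ports), and the sample lines, addresses and function names are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of `lsof -nP -i` output.
# Addresses are private/documentation ranges, not values from the thread.
SAMPLE = """\
COMMAND       PID       USER  FD  TYPE   DEVICE SIZE/OFF NODE NAME
sshd         1201       root  4u  IPv4   101010      0t0  TCP 192.168.1.10:22->192.168.1.23:51514 (ESTABLISHED)
privoxy    566165    privoxy  5u  IPv4 11129305      0t0  TCP 192.168.1.10:45490->203.0.113.82:443 (ESTABLISHED)
syncthing 1005851  syncthing 19u  IPv4 10899136      0t0  TCP 192.168.1.10:48456->198.51.100.128:22067 (ESTABLISHED)
syncthing 1005851  syncthing 21u  IPv6 10899140      0t0  TCP [fd00::10]:22000->[fd00::23]:40112 (ESTABLISHED)
apache2       880   www-data 12u  IPv4   202020      0t0  TCP 127.0.0.1:443->127.0.0.1:39000 (ESTABLISHED)
turnserver    990 turnserver 30u  IPv4   303030      0t0  UDP *:3478
"""

# Networks treated as internal (assumption: RFC 1918, loopback, link-local, ULA).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Only lines carrying an (ESTABLISHED) state match, as with `grep EST`;
# stateless UDP sockets such as the *:3478 line above are skipped.
ESTAB = re.compile(
    r"^(\S+)\s+(\d+)\s.*\s(?:TCP|UDP)\s+\S+->(\S+)\s+\(ESTABLISHED\)$")

def is_internal(host):
    """True if host is a literal address inside one of the INTERNAL networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a name, not an address: report it for manual review
    return any(addr in net for net in INTERNAL)

def external_peers(lsof_text):
    """Map (command, pid) -> sorted list of non-internal 'host:port' peers."""
    found = defaultdict(set)
    for line in lsof_text.splitlines():
        m = ESTAB.match(line.strip())
        if not m:
            continue
        cmd, pid, remote = m.groups()
        host, _, port = remote.rpartition(":")
        host = host.strip("[]")  # IPv6 peers are printed as [addr]:port
        if not is_internal(host):
            found[(cmd, int(pid))].add(f"{host}:{port}")
    return {key: sorted(peers) for key, peers in found.items()}

if __name__ == "__main__":
    for (cmd, pid), peers in external_peers(SAMPLE).items():
        print(f"{cmd} (pid {pid}): {', '.join(peers)}")
```

Because the filter keys on the ESTABLISHED state, traffic on a stateless UDP socket will not show up in this listing and has to be checked separately, for example with iftop as in the message.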