Firewalls traffic monitor shows traffic to unopened port after allowed outbound

Discussion in 'other firewalls' started by chrizio, Feb 19, 2012.

Thread Status:
Not open for further replies.
  1. chrizio

    chrizio Guest

    Sunbelt Personal Firewall
    The traffic logs show one interesting point

    (first)
    [15:35:24] action = 'permitted', descr = 'Firefox', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2524, rport = 443, direc = 'out', ruleId = 137740288, proc = 'c:\Program Files\Mozilla Firefox\firefox.exe'
    [15:35:25] action = 'permitted', descr = 'Firefox', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2525, rport = 443, direc = 'out', ruleId = 137740288, proc = 'c:\Program Files\Mozilla Firefox\firefox.exe'
    [15:35:25] action = 'permitted', descr = 'Firefox', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2526, rport = 443, direc = 'out', ruleId = 137740288, proc = 'c:\Program Files\Mozilla Firefox\firefox.exe'



    (then)
    [15:37:20] action = 'denied', descr = 'Unopened port', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2525, rport = 443, direc = 'in', ruleId = 0, proc = 'N/A'
    [15:37:20] action = 'denied', descr = 'Unopened port', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2524, rport = 443, direc = 'in', ruleId = 0, proc = 'N/A'
    [15:37:20] action = 'denied', descr = 'Unopened port', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2526, rport = 443, direc = 'in', ruleId = 0, proc = 'N/A'
    [15:37:22] action = 'denied', descr = 'Unopened port', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2526, rport = 443, direc = 'in', ruleId = 0, proc = 'N/A'



    So the inbound traffic seems to be answers to outbound traffic that took place prior to this inbound: local and remote ports are the same, and the remote IP is the same for both outbound and inbound.
    I wonder why the local port is indicated as unopened while the inbound packets are coming in.
    Should it not be open, due to the permitted outbound which apparently caused these inbounds?
    Or is this possibly a failure in traffic monitoring of the firewall?
     
  2. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    Check your Firefox addons, plugins, etc. Sometimes ff updates push, without asking you, things that require inbounds - p2p, some filesharing stuff, Godzilla comes to mind. I saw that a few months ago. If I find what it was, I'll post back.

    EDIT: The application was Chatzilla, IRC client, installed as a plugin and an addon. Seamonkey does the same thing. Both Sunbelt and Outpost nailed it.
     
    Last edited: Feb 19, 2012
  3. chrizio

    chrizio Guest

    I used the Overview window of my firewall (Sunbelt Firewall). It shows all ports open locally. I also used the Process Explorer by Sysinternals to check which soft/service is listening on the port in question.

    Results: No findings. Nothing is listening there.

    Chatzilla is not present on this system. The same for Seamonkey.
    From Mozilla stuff only Thunderbird and Firefox are installed and in use.

    However, as mentioned above, I didn't find any item listening on the port under discussion. Very strange. Any rootkit?
     
  4. chrizio

    chrizio Guest

    Any idea? Thanks a lot!
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    1. Firewall is protecting you so don't worry.
    2. I enabled logging of packets addressed to closed ports. Pointless IMO. But I did see that as well, and not just on https, but from the DNS servers and even my own router after it issued an IP. These are usually delayed messages no longer needed by the svchost or browser (Opera and Seamonkey here). The application got what it needed, closed the port, handed it over to the system, and so the firewall stops those messages. RST packets come to mind, and I saw a few in Wireshark, though correlating it with the firewall isn't simple.
    3. Many firewalls will show you the same thing if you choose to log.
    4. Experiments over for me. I shut off that logging. I don't need it.
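    The correlation act8192 describes, as an added example that is not from this thread: it parses lines in the Sunbelt traffic-log format quoted above, matches each denied inbound packet to the most recent permitted outbound entry on the same 5-tuple, and reports the delay. The sample lines are constructed; the 198.51.100.7 entry is a made-up one with no prior outbound, to show the case that deserves a closer look rather than a "port got closed" explanation.

```python
import re
from datetime import datetime
# Constructed sample modelled on the Sunbelt Personal Firewall lines quoted
# above: two outbound/inbound pairs plus one inbound with no prior outbound.
SAMPLE_LOG = r"""
[15:35:24] action = 'permitted', descr = 'Firefox', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2524, rport = 443, direc = 'out', ruleId = 137740288, proc = 'c:\Program Files\Mozilla Firefox\firefox.exe'
[15:35:25] action = 'permitted', descr = 'Firefox', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2525, rport = 443, direc = 'out', ruleId = 137740288, proc = 'c:\Program Files\Mozilla Firefox\firefox.exe'
[15:37:20] action = 'denied', descr = 'Unopened port', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2525, rport = 443, direc = 'in', ruleId = 0, proc = 'N/A'
[15:37:20] action = 'denied', descr = 'Unopened port', proto = 6, laddr = 192.168.178.20, raddr = 2.18.164.43, lport = 2524, rport = 443, direc = 'in', ruleId = 0, proc = 'N/A'
[15:40:01] action = 'denied', descr = 'Unopened port', proto = 6, laddr = 192.168.178.20, raddr = 198.51.100.7, lport = 2530, rport = 443, direc = 'in', ruleId = 0, proc = 'N/A'
"""

LINE_RE = re.compile(r"^\[(\d\d:\d\d:\d\d)\]\s*(.*)$")
FIELD_RE = re.compile(r"(\w+) = (?:'([^']*)'|([^,]+))")

def parse_line(line):
    """Parse one traffic-log line into a dict; the timestamp becomes a datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"time": datetime.strptime(m.group(1), "%H:%M:%S")}
    for key, quoted, bare in FIELD_RE.findall(m.group(2)):
        rec[key] = quoted if quoted else bare.strip()
    return rec

def correlate(lines, window_s=300):
    """Return (lport, delay_seconds) for each denied inbound that follows a permitted
    outbound on the same 5-tuple within window_s, else (lport, None)."""
    last_out = {}   # 5-tuple -> time of the last permitted outbound packet
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["proto"], rec["laddr"], rec["lport"], rec["raddr"], rec["rport"])
        if rec["action"] == "permitted" and rec["direc"] == "out":
            last_out[key] = rec["time"]
        elif rec["action"] == "denied" and rec["direc"] == "in":
            delay = None
            if key in last_out:
                delay = (rec["time"] - last_out[key]).total_seconds()
                if not 0 <= delay <= window_s:
                    delay = None   # too old to be a reply to that connection
            results.append((rec["lport"], delay))
    return results

if __name__ == "__main__":
    for lport, delay in correlate(SAMPLE_LOG.strip().splitlines()):
        print(lport, "late reply %ss after outbound" % delay if delay is not None else "no prior outbound")
```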
     
  6. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    I think the reason that you are seeing the incoming packets being blocked is because you have closed the connection. It is normal.
     
  7. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,736
    Google your IP first next time
    http://whois.domaintools.com/2.18.164.43
    says: Akamai

    Akamai may be some kind of update -> plugin, maybe Adobe.

    Your log does not show time, so I can't relate those events, except closed port for a too-late answer.
    From my view, nothing special.
     
  8. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    @chrizio,
    In case you still need explanations for your two threads, old, old advice. My money is still on "the port got closed", that's it.
    http://www.dslreports.com/forum/r6843833-Kerio-Kerio-Packet-to-unopened-port
     