Originally Posted by
Ms. Daisy
What do you mean by "forwarded?" Do you mean sent along? or port forwarded?
This is where it can get confusing quickly, let's take a look at the logs step by step and see what's going on.
This will be even harder because you blocked the dst/src ip but I will do the best with what you have provided. I'm willing to bet they aren't ALL the 224.0.0.251 (which by the way is multicast DNS)
Code:
24 15:44:08 MsDaisy-Computer kernel: [ 1296.544822] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=1088 PROTO=ICMP TYPE=8 CODE=0 ID=2913 SEQ=1
Important things to note about this block are.
- PROTO = ICMP (this is an ICMP echo request, noted by the TYPE = 8) it was blocked by your firewall (this is pretty standard). This request was PROBABLY from your router or modem, the failure of this request LIKELY spawned the spurious requests afterwards.
Code:
Jan 24 15:44:56 MsDaisy-Computer kernel: [ 1344.922839] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=1089 PROTO=UDP SPT=47414 DPT=33434 LEN=40
This is UDP, and isn't very specific, if it's going to mDNS, it's likely just a zeroconf query.
Code:
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.553723] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.553844] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.553948] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554050] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554153] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554256] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554360] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554464] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554570] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
Jan 24 15:45:21 MsDaisy-Computer kernel: [ 1369.554731] [UFW BLOCK] IN= OUT=wlan0 SRC=my.IP.Add.XX DST=unknown.IP.Add LEN=65535 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=59663 DPT=44444 LEN=65515
These give away their origin without me even knowing the full packet details.
As far as forwarded, with broadcast/multicast traffic it's not so much a forwarding thing as a passing through thing.
My guess here is these are either responses to or replies to an mDNS membership request. If you'd like to verify it, I went ahead and did a quick capture on a packet that I believe to have a similar purpose. There is a screen shot from wireshark below for your comparison, to queue the responses necessary I simple restarted the avahi-daemon service
Code:
sudo service avahi-daemon restart
You should get a sequence of about 14 packets (similar to what you are seeing here) verify that your firewall logs are indicating the same, and that the packet contents is similar to what will be posted.
In any case this really is nothing to worry about. BTW UDP is stateless, so speaking in terms of creating a connection (is rather arbitrary in this case).
Hope this helps.
Note : the destination and source port change can be considered rather trivial in this case due to the nature of mdns multipathing and the layout of a network vastly changing the creating of membership requests. That being said, compare the packet contents, to make sure it is in fact what we are observing.
Bookmarks