Interpreting blocked connection attempts

Hi,

Apologies if I've misunderstood something basic, but I'd appreciate some help interpreting blocked connection attempts (OS X 10.6 and Norton Firewall 4.1.0 for Mac).

My logs show dozens of blocked incoming connection attempts. Many of the 'attacker' IP addresses resolve to the websites I've visited (including Norton's!). However the connection attempts keep coming even when I'm not surfing (I guess another application such as iTunes might be connecting though).

They are all TCP to remote port 80 and to multiple local ports.

I am behind a hardware firewall and running NAT (properly configured I think), and this is happening on 2 macs.

Any insights are welcome - obviously I only want to see a (shorter) list of real attacks to worry about when I check the logs.

Many thanks.

Replies


Re: Interpreting blocked connection attempts

What is the "Kind" for the connection attempt? If it's not shown in the list, you can double-click on one of the connection attempts and the Inspector window should list the kind.

You can post a picture of the Inspector window here if you're not sure.

Ryan 

Ryan McGann Technical Director Norton Business Unit, Symantec

Re: Interpreting blocked connection attempts

Hi Ryan,

Thanks for replying. 'Kind' is not listed as far as I can see, but there is a 'Type'. The Inspector for each one says:

Direction: Incoming

Action: DENIED

Type: User-defined setting

Protocol: TCP

ICMP info:  <none>

Many thanks.

Andrew

Message Edited by shannons on 11-30-2009 02:05 PM

Re: Interpreting blocked connection attempts

I posted this in another thread, but I'll repost it here.

This is a bug/feature of the firewall that's somewhat difficult to explain. The firewall in Norton Firewall is "stateful". Bear with me as I attempt to explain.

When the firewall sees incoming and outgoing traffic that should be allowed it creates an invisible rule, called a stateful rule. This stateful rule allows connections that have already been approved by the firewall. When the connection closes, or if the other computer doesn't talk to your Mac for a while, the firewall stops allowing traffic on that connection by deleting the invisible rule it created. This is called stateful packet filtering.

The "problem" here is that when your computer gets woken up from sleep, the invisible rule gets deleted. Your Mac was probably asleep for more than 2 minutes, and that means the invisible rules all timed out and were removed. But as soon as your Mac woke up from sleep, the other computer tried to re-establish communications with your Mac. The firewall blocked that communications, because the connection timed out while your Mac was asleep. This is a common problem with stateful firewalls.

Basically, these connection attempts are harmless. As soon as the other computer realizes it can't connect it will create a new connection, which will be allowed by the firewall.

Hope that explains it.

Ryan  

Ryan McGann Technical Director Norton Business Unit, Symantec
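A small model of the stateful behaviour Ryan describes, added here as an illustration (it is not Norton's code and the 120-second timeout and OS X ephemeral port range are assumptions). The `gap` parameter covers both the sleep case and a connection that simply sits idle longer than the timeout, and the heuristic at the end shows why "remote port 80, local high port" entries are replies to connections this host opened rather than probes of a listening service.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 120           # seconds; assumed, Ryan's post says "more than 2 minutes"
EPHEMERAL = (49152, 65535)   # OS X default client port range (assumption)

@dataclass(frozen=True)
class Flow:
    local_port: int
    remote_ip: str
    remote_port: int

class StatefulFirewall:
    """Toy stateful filter: outgoing traffic creates an entry; a fresh entry admits matching incoming packets."""
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table = {}    # Flow -> last time traffic was seen
        self.denied = []   # (time, Flow) for each blocked incoming packet

    def _expire(self, now):
        for flow, last in list(self.table.items()):
            if now - last > self.idle_timeout:
                del self.table[flow]

    def outgoing(self, now, flow):
        self._expire(now)
        self.table[flow] = now   # create/refresh the "invisible" stateful rule
        return "ALLOWED"

    def incoming(self, now, flow):
        self._expire(now)
        if flow in self.table:
            self.table[flow] = now
            return "ALLOWED"
        self.denied.append((now, flow))   # this is the entry that shows up in the log
        return "DENIED"

def looks_like_stale_reply(flow):
    """Remote port 80 talking to a local ephemeral port is a reply to a connection this host opened."""
    return flow.remote_port == 80 and EPHEMERAL[0] <= flow.local_port <= EPHEMERAL[1]

def idle_gap_scenario(gap):
    """Fetch a page, then the server sends one more packet `gap` seconds later
    (a keep-alive, a FIN, or data that arrived while the Mac was asleep)."""
    fw = StatefulFirewall()
    web = Flow(49201, "203.0.113.5", 80)   # constructed addresses
    fw.outgoing(0, web)               # SYN out to the web server
    first = fw.incoming(1, web)       # reply: ALLOWED, the rule exists
    late = fw.incoming(1 + gap, web)  # DENIED once the rule has timed out
    fw.outgoing(2 + gap, Flow(49202, "203.0.113.5", 80))   # the browser simply reconnects
    return first, late, [looks_like_stale_reply(f) for _, f in fw.denied]
```

Running `idle_gap_scenario(30)` yields no denied entries, while `idle_gap_scenario(600)` produces exactly the kind of harmless "Incoming / DENIED / TCP / remote port 80" record the thread is about.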

Re: Interpreting blocked connection attempts

Quote from snowleopardmac's first post:

  "port 80 and to multiple local ports"

So why do these sites, that I have terminated contact with, probe on multiple ports, including those in the bittorrent range (49000+)?

If this is legit, how so? Sure looks like nefarious activity to me and apparently snowleopardmac as well. 


Re: Interpreting blocked connection attempts

Hi Ryan,

Many thanks for the explanation - I can see that stateful packet filtering is likely to be relevant here.

However if it helps to know, I certainly get these attempted connections from sites after connecting with them but not having put my Mac to sleep. For example, the firewall log already shows several connections from norton.lithium.com after I first viewed the forum a few minutes ago.

Obviously that attempted connection doesn't worry me but it's hard to know if I should be concerned about any others.

Perhaps the firewall is deleting the invisible SPF rules earlier than the websites are stopping their attempted connections, for some reason?

Kind regards.

Andrew
