

Firewall - stealth mode connection attempts from AEBS to computer

Console log is packed with Info messages related to connection attempts from AEBS router. Is that normal?


also, system profiler states: Firewall Logging: No / Stealth Mode: No. Why the discrepancy?

MacBook Pro, Mac OS X (10.6.7), assorted apple products

Posted on Feb 29, 2012 8:58 PM

Question marked as Best reply

Posted on Feb 29, 2012 9:52 PM

chriswalsh wrote:


Console log is packed with Info messages related to connection attempts from AEBS router. Is that normal?

Yes, if you've enabled stealth mode. If you are behind a router which does NAT (and I believe all of them do it nowadays), you don't need stealth mode.

31 replies

Mar 2, 2012 8:42 AM in response to fane_j

fane_j wrote:


What he is saying is that his network device (Airport, or, en1) is talking to itself through the router instead of through loopback.

What he said was:

Mar 12 03:08:47 laptop Firewall[61]: Stealth Mode connection attempt to UDP 192.168.0.23:63923 from 192.168.0.1:53


Notice that the IP address is the same for both of them.

IP address 192.168.0.23 (presumably that of his Mac) is not the same as IP address 192.168.0.1 (presumably that of his router/access point). Port 53 is the "well known" port for DNS, which must use what he calls the "main network interface" to reach his ISP's (or any other non-local) DNS server through the router/access point.


He also seems to be confusing mDNSResponder (used by Bonjour on UDP port 5353) with DNS. Like DNS, Bonjour would be useless if implemented through loopback -- its function is device discovery on the local area network the device (here, the Mac) is a part of, so it must of necessity 'talk' to the router to see what else is connected to it.


Terry Lambert was correct; you may have misunderstood the technical term in question.

Calling UDP "connectionless protocol" is technically correct, but not in the not-so-technical sense he used it -- UDP clearly requires a network connection & there is nothing wrong with or buggy about logging a connection attempt on a UDP port.


He sort of figures out some of this in his discussion of Windows file sharing (SMB), like that 192.168.0.1 is the IP address of his router rather than the one in use by his en1 interface on his Mac, but he still seems fairly confused about what network traffic is coming from his LAN vs. WAN connection, & which device on his LAN is responsible for which part of the local traffic, & about OS X specific networking in general.


That may not be true but this appears to be his only post to ASC so it is hard to say much about his opinion other than it doesn't make a very convincing argument for any alleged "bad design" issues in the logs.

Mar 2, 2012 4:27 PM in response to R C-R

(1)

R C-R wrote:


He also seems to have concluded that UDP's lack of a handshake protocol makes it a "connectionless" protocol, which makes no sense -- any data transferred over a network obviously requires a connection.

(2)

R C-R wrote:


Calling UDP "connectionless protocol" is technically correct […]

My friend, my advice -- and there's no reason why you should take it -- is this: Sometimes, discretion is the better part of valour. A bon entendeur…

Mar 2, 2012 6:18 PM in response to fane_j

Thanks for sticking with me - appreciated. Apologies - I thought I had explained the network set-up, which is:


Airport Extreme Base Station connected to ISP via PPPoE (NAT set to on). Mac connected to AEBS via ethernet. Mac FW stealth mode set to on (I know that's unnecessary when sat behind the router)


The entry did appear in the APPFIREWALL.LOG

date 10:05:21 -MacBook-Pro Firewall[71]: 33300 Deny ICMP:8.0 67.149.105.183 in via ppp0


I don't recall which applications were in use at the time (How to find out?) - I've looked in other logs but was unable to find any corresponding entries at the same time, other than:


SYSTEM.LOG

date 10:04:19 -MacBook-Pro WebProcess[188]: Periodic CFURLCache Insert stats (iters: 360) - Tx time:0.366685, # of Inserts: 2, # of bytes written: 35668, Did shrink: NO, Size of cache-file: 52389888, Num of Failures: 1


KERNEL.LOG

date 10:03:57 -MacBook-Pro kernel[0]: PPPoE inputdata: unexpected control packet on unit = 0

Mar 3, 2012 3:01 AM in response to mariotheplumber

Alright, then let's get some facts.


First, find out what's your public IP address. If you use Google, you can just type in Google's search field "what's my ip", and Google will tell you. Note it.


Then, in Terminal, issue the command


$ ifconfig


($ stands for your prompt, whatever it might be, you don't type it)


This should return your network devices. Do you see any designated "ppp0"? One of your devices should have the status "active" (usually it's en0, if you're wired to the router, or en1, if you're w/less). Check the IP listed for "inet". Is it the same as your public IP?

Mar 3, 2012 5:04 AM in response to mariotheplumber

You have not answered fane_j's question about seeing any network devices designated as "ppp0" -- "gif0" is not the same thing.


Also note that two network devices are involved here, your Mac & your AEBS. In general, your AEBS will supply the public IP address to the outside world & that is the one Google (or whatever) should show. You should be able to confirm that using Airport Utility:


Open the utility, select your AEBS (if not already selected) & click the "Manual Setup" button. The last line of the "Summary" tab should show the IP address it presents to the outside world, & should agree with what Google shows.

Mar 3, 2012 8:36 AM in response to mariotheplumber

I don't think the mention of the "<POINTOPOINT,MULTICAST>" flag means anything relevant. I have the same flag for my gif0 device & I do not have any PPP services, devices, etc. enabled or present anywhere on my network.


It might be different if you saw a "RUNNING" flag for the gif0 device but I assume you would have mentioned that by now if you had, right?


Can you explain what it is that you are looking for?

Anything that might have been misunderstood, not clearly explained, or left out of the discussion that might yield a clue about the cause of the log entries or what they mean.


I can't compare anything directly to my network setup because I don't use DSL or PPPoE since my service is via a cable modem. I don't normally have stealth mode enabled on any of my Macs but I've temporarily enabled it. So far, I do not see any log entries like yours. So all I can really do is compare the behavior & settings of my AEBS to yours in a limited way.

Mar 3, 2012 3:09 PM in response to mariotheplumber

chriswalsh wrote:


en0 is active


Other network interfaces are inactive.


gif0: flags<POINTOPOINT,MULTICAST

Everything is as expected. Gif (generic tunnel interface) is not relevant (it's used for VPN), and its flag is down anyway.


So here's my problem.


(1) On one hand, this,

date 10:05:21 -MacBook-Pro Firewall[71]: 33300 Deny ICMP:8.0 67.149.105.183 in via ppp0


date 10:03:57 -MacBook-Pro kernel[0]: PPPoE inputdata: unexpected control packet on unit = 0


says you're getting traffic over the PPP interface.


(2) On the other, everything else you posted -- your set-up, your ifconfig return -- says you don't have a PPP interface.


I can only imagine one way of reconciling (1) and (2) -- the dates are wrong. That is, that the lines above come from an earlier log, when your Mac was connected through PPPoE. Otherwise, I'm completely stumped.


If you're getting now in your logs lines with "via ppp0", and you check in Terminal


$ ifconfig ppp0


and get


ifconfig: interface ppp0 does not exist


and your router is not set to log its status to your Mac, then something is very wrong indeed.

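Pulling together two points made earlier in this thread (R C-R's explanation of the port 53 / port 5353 entries in the Mar 2 reply, and fane_j's point above that a "via ppp0" line cannot be reconciled with an ifconfig output that shows no ppp0), here is an added example of how a practitioner might triage such lines in bulk. It is not code from the thread or from Apple; it parses the two OS X 10.6 Firewall log formats quoted in the thread over a small constructed sample, and assumes a gateway address (192.168.0.1) and a set of active interfaces ({"lo0", "en0", "gif0"}) that would normally be taken from `ifconfig`.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Added example (not from the thread). The two record shapes below are the ones quoted
# in this thread from appfirewall.log on OS X 10.6:
#   Firewall[61]: Stealth Mode connection attempt to UDP 192.168.0.23:63923 from 192.168.0.1:53
#   Firewall[71]: 33300 Deny ICMP:8.0 67.149.105.183 in via ppp0
STEALTH_RE = re.compile(
    r"Firewall\[\d+\]: Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)
DENY_RE = re.compile(
    r"Firewall\[\d+\]: \d+ Deny (?P<proto>[A-Z]+)(?::(?P<icmp>\d+\.\d+))? "
    r"(?P<src_ip>[\d.]+) in via (?P<iface>\w+)"
)

# RFC 1918 ranges only; enough to tell "my LAN" from "the Internet" for this purpose.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class Event:
    kind: str                 # "stealth" or "deny"
    proto: str                # TCP / UDP / ICMP
    src_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    iface: Optional[str]      # only present on "Deny ... in via <iface>" lines
    icmp: Optional[str]       # "type.code", e.g. "8.0" is an echo request (ping)


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a Firewall record, or None for any other log line."""
    m = STEALTH_RE.search(line)
    if m:
        return Event("stealth", m["proto"], m["src_ip"],
                     int(m["src_port"]), int(m["dst_port"]), None, None)
    m = DENY_RE.search(line)
    if m:
        return Event("deny", m["proto"], m["src_ip"], None, None, m["iface"], m["icmp"])
    return None


def classify(ev: Event, gateway: str, active_ifaces: Set[str]) -> str:
    """Explain one event using the reasoning from the thread."""
    if ev.kind == "stealth":
        # Router replying from UDP/53 to a high port the Mac opened: a DNS answer.
        if ev.src_ip == gateway and ev.proto == "UDP" and ev.src_port == 53:
            return "benign: DNS reply from the LAN router to a high port the Mac opened"
        # UDP/5353 either side is Bonjour (mDNS) discovery on the local segment.
        if ev.proto == "UDP" and 5353 in (ev.src_port, ev.dst_port):
            return "benign: Bonjour/mDNS discovery traffic on the LAN"
        if is_lan(ev.src_ip):
            return "review: unsolicited packet from a LAN host"
        return "review: unsolicited packet from a non-local address"
    # "Deny" records: first check the interface the line claims the packet arrived on.
    if ev.iface and ev.iface not in active_ifaces:
        return (f"anomaly: logged via {ev.iface} but no such active interface; "
                "check the timestamp against when that link was last up")
    if ev.proto == "ICMP" and ev.icmp == "8.0" and not is_lan(ev.src_ip):
        return "expected: ping (echo request) from a non-local address dropped by stealth mode"
    return "review: denied packet"


def triage(log_text: str, gateway: str, active_ifaces: Set[str]) -> List[str]:
    """Run every Firewall line in a log through classify(); skip other daemons' lines."""
    results = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # e.g. WebProcess or kernel lines
        results.append(classify(ev, gateway, active_ifaces))
    return results


# Constructed sample: the first and third lines are the ones quoted in the thread,
# the others are made up for illustration (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
Mar 12 03:08:47 laptop Firewall[61]: Stealth Mode connection attempt to UDP 192.168.0.23:63923 from 192.168.0.1:53
Mar 12 03:08:50 laptop Firewall[61]: Stealth Mode connection attempt to UDP 192.168.0.23:5353 from 192.168.0.7:5353
Mar 12 10:05:21 laptop Firewall[71]: 33300 Deny ICMP:8.0 67.149.105.183 in via ppp0
Mar 12 10:06:02 laptop Firewall[71]: 33301 Deny ICMP:8.0 203.0.113.9 in via en0
Mar 12 10:06:03 laptop WebProcess[188]: Periodic CFURLCache Insert stats (iters: 360)
"""

if __name__ == "__main__":
    # Assumed values; on a real machine take them from the router config and `ifconfig`.
    for verdict in triage(SAMPLE_LOG, "192.168.0.1", {"lo0", "en0", "gif0"}):
        print(verdict)
```

The interface check is deliberately done before the protocol check on Deny lines: as fane_j notes, a packet logged "via ppp0" on a machine with no ppp0 is a bigger question than what the packet was, and the first thing to look at is the timestamp.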
Mar 3, 2012 5:50 PM in response to fane_j

VPN actually uses "tun0" when it's connected & doesn't appear when VPN is off. OK, so no problem with that.


ifconfig ppp0 returns: interface ppp0 does not exist… Which again is what I'd expect unless connected via ppp0.


Anyway, apologies because after thinking about it - I'm fairly sure those 2 log entries are from a date when I did connect directly via ppp0 in order to test internal cabling.


So I'm happy, just wish I had thought about it earlier and not wasted your time. Many thanks - much appreciated. Off now to try and resolve my login conundrum.
