Firewall - stealth mode connection attempts from AEBS to computer

Console log is packed with Info messages related to connection attempts from AEBS router. Is that normal?


Also, System Profiler states: Firewall Logging: No / Stealth Mode: No. Why the discrepancy?

MacBook Pro, Mac OS X (10.6.7), assorted apple products

Posted on Feb 29, 2012 8:58 PM

Question marked as Best reply

Posted on Feb 29, 2012 9:52 PM

chriswalsh wrote:


Console log is packed with Info messages related to connection attempts from AEBS router. Is that normal?

Yes, if you've enabled stealth mode. If you are behind a router which does NAT (and I believe all of them do it nowadays), you don't need stealth mode.

31 replies

Mar 1, 2012 2:53 PM in response to mariotheplumber

chriswalsh wrote:


Are you able to explain why it does that?

Why it does what? Make pointless log entries? Bad design.

Why if the AEBS has NAT turned on...

Because, if you're behind a device which does NAT, your ports can't be scanned anyway.

Do I still see connection attempts from undesirable external IP addresses?

Did you see any?

Also, System Profiler states

It's a known bug. See


<http://support.apple.com/kb/TS3052>

Mar 1, 2012 10:21 PM in response to mariotheplumber

chriswalsh wrote:


I've seen connection attempts from multiple IP addresses.

Read carefully Terry Lambert's comments in this thread


<https://discussions.apple.com/thread/2762219?answerId=13205934022#13205934022>


They show you not just that it's a question of bad design, but, if you understand them, also how to analyse your own traffic. If you do, indeed, find any 'undesirable' connection attempts (I should be surprised if you did), pls post them here. It means that your router is not doing its job.

Mar 2, 2012 2:03 AM in response to fane_j

Thanks for the link. That took some reading and cross referencing against my own situation to make sure I understood it. OK, so I'm acquiring knowledge.


There is some activity in the log that I still want to make sure I fully understand the attempts on specific ports.


How can I find out which processes are associated with which ports?


I've done port scan with NU, but this only shows me open ports - right?

Mar 2, 2012 4:06 AM in response to fane_j

fane_j wrote:

Read carefully Terry Lambert's comments in this thread


<https://discussions.apple.com/thread/2762219?answerId=13205934022#13205934022>


They show you not just that it's a question of bad design ...

I suggest not taking Mr. Lambert's "bad design" comments too seriously. For instance, he seems to have confused the IP addresses of two different network devices (his Mac & his Airport router) & suggested loopback (which is a virtual connection that never leaves the device) could be used as a less "expensive" way to communicate between them.


He also seems to have concluded that UDP's lack of a handshake protocol makes it a "connectionless" protocol, which makes no sense -- any data transferred over a network obviously requires a connection.


His main "bogosity" complaint seems to be that the logs are too "lazy" to provide the info he wants in the form he wants it. That may be true, but that is the nature of system logs -- traditionally, they are written to provide info for programmers who are expected to know how to interpret them, not for casual users who usually do not.


This can lead to confusion, for example for log entries that appear to be serious errors when they may just be normal behavior indicating a program has fallen back on a planned for contingency routinely encountered in normal use.

Mar 2, 2012 4:38 AM in response to R C-R

Thanks for the simple explanation. I am learning lots!


I'm still working my way through the log, I'm not quite sure I fully understand why I get to see certain things if the FW on the AEBS is doing its stuff.


There are a few entries which I'd like to understand, e.g.:

33300 Deny ICMP:8.0 67.149.105.183 xxx.xxx.xx.xxx in via ppp0

33300 Deny ICMP:8.0 84.254.20.220 xxx.xxx.xx.xxx in via ppp0
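
An added example, not part of the thread: a small Python parser for entries in the layout quoted in the post above, which decodes `ICMP:8.0` (ICMP type 8, code 0, an echo request) and groups sources by whether they are private or public addresses. The first two sample lines come from the post; the last two, rule number 12190 and the `address:port` form for UDP are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Layout seen in the thread:
# <rule> <action> <proto[:type.code]> <src> <dst> <in|out> via <iface>
ENTRY = re.compile(
    r"\b(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>[A-Za-z]+)"
    r"(?::(?P<itype>\d+)\.(?P<icode>\d+))?\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}

def split_endpoint(text):
    """Split 'a.b.c.d:port' into (host, port); port is None when absent."""
    host, sep, port = text.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return text, None

def scope(host):
    """Classify a source as private (LAN side), public, or redacted."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "redacted"  # e.g. the xxx.xxx.xx.xxx masking used in the post
    return "private" if addr.is_private else "public"

def parse_line(line):
    """Return a dict for one log entry, or None if the line does not match."""
    m = ENTRY.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["src"], e["src_port"] = split_endpoint(e["src"])
    e["dst"], e["dst_port"] = split_endpoint(e["dst"])
    e["scope"] = scope(e["src"])
    e["icmp"] = ICMP_TYPES.get(int(e["itype"]), "other") if e["itype"] else None
    return e

def summarize(lines):
    """Count entries per (source, scope, ICMP type or protocol, interface)."""
    parsed = filter(None, map(parse_line, lines))
    return Counter((e["src"], e["scope"], e["icmp"] or e["proto"], e["iface"])
                   for e in parsed)

SAMPLE = [
    "33300 Deny ICMP:8.0 67.149.105.183 xxx.xxx.xx.xxx in via ppp0",
    "33300 Deny ICMP:8.0 84.254.20.220 xxx.xxx.xx.xxx in via ppp0",
    "33300 Deny ICMP:8.0 67.149.105.183 xxx.xxx.xx.xxx in via ppp0",  # constructed
    "12190 Deny UDP 10.0.1.1:5353 10.0.1.3:5353 in via en1",          # constructed
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).most_common():
        print(count, *key)
```
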

Mar 2, 2012 6:05 AM in response to R C-R

R C-R wrote:


I suggest not taking Mr. Lambert's "bad design" comments too seriously.

AFAICT, the string "bad design" does not appear in the post I referred to. Please do not chastise Terry Lambert (whoever he or she may be) for someone else's sins. If anyone said 'bad design', it was I.

he seems to have confused the IP addresses of two different network devices (his Mac & his Airport router) & suggested loopback

No, he didn't; you misunderstood. What he is saying is that his network device (Airport, or, en1) is talking to itself through the router instead of through loopback.

He also seems to have concluded that UDP's lack of a handshake protocol makes it a "connectionless" protocol, which makes no sense

Terry Lambert was correct; you may have misunderstood the technical term in question. For instance, a quick look in Wikipedia reveals that,


"In telecommunications, connectionless describes communication between two network end points in which a message can be sent from one end point to another without prior arrangement. […] Internet Protocol (IP) and User Datagram Protocol (UDP) are connectionless protocols." (The stress is mine.)


But Wikipedia is not always to be trusted. We are not a bunch of techies here, so I'll turn to an easy, plain-language reference:


"A connectionless protocol doesn’t go to the trouble of establishing a connection before sending a packet. Instead, it simply sends the packet. TCP is a connection-oriented Transport layer protocol. The connectionless protocol that works alongside TCP is called UDP." (The stress is mine.)


Lowe, D. (2008). Networking all-in-one desk reference for dummies, 3rd edition. Indianapolis, IN: Wiley Publishing, Inc. ISBN 0470179155, p. 31.

Mar 2, 2012 6:16 AM in response to mariotheplumber

Using a Whois query in Snow Leopard's Network Utility for the IP address 67.149.105.183, I get:


WideOpenWest Finance LLC WIDEOPENWEST (NET-67-149-0-0-1) 67.149.0.0 - 67.149.255.255

WIDEOPENWEST MICHIGAN WOW-TR17-1-104-149-67 (NET-67-149-104-0-1) 67.149.104.0 - 67.149.107.255


Wikipedia shows this for a Google search on "WideOpenWest Finance LLC."


A similar process for IP address 84.254.20.220 leads to what may be Tellas S. A.


Both appear to provide broadband services of one kind or another.

Mar 2, 2012 6:17 AM in response to mariotheplumber

chriswalsh wrote:


I'm not quite sure I fully understand why I get to see certain things if the FW on the AEBS is doing its stuff.


There are a few entries which I'd like to understand, e.g.:

33300 Deny ICMP:8.0 67.149.105.183 xxx.xxx.xx.xxx in via ppp0

33300 Deny ICMP:8.0 84.254.20.220 xxx.xxx.xx.xxx in via ppp0

Hold on.


First, what exactly do you mean by AEBS? I assumed it was Airport Extreme Base Station.


Second, where is this coming from? It looks like you're connecting PPPoE, but, if you're behind a router, your Mac shouldn't (couldn't) be using it. That's exactly the kind of stuff your router, not your Mac, should be doing -- if you're behind a router.
