
Apple Remote Desktop is trying to connect to some weird domains

firefox, and osx elcapitan 10.11.4 15E65

It's so weird lately my ARD has been attempting to connect to random domains that I've searched for on the web. Little Snitch is reporting that it's trying to connect to `gist.github` and the other day it tried to go to `krampus`. Like I said it's odd behavior since that's stuff I have entered into Google.

Any advice is appreciated.

MacBook Air (13-inch Mid 2012), OS X El Capitan (10.11.4)

Posted on Apr 21, 2016 5:00 PM

11 replies

Apr 22, 2016 1:43 PM in response to GenericGirl

I'd be somewhat surprised if Apple Remote Desktop (ARD) were connecting to the specified web sites — can you post what Little Snitch is reporting as the source and destination of the connection? Also please post which version of Apple Remote Desktop (ARD) are you using? 3.8 (380A95) is current, last I checked.


My general recommendation is to remove Little Snitch — it's a great tool, but it also tends to cause problems when network connections are blocked erroneously, and it's certainly excellent fodder for causing paranoia.


Adware and malware can cause this, but — if you're connecting to these sites, and don't have adware or malware, or any sort of anti-virus or anti-malware tools, or other similar sorts of add-on tools loaded — I'd suspect this is OS X itself caching a thumbnail or such.


Here's a previous related discussion — though that's not involving ARD.

Apr 22, 2016 2:22 PM in response to MrHoffman

That sounds pretty good. I installed an open-source adblocker just now so hopefully this prevents anything malicious, but I don't auto-permit cookies.



ARD 3.8 380A95

Deny outgoing connections to port 3283 (net-assistant) of krampus until ARDAgent quits

Process Owner:  Me

IP Addresses: 198.105.244.228, 198.105.254.228


Looks like my computer tried to communicate to the other computer on my network. Those are private network IPs, right?


I was working on a Rails project so I had the webserver up and was running tests, possibly integration tests, and they use a headless browser. But I wasn't running tests in that moment; it was like it randomly popped up.


I like Little Snitch a lot because it's a nice way for a noob like me to track IPs and separate my concerns. I tried doing it all natively but couldn't find a good way to track IPs and then block them.

Apr 22, 2016 2:43 PM in response to GenericGirl

198.105.244.228 and 198.105.244.228 are not private block addresses; those are public IP addresses in an IP block assigned to Search Guide Inc in Colorado.

UDP and TCP 3283 is used for reporting, which usually means there's something configured around the reporting subsystem within ARD.


Is there a network device here providing firewall services (and usually also NAT), between your computer and the rest of the Internet? What's variously called a gateway or firewall or router box? Something other than a local Mac OS X software firewall, that is?


The gateway box is where these firewall blocks are usually implemented too, and particularly if you're running development or test — doing application development on an openly-exposed host isn't something I'd recommend, however. It's typical to have blanket prohibitions against inbound connections with only specific ports forwarded.


I'd not expect to see 198.105.244.228 or 198.105.244.228 used inside of a network box performing NAT.

Apr 22, 2016 2:52 PM in response to MrHoffman

hmm interesting. Yeah my router is on and so is the firewall.


So are you suggesting the IP range that belongs to Search Guide was being used? Maybe I had a blog or something open in a new tab. The symptoms aren't repeating today. So my network is not open and is not discoverable to the outside internet. Neither is my laptop.


Where would I implement blanket prohibitions against inbound connections? I can just use Little Snitch but I'd like to hear how you would do it. I know Linux has a file where you can restrict this stuff but I'm a noob.


I dunno really how much of a noob I really am; you can be pretty explicit with me.

Apr 22, 2016 5:25 PM in response to GenericGirl

A local (private) network should not be using the IP address 198.105.244.228, nor 198.105.244.228. If those are the local addresses, and if network address translation (NAT) is in use, then the local network is misconfigured. Those addresses are assigned to Search Guide in Colorado. Your local hosts should not be assigned those addresses, either manually or from whatever local DHCP server is providing your local network with addresses.


Whether those addresses are the target of the connection or something else, I don't know. (If Little Snitch doesn't make that clear, nor whatever host is "krampus"?)


Your network should have hosts configured within a subnet within one of the three private blocks. The three blocks are 192.168.0.1 to 192.168.255.254, or 172.16.255.1 to 172.31.255.254, or 10.0.0.1 to 10.255.255.254. If you don't understand what these IP address blocks are, or if you don't know what subnets are, I'd suggest either a networking book or some time in Wikipedia or other available resources on IP and routing and related discussions.


Inbound connections are generally blocked at the local network gateway firewall router box; at the box at the edge of your network that is performing the network address translation (NAT) and usually also DHCP services, among other functions. This no-ingress configuration is typically the case with a default-configuration gateway-firewall box, but I don't know what your network looks like. What that box is and how that box is accessed and configured? That depends on the particular box involved.


I'd again encourage removing Little Snitch here, and any add-on anti-virus or anti-malware tools, either confirm that the existing external firewall is configured correctly or reconfigure or replace it, and then spend a little time learning about IP, security and configuring and operating an IP network. Once you have a feel for how IP and routing works, then what Little Snitch and other tools are reporting can become more useful. Or it might just become so much unnecessary distraction.


There's not enough room in this text input box to post a course on IP networking here, but here is an overview of the common network boxes which might help.
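An added example, not from the thread and not Little Snitch's own code, written in Ruby because the original poster works in Rails: it parses a rule report laid out like the one quoted above and checks each resolved address against the three private (RFC 1918) blocks MrHoffman describes, using their full standard CIDR ranges. The report text is a constructed sample; Little Snitch's real export format is not assumed.

```ruby
require 'ipaddr'

# The three private blocks discussed in the thread (RFC 1918). Loopback and
# link-local are added so a local-but-not-RFC-1918 address is not called public.
PRIVATE_BLOCKS = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }
LOCAL_BLOCKS   = %w[127.0.0.0/8 169.254.0.0/16].map { |c| IPAddr.new(c) }

# Constructed sample, laid out like the Little Snitch rule quoted in the thread.
SAMPLE_REPORT = <<~TXT
  Deny outgoing connections to port 3283 (net-assistant) of krampus until ARDAgent quits
  Process Owner:  Me
  IP Addresses: 198.105.244.228, 198.105.254.228
TXT

RULE_RE = /Deny outgoing connections to port (\d+) \((\S+)\) of (\S+) until (\S+) quits/

# Returns :private, :local, :public or :invalid for an address string.
def classify_ip(str)
  ip = IPAddr.new(str)
  return :private if PRIVATE_BLOCKS.any? { |b| b.include?(ip) }
  return :local   if LOCAL_BLOCKS.any?   { |b| b.include?(ip) }
  :public
rescue IPAddr::InvalidAddressError
  :invalid
end

# Pulls port, service name, hostname, process and resolved IPs out of the report.
def parse_snitch_report(text)
  m = RULE_RE.match(text) or raise ArgumentError, 'no Little Snitch rule line found'
  ips = (text[/IP Addresses?:\s*(.+)/, 1] || '').split(/\s*,\s*/)
  { port: m[1].to_i, service: m[2], host: m[3], process: m[4], ips: ips }
end

# True only when every address the host resolved to lies in a private block,
# i.e. the connection really went to another machine on the LAN.
def lan_peer?(report)
  !report[:ips].empty? && report[:ips].all? { |ip| classify_ip(ip) == :private }
end

# One human-readable line per resolved address, with its scope appended.
def summarize(report)
  report[:ips].map do |ip|
    "#{report[:process]} -> #{report[:host]} #{ip}:#{report[:port]} (#{report[:service]}) #{classify_ip(ip)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  r = parse_snitch_report(SAMPLE_REPORT)
  puts summarize(r)
  puts(lan_peer?(r) ? 'LAN peer' : 'NOT a LAN peer: public address, treat as Internet traffic')
end
```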

Apr 22, 2016 8:17 PM in response to MrHoffman

That's cool, I understand what you're talking about. I have no reason to remove Little Snitch; like I said, I use it to separate concerns. Otherwise I was running netstat and was trying to use https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/pf.conf.5.html


So Little Snitch for my use cases is actually brilliant. I have never downloaded malware or anti-virus, I'm not dumb. lol. I was using Firefox, didn't use an adblocker, but like I said I found one that is open source so that's terrific.


My network is good too. Thank you so much for the advice; it sounds like you cleared things up for me. I'm sure it was my headless browser that I use for integration tests, or some library I was using for testing in that project. It's just interesting because it made a call to ARDAgent or whatever. So I was wondering if the API for it is available to all apps. If you have an app on someone's system you could make a call to it. Which stands it to say that the headless browser tried to make a call with the ARDAgent?


Clearly ARD uses VNC and you can use VNC, but that wouldn't use the Agent for ARD. meh. bigger battles to fight! ::swings her broadsword around wildly::


The bugs stopped with ARD, the project is done and all is well in the world. Thank you.

Apr 23, 2016 1:34 PM in response to GenericGirl

Apple Remote Desktop is an add-on product sold by Apple, and is not part of the OS X distribution.


List price is US$79.99 in the US Mac App Store.


ARD does use the same server components as Screen Sharing, but is quite different from the integrated Screen Sharing client.


If the port is exposed and if the network is open for remote access due to the configuration or the firewall rules, all ports will be probed.


There's a tool known as icefloor, which some folks use to manage pf.


I have no way to know what you do or do not know, what you do or do not have installed here, nor what your network configuration might be, etc. Assuming what you do know can cause as much confusion as assuming what you don't know, unfortunately.

Apr 24, 2016 6:22 AM in response to MrHoffman

I checked out the link on your site for basic networking and it's very informative. Gave it a quick read today. I've used a lot of stuff for networking, OpenWrt, etc. My modem is mine, not the company's, and the router has all the bells and whistles. However I am considering an upgrade to a newer DOCSIS 3.0 and there's a Nighthawk router thing that may be good. I really wanted to build my own wifi router with old parts using Ubuntu Router. I gave away an old power supply and am regretting it now. All I have is a 250 watt power supply so I may have to wait till I salvage a better one.


https://help.ubuntu.com/community/Router


You can do some great things with this router including write services of your own in any language. Including Ruby, ::cough cough:: Do you think all of this could be done with osx server?


I build web apps for a living and am self taught. I started on IRC when I was like 14 lol. Some of the attacks you mention on your page I remember from when I was a kid. I looked into IceFloor and it looks good. It's for Yosemite, not for El Capitan, so they called it a PF Frontend. When I googled that I came across Murus, which I think is from my same company, but even if it's not it looks pretty good. I like going as close to the metal as I can when doing stuff, so I was really disappointed that Apple didn't provide me with a GUI that interfaced with PF. `netstat | grep thing` is not that fabulous. I know you can pipe it to a log and have a terminal multiplexer running, but that's old school and not that great.


http://www.murusfirewall.com/

Murus has three different ones to get. I may get the better of the three. It looks good. I like connecting to my Mac mini, and if I get a job where I won't be working from home, using ARD remotely safely is important to me. So the time will come when I will have to learn more about allowing remote connections safely. I bookmarked your home page. Thanks


What do you use at home?

Apr 24, 2016 7:13 AM in response to GenericGirl

I usually install ZyXEL ZYWALL USG series devices on the edges of the networks I'm configuring — they're not introductory devices and expect some knowledge of IP and routing and VPNs and related topics, but do have consistent user interfaces and a good feature set. The embedded VPN Server can be configured to be compatible with the embedded OS X VPN client, as well. The ISP modem is usually switched to its bridged mode, allowing the firewall to provide all functions including NAT.


I prefer to keep most ports closed and am not fond of having any of the screen-sharing ports open to the 'net in general, and will either use ssh (sometimes on a variant port), or other protocols tunneled into the target network via an L2TP IPsec VPN.


For some cases involving remote access, having the USG configured for dynamic DNS can be useful, as that avoids requiring the target to acquire a public static IP address.


I generally don't depend on the client device local firewall exclusively (preferring to keep folks off the local network), and I generally don't have the client firewall active when doing network-facing development work such as you're doing — that's one less thing to troubleshoot, until I get the basic configuration working — though that development work happens on a protected network, and not on the open Internet. Once I get everything working, then I raise the firewall.


For managing the firewall directly on OS X and OS X Server, I usually use pfctl and related. HT200259, Krypted, ikawnoclast, more ikawnoclast, etc.

Apr 25, 2016 6:43 AM in response to MrHoffman

MrHoffman wrote:


I usually install ZyXEL ZYWALL USG series devices on the edges of the networks I'm configuring — they're not introductory devices and expect some knowledge of IP and routing and VPNs and related topics, but do have consistent user interfaces and a good feature set. The embedded VPN Server can be configured to be compatible with the embedded OS X VPN client, as well. The ISP modem is usually switched to its bridged mode, allowing the firewall to provide all functions including NAT.


I prefer to keep most ports closed and am not fond of having any of the screen-sharing ports open to the 'net in general, and will either use ssh (sometimes on a variant port), or other protocols tunneled into the target network via an L2TP IPsec VPN.


For some cases involving remote access, having the USG configured for dynamic DNS can be useful, as that avoids requiring the target to acquire a public static IP address.


I generally don't depend on the client device local firewall exclusively (preferring to keep folks off the local network), and I generally don't have the client firewall active when doing network-facing development work such as you're doing — that's one less thing to troubleshoot, until I get the basic configuration working — though that development work happens on a protected network, and not on the open Internet. Once I get everything working, then I raise the firewall.


For managing the firewall directly on OS X and OS X Server, I usually use pfctl and related. HT200259, Krypted, ikawnoclast, more ikawnoclast, etc.


Wow thank you so much for all the advice! This is the first time ANYONE has been able to give me straight solid advice on networking hardware. I'm going to order the ZWUSG50 and it will be nice to use the VPN feature once in a while. So the model I'm buying doesn't have wifi, which is fine. I have three different wifi boxes that I can just use, two of which are WRT54GLs and one is a Netgear N900 thing. My modem doesn't have a router or switch built in so there is no bridged mode. It's an SB6141. So clearly my modem is connected to the interwebs since it uses DOCSIS for transferring data, and that would require a DOCSIS firewall to even filter that specific data, which doesn't exist. So the only thing to do is what you call "sitting on the edge of the network," so this hardware firewall would sit right after the modem and control all traffic. I love it. I've been looking for a better firewall and this is a nice solution.


Which ports do you keep closed? Is this all done on the firewall box? You mention using dynamic DNS. So I know what DNS is, but how can it be dynamic and still connect? The external IP would have to be static, right? Or at least not change for a while lol.


I understand the steps you take to setup your environment and projects. It's good advice thank you.


Thanks for sharing the links and man pages for what you use. No one has ever given me this advice either. Thank you a million times over! The links are extremely helpful. I can put these commands inside a Ruby class and use the API with a command line interface, and just load up my program and use the interface I code. I've been wanting a CLI networking tool, so why not build my own? What other commands do you use? =D I'll take any resources you think are relevant for me.

Apr 25, 2016 5:01 PM in response to GenericGirl

What ports do I keep closed? As many as I can. All of them, if I can manage it. Except for the core ICMP functions, as there's no point in hiding and definite advantages to not hiding from ICMP traffic, and particularly when there are open ports and port forwarding on the firewall. Yes, all that on the gateway/firewall/NAT box.


For the networks I deal with, any Wi-Fi routers are generally configured as access points and not routers, as I prefer to avoid subnet routing — at least at the Wi-Fi device.


As for CLI tools, that depends on what I'm doing. Depending on OS X or OS X Server or such, networksetup, systemsetup, ping, dig, whois, scutil, changeip, /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport, etc. I usually use a bash shell script, if I need to roll those together, maybe with the use of the osascript tool if I need to post a dialog box to the GUI or such.


Dynamic DNS is a way to update a DNS server with the local IP address, and it's useful for boxes that are on dynamic IP addresses — good for occasional use and some operations, not good for SMTP mail or HTTPS or other sorts of server-oriented traffic. For this and some other topics, download the ZyXEL manuals and start reading, if you're looking at a USG series.
