# Where does this traffic come from?

## Jimini

Hey there,

my system blocks some outgoing traffic which I cannot assign to a program or process:

```
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32661 DF PROTO=TCP SPT=845 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36029 DF PROTO=TCP SPT=691 DPT=55679 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:57 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5139 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:58 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5140 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:48 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10982 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:49 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10983 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:59:04 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59752 DF PROTO=TCP SPT=843 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:59:05 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59753 DF PROTO=TCP SPT=843 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 06:05:10 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58623 DF PROTO=TCP SPT=805 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 06:05:11 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58624 DF PROTO=TCP SPT=805 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 07:24:37 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61388 DF PROTO=TCP SPT=1017 DPT=49510 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 07:24:38 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61389 DF PROTO=TCP SPT=1017 DPT=49510 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 27 10:29:02 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4863 DF PROTO=TCP SPT=884 DPT=35335 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 27 10:29:03 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4864 DF PROTO=TCP SPT=884 DPT=35335 WINDOW=29200 RES=0x00 SYN URGP=0
```

It seems as if this traffic is somehow NFS related, but until now, I was unable to figure it out exactly. As you may have noticed, the source port and the destination port are dynamic. rpc.statd and rpc.mountd are bound to static ports (4001 and 4002 for rpc.statd and 4000 for rpc.mountd).

Of course, all NFS mounts work without problems.

Any ideas?

Best,

Jimini

----------

## szatox

Try `lsof -n | grep <remote IP>` on your chatty device

----------

## Jimini

szatox,

thank you for your reply. The problem is that the system tries to establish the connection only twice at a time, so `lsof -n | grep ip.of.my.workstation` only shows four SSH connections and one HTTPS connection.

Best,

Jimini

----------

## krinn

You should notice the source ports are below 1024, so they aren't as random as you think they are.

Do you have a Windows machine on? Windows loves to send stupid packets and broadcast anything, like UPnP discovery packets or its network announcements.

Or your computer is using something that shares the same stupid concept, like avahi.

----------

## Jimini

Although I have one Windows7 client here, these log lines always appear right after mounting some NFS shares or restarting the NFS daemon. Since no incoming traffic is blocked (and logged), my assumption is that the NFS server initiates the connections.

The following source ports were used so far:

```
846, 822, 826, 848, 721, 836, 765, 754, 795, 682, 832, 708, 900, 753, 838, 999, 739, 962, 997, 781,
894, 725, 1008, 921, 752, 879, 753, 928, 969, 845, 691, 981, 1022, 843, 854, 835, 805, 1017, 887, 1004,
667, 690, 862, 845, 1015, 731, 919, 991, 942, 941, 970, 926, 688, 942, 721, 937, 842, 840, 960, 787,
884, 901, 709, 731, 860, 859, 702, 820
```

...to me, this looks really dynamic :\

Best,

Jimini
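Since the connection attempts in this thread last only two SYNs a second apart, a snapshot tool such as `lsof` rarely catches them; the more reliable approach is to work from the firewall log itself. The script below is an added example, not code from anyone in the thread: it parses netfilter `LOG` lines of the kind Jimini posted, collapses SYN retransmits into single connection attempts, and reports the source-port range, which confirms krinn's point that every source port is in the privileged range below 1024 (that is, bound by a root-owned or `CAP_NET_BIND_SERVICE` process, consistent with kernel RPC/NFS code rather than an ordinary user application, though the thread does not settle which). The sample input is the first six lines from the original post plus one constructed line carrying the `UID=`/`GID=` fields that the iptables `LOG` target appends when the rule is given `--log-uid`; that line is not from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Sample input: six REJECTED_OUTPUT lines quoted from the original post, plus
# one CONSTRUCTED line (not from the thread) that shows the UID=/GID= fields
# the iptables LOG target adds for locally generated packets when the logging
# rule uses --log-uid.
SAMPLE_LOG = """\
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=32661 DF PROTO=TCP SPT=845 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:47 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36029 DF PROTO=TCP SPT=691 DPT=55679 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:57 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5139 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:46:58 Apollon kernel: REJECTED_OUTPUT: IN= OUT=enp1s0f1 SRC=10.0.1.1 DST=10.0.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5140 DF PROTO=TCP SPT=981 DPT=54083 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:48 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10982 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 25 05:58:49 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=10983 DF PROTO=TCP SPT=1022 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 28 12:00:00 Apollon kernel: REJECTED_OUTPUT: IN= OUT=br0 SRC=10.0.0.1 DST=10.0.0.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=700 DPT=48913 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
"""

# Syslog line from the kernel LOG target: timestamp, host, "kernel:", the
# rule's log prefix (REJECTED_OUTPUT here), then space-separated packet fields.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+kernel:\s+(?P<prefix>[^:]*):\s*(?P<fields>.*)$"
)

def parse_line(line):
    """Parse one netfilter LOG line into a dict; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "host": m["host"], "prefix": m["prefix"], "flags": set(),
        # Syslog timestamps carry no year; strptime defaults to 1900, which is
        # fine because only differences between timestamps are used below.
        "time": datetime.strptime(f"{m['mon']} {int(m['day'])} {m['time']}", "%b %d %H:%M:%S"),
    }
    for tok in m["fields"].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val           # "IN=" yields an empty string for an output packet
        else:
            rec["flags"].add(tok)    # DF, SYN, ACK, ... are bare flags without a value
    for key in ("SPT", "DPT", "LEN", "TTL", "ID"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def is_privileged_port(port):
    """Ports below 1024 can only be bound by root or CAP_NET_BIND_SERVICE."""
    return port < 1024

def group_attempts(records, window_s=5):
    """Collapse SYN retransmits into one connection attempt per (SRC, SPT, DST, DPT).

    A SYN with the same 4-tuple as the previous one, no more than window_s
    seconds later, is the kernel retrying the same connect(), not a new one."""
    open_attempts = {}   # 4-tuple -> most recent attempt for that tuple
    attempts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]:
            continue
        key = (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])
        cur = open_attempts.get(key)
        if cur and (rec["time"] - cur["last"]).total_seconds() <= window_s:
            cur["syns"] += 1
            cur["last"] = rec["time"]
            continue
        cur = {"key": key, "out": rec.get("OUT", ""), "syns": 1,
               "first": rec["time"], "last": rec["time"], "uid": rec.get("UID")}
        open_attempts[key] = cur
        attempts.append(cur)
    return attempts

def summarize(records):
    """Aggregate rejected outbound attempts the way a triage would want them."""
    attempts = group_attempts(records)
    sports = sorted({a["key"][1] for a in attempts})
    return {
        # one entry per (interface, src, dst, dport), counting attempts not lines
        "flows": Counter((a["out"], a["key"][0], a["key"][2], a["key"][3]) for a in attempts),
        "attempts": len(attempts),
        "max_syns_per_attempt": max((a["syns"] for a in attempts), default=0),
        "source_port_range": (sports[0], sports[-1]) if sports else None,
        "all_source_ports_privileged": all(is_privileged_port(p) for p in sports),
        # only present for lines logged with --log-uid; maps the attempt to the owning UID
        "attributed_to_uid": {a["key"]: a["uid"] for a in attempts if a["uid"] is not None},
    }

if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for flow, n in report["flows"].most_common():
        print(f"{flow[0]:9} {flow[1]} -> {flow[2]}:{flow[3]}  attempts={n}")
    print("source ports:", report["source_port_range"],
          "all privileged:", report["all_source_ports_privileged"])
    print("attributed by UID:", report["attributed_to_uid"])
```

Run as-is, it shows three distinct destination-port flows, at most two SYNs per attempt (matching the "only twice at a time" observation), and a source-port range of 691 to 1022, all privileged. The UID line illustrates the practical next step for a case like this: adding `--log-uid` to the `LOG` rule makes the kernel record the owning UID of locally generated packets, so the log itself tells you which account the initiating process runs under, without having to catch a two-second connection attempt with `lsof` or `ss`.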
