Something talking to Adobe when their software is not installed??
-
Noticed a few weird entries in the fw log:
Jan 10 14:12:59 Direction=OUT WAN 80.44.233.2:59253 (80-44-233-2.dynamic.dsl.as9105.com) -> 66.235.148.128:80 (cannot resolve) TCP:S pass/100000101
Jan 10 14:12:59 LAN 192.168.10.20:55333 -> 66.235.148.128:80 (cannot resolve)
The ip address seems to be linked to an address block assigned by Arin to Adobe, inc.
Problem is I don't have any Adobe software installed, no pdf, no flash, and there is no Adobe software installed anywhere else, namely a set top TV box and another Windows 7 machine.
So does anyone have any ideas why my machine and pfsense seem to be trying to connect to this ip address & port 80 even though in the browser nothing displays?
Fw is only a few hours old, the win7 machine is a few days old from fresh installs.
TIA.
-
Adobe has a bonjour service and that's used by multiple vendors.
Furthermore a lot of cookies refer to 2o7.net which is also Adobe.
-
What has IP 192.168.10.20?
-
Win7.
Problem is the win7 machine was not being used at the time, so there was no reason for it to be going out online. This was the only ip address which I could resolve to an actual entity as well; there were lots of entries going out to servers I could not identify who they belong to, but the Adobe ip address is the only one I could identify.
I could understand if say Resolver (now default in 2.2rc) was going out to look up dns entries, but I'd see different traffic headed for a different destination port. These are packets going to port 80 that, when you use a browser to visit the ip address, show nothing, so it's probably a backup route when whatever can't get out of the lan, as I can't block port 80 traffic for obvious reasons.
-
Problem is the win7 machine was not being used at the time,
Does it mean that the device was switched off?
You can, of course, just create a block rule for the IPs in question and enable logging.
See which devices try to establish a connection.
-
Just on the desktop, not being used.
Problem with blocking IPs is dns entries change all the time, especially with stuff going over Akamai, Fastly and other content delivery networks. Is there anything that keeps track of dns entry changes?
-
I would probably install an outbound firewall on the Win7 box and look at what's opening outbound connections. It's probably nothing to worry about though. Adobe make a lot of software that's used in many places.
Is this a clean install of Win7 or an OEM install complete with bloatware?
Steve
-
Why not use the Packet Capture utility in pfSense?
-
I would probably install an outbound firewall on the Win7 box and look at what's opening outbound connections. It's probably nothing to worry about though. Adobe make a lot of software that's used in many places.
Is this a clean install of Win7 or an OEM install complete with bloatware?
Steve
Clean install from an iso, just Windows, no bloatware, apart from the Intel Driver management tool, which installs .net4.5, so that came off again to reduce the number of Windows updates; Firefox (NoScript & Cookie Controller), Avira, 7-zip, Win32DiskImager (copy pfsense iso to memstick) and that's it. Avira was installed first, then Firefox.
Why not use the Packet Capture utility in pfSense?
It times out after a while, so I've been using a Raspberry Pi hooked up to an external hd to log the data, but each time I've left it for any length of time (it's got a 2tb drive) it crashes and trashes the data. It's fine for a few hours when I'm testing it, but anything above that it crashes, so I never get a chance to do a really long packet capture to piece things together properly.
Edit.
If I wanted to change the way the packet capture works on pfSense, what's the best way of going about it?
TIA.
-
Change it in what way?
You can use tcpdump directly at the command line if the webgui doesn't have the options you need:
https://doc.pfsense.org/index.php/Sniffers,_Packet_Capture#tcpdump
Steve
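Added example (not from anyone in this thread): besides tcpdump, the raw filter log on the box already answers the "what has 192.168.10.20" question, since each pass/block line carries source, destination and TCP flags. The awk filter below counts which LAN hosts sent a SYN to a given destination IP and port. It assumes pfSense's filterlog CSV layout (rule, subrule, anchor, tracker, interface, reason, action, direction, ip-version, then the IPv4 fields and src, dst, sport, dport, datalen, tcpflags); the log lines in SAMPLE are constructed, and on a real box you would feed it `clog /var/log/filter.log` instead.

```shell
#!/bin/sh
# Constructed sample of pfSense raw filter log lines (not taken from the thread).
# Field layout assumed: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst,sport,dport,datalen,tcpflags,...
SAMPLE=$(cat <<'EOF'
Jan 10 14:12:59 pfsense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,128,1021,0,DF,6,tcp,52,192.168.10.20,66.235.148.128,55333,80,0,S,1,,8192,,mss
Jan 10 14:12:59 pfsense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,128,1022,0,DF,6,tcp,52,192.168.10.20,66.235.148.128,55334,80,0,S,1,,8192,,mss
Jan 10 14:13:02 pfsense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,128,1023,0,DF,6,tcp,52,192.168.10.20,66.235.148.128,55334,80,0,PA,1,,8192,,
Jan 10 14:13:07 pfsense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,64,311,0,DF,6,tcp,60,192.168.10.31,66.235.148.128,41200,80,0,S,1,,29200,,mss
Jan 10 14:13:09 pfsense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,128,1024,0,DF,17,udp,70,192.168.10.20,192.168.10.1,61000,53,50
EOF
)

# who_talks_to DST DPORT   (log lines on stdin)
# Prints "src count": one line per source host, counting only pure SYN packets
# (tcpflags == "S"), so each new connection is counted once rather than every
# packet of the flow. With -F, field 1 is the syslog prefix plus the rule number,
# so the CSV fields start at $2; src/dst/dport/tcpflags land in $19/$20/$22/$24.
who_talks_to() {
  awk -F, -v dst="$1" -v port="$2" '
    $17 == "tcp" && $20 == dst && $22 == port && $24 == "S" { n[$19]++ }
    END { for (s in n) print s, n[s] }
  ' | sort
}

# Usage: which LAN hosts opened connections to the Adobe-assigned address on port 80?
printf '%s\n' "$SAMPLE" | who_talks_to 66.235.148.128 80
```

On the box itself the same filter works as `clog /var/log/filter.log | who_talks_to 66.235.148.128 80`, and changing the port or destination needs no other edits.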
-
I'll see what I can do.
Still learning what I can and can't do on pfSense at the moment.