Netgate Discussion Forum

    Traffic from port 0

    15 Posts 3 Posters 1.6k Views
    • kiokomanK
      kiokoman LAYER 8
      last edited by

      just out of curiosity but how could this happen?

      i have a lot of this on my log
      Aug 18 10:38:38 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
      Aug 18 10:38:36 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
      Aug 18 10:38:35 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP

      they probably have some misconfiguration. what can it be that makes them transmit from port 0?

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • NogBadTheBadN
        NogBadTheBad
        last edited by

        @kiokoman said in Traffic from port 0:

        2.229.0.222

        Are Fastweb your ISP, looks like a misconfigured host asking 192.168.1.200 for NTP info.

        AS details for 2.229.0.222 :-
        
        route:          2.224.0.0/13
        descr:          Fastweb Networks block
        origin:         AS12874
        remarks:
        remarks:        In case of improper use originating from our network,
        remarks:        please mail customer or abuse@fastweb.it
        remarks:
        mnt-by:         FASTWEB-MNT
        created:        2011-02-07T10:33:03Z
        last-modified:  2011-02-07T10:33:03Z
        source:         RIPE
        remarks:        ****************************
        remarks:        * THIS OBJECT IS MODIFIED
        remarks:        * Please note that all data that is generally regarded as personal
        remarks:        * data has been removed from this object.
        remarks:        * To view the original object, please query the RIPE Database at:
        remarks:        * http://www.ripe.net/whois
        remarks:        ****************************
        
        
        Sunday, 18 August 2019 at 10:25:56 British Summer Time
        

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • kiokomanK
          kiokoman LAYER 8
          last edited by

          no i'm "192.168.1.200", i have a ntp server that is part of a pool

          • NogBadTheBadN
            NogBadTheBad @kiokoman
            last edited by NogBadTheBad

            @kiokoman said in Traffic from port 0:

            no i'm "192.168.1.200", i have a ntp server that is part of a pool

            Your WAN address is 192.168.1.200 or 192.168.1.200 is on your LAN and there is NAT going on ?

            IIRC firewall rule 1000000114 is the default deny WAN rule.

            • kiokomanK
              kiokoman LAYER 8
              last edited by kiokoman

              of course there is nat going on
              what is strange and i never saw before is "WAN Block traffic from port 0"
              so the question was, what kind of misconfiguration can permit traffic to go out of port 0
              personally i have no problem, this is the only host blocked with that kind of error.
              2.229.0.222 must have something misconfigured, what could that be?
              the ports are from 1 to 65535, if you set port to 0 on any program you are only telling it to use a random port, i don't see how this is possible in the first place

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Yeah that really should not be possible.. If I had to guess, I would say their client is out of available ports to use for source.. If I recall, when an application creates its socket it asks for a port, and this could be done via port 0, in which case the system should then bind it to an open source port to use..

                Are you seeing a lot of that traffic?

                Looks to be a mail server out of Italy.. are you in that region of the world?
                ;; ANSWER SECTION:
                222.0.229.2.in-addr.arpa. 86400 IN PTR mail.hilex.it.

                Some law firm maybe?

                If you're not in that area - they shouldn't be talking to you anyway.. ntp pool makes more sense to query ntp servers in your area.. asking something on the other side of the planet for time is not going to be the best accuracy ;)

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
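
Added example, not part of any post in this thread: a Python script that parses firewall log lines in the layout quoted in the first post and counts TCP/UDP entries whose source port is 0 or absent, plus a helper showing that binding a socket to port 0 makes the OS pick a real port. The line layout, the reading of a bare source IP as port 0, and the last two sample lines are assumptions made for this example.

```python
import re
import socket
from collections import Counter

# Layout inferred from the log lines quoted in the thread:
# time, interface, rule description, (rule id), source, destination, protocol.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<iface>\S+)\s+(?P<desc>.*?)\s+"
    r"\((?P<rule>\d+)\)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)$"
)

# The first three lines come from the thread; the last two are constructed.
SAMPLE_LOG = """\
Aug 18 10:38:38 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
Aug 18 10:38:36 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
Aug 18 10:38:35 WAN Block traffic from port 0 (1000000114) 2.229.0.222 192.168.1.200:123 UDP
Aug 18 10:38:34 WAN Constructed sample rule (1) 203.0.113.7:41522 192.168.1.200:123 UDP
Aug 18 10:38:33 WAN Constructed sample rule (1) 198.51.100.9 192.168.1.200 ICMP
"""

def split_endpoint(endpoint):
    """Split an IPv4 'ip' or 'ip:port' field into (ip, port); a missing port is None."""
    ip, sep, port = endpoint.partition(":")
    return ip, (int(port) if sep else None)

def port_zero_sources(log_text):
    """Count TCP/UDP entries per (source ip, destination) with source port 0 or absent."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"].upper() not in ("TCP", "UDP"):
            continue  # ICMP has no ports, so a bare IP is normal there
        src_ip, src_port = split_endpoint(m["src"])
        # Assumption: a zero source port is shown as a bare IP, as in the thread.
        if not src_port:
            hits[(src_ip, m["dst"])] += 1
    return hits

def os_assigned_port():
    """Bind a UDP socket to port 0 and return the port the OS actually assigned."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    for (src, dst), n in port_zero_sources(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {n} packets with source port 0")
    print("bind to port 0 gave local port", os_assigned_port())
```
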
                • kiokomanK
                  kiokoman LAYER 8
                  last edited by

                  yes i'm from italy

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Ah - well then that makes more sense then.. Maybe you could reach out to them and tell them hey their ntp prob not going to be working if they are asking from source port 0 ;)

                    • kiokomanK
                      kiokoman LAYER 8
                      last edited by

                      yeah that was my intention, but before that I wanted to understand what it was all about

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        Unless their box has been compromised.. Is prob just an issue on the box..

                        That would be very nice of you to let them know.. Cuz yeah nobody really going to be answering their ntp queries.. Not from that source port.

                        The trick will be getting someone to even look at your emails ;) Not all companies monitor abuse email addresses, but since that IP says it's mail for a company.. You might be able to reach their IT dept..

                        They should for sure buy you a beer if you help them out like that ;) hehehehe

                        • kiokomanK
                          kiokoman LAYER 8
                          last edited by

                          the problem is that his email server is down, his web site is also down (it was working an hour ago now it's telling me "There is no SSL certificate configured for this domain." ) i will wait some hours maybe they are doing something, eventually i can contact his isp

                          • NogBadTheBadN
                            NogBadTheBad
                            last edited by

                            @johnpoz said in Traffic from port 0:

                            mail.hilex.it

                            Their cert is hosed, if they don't care about that, I wonder if they'll even care about the offending host.

                            It may be something you have to ignore.

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              Well their email server being down prob would be yeah issue with the ports if asking for stuff from source 0..

                              I was just on their website though, at least believe it's theirs.. Different IP.

                              http://hilex.it/

                              But yeah https is down on that site - certs got the wrong freaking domain on it ;) My guess is they need some IT help... hehehehehe

                              • kiokomanK
                                kiokoman LAYER 8
                                last edited by

                                maybe he can be a new customer 😂

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz

                                  That would be great story for sure!

                                  So found a new customer to support, yeah they were sending out shit traffic that my firewall blocked.. So I contacted them about it - now I provide their IT support... heheeheheh

                                  That for sure should be posted somewhere... How monitoring your firewall logs can find you new customers ;)
