Unknown unaccounted est. cnx from firewall to GoogleAddress:4070
-
Hey all, :)
Just now I logged in quickly to one of the edge firewalls to check out something, preparing for a service and somehow landed on the pfTop diagpage; it had —still does— a ton of connections from the downstream (the main firewall) to a Google IP address on TCP port 4070.
The Google IP address has the same port always while my addresses are shown in various high port numbers: the client is on my side. Which is why I don't get these connections.
Hosts in the client subnets can only use outbound ports TCP 80 and 443, no QUIC--so no UDP. Everything else on the intranet is either proxied and multiplexed where possible with specific routes, like DNS, or served locally, like webapps and mail, and the server subnets can't even connect to the Internet; they have tighter control and are allowed by host, port, and destination. Everything, even the built-in presets, e.g. "DNS (53)", is aliased, because this allows changing the meaning of something like "DNS (53)" in bulk, but it also works great to check what might be allowed (and forgotten) in a single page. This port is not anywhere in there, not alone or ranged. There is no traffic shown in the firewall whose exit is the innermost place where traffic is detected—by another firewall.
There are no virtual interfaces; tunnels were moved one layer up from the firewall so they're no longer treated & filtered like DMZs but rather like public interfaces, and currently there are no remote client tunnels. The only firewall service there is, Unbound, uses IPv6 or an internal interface only, plus it's not even the right port.
Except for two rules that apply only after traffic has passed all processing from the address to each WAN-type interface towards its gateway (bufferbloat rules) and some reject/block-type rules, every single pass rule is logged.
Can the bufferbloat rules pass traffic on their own without an inbound rule on some other interface? I created them following the official guide.
The traffic rDNSes to something like google-user-content, or something YouTube-ish like that, but I might be wrong, IDK.
Any ideas?