cancel
Showing results for 
Search instead for 
Did you mean: 

Connection attempts from PN community servers

Superuser
Superuser
Posts: 10,023
Thanks: 1,562
Fixes: 19
Registered: 22-08-2007

Connection attempts from PN community servers

Hi,
Whilst reviewing my AV / Firewall logs this morning I noticed blocked attempted connections to my PC from PN community servers.  Whilst I can understand responses therefrom, unsolicited requests seem inappropriate.  Further what is the consequence of these requests being blocked?  Does this "shine any light" onto any of the operational issues being investigated?
Quote
Incoming network connection blocked - community.plus.net [212.159.9.110] to TCP port 61794 and another to port 61793.

I cannot find any recognised uses for these ports.

Kevin
adie:green fixed quote
4 REPLIES
Community Veteran
Posts: 4,921
Thanks: 343
Fixes: 16
Registered: 10-06-2010

Re: Connection attempts from PN community servers

Not a particularly detailed log message. Doesn't give the source port or TCP flags such as SYN, ACK, FIN etc. Was it really a new incoming TCP SYN packet to start a new connection?
You probably made an outgoing connection from port 61794 to community.plus.net to port 80 or 443. If community.plus.net doesn't reply in time (longer than maybe 30 seconds or 2 minutes, the exact time depends on the state of the connection and it can be configured), then the firewall will forget about the outgoing connection. If the reply eventually arrives, the firewall won't have the outgoing connection to match it to, and also probably the NAT table won't know which LAN IP to translate it to.
If you could configure your, firewall, operating system, NAT etc. to wait longer, then packets might reach their destination, rather than the webpage timing out. But longer timeouts would be impractical and require more memory, keeping entries around for longer would mean more stay in memory.
Superuser
Superuser
Posts: 10,023
Thanks: 1,562
Fixes: 19
Registered: 22-08-2007

Re: Connection attempts from PN community servers

Hi ejs,
Thank you for the prompt reply.  Yes the details in the McAfee UI are sparse and I cannot find the raw firewall logs.  At least with ZoneAlarm one used to get really useful detailed information - but that is what happens when products are made simpler for a wider audience!
At the time of the logged incidents, I was no where near my PC, but I had left two browser windows connected to the community - given I have "stay permanently logged in set" I wonder if this is related to a session refresh?
Will keep a watchful eye on this.  There are other unsolicited fish to fry too, including one for McAfee itself.
Only looking here as I'm poking around with IPv6 and trying to get a TBB monitor running - can see blocked IPv6 connections from TBB too... I guess this is advert serving.

Kevin
Community Gaffer
Community Gaffer
Posts: 4,917
Thanks: 190
Fixes: 4
Registered: 04-04-2007

Re: Connection attempts from PN community servers

Quite possible the same issue Purleigh (and others) highlighted with the misconfigured load balancer which we've been trying to resolve.
Community Veteran
Posts: 4,921
Thanks: 343
Fixes: 16
Registered: 10-06-2010

Re: Connection attempts from PN community servers

My previous post is not entirely relevant because I didn't really notice that this was the firewall log on your computer, not router. So your router must have had a NAT entry (or port forwarding rule, or DMZ) matching the packet otherwise the packet wouldn't have reached your computer, instead it would have been dropped by your router. Perhaps your router keeps firewall state and NAT entries for longer than your computer firewall does.
I think these forums are so old fashioned and simple that they don't do anything if you leave a browser window open, and always stay logged in just sets a login cookie to never expire.