Gufw

GUFW listening notifications

Asked by Louis Ferranti

When running GUFW 12.04.1 in Xubuntu 12.04 I notice occasional listening notifications which are puzzling and would appreciate if anyone could explain why these are happening.

Normally the only listening notifications and reports generated by GUFW are for dhclient and host when networking is enabled then wired network activated using Network Manager. A temporary listening report connection for host and a permanent dhclient listening connection to the router DHCP gateway is I believe normal. Presumably the host process closes within a few seconds because DNS lookup is performed via the ADSL router gateway DHCP server.

Normally when a connection is then made to the internet there are no further listening notifications for a several minutes then one or more notifications appear often in quick succession. The notification usually also specify the listening process, though recently it may display just the IP address assigned to the local machine where the calling process normally appears. The listening processes I have noted previously have been Firefox, Thunderbird and also tcpdump, which is often also running. There are no other machines connected at the same time.

There is a recurring characteristic of these listening connections. By noting the port shown in the notification then searching for the port number in the output from tcpdump I have found they are always the result of in-addr.arpa or standard domain requests to the the DHCP server domain port, for example

19:12:01.067469 IP 192.168.1.1.43423 > 192.168.1.254.domain: 23817+ PTR? 4.86.0.37.in-addr.arpa. (40)
19:12:01.095014 IP 192.168.1.254.domain > 192.168.1.1.43423: 23817 1/0/0 PTR rt86bb0-37-4.routit.net. (77)

12:05:19.209961 IP 192.168.1.1.56714 > 192.168.1.254.domain: 18696+ A? s1.yimg.com. (29)
12:05:19.407471 IP 192.168.1.254.domain > 192.168.1.1.56714: 18696 3/0/0 CNAME s.gycs.b.yahoodns.net., A 217.12.1.36, A 217.12.1.35 (96)

Though an internet session can include dozens if not hundreds of TCP domain requests distributed across many different ports on the local machine only a few are flagged as listening and then appear in a GUFW notification. The ADSL gateway DHCP server uses OpenDNS for IP to domain mappings.

Could anyone explain why these connections are being identified as listening only occasionally rather than whenever a domain request is made to the ADSL gateway DHCP server port 53 and also why the notifications sometimes only displays the IP assigned to the local machine rather than describing the actual listening process.

Any help will be much appreciated.

Question information

Language:
English Edit question
Status:
Expired
For:
Gufw Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Launchpad Janitor (janitor) said : 		#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.