  1. #1
    Senior Member gharris999's Avatar
    Join Date
    Apr 2005
    Location
    Santa Fe, NM
    Posts
    3,299

    Strange network traffic

    I just noticed this in my Ubuntu box's dmesg:
    Code:
    [ 3783.689658] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8486 PROTO=TCP SPT=7435 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3803.692332] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8514 PROTO=TCP SPT=7437 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3823.702774] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8542 PROTO=TCP SPT=7439 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3843.712546] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8570 PROTO=TCP SPT=7441 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3863.721763] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8598 PROTO=TCP SPT=7443 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3883.730390] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8626 PROTO=TCP SPT=7445 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3903.738515] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8654 PROTO=TCP SPT=7447 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3923.746171] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8682 PROTO=TCP SPT=7449 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3943.753794] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8710 PROTO=TCP SPT=7451 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3963.760144] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8738 PROTO=TCP SPT=7453 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 3983.766560] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8766 PROTO=TCP SPT=7455 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 4003.772615] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8794 PROTO=TCP SPT=7457 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 4023.778361] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8822 PROTO=TCP SPT=7459 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 4043.783789] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8850 PROTO=TCP SPT=7461 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 4063.789521] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8878 PROTO=TCP SPT=7463 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    [ 4083.797773] [UFW BLOCK] IN=eth0 OUT= MAC=00:21:85:97:b6:c5:00:04:20:06:29:30:08:00 SRC=192.168.0.7 DST=192.168.0.222 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=8906 PROTO=TCP SPT=7465 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0
    So, those are firewall block messages and it appears to be blocks related to TCP traffic directed at port 3483 (slim discovery) coming from my SB3 (a.k.a. SBClassic).

    I thought everything on 3483 was UDP only. Should we be opening our firewalls on 3483 to TCP too?

  2. #2
    Senior Member bluegaspode's Avatar
    Join Date
    Jul 2009
    Location
    Berlin, Germany
    Posts
    3,051
    3483 UDP is the discovery protocol.
    3483 TCP is SlimProto, the protocol which has all the low level playback and synchronization commands.

    Without 3483 TCP playback won't work.

  3. #3
    Senior Member gharris999's Avatar
    Join Date
    Apr 2005
    Location
    Santa Fe, NM
    Posts
    3,299
    Quote Originally Posted by bluegaspode View Post
    3483 UDP is the discovery protocol.
    3483 TCP is SlimProto, the protocol which has all the low level playback and synchronization commands.

    Without 3483 TCP playback won't work.
    Eh. You're right, of course. And my firewall IS already configured to allow TCP on 3483:
    Code:
    # ufw status
    Status: active
    
    To                         Action      From
    --                         ------      ----
    ...
    3483/udp                   ALLOW       192.168.0.0/24
    3483/tcp                   ALLOW       192.168.0.0/24
    9000/tcp                   ALLOW       192.168.0.0/24
    9090/tcp                   ALLOW       192.168.0.0/24
    ...
    So why was I getting those messages, I wonder?

  4. #4
    Senior Member
    Join Date
    May 2005
    Location
    In a house
    Posts
    1,629
    Quote Originally Posted by gharris999 View Post
    Eh. You're right, of course. And my firewall IS already configured to allow TCP on 3483:
    So why was I getting those messages, I wonder?
    These are TCP Reset packets, and are likely due to the connection already being closed, but the remote is late in closing its side. Since the connection is closed, the Linux firewall blocks the now invalid connection. I used to see these in my Smoothwall firewall. See:

    http://community.smoothwall.org/foru...ic.php?t=24576

    for an explanation on how to drop the messages.

  5. #5
    Senior Member gharris999's Avatar
    Join Date
    Apr 2005
    Location
    Santa Fe, NM
    Posts
    3,299
    Ok, that makes total sense. I suppose that if one were to stop squeezeboxserver, the squeezebox may very well continue to send TCP traffic on 3483... and the firewall would complain. Thanks.

  6. #6
    Senior Member
    Join Date
    May 2005
    Location
    In a house
    Posts
    1,629
    They should cease. These would only be related to recently closed (no longer established) connections. They are not unsolicited - just one side finished the close handshake early. Typically, both sides ack the close.
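
Added example, not part of any post in this thread and not UFW or Squeezebox project code: a small triage script for `[UFW BLOCK]` kernel log lines that separates blocked RST/FIN packets (the late-teardown case described in post #4) from blocked bare SYNs, which would mean an allow rule really is missing. The sample lines, the MAC value, the host 192.168.0.9 and the category names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the kernel log format quoted in post #1. The MAC value,
# host 192.168.0.9 and the SYN line are invented here for contrast.
MAC = "MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00"
SAMPLE = "\n".join([
    f"[ 3783.6] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=192.168.0.7 DST=192.168.0.222 "
    "LEN=40 TTL=64 ID=8486 PROTO=TCP SPT=7435 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0",
    "[ 3790.0] eth0: link is up",  # unrelated kernel message, must be skipped
    f"[ 3803.6] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=192.168.0.7 DST=192.168.0.222 "
    "LEN=40 TTL=64 ID=8514 PROTO=TCP SPT=7437 DPT=3483 WINDOW=3000 RES=0x00 RST URGP=0",
    f"[ 3810.1] [UFW BLOCK] IN=eth0 OUT= {MAC} SRC=192.168.0.9 DST=192.168.0.222 "
    "LEN=60 TTL=64 ID=1201 DF PROTO=TCP SPT=40112 DPT=9000 WINDOW=5840 RES=0x00 SYN URGP=0",
])

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_ufw_line(line):
    """Return a dict of KEY=value fields plus a FLAGS set, or None if not a UFW line."""
    m = re.search(r"\[UFW ([A-Z ]+)\]\s+(.*)", line)
    if not m:
        return None
    pkt = {"ACTION": m.group(1), "FLAGS": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            pkt[key] = value
        elif tok in TCP_FLAGS:        # bare words such as RST; DF is an IP flag, ignored
            pkt["FLAGS"].add(tok)
    return pkt

def classify(pkt):
    """Heuristic label for one blocked packet, based only on its TCP flags."""
    if pkt.get("PROTO") != "TCP":
        return "not-tcp"
    flags = pkt["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection"       # a fresh connect was refused: check the rules
    if flags & {"RST", "FIN"}:
        return "late-teardown"        # leftover from an already-closed connection
    return "other-tcp"

def summarize(text):
    """Count blocked packets per (source, destination port, label)."""
    pkts = filter(None, map(parse_ufw_line, text.splitlines()))
    return Counter((p.get("SRC"), p.get("DPT"), classify(p)) for p in pkts)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
```

The label is a heuristic from the flags alone; it cannot confirm that a matching connection existed earlier.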
