On Thu, May 02, 2024 at 05:25:11PM +0200, Petter Reinholdtsen wrote:
> [A. F. Cano]
> > I have long noticed that there is usually some data going out of the
> > external interface.  I have always assumed it was housekeeping stuff,
> > such as dns.  However, Cockpit is now showing data going out at 1 Mbps
> > and receiving at 300-400 Mpbs.  Something is going on that looks very
> > suspicious.
>
> It seems very different from mine, which is behind NAT-ing and only

I'm not behind NAT.

> available via pagekite.  As far as I can tell, only Tor and pagekite
> traffic is present when I run 'iftop'.  Did you try to press 'p' to get
> the port number displayed?  Any idea if it is TCP or UDP?  My 'sudo lsof

Aha!  All that traffic is from/to port 3478, which, according to this:

https://www.speedguide.net/port.php?port=3478

is what the STUN server uses.  This page says this means "Session Traversal
Utilities for NAT", but since I'm not behind NAT, do I really need this
running?  It was my impression that it was required to use the matrix
synapse server, which I use all the time.  Furthermore, why is it sending
all that data when it's not in use?  No one is connected to the matrix
server.

Interesting...  After turning off the Coturn app, the transmitting has gone
to 0 but the receiving is still going strong:

fbx:3478  =>  hosted-by.atakehosting.:22      0b      0b      0b
          <=                              51.8Kb  58.0Kb  83.5Kb
fbx:3478  =>  20.198.76.220:16501             0b      0b      0b
          <=                              11.6Kb  17.6Kb  21.0Kb
fbx:3478  =>  20.204.191.192:10065            0b      0b      0b
          <=                              10.3Kb  14.1Kb  16.5Kb
fbx:3478  =>  20.235.10.172:11218             0b      0b      0b
          <=                              10.9Kb  11.1Kb  10.3Kb
fbx:3478  =>  20.219.76.250:22798             0b      0b      0b
          <=                              10.9Kb  10.8Kb  10.6Kb
fbx:3478  =>  20.235.52.217:16842             0b      0b      0b
          <=                              10.7Kb  10.6Kb  10.5Kb
fbx:3478  =>  20.204.88.179:22948             0b      0b      0b
          <=                              9.94Kb  10.5Kb  10.3Kb
fbx:3478  =>  20.235.88.156:18662             0b      0b      0b
          <=                              10.3Kb  10.4Kb  9.68Kb
fbx:3478  =>  20.198.75.192:16897             0b      0b      0b
          <=                              10.7Kb  10.3Kb  10.8Kb
fbx:3478  =>  20.198.105.102:29339            0b      0b      0b
          <=                              10.5Kb  10.2Kb  10.5Kb
fbx:3478  =>  20.219.6.192:15243              0b      0b      0b
          <=                              10.5Kb  10.1Kb  9.42Kb
fbx:3478  =>  20.235.53.133:28456             0b      0b      0b
          <=                              10.3Kb  10.1Kb  2.95Kb
fbx:3478  =>  20.235.51.83:25582              0b      0b      0b
          <=                              9.56Kb  9.49Kb  9.33Kb
fbx:3478  =>  20.235.147.234:11290            0b      0b      0b
          <=                              10.1Kb  9.45Kb  9.33Kb
fbx:3478  =>  20.204.179.88:26048             0b      0b      0b
          <=                              9.38Kb  9.30Kb  8.56Kb
fbx:3478  =>  4.213.68.43:10686               0b      0b      0b
          <=                                  0b  8.36Kb  9.98Kb
fbx:3478  =>  4.213.64.122:24385              0b      0b      0b
          <=                              9.00Kb  7.12Kb  1.78Kb
fbx:3478  =>  20.235.54.175:27404             0b      0b      0b
          <=                              7.88Kb  1.95Kb    499b

I can connect to the matrix server from my usual internal machine I use for
the video conferencing but of course there is no one else at the moment to
conference with, so I don't know if the lack of the STUN/Coturn server might
or might not affect them.

> -i|grep EST|grep -v localhost' only shows pagekite after I stopped tor.

Ok, after stopping the Coturn app, this command only shows privoxy, sshd,
apache2 and syncthing entries.  Very useful command.

The sshd entries all reflect the connections from internal machines, so no
problem here.

One privoxy entry is pointing to the mastodon server.  Since I have a tab
open for that, ok.  Others point to internal machines, so also ok.  One
though points to

privoxy 566165 privoxy 5u IPv4 11129305 0t0 TCP fbx:45490->104.26.2.82:https (ESTABLISHED)

Per ipinfo.io this is in San Francisco, California.  As it is an https
connection, probably one of my open tabs.

One apache2 connection points to an internal machine, the other to:

pool-108-50-237-254.nwrknj.fios.verizon.net

Not sure what this is.  It's an https connection.  This web page doesn't
give much information beyond apparently not being dangerous

https://www.ipqualityscore.com/free-ip-lookup-proxy-vpn-test/lookup/108.53.237.254

Finally there are 2 syncthing connections:

syncthing 1005851 syncthing 19u IPv4 10899136 0t0 TCP fbx:48456->162.212.157.128:22067 (ESTABLISHED)

This one is in Glenview, Illinois.  Not sure why syncthing is connecting to
the outside since all I wanted was to synchronize internal machines and the
phone when on internal wifi.

The other one is internal.

So, after stopping the Coturn app, connections seem much more reasonable.
I would still like to know what the coturn app was sending where and why I
keep receiving 300-400 Kbps on port 3478 and what all those bits are.

In any case, thank you very much for replying.  You pointed me to the
culprit.  Now the FreedomBox is transmitting 10-15 Kbps and still receiving
about 300 Kbps on port 3478.

> --
> Happy hacking
> Petter Reinholdtsen

Augustine
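
Added example, not part of the original message: the `grep EST` filter quoted above only matches TCP sockets in the ESTABLISHED state, so traffic to a UDP listener (STUN commonly runs over UDP) never shows up in it. This Python sketch parses constructed `lsof -nP -i` output and reports external TCP peers per command plus UDP sockets bound to a wildcard address; the sample addresses, the `turnserve` line and the choice of "internal" ranges are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "internal" (assumption: RFC 1918, loopback, link-local, ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample in the column layout of `lsof -nP -i` (not real hosts).
SAMPLE = """\
COMMAND     PID       USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd       2101       root    4u  IPv4 10000001      0t0  TCP 192.168.1.10:22->192.168.1.23:51512 (ESTABLISHED)
privoxy    3300    privoxy    5u  IPv4 10000002      0t0  TCP 192.168.1.10:45490->203.0.113.82:443 (ESTABLISHED)
syncthing  4400  syncthing   19u  IPv4 10000003      0t0  TCP 192.168.1.10:48456->198.51.100.128:22067 (ESTABLISHED)
apache2    5500   www-data    6u  IPv6 10000004      0t0  TCP *:443 (LISTEN)
turnserve  6600 turnserver   16u  IPv4 10000005      0t0  UDP *:3478
"""

def split_endpoint(ep):  # 'host:port' or '[v6]:port' -> (host, port)
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port

def is_internal(host):
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return False  # hostname (lsof run without -n): cannot classify, so report it

def triage(lsof_text):
    """Return ({command: [external TCP peers]}, [(command, wildcard UDP port)])."""
    external, udp_open = defaultdict(list), []
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] == "COMMAND":
            continue
        cmd, proto, name = f[0], f[7], f[8]
        if proto == "TCP" and f[-1] == "(ESTABLISHED)" and "->" in name:
            host, port = split_endpoint(name.split("->")[1])
            if not is_internal(host):
                external[cmd].append(f"{host}:{port}")
        elif proto == "UDP" and "->" not in name:
            # UDP sockets carry no ESTABLISHED state, so `grep EST` hides them.
            host, port = split_endpoint(name)
            if host in ("*", "0.0.0.0", "::"):
                udp_open.append((cmd, int(port)))
    return dict(external), udp_open

if __name__ == "__main__":
    print(triage(SAMPLE))
```

To use it on a live system, pass the text of `sudo lsof -nP -i` to `triage()` in place of `SAMPLE`.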
