Hi all, I have been seeing my firewall block traffic from Opera. If I am reading correctly, it appears Opera is trying to initiate a session with my computer. I noticed this happening after the last upgrade.
I would prefer that Opera and Google do NOT initiate connections to my computer.
Does anyone know what this traffic is?
Looking up the SRC addresses - the majority are Opera and a couple are Google. I am fairly certain they are all related.
--there are about 20-50 of these in my logs - which is Opera address space.
Jul 15 10:45:03 caballito kernel: [ 510.969452] [UFW BLOCK] IN=enp4s0 OUT= MAC=b8:97:5a:f0:c0:55:a0:04:60:39:0f:6c:08:00 SRC=18.104.22.168 DST=192.168.1.36 LEN=114 TOS=0x00 PREC=0x00 TTL=55 ID=36996 DF PROTO=TCP SPT=5222 DPT=47634 WINDOW=68 RES=0x00 ACK PSH URGP=0
Jul 15 10:45:04 caballito kernel: [ 511.968333] [UFW BLOCK] IN=enp4s0 OUT= MAC=b8:97:5a:f0:c0:55:a0:04:60:39:0f:6c:08:00 SRC=22.214.171.124 DST=192.168.1.36 LEN=41 TOS=0x00 PREC=0x00 TTL=55 ID=7085 DF PROTO=TCP SPT=5222 DPT=47644 WINDOW=29 RES=0x00 ACK PSH URGP=0
--and many addresses from this subnet too, which is Google.
Jul 15 10:39:27 caballito kernel: [ 175.778323] [UFW BLOCK] IN=enp4s0 OUT= MAC=b8:97:5a:f0:c0:55:a0:04:60:39:0f:6c:08:00 SRC=126.96.36.199 DST=192.168.1.36 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=41506 PROTO=TCP SPT=443 DPT=59648 WINDOW=357 RES=0x00 ACK FIN URGP=0
Jul 15 10:39:30 caballito kernel: [ 178.206452] [UFW BLOCK] IN=enp4s0 OUT= MAC=b8:97:5a:f0:c0:55:a0:04:60:39:0f:6c:08:00 SRC=188.8.131.52 DST=192.168.1.36 LEN=115 TOS=0x00 PREC=0x00 TTL=57 ID=42778 PROTO=TCP SPT=443 DPT=59648 WINDOW=357 RES=0x00 ACK PSH URGP=0
Jul 15 10:39:50 caballito kernel: [ 198.135999] [UFW BLOCK] IN=enp4s0 OUT= MAC=b8:97:5a:f0:c0:55:a0:04:60:39:0f:6c:08:00 SRC=184.108.40.206 DST=192.168.1.36 LEN=115 TOS=0x00 PREC=0x00 TTL=57 ID=30561 PROTO=TCP SPT=443 DPT=42078 WINDOW=349 RES=0x00 ACK PSH URGP=0
Update - these are the synchronization servers for Opera for settings/history/etc. I have not seen them recently attempting to initiate a connection. The synchronization is something new I have signed up for.
What I still don't understand is why the servers would initiate a connection with me - vs - the browser initiating the connection? I am fairly certain I am reading the logs correctly.
None of your posted log entries feature a TCP SYN flag, so there is no "initiation" of a connection anywhere.
Looks like a filter misconfiguration to me, blocking legit traffic.
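The check the reply above applies by eye, written out as an added example (not part of the thread): it reads the TCP flags from each `[UFW BLOCK]` line and separates connection attempts (SYN without ACK) from segments of an existing flow. The log lines are constructed in the thread's format with documentation addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the UFW/netfilter format shown in the thread.
# Addresses are documentation ranges; the last line (a bare SYN) is added for contrast.
SAMPLE_LOG = """\
Jul 15 10:45:03 host kernel: [ 510.969452] [UFW BLOCK] IN=enp4s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.10 DST=192.168.1.36 LEN=114 TOS=0x00 PREC=0x00 TTL=55 ID=36996 DF PROTO=TCP SPT=5222 DPT=47634 WINDOW=68 RES=0x00 ACK PSH URGP=0
Jul 15 10:39:27 host kernel: [ 175.778323] [UFW BLOCK] IN=enp4s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.20 DST=192.168.1.36 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=41506 PROTO=TCP SPT=443 DPT=59648 WINDOW=357 RES=0x00 ACK FIN URGP=0
Jul 15 10:39:30 host kernel: [ 178.206452] [UFW BLOCK] IN=enp4s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.20 DST=192.168.1.36 LEN=115 TOS=0x00 PREC=0x00 TTL=57 ID=42778 PROTO=TCP SPT=443 DPT=59648 WINDOW=357 RES=0x00 ACK PSH URGP=0
Jul 15 11:02:11 host kernel: [ 1538.120001] [UFW BLOCK] IN=enp4s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.77 DST=192.168.1.36 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1201 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}
FIELD = re.compile(r"(\w+)=(\S*)")

def classify(flags):
    """Map a TCP flag set to what the packet means for connection state."""
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection attempt"   # only this opens a connection
    if "SYN" in flags:
        return "syn-ack reply"            # answer to a SYN this host sent
    if "RST" in flags:
        return "reset"
    return "mid-stream segment"           # data or teardown on an existing flow

def parse_blocks(log):
    """Yield (src, sport, dport, flags, verdict) for each blocked TCP packet."""
    for line in log.splitlines():
        if "[UFW BLOCK]" not in line or "PROTO=TCP" not in line:
            continue
        fields = dict(FIELD.findall(line))
        # netfilter prints flags as bare words after PROTO=TCP (DF comes before it)
        flags = frozenset(line.split("PROTO=TCP", 1)[1].split()) & TCP_FLAGS
        yield (fields["SRC"], int(fields["SPT"]), int(fields["DPT"]),
               flags, classify(flags))

def summarize(log):
    """Count blocked packets per verdict."""
    return Counter(rec[4] for rec in parse_blocks(log))

if __name__ == "__main__":
    for src, sport, dport, flags, verdict in parse_blocks(SAMPLE_LOG):
        print(f"{src}:{sport} -> :{dport} {'+'.join(sorted(flags))}: {verdict}")
    print(dict(summarize(SAMPLE_LOG)))
```

Blocked packets that come from a server port such as 443 or 5222 to a high local port and classify as mid-stream are return traffic for a flow the firewall is no longer tracking, not an inbound connection.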