Odd network behaviour caught by firewall - Xperia 10 III

Hello, my firewall caught some strange behaviour that is guaranteed to be related to my SailfishOS installed Xperia 10 III. Just thought I’d ask around to see if anyone here has seen similar behaviour or could explain it to me.

The IP addresses on the right side of the screenshot above are one of my telecom provider’s MMS servers, which I know from the port being used, having manually entered it into the settings on SailfishOS. However, the 2 IP addresses on the left are not anything I recognize. Some whois requests say the IP addresses belong to a range assigned to the UK Ministry of Defense. However, my firewall is listing this as a LAN initiated request, and I’m definitely nowhere near the UK, and my LAN has the standard 192.168.0.0/16 assignments. I know this request is somehow involving my Sailfish device, both from the timing (I was fooling around a lot with re-flashing and setting up my Xperia earlier that day), and because my Android devices never contact MMS servers through my WiFi network.

Again, just wondering if this can be explained by anyone here or if similar behaviour has been seen by others in the community…

Is it a fresh install without Android Apps?

It has the AppSupport option installed, but the service was not running (also disabled the auto-start on boot) by the time in the screenshot.

ICANN query gives 25.75.249.121 being in the RIPE database.

What is the RIPE database:

One of the activities of RIPE is to maintain a database of European IP networks, DNS domains and their contact persons and other information needed for the technical coordination of IP networks. This database is called the RIPE Network Management Database or simply the “RIPE Database”.

Looks useful, not harmful.

2 Likes

Huh, I must have made a pretty big typo. Still confused as to why it’s showing up as a LAN originating IP, and why it would be contacting the MMS server. Perhaps a question partially better suited to pfSense’s forum.

Caught the behaviour again, though with IP 25.211.140.233. ICANN is corroborating my initial finding this time. Anyways, I wonder if this behaviour of trying to send/receive MMS via WiFi is a known bug? As far as I can remember they’ve always been forced to go through cellular data. Perhaps it is why MMS refuses to work here in Canada. That or I need to phone my carrier’s tech support to force associate my IMEI with my account, since it doesn’t seem to do it automatically…

Handle: 25.0.0.0 - 25.255.255.255

Lol, must be nice owning an ipv4 /8 block.
(I know, it’s RIPE, totally explainable. My whois query lists RegDate: 1985-01-28 btw. Fun.)

Anyhoo, ideas that come to mind: could be the result of some round-robin DNS, maybe DNS-Over-HTTPS? NTP (though that would probably use UDP)?

If you catch the event while it is happening, try (on the phone):

devel-su netstat -anp | grep [source port]

Which should give you the process that owns the connection.

(Or if you want to be fancy about it, use the ss tool instead of netstat.)

devel-su ss -plants  dst = 25.0.0.0/8
devel-su ss -plants  dport = :47600
devel-su ss -plants  dport = :8799
...
3 Likes
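Because the connection may only exist for a moment, one way to catch its owner is to poll ss in a loop and log every match with a timestamp. This is an added example, not part of the post above; it assumes iproute2's ss, and the function names, the sample lines and the process name in them are constructed for illustration.

```shell
#!/bin/sh
# Added example: log which process owns connections matching an ss filter.
# Run as root (devel-su), otherwise ss leaves the users:(...) column empty.

# Constructed sample of `ss -tanp` output (addresses and ports taken from the
# thread, pairing and process name invented) so the parser can be tried offline.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
ESTAB  0      0      192.168.1.23:41822  25.211.140.233:8799 users:(("example-proc",pid=4242,fd=11))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*           users:(("sshd",pid=900,fd=3))
TIME-WAIT 0   0      192.168.1.23:41000  25.75.249.121:47600'

# Read ss output on stdin; for every line that carries a users:(("name",pid=N
# column, print "peer_addr:port name pid". Lines without an owner are skipped.
owners_from_ss() {
    awk '
        match($0, /users:\(\("[^"]*",pid=[0-9]+/) {
            u = substr($0, RSTART, RLENGTH)
            sub(/^users:\(\("/, "", u)          # leaves: name",pid=N
            split(u, parts, /",pid=/)
            # the peer address is the field right before the users: column
            for (i = 1; i <= NF; i++) if ($i ~ /^users:/) peer = $(i - 1)
            print peer, parts[1], parts[2]
        }'
}

# Poll once a second; the arguments are handed to ss unchanged as its filter.
watch_owner() {
    while :; do
        ss -tanp "$@" 2>/dev/null | owners_from_ss |
        while read -r peer name pid; do
            echo "$(date '+%F %T') $peer $name pid=$pid"
        done
        sleep 1
    done
}

# Usage, after sourcing this file in a root shell:
#   watch_owner dst 25.0.0.0/8
#   watch_owner dport = :47600
```

Redirect the output of watch_owner to a file and leave it running; the logged pid can then be looked up under /proc while the process is still alive.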

… and if you want to be really stupid about it, you could use googerteller:

which is available here:

1 Like

I shall try that out next time I’m off work.

On another note, the folks over at the pfSense forum suggested that this behaviour could indicate a problem with network stack configuration. Does anyone know how I could check on and troubleshoot such things?

👆 This is in no way a specific enough description to warrant a question like this. 👇

You are probably better off asking the people that said that what they mean.