NoScript visiting home server

Posted: Fri Sep 04, 2015 12:54 pm
by F-3000
Hi!

I have a home server (Debian) in my LAN, and have set a port-forwarding from my VDSL-modem so that the www-part could be reached from WAN. I've been browsing the access-log, and editing fail2ban jail-filter to block out bots (and gosh they're plenty). But I find this rather odd:

Code:

xxx.xxx.xxx.xxx - - [31/Aug/2015:05:52:13 +0300] "GET / HTTP/1.1" 200 572 "-" "Mozilla/5.0 (ABE, https://noscript.net/abe/wan)"
X'ed out IP originates to modem.

I've separately tested it, and it looks like those loggings appear whenever I start Firefox on my laptop. I've also read the post where the URL in user-agent string points to, thus I have some idea about what's going on.

My question is, why does NoScript reach to my server at all?

Re: NoScript visiting home server

Posted: Fri Sep 04, 2015 3:19 pm
by Rollo

Re: NoScript visiting home server

Posted: Fri Sep 04, 2015 4:03 pm
by F-3000
F-3000 wrote:I've also read the post where the URL in user-agent string points to, thus I have some idea about what's going on.
As I expected when I first saw the link, that doesn't either answer to my questions.

Although, it answers to question whether NoScript should be used even if "Allow scripts globally" is enabled (in other words, I should install NoScript to my mom's browser when I next time visit her). But that's another subject.

Re: NoScript visiting home server

Posted: Sun Sep 06, 2015 11:55 pm
by Thrawn
NoScript checks your WAN IP so that it can treat it as local (forbidding requests to it from inside external pages).

Re: NoScript visiting home server

Posted: Mon Sep 07, 2015 5:31 am
by F-3000
I edited my questions to a single question, to prevent any further answers telling me what I already know.

Don't get me wrong, Rollo and Thrawn, I do appreciate the effort, but your answers ain't helping.

I'm fully aware (after reading related documentation even before my first post) that NoScript visits a specific server during(/right after) launch, using HTTPS. I understand that, fine. That's cool. But, nothing has so far explained me, why NoScript visits my server in LAN. Even more confusing (and worrying*) is, that it does so in a fashion that it looks like my modem would have done it. It fetches the root-page with ordinary GET, through HTTP. I'm fully certain that it's NoScript, due to the user-agent string, combined with timestamps in the logs which match my browser startups.

*: Worrying in a sense that if NoScript can do that, then basically any program can do it. Is it my misconfiguration, or VDSL-modem "feature"?

Re: NoScript visiting home server

Posted: Mon Sep 07, 2015 6:07 am
by barbaz
I think NoScript is fingerprinting the device on your WAN IP so that it can protect it better - notably, as said in one of the already linked articles, it checks every 5 minutes or so to see if the fingerprint changed, and if it has, it re-obtains the WAN IP. It's maybe also checking to see if you're on a proxy?
I don't really know more about the WAN IP fingerprinting feature than that, sorry.

If you are deliberately port-forwarding from your modem to this server, why are you worried by & surprised at the results of NoScript fingerprinting your WAN IP?

Re: NoScript visiting home server

Posted: Mon Sep 07, 2015 10:36 pm
by Thrawn
Well, the fact that the originating IP is your modem is not surprising. The IP address being used to connect to the server is on a different network, so your traffic goes through the gateway (the modem), and the modem hides what is behind it and provides its own IP address as the source.

As for why something is connecting to that server...hard to say, really. It would depend on what is running, and how your modem works. What do you use that server for?

Re: NoScript visiting home server

Posted: Wed Sep 09, 2015 9:49 pm
by F-3000
barbaz wrote:I think NoScript is fingerprinting the device on your WAN IP so that it can protect it better - notably, as said in one of the already linked articles, it checks every 5 minutes or so to see if the fingerprint changed, and if it has, it re-obtains the WAN IP. It's maybe also checking to see if you're on a proxy?
I don't really know more about the WAN IP fingerprinting feature than that, sorry.

If you are deliberately port-forwarding from your modem to this server, why are you worried by & surprised at the results of NoScript fingerprinting your WAN IP?
I don't see how it has anything to do with obtaining my WAN IP that NoScript contacts to my LAN server. As I've said previously, problem is not that NoScript "fingerprints" my WAN IP. Problem is that A) NoScript does something it's not supposed to (visits a server in LAN) and B) somehow makes it look like my modem would've been the one that visited, instead of the originating PC.

Also, if we assume that this is some sort of misbehavior for NoScript combined with my equipment and their settings, I'd consider this something serious, since I haven't done anything really fancy with my modem. Unless you consider it as "really fancy" when a person customizes LAN IP range and does port-forwarding for port 80.

If it is by purpose that NoScript visits my LAN server, then I can only ask: why?
Thrawn wrote:Well, the fact that the originating IP is your modem is not surprising. The IP address being used to connect to the server is on a different network, so your traffic goes through the gateway (the modem), and the modem hides what is behind it and provides its own IP address as the source.
It makes no sense that modem would hide source IP, when a LAN device contacts LAN device, especially since I have not (knowingly) enabled/setup anything to make so. I actually just ensured that when I connect the server with Firefox, apache records my laptop's IP as supposed to.
Thrawn wrote:As for why something is connecting to that server...hard to say, really. It would depend on what is running, and how your modem works. What do you use that server for?
I use the server for backups and samba. I'm planning on expanding its purpose, which is why I've been doing stuff with apache.

It looks like it has no matter is it Linux/Firefox/NoScript (on laptop) or Windows/Firefox/NoScript (on desktop) combo, both visit my LAN server when Firefox is started. I even went as far as to disable all other extensions except NoScript on (desktop) Firefox and restarted it, my server was yet again visited with IP matching my modem, with timestamp being equal to the time when Firefox (re)started up. Only if I disable NoScript, is when this does not happen.

Re: NoScript visiting home server

Posted: Wed Sep 09, 2015 10:47 pm
by barbaz
F-3000 wrote:I don't see how it has anything to do with obtaining my WAN IP that NoScript contacts to my LAN server.
NoScript fingerprints your WAN IP - meaning, your modem. As part of it, it checks a certain port. The modem detects a request on said port, and forwards it to your local server, because you have set it up that way.
Your local server has thus received a request from your modem with the user-agent of NoScript's ABE, at a time just after you start Firefox.

Does that clarify it for you?
F-3000 wrote:It makes no sense that modem would hide source IP, when a LAN device contacts LAN device,
Because that's not what's happening here. In your case a LAN device (computer w/ NS) is contacting a WAN device (modem's WAN IP / WAN interface), which is then contacting a different LAN device (server) because as you said in the OP you deliberately set it up to do that.

Re: NoScript visiting home server

Posted: Wed Sep 09, 2015 10:52 pm
by F-3000
barbaz wrote:
F-3000 wrote:I don't see how it has anything to do with obtaining my WAN IP that NoScript contacts to my LAN server.
NoScript fingerprints your WAN IP - meaning, your modem. As part of it, it checks a certain port. The modem detects a request on said port, and forwards it to your local server, because you have set it up that way.
Your local server has thus received a request from your modem with the user-agent of NoScript's ABE, at a time just after you start Firefox.

Does that clarify it for you?
F-3000 wrote:It makes no sense that modem would hide source IP, when a LAN device contacts LAN device,
Because that's not what's happening here. In your case a LAN device (computer w/ NS) is contacting a WAN device (modem's WAN IP / WAN interface), which is then contacting a different LAN device (server) because as you said in the OP you deliberately set it up to do that.
So, you're saying that if I turn off port-forwarding, NoScript stops tickling my server?

[Edit] That's exactly what would happen. Going to my WAN IP with my browser directs me to my server, while IP logged belongs to modem. Now I think I understand what's going on here. Darn it took long.

Re: NoScript visiting home server

Posted: Wed Sep 09, 2015 10:56 pm
by barbaz
I believe so, yes.

Re: NoScript visiting home server

Posted: Wed Sep 09, 2015 11:10 pm
by F-3000
barbaz wrote:Does that clarify it for you?
If you simply would have said earlier that NoScript simply visits WANIP:80, I would have understood so much quicker. ;) That's rather odd behavior for the modem.

Darn I feel silly.
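
The log pattern worked out in this thread, as an added example that is not part of any post: a small classifier for Apache combined-format lines that separates the browser's own ABE WAN check, looped back through the port forward, from other traffic. The gateway addresses, label names and sample lines are assumptions constructed for illustration; only the user-agent marker comes from the thread.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
ABE_MARKER = "(ABE, https://noscript.net/abe/wan)"  # user-agent seen in the thread

# Assumption: addresses the modem may present as source on a looped-back connection.
GATEWAY_ADDRS = {ip_address("192.168.1.1"), ip_address("203.0.113.10")}

# Constructed sample lines (private/documentation address ranges, not real logs).
SAMPLE = [
    '192.168.1.1 - - [31/Aug/2015:05:52:13 +0300] "GET / HTTP/1.1" 200 572 "-" '
    '"Mozilla/5.0 (ABE, https://noscript.net/abe/wan)"',
    '198.51.100.7 - - [31/Aug/2015:06:10:02 +0300] "GET / HTTP/1.1" 200 572 "-" '
    '"Mozilla/5.0 (ABE, https://noscript.net/abe/wan)"',
    '198.51.100.7 - - [31/Aug/2015:06:10:05 +0300] "GET /wp-login.php HTTP/1.1" '
    '404 210 "-" "Mozilla/5.0"',
]

def classify(line, gateways=GATEWAY_ADDRS):
    """Label one access-log line by ABE marker and source address."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    try:
        src = ip_address(m["src"])
    except ValueError:  # host field is a name, not an address
        return "unparsed"
    has_marker = ABE_MARKER in m["ua"]
    if has_marker and src in gateways:
        return "abe-hairpin"          # own browser, looped back by the port forward
    if has_marker:
        return "abe-ua-other-source"  # user-agent is client-supplied, so not proof
    return "other"

def summarize(lines):
    """Count labels over an iterable of log lines."""
    return Counter(classify(line) for line in lines)

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "<-", line[:60])
```

When excluding these requests from a fail2ban filter, match on the source address as well as the user-agent, since any client can send the same string.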