Automatic connections to proxy-nue.opensuse.org?

Hi,

I just noticed in tcpdump that as soon as a network connection is established, a few HTTP packets are sent to proxy-nue.opensuse.org

Why is that and how can I stop this?

On Tue, 03 Apr 2018 16:06:01 +0000, heyjoe wrote:

> Hi,
>
> I just noticed in tcpdump that as soon as a network connection is
> established, a few HTTP packets are sent to proxy-nue.opensuse.org
>
> Why is that and how can I stop this?

ISTR this was talked about before, and it’s just a check to see if
there’s a proxy server in place. If you browse to the site itself, it
appears to be a mirror of the build service download servers.

You could look at the contents of the payload to see what is being sent.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Why should connecting to the network result in an automatic check for a proxy server? There is no browser open, not even X started. Just plain console. Even ntpd is stopped.

Here is what tcpdump outputs after ‘rcnetwork restart’:


tcpdump: listening on enp6s7, link-type EN10MB (Ethernet), capture size 262144 bytes
IP (tos 0x0, ttl 64, id 3915, offset 0, flags [DF], proto TCP (6), length 60)
    ████.37210 > proxy-nue.opensuse.org.http: tcp 0
IP (tos 0x0, ttl 64, id 3916, offset 0, flags [DF], proto TCP (6), length 40)
    ████.37210 > proxy-nue.opensuse.org.http: tcp 0
IP (tos 0x0, ttl 64, id 3917, offset 0, flags [DF], proto TCP (6), length 120)
    ████.37210 > proxy-nue.opensuse.org.http: tcp 80
IP (tos 0x0, ttl 64, id 3918, offset 0, flags [DF], proto TCP (6), length 40)
    ████.37210 > proxy-nue.opensuse.org.http: tcp 0

On Tue, 03 Apr 2018 17:36:02 +0000, heyjoe wrote:

> Why should connecting to the network result in automatic check for proxy
> server? There is no browser open, not even X started. Just plain console.
> Even ntpd is stopped.

There are other network-based apps that run - like pulling the list of
the most recent updates.

tcpdump is not showing you the payload - you’ll want to write it to a
file and open in Wireshark to see what traffic is actually going out.

From what I recall, though, it’s just a ping to see if it can establish a
connection.

Jim


You said it was checking for proxy, now you say something different?

I have not run ‘zypper ref’ or ‘zypper up’ and I have not installed PackageKit. IOW: I have in no way instructed the system explicitly to connect to any host. Why is it doing things I have not told it to do? I.e. - why is it reporting my IP address to some host? (I consider this a privacy issue)

> tcpdump is not showing you the payload - you’ll want to write it to a
> file and open in Wireshark to see what traffic is actually going out.

I understand what you are saying but my concern is about not having such self-initiated connections at all, rather than seeing the content of the packages.

> From what I recall, though, it’s just a ping to see if it can establish a
> connection.

It is not ICMP, it is HTTP.

Sorry to put it this bluntly: And you’re stepping up to help all the people having trouble configuring the stock repos? If so, the devs might consider putting it off. Just have a search through these forums for issues re. connecting to repos (indirectly to SUSE’s infra since they provide our own infrastructure). I could understand the issue if Google or Apple were used, but this is merely for your (well apparently not yours, but lots and lots of other people’s) benefit. AFAIK uninstalling SUSEconnect should stop the attempts. But, like said, it would be nice if you’d step up to support those who disable the service. To add, no sarcasm, cynicism or such intended.

I am not sure if we are discussing the same thing.

  1. My bad: I see I have wrongly set this thread for Leap 42.3. I have actually observed the issue on a 32-bit Tumbleweed system (so please update the thread tag if possible)

  2. Testing the same thing on Leap 42.3 (which has SUSEConnect installed) does not result in automatic outgoing connections. This logically makes one think that this particular package is unrelated. Also logically the following questions arise:

     • Why is TW behaving differently?
     • Is that auto-connection some new feature which is planned to be implemented in Leap 15 and going forward?

  3. What have repos to do with all that? This is simply a restart of rcnetwork - not a request for software update or anything along these lines.

  4. What is the benefit you are talking about?

  5. A little off-topic perhaps but still related to your reply: Before your post I have never heard of SUSEConnect. I went to YaST and read:

SUSEConnect - Utility to register a system with the SUSE Customer Center

This package provides a command line tool and rubygem library for connecting a client system to the SUSE Customer Center. It will connect the system to your product subscriptions and enable the product repositories/services locally.

I can’t recall ever installing this package explicitly, yet it is installed on my Leap system. Considering one who uses openSUSE is not a customer but just a user, why should his system need this package + have it installed by default?

I hope you can shed some light on these matters.

FWIW: Uninstalling SUSEConnect and rebooting changed nothing. Upon ‘rcnetwork restart’ the Tumbleweed system still connects to proxy-nue.opensuse.org.

After a ‘zypper up’ SUSEConnect installed itself again, so I had to add a lock to the package.

Still the issue remains.

@heyjoe: Due to being misinformed, I was wrong in my previous post. Should have checked before posting. Can you see at which moment / by which program/script the attempt is invoked?

The STR is very simple. The system is set to run at runlevel 3 (right from the boot). Then after booting completes I log in as root and run (host name hidden):


# rcnetwork restart;tcpdump -i enp6s7 ip src host ████ and dst host not <myrouter> and dst host not ████ -tq
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode                                       
listening on enp6s7, link-type EN10MB (Ethernet), capture size 262144 bytes                                      
IP ████.60096 > proxy-nue.opensuse.org.http: tcp 0                                                               
IP ████.60096 > proxy-nue.opensuse.org.http: tcp 0                                                               
IP ████.60096 > proxy-nue.opensuse.org.http: tcp 80                                                              
IP ████.60096 > proxy-nue.opensuse.org.http: tcp 0                                                               
^C                                                                                                               
4 packets captured                                                                                               
4 packets received by filter
0 packets dropped by kernel

> by which program/script the attempt is invoked?

That is what I am trying to find out.

Here is the (sanitized) output of ‘systemctl status’

https://susepaste.org/ebe76bce

On Tue, 03 Apr 2018 20:56:01 +0000, heyjoe wrote:

> hendersj;2861518 Wrote:
>>
>> There are other network-based apps that run - like pulling the list of
>> the most recent updates.
>>
> You said it was checking for proxy, now you say something different?

I’m saying that because there are apps that use the connection, checking
for a proxy is useful. I’m not saying definitively that’s what’s
happening - you’re seeing it, and without seeing the exact traffic you’re
seeing, those are guesses.

> I have not run ‘zypper ref’ or ‘zypper up’ and I have not installed
> PackageKit. IOW: I have in no way instructed the system explicitly to
> connect to any host. Why is it doing things I have not told it to do?
> I.e. - why is it reporting my IP address to some host? (I consider this
> a privacy issue)
>
>
>> tcpdump is not showing you the payload - you’ll want to write it to a
>> file and open in Wireshark to see what traffic is actually going out.
>>
> I understand what you are saying but my concern is about not having such
> self-initiated connections at all, rather than seeing the content of the
> packages.

You want to know what it is that’s happening and why the request is being
made? We look at the contents of the payload, and that’ll tell us what’s
being sent or requested.

>> From what I recall, though, it’s just a ping to see if it can establish
>> a
>> connection.
>>
> It is not ICMP, it is HTTP.

You can test for connectivity in ways other than using a ping. Sometimes
ping responds when a proxy is configured, but an HTTP connection can’t be
established.

Only looking at the payload will tell us exactly what’s going on.

Jim



On Wed, 04 Apr 2018 11:56:01 +0000, heyjoe wrote:

>> by which program/script the attempt is invoked?
> That is what I am trying to find out.

Looking at the contents of the packets will help determine that. You’re
showing that a connection is being made but not what’s in the payload.

Jim



Using wireshark I observed 2 HTTP packets and I don’t see any indication about which software is the culprit. I suspect it may be NetworkManager but I have no proof, so it is just a speculation based on the fact that on the TW system I run NM and on the Leap system (where no such connections appear) I use wicked.


Frame 17: 134 bytes on wire (1072 bits), 134 bytes captured (1072 bits) on interface 0
Ethernet II, Src: ████, Dst: Tp-LinkT_05:01:0d (f8:1a:67:05:01:0d)
Internet Protocol Version 4, Src: ████, Dst: 195.135.221.140
Transmission Control Protocol, Src Port: 50722, Dst Port: 80, Seq: 1, Ack: 1, Len: 80
Hypertext Transfer Protocol
GET / HTTP/1.1
    [Expert Info (Chat/Sequence): GET / HTTP/1.1]
    Request Method: GET
    Request URI: /
    Request Version: HTTP/1.1
Host: conncheck.opensuse.org
Accept: */*
Connection: close
[Full request URI: http://conncheck.opensuse.org/]
[HTTP request 1/1]
[Response in frame: 18]

Frame 18: 184 bytes on wire (1472 bits), 184 bytes captured (1472 bits) on interface 0
Ethernet II, Src: Tp-LinkT_05:01:0d (f8:1a:67:05:01:0d), Dst: ████
Internet Protocol Version 4, Src: 195.135.221.140, Dst: ████
Transmission Control Protocol, Src Port: 80, Dst Port: 50722, Seq: 1, Ack: 81, Len: 130
Hypertext Transfer Protocol
HTTP/1.0 204 No Content
    [Expert Info (Chat/Sequence): HTTP/1.0 204 No Content]
    Request Version: HTTP/1.0
    Status Code: 204
    [Status Code Description: No Content]
    Response Phrase: No Content
Cache-Control: no-cache
X-NetworkManager-Status: online
Connection: close
Content-Type: text/plain
[HTTP response 1/1]
[Time since request: 0.045528998 seconds]
[Request in frame: 17]


FWIW even without doing anything periodically tcpdump keeps showing these connections.

So yes, that’s the connection check URL.

Here’s the thread where this was discussed on Factory recently:

https://lists.opensuse.org/opensuse-factory/2016-11/msg00273.html

Jim



Thanks for the link. I see it is a discussion from 2016 and obviously still relevant. Obviously it is NetworkManager which does that. I read the conf file and the man page. Do I understand correctly that to disable this I should add this to [connectivity] section of /etc/NetworkManager/NetworkManager.conf


interval=0

and what can be the cons of doing that?

Yes, or you could remove it… or comment it out perhaps

Refer ‘man NetworkManager.conf’…

CONNECTIVITY SECTION
This section controls NetworkManager’s optional connectivity checking functionality. This allows NetworkManager to detect whether
or not the system can actually access the internet or whether it is behind a captive portal.

   uri
       The URI of a web page to periodically request when connectivity is being checked. This page should return the header
       "X-NetworkManager-Status" with a value of "online". Alternatively, it's body content should be set to "NetworkManager is
       online". The body content check can be controlled by the response option. If this option is blank or missing, connectivity
       checking is disabled.
   interval
       Specified in seconds; controls how often connectivity is checked when a network connection exists. If set to 0 connectivity
       checking is disabled. If missing, the default is 300 seconds.
   response
       If set controls what body content NetworkManager checks for when requesting the URI for connectivity checking. If missing,
       defaults to "NetworkManager is online"
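
An added example, not part of the thread and not NetworkManager's own code: a shell function that applies the rules from the man page excerpt above (a blank or missing `uri` disables the check, `interval=0` disables it, a missing `interval` means 300 seconds) to configuration text on stdin. The helper name `nm_conncheck_state` is hypothetical, and the sample input is constructed, with its URI taken from the capture earlier in the thread.

```shell
#!/bin/sh
# Added example: decide whether NetworkManager's connectivity check is active,
# using only the [connectivity] rules quoted from 'man NetworkManager.conf'.

nm_conncheck_state() {
    # Reads NetworkManager.conf-style text on stdin, prints one verdict line.
    # When several files are concatenated, a later key overrides an earlier one.
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*\[/ {                              # section header
            s = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
            insec = (s == "connectivity")
            next
        }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "uri")      uri = val
            if (key == "interval") { interval = val; have_int = 1 }
        }
        END {
            if (uri == "") { print "disabled: uri blank or missing"; exit }
            if (!have_int) interval = 300          # documented default
            if (interval + 0 == 0) { print "disabled: interval=0"; exit }
            print "enabled: GET " uri " every " interval "s"
        }
    '
}

# Constructed sample: a [connectivity] section that sets the URI, followed by
# a local override that sets interval=0 as proposed in the thread.
nm_conncheck_state <<'EOF'
[main]
plugins=keyfile

[connectivity]
uri=http://conncheck.opensuse.org

[connectivity]
interval=0
EOF

# On a live system the merged configuration can be piped in instead:
#   NetworkManager --print-config | nm_conncheck_state
```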

On Thu, 05 Apr 2018 07:46:01 +0000, heyjoe wrote:

> hendersj;2861690 Wrote:
>> So yes, that’s the connection check URL.
>>
>> Here’s the thread where this was discussed on Factory recently:
>>
>> https://lists.opensuse.org/opensuse-factory/2016-11/msg00273.html
>>
>>
> Thanks for the link. I see it is a discussion from 2016 and obviously
> still relevant. Obviously it is NetworkManager which does that. I read
> the conf file and the man page. Do I understand correctly that to
> disable this I should add this to [connectivity] section of
> /etc/NetworkManager/NetworkManager.conf
>
>
> Code:
> --------------------
>
> interval=0
>
> --------------------
>
>
> and what can be the cons of doing that?

I’ve not felt the need to do this myself, but yes, that’s my read of the
information as well.

As for the cons - well, if you connect to a network that uses a captive
portal, you’re not going to be prompted to authenticate before trying to
access the network - you’ll have to do that manually. There may be other
things, but you’ll probably end up discovering them, as I’m sure nobody’s
enumerated all of the possible things that might change as a result of
disabling this setting.

Jim



Thanks everyone.