Is a simple method of blocking a particular domain name or IP address set available
On Thu, May 17, 2018 at 10:48:25PM +0800, Bret Busby wrote:
> Continuous Internet traffic is shown to be occurring.
You generally want to establish and be clear about whether it's inbound
or outbound. In my answer below I've covered both, but I expect only
one direction is actually relevant.
> Etherape shows it to involve a single domain name (llnw.net) and its
> IP address set (117.121.253.xxx).
> I have tried to add a rule to deny it, using the Ubuntu firewall
> software available through the Control Centre, but it requires, and,
> limits each rule to, a single port number (which I do not know how to
> find, for the traffic).
Do you mean ufw? It accepts a port number, yes, but it's optional.
sudo ufw deny in from 188.8.131.52/24
sudo ufw deny out to 184.108.40.206/24
sudo ufw enable
(I know that a graphical interface to this exists, gufw, but I'm not
familiar with it.)
There are many ways to find the port number; big hammers such as
wireshark or tcpdump would show it straight away, or you could use the
-P option to iftop (and -N if you don't want to resolve the port number
to a service name, though ufw can take service names too).
> It seems to me, to be spyware.
Of course, if you actually have spyware installed on your computer (hard
to tell with any degree of confidence from what you've said), then
simply denying its ability to talk to its controller on the internet is
only papering over the problem at best.
Colin Watson [cjwatson at ubuntu.com]