Wifi-Calling & firewall fun

I had observed odd firewall log entries caused by my cell phone, and now I have finally found some time to look into it. So here are my findings – maybe they help someone out there 😉

Traces in firewall logs

So what did I observe? First of all, my firewall complained about certain connections from my cell phone to the following IP and port:

139.7.117.168:500	udp

The IP has no reverse DNS entry, so I started searching the web. I soon found some pointers to my cell provider Vodafone requiring connections to UDP ports 500 and 4500 in order to make Wi-Fi calling work. (UDP 500 is IKE, the key exchange that sets up the IPsec tunnel between the phone and the operator's ePDG gateway; UDP 4500 is IKE and ESP with NAT traversal, which is what a phone behind a home router actually ends up using, so no separate rule for the ESP protocol is needed. If you want to know more about the protocols involved have a look at IPsec and IKE.)

There was also mention of certain host names, of the form (where <MNC> and <MCC> are 3-digit numbers):

epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org

So I checked my DNS query logs and indeed found the following entries matching that pattern:

epdg.epc.mnc001.mcc262.pub.3gppnetwork.org
epdg.epc.mnc002.mcc262.pub.3gppnetwork.org

Let’s look up the IPs behind the host names (note that for the mnc002 name dig +short first prints the CNAME target, epdg.epc.drz1.vodafone-ip.de, and then the A records):

linux > dig +short epdg.epc.mnc002.mcc262.pub.3gppnetwork.org
epdg.epc.drz1.vodafone-ip.de.
139.7.117.168
139.7.117.169

linux > dig +short epdg.epc.mnc001.mcc262.pub.3gppnetwork.org
109.237.187.146
109.237.187.147
109.237.187.149
109.237.187.150
109.237.187.151
109.237.187.153
109.237.187.157
109.237.187.158
109.237.187.159
109.237.187.154
109.237.187.155
109.237.187.145

According to the Mobile Country Codes (MCC) and Mobile Network Codes (MNC) tables, <MCC>=262 stands for “Germany”; <MNC>=002/004/009 means “Vodafone” and <MNC>=001/006/078 means “T-Mobile”. So the two names in my DNS logs belong to the Vodafone and the T-Mobile ePDG respectively.

Firewall config (OPNsense)

OK, once I had that information I added some aliases and rules to my OPNsense firewall:

First of all, two host aliases (one per operator) containing the above DNS names, or better all possible ones, substituting each operator's MNC values into the pattern. For Vodafone, for example, the alias contains the following host names:

epdg.epc.mnc002.mcc262.pub.3gppnetwork.org
epdg.epc.mnc004.mcc262.pub.3gppnetwork.org
epdg.epc.mnc009.mcc262.pub.3gppnetwork.org

I added another alias, a port alias for 500 and 4500, and then added a rule allowing my cell phone’s IP to reach that port alias (UDP) on all host aliases.
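As an added example (not part of the original post), the following POSIX shell script puts the legwork above into one place: it enumerates the ePDG host names for an MCC and a list of MNCs (the content of the host aliases), decodes a name from the DNS query log back into MCC and MNC and the operator names given above, resolves names with dig the way the OPNsense host alias does, and checks whether a blocked “IP:port proto” log entry is Wi-Fi-calling traffic against the resolved addresses. The function names, the demo log entries and the VODAFONE_EPDG_ADDRS list are constructed for this example; the address list reuses the two addresses dig returned for the mnc002 name above, and the MCC/MNC values are the ones listed in the post.

```shell
#!/bin/sh
# Added example: ePDG host-name enumeration, decoding and log matching.
# Function names, the demo log entries and VODAFONE_EPDG_ADDRS are constructed
# for this example; the MCC/MNC values are the ones listed in the post.

# Print epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org for every MNC given.
# MCC and MNCs are passed as 3-digit strings (e.g. 262 002 004 009) so that
# leading zeros survive; printf %d would read "009" as a bad octal number.
# Usage: epdg_hostnames MCC MNC [MNC...]
epdg_hostnames() {
    mcc=$1
    shift
    for mnc in "$@"; do
        printf 'epdg.epc.mnc%s.mcc%s.pub.3gppnetwork.org\n' "$mnc" "$mcc"
    done
}

# Decode a host name from the DNS query log back into "MCC MNC".
# Returns 1 (and prints nothing) if the name is not an ePDG name.
epdg_decode() {
    case $1 in
        epdg.epc.mnc[0-9][0-9][0-9].mcc[0-9][0-9][0-9].pub.3gppnetwork.org) ;;
        *) return 1 ;;
    esac
    mnc=${1#epdg.epc.mnc}; mnc=${mnc%%.*}
    mcc=${1#*.mcc};        mcc=${mcc%%.*}
    printf '%s %s\n' "$mcc" "$mnc"
}

# Map MCC/MNC to the German operators named in the post.
# Usage: epdg_operator MCC MNC
epdg_operator() {
    case "$1-$2" in
        262-002|262-004|262-009) echo Vodafone ;;
        262-001|262-006|262-078) echo T-Mobile ;;
        *) echo unknown; return 1 ;;
    esac
}

# Resolve host names to IPv4 addresses, i.e. what the OPNsense host alias ends
# up containing. Needs dig and network access; the grep drops the CNAME target
# that dig +short prints ahead of the A records (epdg.epc.drz1.vodafone-ip.de.
# in the output above). Not used by the offline demo below.
epdg_resolve() {
    for name in "$@"; do
        dig +short "$name"
    done | grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u
}

# Is a blocked "DST:PORT PROTO" log entry Wi-Fi-calling traffic? True only for
# UDP to 500 (IKE) or 4500 (IKE/ESP NAT traversal) with a destination that is
# in the newline-separated address list.
# Usage: is_epdg_traffic 139.7.117.168:500 udp "$ADDRS"
is_epdg_traffic() {
    dst=${1%:*}
    port=${1##*:}
    proto=$2
    addrs=$3
    [ "$proto" = udp ] || return 1
    case $port in
        500|4500) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$addrs" | grep -qxF "$dst"
}

# Offline demo with constructed data: the two addresses dig returned for the
# mnc002 name in the post stand in for the resolved alias.
VODAFONE_EPDG_ADDRS='139.7.117.168
139.7.117.169'

echo "Vodafone alias entries:"
epdg_hostnames 262 002 004 009
echo "T-Mobile alias entries:"
epdg_hostnames 262 001 006 078

name=epdg.epc.mnc001.mcc262.pub.3gppnetwork.org
mccmnc=$(epdg_decode "$name")
echo "$name -> MCC ${mccmnc% *} MNC ${mccmnc#* } ($(epdg_operator ${mccmnc% *} ${mccmnc#* }))"

for entry in 139.7.117.168:500 139.7.117.169:4500 139.7.117.168:53; do
    if is_epdg_traffic "$entry" udp "$VODAFONE_EPDG_ADDRS"; then
        echo "$entry udp: ePDG traffic, allow"
    else
        echo "$entry udp: not ePDG traffic"
    fi
done
```

One caveat worth keeping in mind with host aliases: the firewall fills the alias from its own DNS resolution, on its own schedule. If the phone uses a different resolver, or the operator steers clients to different ePDG addresses over time, the phone can end up connecting to an address the alias does not (yet) contain and the blocked entries come back. Having the phone use the firewall's resolver keeps both views of the name consistent, and re-running epdg_resolve against the log entries is a quick way to tell a stale alias from a genuinely unexpected destination.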

I turned Wi-Fi off and on again, and there is no trace of blocked traffic in the firewall logs anymore.
