Do I have open ports being scanned? -No
Once a browser is opened, regardless of the activity/inactivity/website visited, I noticed there was a large volume of data transferred constantly to one of 4 CIDR servers. Upon searching these, they show up in some known ad block lists. They primarily pull encrypted packets across HTTP. Even with HTTP disabled in UFW, it was still transferring hundreds of megabytes every few seconds. I finally blocked all of the TCP connections with an iptables filter that blocks all the ranges, including incoming, outgoing, forwarding, and established. I can still see the dropped UDP packets in my log. They have random IP addresses in the CIDR range and they do odd things like lots of invalid addresses. At least as it is logged, the IPv4 address is transposed into an IPv6 in random ways, and otherwise incomplete addresses are used. I thought perhaps the entire issue was some addon, but it happens even when these are removed. Blocking all of these addresses has no effect on the websites I visit. Using Whois on the IP ranges shows nothing about my ISP. I know their IP and servers from browsing Shodan. The servers in question are all in the US, but none are even in my region. The most common block of addresses sometimes resolves as Amazon AWS in logs and the server is registered at MIT. The logs show a UDP packet dropped around every 3 seconds. I'd rather block this traffic from the network completely if possible. I have Firefox containerized, so the traffic is killed as soon as I close the browser. I just made the switch to Fedora Silverblue as well, so I KNOW I'm in control.
This is all a curiosity more than anything. I’m interested in a career in hardware development and looking at how to lock down a system as much as possible. My interests have been in embedded hardware/firmware/RTOS systems, not networking or security. This subject is a tangential distraction, turned curiosity. It’s possible I misunderstand some aspect of this and am chasing a non issue. It is odd that blocking this information causes no issues with the sites requested, and just the act of opening a browser to any web page results in the near constant flow of hundreds of megabytes of data. I’ve done the TCPdumps and checked them with Wireshark. It’s all just a garbled encrypted mess.
So no, I don't have open ports... until I open a browser.
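One way to triage a dropped-packet log like the one described in the post, added here as an example and not the poster's own setup: it parses netfilter LOG lines (constructed samples, assumed to use the SRC=/DST=/PROTO= key=value form), unwraps IPv4-mapped IPv6 addresses (one plausible reason an IPv4 address would appear "transposed" into IPv6 in a log, which is an assumption here), buckets hits by blocked CIDR and protocol, and measures the average gap between drops.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in netfilter LOG format (not real log data).
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: [1.0] DROP-RANGE IN= OUT=wlp2s0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=UDP SPT=443 DPT=51000
Jan 10 12:00:04 host kernel: [4.0] DROP-RANGE IN=wlp2s0 OUT= SRC=::ffff:203.0.113.9 DST=::ffff:192.0.2.10 PROTO=UDP SPT=443 DPT=51000
Jan 10 12:00:07 host kernel: [7.0] DROP-RANGE IN= OUT=wlp2s0 SRC=192.0.2.10 DST=203.0.113.200 PROTO=TCP SPT=51001 DPT=80
Jan 10 12:00:10 host kernel: [10.0] DROP-RANGE IN= OUT=wlp2s0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=443 DPT=51002
"""

# Constructed placeholder ranges standing in for the blocked CIDRs.
BLOCKED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]

FIELD_RE = re.compile(r"(SRC|DST|PROTO)=(\S+)")
TS_RE = re.compile(r"\[\s*(\d+\.\d+)\]")  # kernel uptime stamp, e.g. "[ 4.0]"


def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def summarize(log_text, blocked_cidrs):
    """Count dropped packets per (blocked range, protocol) and the mean gap between them."""
    nets = [ipaddress.ip_network(c) for c in blocked_cidrs]
    counts = Counter()
    stamps = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if not {"SRC", "DST", "PROTO"} <= fields.keys():
            continue  # not a netfilter LOG line
        for addr in (fields["SRC"], fields["DST"]):
            ip = normalize(addr)
            hit = next((str(n) for n in nets if ip.version == n.version and ip in n), None)
            if hit:
                counts[(hit, fields["PROTO"])] += 1
                m = TS_RE.search(line)
                if m:
                    stamps.append(float(m.group(1)))
                break  # count each packet once even if both ends match
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    avg_gap = sum(gaps) / len(gaps) if gaps else None
    return counts, avg_gap


if __name__ == "__main__":
    counts, avg_gap = summarize(SAMPLE_LOG, BLOCKED_CIDRS)
    for (net, proto), n in sorted(counts.items()):
        print(f"{net:18} {proto:4} {n} dropped")
    print(f"average gap between drops: {avg_gap} s")
```

On a real box the input would be `journalctl -k` or `/var/log/kern.log` output filtered for the rule's log prefix, and the CIDR list would be the ranges actually in the iptables filter.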