[tor-talk] Curious about some Tor-related firewall messages

perselev at riseup.net
Mon Jul 15 00:36:03 UTC 2013


Hi all, first post on this list.

I am using TBB 3.0 alpha2 on a Linux laptop, with the UFW firewall
installed (settings: "Default: deny (incoming), allow (outgoing)"). I
registered a handful of Tor-related UFW BLOCK messages in the syslog
today, and I am curious about what they mean (probably nothing malicious,
but I'm just checking).

Scenario:

TBB was running when I hibernated the laptop. When I brought it back up
shortly after (~1 min), the OS froze with a black screen for some reason
(I assume some Linux hibernation issue) and I had to do a hard reboot.

After rebooting and logging in, I saw a handful of UFW BLOCK messages in
the syslog, starting immediately after reboot time (00:34). Like this:

Jul 15 00:35:18 xxxxxx kernel: [   53.302866] [UFW BLOCK] IN=wlan0 OUT=
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=yy.yyy.yy.yy
DST=10.0.0.24 LEN=626 TOS=0x00 PREC=0x00 TTL=51 ID=54093 DF PROTO=TCP
SPT=443 DPT=38712 WINDOW=42 RES=0x00 ACK PSH URGP=0

(My hostname and MAC address replaced with x's and the blocked IP replaced
with y's).

The blocked IP was from a Tor relay (I checked the Tor Network Map).
During the first ~7 minutes after boot (00:35-00:42) I got four UFW BLOCK
entries from that IP plus eleven from another IP (also a Tor relay), and
the only difference was DPT=37451 for the 2nd IP.

I haven't seen any Tor-related UFW BLOCK messages before or after this
incident. I did another hibernate/reboot with TBB running shortly after to
see if I could reproduce the messages, but I didn't see anything.

I'm assuming there was an attempt to reconnect with the relay IPs in
question as my computer came back online (since TBB was running at
hibernate time and it was offline for only a minute or so), but I'm not
sure.

Anything to worry about?
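
An added example, not part of the original post: a small triage script for `[UFW BLOCK]` lines in the format quoted above. It groups blocked packets by source and ports and separates packets that open a new inbound connection (SYN without ACK) from mid-stream segments such as `ACK PSH`, which a stateful firewall drops when it holds no connection-tracking entry for them. The sample lines, addresses and category names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel log format quoted above.
# Addresses are documentation-range placeholders, not the poster's relays.
SAMPLE = """\
Jul 15 00:35:18 host kernel: [   53.302866] [UFW BLOCK] IN=wlan0 OUT= MAC=xx SRC=203.0.113.7 DST=10.0.0.24 LEN=626 TOS=0x00 PREC=0x00 TTL=51 ID=54093 DF PROTO=TCP SPT=443 DPT=38712 WINDOW=42 RES=0x00 ACK PSH URGP=0
Jul 15 00:36:02 host kernel: [   97.118204] [UFW BLOCK] IN=wlan0 OUT= MAC=xx SRC=198.51.100.9 DST=10.0.0.24 LEN=52 TOS=0x00 PREC=0x00 TTL=49 ID=1201 DF PROTO=TCP SPT=443 DPT=37451 WINDOW=42 RES=0x00 ACK FIN URGP=0
Jul 15 00:36:40 host kernel: [  135.400112] [UFW BLOCK] IN=wlan0 OUT= MAC=xx SRC=192.0.2.50 DST=10.0.0.24 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Return the KEY=VALUE fields of a UFW BLOCK line plus a 'FLAGS' set."""
    if "[UFW BLOCK]" not in line:
        return None
    tokens = line.split("[UFW BLOCK]", 1)[1].split()
    rec = dict(t.split("=", 1) for t in tokens if "=" in t)
    # Bare tokens such as ACK or PSH are the TCP flags set on the packet.
    rec["FLAGS"] = {t for t in tokens if t in TCP_FLAGS}
    return rec


def classify(rec):
    """Label a blocked packet by what its TCP flags say about the connection."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-inbound-connection"   # a remote host opening a connection
    if "SYN" in flags:
        return "syn-ack-reply"            # answer to a SYN the firewall has no record of
    return "mid-stream-no-state"          # data/teardown for an untracked connection


def summarize(text):
    """Count blocked packets per (SRC, SPT, DPT, classification)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["SRC"], rec["SPT"], rec["DPT"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```

Real syslog entries are one line each; the quoted entry in the post is wrapped by the mail client, so rejoin such lines before feeding them to `summarize`.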


