unknown outbound traffic on TCP/2096

Started by matt_bianco, October 03, 2025, 03:48:42 PM

Hi,

I'm seeing traffic generated from my OPNsense/Zenarmor host: attempted outbound connections to various public IPs (e.g. 104.26.12.173) in Cloudflare on TCP/2096. I block these with another firewall vendor's appliance in front of the OPNsense host, as I need to identify the process causing these connections.

Please could someone advise what is causing this? It looks like Cloudflare Proxy.

Many Thanks,

Matt

Best to just block it if you don't want to be a security-analyst IP hunter, if you have nothing to do with Cloudflare:
if you have no subscription from them, if you were not on a browser page with their ad or products.
Do you use their DNS service?
It could also be spoofed; there are ways to know.
A connection through a browser is where 95 percent of hacking comes from, no password required.
What causes it, if it's not legit?
Connections can be made by beacons, anchors, embedded software, etc. in anything like videos, pictures, websites, etc.
You should have no unauthorised connections; the internet has changed recently, really changed.
Just block it if you know you don't need it. There are programs that track them in your system:
Wazuh, AppArmor, Zenarmor, Suricata, etc.
and blockers for ads and such: Suricata, Pi-hole, CrowdStrike, etc.
Blocking them is what the other programs will do.
Unless you find out it's needed, then unblock it.

October 05, 2025, 02:52:24 AM #2 Last Edit: October 05, 2025, 02:58:22 AM by someone
Note: the firewall will not block a connected IP.
They can put something, a file, in your computer to always make the connection again,
like a beacon: it sends your IP to them to let them know you're online, and they already have a permanent connection.
I don't know if that's your case; keep watching your connections.
And some IPs make a connection for what seems like a hundred years.
Suricata will, I think, block a connection; I'll have to try that.
A connection through your browser is different.
Some things to get rid of it:
clear browser history;
nmcli command to clear all connections.
If it persists:
did you go to the same browser page?
That's where some of these other programs are good, to tell you if they planted a file in your system.
Did you save a picture? Best to take screenshots, etc.
Did you download something?

Hi,

This connection is used for web category queries to Zenarmor Web Reputation servers. Blocking it will disrupt the functionality of the web reputation feature.
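Given that answer, the useful triage check is whether every outbound TCP/2096 flow actually originates from the firewall host itself (consistent with Zenarmor's web-reputation lookups) or whether some other internal host is also talking to that port, which that explanation does not cover. The script below is an added example, not code from the thread or from Zenarmor; the log format, the firewall address 192.168.1.1 and the 198.51.100.x/203.0.113.x addresses are constructed, and only 104.26.12.173 comes from the original post.

```python
"""Triage outbound TCP/2096 flows from exported firewall logs."""
import re
from collections import Counter, defaultdict

# Assumed LAN address of the OPNsense/Zenarmor host (constructed).
FIREWALL_HOST = "192.168.1.1"

# Constructed sample log lines in a simplified "timestamp dir proto src:sport -> dst:dport"
# layout; not real OPNsense filterlog output.
SAMPLE_LOG = """\
2025-10-03 15:48:42 out tcp 192.168.1.1:51234 -> 104.26.12.173:2096
2025-10-03 15:48:43 out tcp 192.168.1.1:51235 -> 198.51.100.25:2096
2025-10-03 15:49:10 out tcp 192.168.1.50:40111 -> 203.0.113.7:2096
2025-10-03 15:49:11 out udp 192.168.1.1:5353 -> 224.0.0.251:5353
2025-10-03 15:50:02 out tcp 192.168.1.1:51236 -> 104.26.12.173:2096
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (in|out) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$"
)


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, direction, proto, src, sport, dst, dport = m.groups()
        yield {"ts": ts, "dir": direction, "proto": proto,
               "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def triage_2096(log, firewall_host=FIREWALL_HOST, port=2096):
    """Return (expected, unexplained): destination counts for outbound TCP/<port>
    flows sent by the firewall host itself, and per-source destination lists
    for any other internal host using the same port."""
    expected = Counter()
    unexplained = defaultdict(list)
    for f in parse(log):
        if f["dir"] != "out" or f["proto"] != "tcp" or f["dport"] != port:
            continue
        if f["src"] == firewall_host:
            expected[f["dst"]] += 1
        else:
            unexplained[f["src"]].append(f["dst"])
    return dict(expected), dict(unexplained)


if __name__ == "__main__":
    exp, unexp = triage_2096(SAMPLE_LOG)
    print("firewall-originated TCP/2096 destinations:", exp)
    print("TCP/2096 from other hosts (needs a look):", unexp)
```

On the sample data the firewall's own two destinations are reported as expected, while the flow from 192.168.1.50 is listed separately because the Zenarmor explanation does not account for it.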