Hi I set a rule in my IPFW configuration to deal with this traffic
I noticed a pattern of denied packets being logged by the system firewall such as this sample. ipfw: 5400 Deny UDP 192.168.1.101:49216 255.255.255.255:2222 out via en1 ipfw: 5400 Deny UDP 192.168.1.101:49217 255.255.255.255:2222 out via en1 ipfw: 5400 Deny UDP 192.168.1.101:49218 255.255.255.255:2222 out via en1 whenever I started one of the Office programs. The pattern consists of packets transmitted from the system on a incrementing high-numbered port with a broadcast destination of 255.255.255.255:2222. Port 2222 is listed by IANA as being assigned to "rockwell-csp2". A quick Internet search provided little information on the intended usage of this port. More interesting was the discovery that the appearance of this particular pattern apparently coincides with the launching of any of the programs included in the Microsoft Office X suite of applications. Excel, Word, Power Point, and Entourage all seem to attempt to broadcast a few packets at startup, and again at random intervals while the program(s) are running. MS Virtual PC also attempts a broadcast, but to the same destination port as the source port rather than to port 2222. I captured a sampling of this behavior with the network traffic analyzer "ethereal" but I was unable to decode the contents of the transmitted packets. On program exit Word issues a message "Word is attempting to connect to the printer". The timing of this message coincides with a log entry as described earlier. This phenomenon turns out to be an anti-piracy scheme that checks for duplicate registration numbers on the local subnet. If there is, both copies will shut down and send a nastygram to the respective screens. http://www.ciac.org/ciac/techbull/CIACTech02-003.shtml further explains this activity I block all outbound broadcast traffic to that port without any ill effect on the operation of Office. I've done this with both "X" and "2004" without impairing the function of Office that I can see. No printing problems are noted on my system as a result of dropping this traffic. Claude On 6/23/05 1:42 PM, "Todd McKerchar" <[EMAIL PROTECTED]> wrote: > Hey Folks: > > Ever since upgrading to Tiger, I've noticed that every time I close a > Microsoft Office application I get "The application "Microsoft Word > [or excel or powerpoint]" wants to connect to ..." warning from > LittleSnitch. I have even told LS to deny "any network connection" > forever. No matter what setting I apply in the LS window, Microsoft > Office still tries to connect whenever the program is closed. > > Forgive me if this has been discussed before. I did a quick search > and came up with nothing. Any ideas on how I can get this to stop? > > Thanks, > > Todd > _______________________________________________ > Littlesnitch-talk mailing list > [email protected] > http://at.obdev.at/mailman/listinfo/littlesnitch-talk > _______________________________________________ Littlesnitch-talk mailing list [email protected] http://at.obdev.at/mailman/listinfo/littlesnitch-talk
