Launching chrome adds port forwards

2

I've installed Google Chrome using the google-chrome brew cask, a while ago.

This morning I noticed that I have various ports forwarded on my Mac to random places, as shown by the lsof command…

$ sudo lsof -i :80
COMMAND    PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Google    4820 skylab  109u  IPv4 0x4409242e9a43494f      0t0  TCP 192.168.20.157:52376->104.16.33.193:http (ESTABLISHED)
Google    4820 skylab  172u  IPv4 0x4409242e9a5ac55f      0t0  TCP 192.168.20.157:52308->104.16.33.193:http (ESTABLISHED)
Google    4820 skylab  173u  IPv4 0x4409242e9a931edf      0t0  TCP 192.168.20.157:52182->a23-63-99-40.deploy.static.akamaitechnologies.com:http (ESTABLISHED)
Google    4820 skylab  200u  IPv4 0x4409242e9a39fc8f      0t0  TCP 192.168.20.157:52226->lhr25s02-in-f98.1e100.net:http (ESTABLISHED)

I've tried disabling all my extensions & also deleted all the Chrome Apps from the only user I am currently logged in as, but the port forwards are still appearing. I've also removed & re-installed the Chrome cask.

Can anyone advise why these are here (if legitimate), or how to remove them (if not)?

TobyG

Posted 2016-05-24T09:23:08.077

Reputation: 143

Answers

3

That's… not a "port forward". That's a regular connection to a website.

  • First of all, lsof doesn't show "port forwards" – that's something only your router's configuration could show. (True, there are tools to retrieve it via UPnP, but lsof is not that.)

    What it shows is just live connections, similar to netstat except sorted by process. (Technically it shows information of sockets and other kinds of file descriptors that processes can hold; the -i :80 filters it down to the specific port.)

  • Also notice that all four connections use the standard port http (80) on the remote end, so they're almost guaranteed to be outgoing connections to destination port 80.

    (Not just because it's much more likely than a mysterious incoming connection, but also because an incoming connection would practically never use such a low source port either).

    (Though, as a side note, the arrow in lsof doesn't mean "client→server", it just means "local→remote". TCP doesn't actually remember which side was the client, so lsof does not know it either.)

  • Finally, all the listed remote endpoints are well-known web servers:

    • 104.16.33.193 is CloudFlare, a CDN provider used by many websites;
    • a23-63-99-40.deploy.static.akamaitechnologies.com is Akamai, likewise;
    • lhr25s02-in-f98.1e100.net is Google.

user1686

Posted 2016-05-24T09:23:08.077

Reputation: 283 655

Thanks for the prompt reply, and lovely, thorough response. Very helpful – TobyG – 2016-05-24T14:07:34.827
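
The port-based reading described in the answer above, as an added example that is not part of the original answer: a shell function that labels each socket in `lsof -i` output as listening, likely outbound or likely inbound. The function names, verdict labels and the two `httpd` sample lines are constructed for illustration, and treating any named port as a service port is an assumption.

```shell
#!/bin/sh
# Added example (not from the original answer): label each socket in
# `lsof -i` output. Heuristic only, since TCP does not record who connected.

classify_lsof() {
    awk '
    function port_of(ep,    n, parts) { n = split(ep, parts, ":"); return parts[n] }
    # A service name (e.g. "http") means lsof found the port in /etc/services;
    # treating every named port as a service port is an assumption. Use -P for numbers.
    function is_service(p) { return (p !~ /^[0-9]+$/) || (p + 0 < 1024) }

    $1 == "COMMAND" { next }                      # header row
    {
        name = $9; state = $10
        gsub(/[()]/, "", state)
        if (index(name, "->") == 0) {             # no remote end: not a connection
            print $1, $2, name, (state == "LISTEN" ? "listening" : "bound")
            next
        }
        split(name, ends, "->")                   # lsof prints local->remote
        l = is_service(port_of(ends[1])); r = is_service(port_of(ends[2]))
        if (r && !l)      verdict = "outbound-likely"
        else if (l && !r) verdict = "inbound-likely"
        else              verdict = "undetermined"
        print $1, $2, ends[2], verdict
    }'
}

# Constructed sample: two lines in the format of the question, two invented ones.
sample_lsof() {
    cat <<'EOF'
COMMAND    PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Google    4820 skylab  109u  IPv4 0x4409242e9a43494f      0t0  TCP 192.168.20.157:52376->104.16.33.193:http (ESTABLISHED)
Google    4820 skylab  200u  IPv4 0x4409242e9a39fc8f      0t0  TCP 192.168.20.157:52226->lhr25s02-in-f98.1e100.net:http (ESTABLISHED)
httpd      901   root    4u  IPv4 0x0000000000000001      0t0  TCP *:80 (LISTEN)
httpd      902   _www    9u  IPv4 0x0000000000000002      0t0  TCP 192.0.2.10:80->198.51.100.7:50123 (ESTABLISHED)
EOF
}

sample_lsof | classify_lsof
```

On a live machine, pipe `sudo lsof -i -P -n` into `classify_lsof` so that ports stay numeric and the named-port assumption is not needed.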