Suspected IP Address Leak in Pamac

Copied from here:

Basically I was recording the traffic to see if my Transparent Tor Proxy was working and discovered that my PC opened a connection to gitlab.[OMITTED].org and although my SYN (connection) request appears to have gone through Tor the server was connecting back with me over the clearnet! It pushed megabytes to me over clearnet and I was ACK’ing (acknowledging the packets) over Tor!! When the file was finished downloading the connection was promptly closed, but I don’t know what the file was. Is there anything in Manjaro that is designed to talk to a host and that provides the client’s IP address? I’m quite certain I had Pamac open at the time and was browsing packages. I currently had auto-updates turned off.

I’m just wondering how this happened!

It seems like a massive leak. I’m going to try to work out a way to fix it in terms of ignoring such connection requests, but if someone can point me/us in the right direction that would be good. And if someone can identify whether Pamac is leaking one’s IP address that would be most helpful.

EDIT: I should mention that a DNS lookup to the gitlab.[OMITTED].org address occurred first.

Well that is not possible.

If you request a packet over Tor, then the server knows only the Tor IP and sends it back over Tor. How would the server know your REAL IP if you request a packet from the Tor IP?

I guess there is a misunderstanding at interpreting the logs.

Or, you are only proxying IPv4 and it’s using IPv6 in Pamac.

Checked again but it’s IPv4.

Maybe this is it. I was expecting the traffic to look like Tor Browser’s / Torsocks traffic. I’m new to this.

NetworkManager connectivity check

$ cat /usr/lib/NetworkManager/conf.d/20-connectivity.conf
[connectivity]
uri=http://ping.manjaro.org/check_network_status.txt

You can disable it by copying the file to /etc/NetworkManager/conf.d and modifying the URL to something of your own.

But either way you have an issue with your configuration - don’t ask what - your setup is unsupported.

Pamac has a timer for rebuilding the mirror list. This timer triggers pacman-mirrors which in turn will download mirrors.json and status.json from repo.manjaro.org - this is documented behaviour.

How might the NetworkManager connectivity check be relevant to this? I already know the connection works.

CONTINUING FROM ABOVE

I’ve been running tests. As I expected healthy traffic looks (basically) like tor traffic.

Unless gitlab.[OMITTED].org:443 is running a Tor node over the HTTPS port, something is seriously wrong and it’s not with my setup per se. Somehow data in a packet is leaking to gitlab.[OMITTED].org telling it how to connect with me over the clearnet.

It has not happened since that one time. (EDIT: Approx 4 MB was delivered to me in the space of about a minute.)

EDIT 2:

Thanks. The gitlab.[OMITTED].org site is not in that list. Could the 4 MB be pictures from browsed apps? How do I clear the pictures from the cache? I’ll try going through them again to see if I can replicate the issue. Is there a packet sniffer for SSL I can use to see what is being sent?

No, that’s the whole purpose of TLS.

You are implying that Manjaro is having malicious intent - you couldn’t be more wrong.

You are assuming

  • you are assuming your setup is perfect
  • you are assuming that Manjaro can circumvent your setup
  • you are assuming that Manjaro has a reason for doing so

All assumptions are wrong.

You can use Wireshark to monitor your traffic. Or Fiddler, which can create a MitM-like scenario to create a proxy with a self-signed certificate, thus decrypting traffic.

Either way you will only discover flaws in your setup. You will not find any evidence of Manjaro being malicious, which is what you are implying…
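The check that the capture above asks for can be mechanised. The following script is an added example written for this thread; it is not code from the thread, from Manjaro or from Pamac. It assumes a transparent-proxy setup in which every external TCP connection is redirected into Tor, so the only public addresses the host should ever exchange packets with are its Tor guards/relays (a list the real setup would take from the Tor client’s own logs or the consensus; here the relay addresses, the host address and the capture lines are all constructed, and the names parse_line, classify and leak_report are hypothetical). DNS leaving the machine in the clear is flagged separately, because in the original report a clear DNS lookup preceded the suspicious connection.

```python
"""Classify captured flows from a host behind a transparent Tor proxy.

Added example (not from the thread or from Manjaro/Pamac). Assumptions:
  - all external TCP is redirected into Tor, so any flow with a public
    peer must be to/from a known Tor guard/relay (TOR_RELAYS, constructed);
  - UDP/53 that is not to loopback (Tor's DNSPort) bypasses Tor;
  - loopback, RFC 1918 and link-local traffic is expected and not a leak;
  - anything else with a public peer is a leak candidate to explain.
"""
import ipaddress
from dataclasses import dataclass

HOST = "192.168.1.20"                              # constructed observer
TOR_RELAYS = {"198.51.100.7", "203.0.113.42"}     # constructed guard IPs

# Explicit list rather than ipaddress.is_private, whose contents changed
# across Python versions and which also counts the TEST-NET ranges used here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str  # "tcp" or "udp"


def parse_line(line: str) -> Flow:
    """Parse the constructed line format: '<proto> <src>:<sport> > <dst>:<dport>'."""
    proto, src, _, dst = line.split()
    shost, sport = src.rsplit(":", 1)
    dhost, dport = dst.rsplit(":", 1)
    return Flow(shost, dhost, int(sport), int(dport), proto)


def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def classify(flow: Flow) -> str:
    """Return one of: local, dns-leak, lan, tor, clearnet-leak."""
    peer = flow.dst if flow.src == HOST else flow.src
    if ipaddress.ip_address(peer).is_loopback:
        return "local"                 # e.g. Tor's DNSPort/TransPort on 127.0.0.1
    if flow.proto == "udp" and 53 in (flow.sport, flow.dport):
        return "dns-leak"              # plaintext DNS leaving the host bypasses Tor
    if is_local(peer):
        return "lan"
    if flow.proto == "tcp" and peer in TOR_RELAYS:
        return "tor"                   # the only public peers a full redirect allows
    return "clearnet-leak"             # public peer that is not a relay: investigate


def leak_report(flows):
    """Bucket flows by verdict; the two *-leak buckets are what to look at."""
    report = {k: [] for k in ("local", "dns-leak", "lan", "tor", "clearnet-leak")}
    for f in flows:
        report[classify(f)].append(f)
    return report


# Constructed capture, not real data. The last line is the pattern described
# in the original post: a public host that is not a relay sending data
# straight to the machine's own address.
SAMPLE_LINES = [
    "tcp 192.168.1.20:41000 > 198.51.100.7:443",
    "tcp 198.51.100.7:443 > 192.168.1.20:41000",
    "udp 192.168.1.20:41001 > 127.0.0.1:9053",
    "udp 192.168.1.20:41002 > 192.168.1.1:53",
    "tcp 192.168.1.20:41003 > 192.168.1.1:22",
    "tcp 203.0.113.99:443 > 192.168.1.20:41004",
]
SAMPLE = [parse_line(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    for verdict, flows in leak_report(SAMPLE).items():
        for f in flows:
            print(f"{verdict:14} {f.proto} {f.src}:{f.sport} > {f.dst}:{f.dport}")
```

Run against a real capture, a non-empty clearnet-leak bucket means one of two things: the capture point is on the wrong side of the redirect (packets seen before iptables rewrites them), or the redirect rules do not cover that traffic (IPv6, UDP, a process exempted by UID). Either way the script points at the flow to explain rather than at the remote server.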

Not quite. Thinking there might be a vulnerability that might be exploited. I cannot understand why all traffic is basically fine except that one event.

Thanks for the tips!

EDIT: I also came across a thing called ssldump but it doesn’t appear to be around anymore.

EDIT 2: The Transparent Proxy solution wasn’t perfect, but not in a way that I can see would leak access to a socket in that way, but again, new to this.

I’m sorry, but I have to say this. If this is true:

Do you not suppose you shouldn’t be worried about something that is used by millions of people? All of them without issues, most of them not, in fact, as new as the rest (or you?)