Hi folks,

setting up an iptables based firewall I just noticed some unusual outgoing traffic originating from port 8767 on my linux machine running TS to port 45647 on a remote machine. It took me quite some time to find any forum threads on this topic, like:
http://forum.goteamspeak.com/showthread.php?t=15016
http://forum.goteamspeak.com/showthread.php?t=4708

I admit I didn't follow those threads in detail. But since the Server-FAQ still says that opening port 8767 UDP suffices to make TS work, the FAQ-writers might want to add that *new outgoing connections* are meant as well. It would sure be nice if it was also explained what exactly happens when the TS server opens a UDP connection from port 8767 to port 45647 on a remote machine.

My first instinct was to assume that TS did something it was not supposed to do, probably by having been hacked. I mean, if there was a connection to port 80 and it mapped to some TS-page like www.goteamspeak.com, it would be easy to figure out what goes on. Instead, a connection originating from port 8767 looks like an attempt of deception/hiding something. In my case, the destination IP 62.146.63.82 maps to a host name which is not even registered (as of the writing of this post). If whois'ing that IP hadn't revealed some reference to TS, I would have been really concerned about the well being of my linux machine.

I really think this issue should be addressed in the FAQ, even if only few people may ever take note of this kind of traffic.

This connection is part of the public server list and of Triton CIA, LLCs automated usage tracking system for commercial servers.

This connection is part of the public server list and of Triton CIA, LLCs automated usage tracking system for commercial servers.
Ah, okay, thanks for the info!

I don't feel completely comfortable, though. I sure don't want my server to appear on a public list, since it is strictly private. So is there any chance server admins will get a config switch or an installation command to disable this feature in one of the next releases?

I mean, if somebody tried to cloak a commercial server which is not licensed, they will find out how to do it easy enough, since from time to time people ask about those outgoing connections right here or on other forums over which you may have no control.
On the other hand, there is a privacy concern because at least I was not aware of this feature. Just think about the recent touble Apple got into when iTunes started connecting to the music store without asking the user, or the tons of discussion when Firefox included an undocumented ping-attribute (Article on heise.de (http://www.heise.de/newsticker/meldung/68508)).

I would sure feel much more comfortable if this feature was openly documented and if there was an easy way to turn it off.

Actually you can choose whether all the servers of your server instance should appear on this public list or not by changing the according setting in the servers web administration interface.

It's called "List public" and can be found in the "Global Settings" section.

It's called "List public" and can be found in the "Global Settings" section.

Note though that this option does *NOT* prevent this packet of being sent. It only tells the weblist server to not list you publicly. In the second link you sent, the packet structure and contents are layed out, so you can easily verify what is being sent ( http://forum.goteamspeak.com/showpost.php?p=23327&postcount=6 ).

Thanks for the replies, Bastian and Peter. I'm now convinced that these connections are not evil. :)

I still think that they should be mentioned in the FAQ, though, because from time to time people will probably notice them - and the FAQ seems to be the logical place to look for this.

Another aspect is: does a particular installation of the TS-Server always connect to the same IP, or does the IP change from time to time? This would be important information when setting up a rather tight firewall where outgoing traffic is strictly controlled, especially for admins who want their server to appear on the public list.

The packet is sent to weblist.teamspeak.org - the IP may change (if we move the weblist to a different server).

The packet is sent to weblist.teamspeak.org - the IP may change (if we move the weblist to a different server).
Got it!

But check the current IP's reverse-mapping - if someone has a few spare minutes to adjust that, confusion might be avoided. In fact, I probably wouldn't have started this thread if I hadn't been so confused about that. :)