Is a github port 59249 request valid

Question

I'm on macOS Sierra and keep getting requests to allow port 59249. When I look at the request details, I see that it appears to come from github:

lb-192.30.253.124-iad.github.com

I am using github over ssh for development work. However, when I search for the ports page on github, I see no reference to this port number (this page is for Enterprise; doesn't seem to be a similar page for non-enterprise users).

Github does say that they are currently using IP addresses 192.30.252.0/22 so I'm not sure where this is coming from.

Any insight would be most appreciated.

Answer 1

Most likely, your firewall is just interpreting an outgoing connection backwards.

• All TCP connections have an address and port on both ends. When you connect to GitHub (on port 22 or 443 or such), the connection comes from a randomly selected port number, usually in the range 49152–65535 or 32768–65535 or such.

  For example, a SSH connection might be 192.168.1.x:59249 <--> 192.30.253.124:22.

• The only difference between "incoming" and "outgoing" connections is the initial handshake. Once the connection gets established, everything becomes fully symmetric.

  So if you only start a firewall after the connection has been established, and the first thing it sees is a packet from github:80 to yourpc:59249, it has no way of knowing whether the connection was originally incoming or outgoing.

  Or perhaps in your case it doesn't see outgoing "initiate connection" packets at all, but still sees the incoming responses, and thinks that it's GitHub who is initiating a connection towards you.

  This can certainly happen if you use both Ethernet and Wi-Fi at the same time: the handshake (TCP SYN) might be sent via Ethernet, but the response (SYN-ACK) might arrive via Wi-Fi; although that's quite valid, some firewalls mistakenly think they belong to different connections.