Why so many established connections on booting dispVM? Hacked?

I opened a disposable and then checked “ss -atpu”. What I got was more than 10 established connections, without even having visited a website or done anything.

For the past few years I have been constantly harassed and have no privacy at all. Meaning my devices were compromised.

Can somebody help me by telling me whether there is anything I should be concerned about?

Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0*
udp ESTAB 0 0
udp UNCONN 0 0*
udp UNCONN 0 0 [::]:hostmon [::]:*
tcp LISTEN 0 4096*
tcp LISTEN 0 4096*
tcp LISTEN 0 128*
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=94))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=114))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=122))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=84))
tcp TIME-WAIT 0 0
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=123))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=83))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=103))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=127))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=61))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=119))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=118))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=77))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=99))
tcp ESTAB 0 0 users:(("firefox",pid=854,fd=82))
tcp LISTEN 0 4096 [::]:hostmon [::]:*
tcp LISTEN 0 128 [::1]:ipp [::]:*

It is just Firefox phoning home…

Even an IP like that one, which pops up in many places as not good?

See also: Which IPs does Qubes 4.0.4 connect to on boot?

Indeed, and other IPs that have a bad reputation originate from Firefox. You need to launch a Disposable without Firefox and monitor it. Firefox generates too much noise.

Run it in your disp template (dom0$ qvm-run fedora-34-dvm xterm) and change a few settings in Firefox. First run brings up its privacy page, so if you really want to be careful, you can run the terminal, set netvm to none, then start Firefox and make your settings. Set new window and tab to blank, disable Pocket, search suggestions, etc. After shutting down the template, new dispvms shouldn’t make all those connections.

Not a recommended strategy, as it can lead to profile fingerprinting (all profiles will have the same name for example).

Check out this guide instead: [Guide] Automatically install extensions and configure new (dispvm) Firefox profiles with arkenfox user.js and policies
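
Added example, not written by any poster in this thread: a small shell helper that groups the ESTAB sockets in `ss -Hatpun` output by owning process and lists whatever is left once Firefox is excluded, which is the separation the replies above suggest. The function names and the sample addresses (documentation ranges) are constructed for illustration; note that `ss -p` only names processes the invoking user is allowed to inspect, so unattributed sockets may simply need the command re-run as root.

```shell
#!/bin/sh
# Added example: separate Firefox "noise" from other established sockets.
# Feed it the output of: ss -Hatpun   (-H drops the header, -n keeps numeric addresses)

# Count ESTAB sockets per process name. Sockets with no users:((...)) column
# are grouped under "(unattributed)".
summarize_estab() {
    awk '$2 == "ESTAB" {
        name = "(unattributed)"
        # users:(("NAME",pid=...,fd=...)) -> extract NAME
        if (match($0, /users:\(\("[^"]+"/))
            name = substr($0, RSTART + 9, RLENGTH - 10)
        count[name]++
    }
    END { for (n in count) print count[n], n }' | sort -rn
}

# Print ESTAB sockets that are NOT owned by the process named in $1.
estab_excluding() {
    awk -v skip="$1" \
        '$2 == "ESTAB" && index($0, "users:((\"" skip "\",") == 0'
}

# Constructed sample in `ss -Hatpun` layout (addresses are documentation ranges).
sample_ss_output() {
    cat <<'EOF'
udp ESTAB 0 0 192.0.2.20:50000 192.0.2.1:53
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp ESTAB 0 0 192.0.2.20:41234 198.51.100.10:443 users:(("firefox",pid=854,fd=94))
tcp ESTAB 0 0 192.0.2.20:41236 198.51.100.11:443 users:(("firefox",pid=854,fd=114))
tcp TIME-WAIT 0 0 192.0.2.20:41240 198.51.100.12:443
tcp ESTAB 0 0 192.0.2.20:41242 203.0.113.5:443 users:(("firefox",pid=854,fd=122))
tcp ESTAB 0 0 192.0.2.20:41250 203.0.113.9:80 users:(("curl",pid=1201,fd=5))
EOF
}

# Live use: ./script.sh live   (prefix with sudo to attribute other users' sockets)
if [ "${1:-}" = "live" ]; then
    echo "Established sockets per process:"
    ss -Hatpun | summarize_estab
    echo "Established sockets not owned by firefox:"
    ss -Hatpun | estab_excluding firefox
fi
```

Anything that still shows up under a name other than `firefox`, or as unattributed after running as root, is what is worth looking at in a Disposable started without the browser.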