Netgate Discussion Forum
    PfSense keeps Port 21 open??

    Category: Firewalling
    20 Posts 6 Posters 5.2k Views 4 Watching
IonutZ

      No extra packages, and no FTP. Although I'm considering snort or suricata now.

      I'm not running a router in front of the firewall.

      Comcast -> Modem -> Firewall -> Server (router) -> Switch -> LAN

      Lol, this is really weird - running NMap off of pentest-tools.com doesn't show ftp as being open. Running NMap off of my laptop tethered to my cellphone (not on the same network) still displays 21 open.

      With the mac ftp client, I can open a connection to my ip address:

      ftp> o
      (to) xxx
      Connected to xxx.
      
      421 Service not available, remote server timed out. Connection closed. 
      

      With filezilla it says:

      
      Status:      	Connecting to xxx:21...
      Status:      	Connection established, waiting for welcome message...
      Error:        	Connection timed out after 20 seconds of inactivity
      Error:        	Could not connect to server
      Status:      	Waiting to retry...
      

      Any ideas?

muswellhillbilly

        If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.

IonutZ

          @muswellhillbilly:

          If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.

          Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

muswellhillbilly

            @IonutZ:

            Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

            There you are then!

IonutZ

              Alright sir, I won't worry about it then. Thanks for the help everyone.

JonathanLee

                I see the same thing, I think the ONT modem has FTP open because it’s closed on the WAN on the firewall.

                e5cb7fae-154a-4c92-bd68-429c42a0c4d8-image.png

                Make sure to upvote

JonathanLee

                  @muswellhillbilly said in PfSense keeps Port 21 open??:

                  www.grc.com


                  GRC Port Authority Report created on UTC: 2024-07-11 at 06:47:55
                  
                  Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 
                                              119, 135, 139, 143, 389, 443, 445, 
                                              1002, 1024-1030, 1720, 5000
                  
                      0 Ports Open
                     22 Ports Closed
                      4 Ports Stealth
                  ---------------------
                     26 Ports Tested
                  
                  NO PORTS were found to be OPEN.
                  
                  Ports found to be STEALTH were: 0, 135, 139, 445
                  
                  Other than what is listed above, all ports are CLOSED.
                  
                  TruStealth: FAILED - NOT all tested ports were STEALTH,
                                     - NO unsolicited packets were received,
                                     - NO Ping reply (ICMP Echo) was received.
                  

                  9dad8892-b15f-450b-95f9-d98e2ca42207-image.png

                  Make sure to upvote

JonathanLee

                    d9bc5d7b-ce7d-4e88-ac4b-f3e0cd5ce5ed-image.png

                    I show this on wan side

                    blocked everything nothing is open

                    Make sure to upvote

JonathanLee

                      But mine said failed 😞

                      Make sure to upvote

Gertjan @JonathanLee

                        @JonathanLee

                        That's your "ISP device", the one with the ONT. Ports should be stealth ... dunno why it actively says 'closed', which means: it was listening. For what?
                        So 'they' can keep an eye on you ^^

                        But you don't care, your pfSense WAN is locked. Normally, only something like an OpenVPN port 1194 UDP should be open.
                        True, it's now possible to stuff a major doss app into your own local ONT device, and fully focus on your (pfSense) WAN IP without disturbing everybody else.

                        It's probably not useful to ditch this ISP, as other ISP devices don't have ports open, but apps in the device will 'call home' for their updates and other 'control'.

                        The best way out: get a Netgate router with a 'FTP' ONT slot, slide in the FTP adapter that is compatible with the Netgate device and your fiber link.

                        And if possible, open only IPv6 ports. grc.com won't see any fire nor smoke, and you feel safe now ^^

                        Mine went all green decades ago:

                        de5dfe70-648a-450f-a7bb-49c844600866-image.png

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

JonathanLee @Gertjan

                          @Gertjan I know. I pay for a static IP, and I set the OpenVPN port to a timer, like a door that closes at night on a schedule. I like Consolidated; never had issues beyond the one-off weird bill items when transferring services, but they even fixed that with my tantrum. I am sure they have the fiber modem accessible for their team; I am just confused as to why on my Zenmap it shows wide open and not stealth mode. Anyone that doesn’t use schedules for VPN ports should think about doing that: if you're not using your VPN at 3am, turn it off, right?

                          Make sure to upvote

JonathanLee

                            It is the modem. I disconnected everything and ran the test again: same ports, same issue. That is ISP stuff, not my concern; my stuff is protected. I got the 2100, it has the stp ports; again, Consolidated wants that modem, I am just gonna leave it how they have it.

                            Make sure to upvote

JonathanLee

                              @muswellhillbilly said in PfSense keeps Port 21 open??:

                              If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.


                              Does shields up work with ipv6 also?

                              Make sure to upvote

Gertjan @JonathanLee

                                @JonathanLee said in PfSense keeps Port 21 open??:

                                Does shields up work with ipv6 also?

                                You've motivated me to find that video again that I once saw, many years ago, an interview, where he said "Not needed, IPv6 won't make it to the public ...". (Gibson is special ^^)

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

johnpoz (LAYER 8 Global Moderator) @Gertjan

                                  @Gertjan said in PfSense keeps Port 21 open??:

                                  Gibson is special ^^)

                                  hahah - yeah, remember when he said the sky was falling when XP had raw sockets. It was going to crash the internet ;)

                                  His term "stealth" for not answering ping is just more nonsense. Not sure he is playing with all 52 cards, if you know what I mean ;)

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

JonathanLee

                                    Screenshot 2025-07-07 at 18.35.31.png

                                    You know what it was: I had it set to reject and not block. HAHA, I can't believe I didn't see that before, that is a Homer Simpson moment.

                                    Screenshot 2025-07-07 at 18.38.12.png

                                    Make sure to upvote
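As an added example (not code from this thread, from Netgate, or from GRC), here is a small parser for a ShieldsUP-style Port Authority report in the layout pasted earlier in the thread. It maps each reported state to the pfSense WAN rule action that produces it: a port that answers with a TCP RST shows as "closed" (Reject), one that never answers shows as "stealth" (Block), which is exactly the reject-versus-block mix-up resolved in the post above. The report text below is constructed, and the mapping assumes the probe reached pfSense itself rather than an ISP device in front of it.

```python
import re

# Constructed sample in the GRC "Port Authority" report layout pasted earlier in
# this thread; the ports and counts here are made up for the example.
SAMPLE_REPORT = """\
Results from scan of ports: 0, 21-23, 25, 80,
                            443, 445

    1 Ports Open
    5 Ports Closed
    2 Ports Stealth

Ports found to be OPEN were: 21

Ports found to be STEALTH were: 0, 445

Other than what is listed above, all ports are CLOSED.
"""

# Wire behaviour behind each GRC state and the pfSense WAN rule action that
# produces it. Assumption: the probe reached pfSense, not an ISP device in front.
STATE_TO_ACTION = {
    "open":    "pass (SYN/ACK came back: some rule allows this port)",
    "closed":  "reject (TCP RST came back: the matching rule uses Reject)",
    "stealth": "block (no reply at all: the rule uses Block, the default)",
}

def expand_ports(spec):
    """Turn '0, 21-23, 25' into [0, 21, 22, 23, 25]; ranges are inclusive."""
    ports = []
    for item in spec.replace("\n", " ").split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = item.split("-")
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(item))
    return ports

def parse_report(text):
    """Return {port: 'open' | 'closed' | 'stealth'} for every tested port."""
    m = re.search(r"scan of ports:\s*(.+?)\n\s*\n", text, re.S)
    states = {p: "closed" for p in expand_ports(m.group(1))}  # report default
    for state in ("open", "stealth"):
        m = re.search(rf"found to be {state.upper()} were:\s*([\d ,\-]+)", text)
        if m:  # absent when the report says "NO PORTS were found to be OPEN."
            for p in expand_ports(m.group(1)):
                states[p] = state
    return states

def explain(states):
    """Which pfSense rule action explains each port that sent a reply."""
    return {p: STATE_TO_ACTION[s] for p, s in sorted(states.items()) if s != "stealth"}
```

Run it against your own report text: every port listed by explain() got a reply from something, so either a pass rule or a Reject action sits in front of it.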

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.