Netgate Discussion Forum

    I can not block WAN port?

    Firewalling
    17 Posts 4 Posters 1.2k Views
    • mucip

      Hi,
      When I check the WAN address with nmap, the list below comes up.

      [screenshot: nmap output]

      I know 554 and 1935 are for the camera. But I don't know about 1024. I want to block it from the WAN so that I don't see it in the nmap list.
      I created a block rule in the firewall WAN section like the picture below:

      [screenshot: WAN block rule]

      But I can still see port 1024 open in the nmap list?!

      Regards,
      Mucip:)

      • johnpoz LAYER 8 Global Moderator @mucip

        @mucip you're scanning from the inside - do a scan from outside - like grc.com or something.

        Also, even if you wanted to block it, you're blocking it wrong: the port is a destination port, not a source port. You understand that all interfaces have a default deny; if you did not specifically allow it, it would be denied..

        What are you scanning exactly - there is no way that pfSense would be listening on some RTSP port of 554 out of the box??

        80 and 443, OK, I get those; pfSense would be listening on those out of the box.. but those other 3?

        On pfSense do a netstat -anl: is your pfSense actually listening on 554, 1024 and 1935??

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • mucip @johnpoz

          Dear @johnpoz
          I use the nmap command like below:
          nmap xxx.com

          And I am outside the network.

          Well, 554 and 1935 are camera ports. These also have NAT and are normal. But I did not understand 1024?

          I remember that all ports should be closed by default. But what is this 1024 port then?

          Regards,
          Mucip:)

          • Gertjan @mucip

            @mucip said in I can not block WAN port?:

            I remember that all ports should be closed by default.

            Easy to validate that: re-activate the default settings by using:

            [screenshot: reset to factory defaults]

            and you'll see an empty:

            [screenshot: empty WAN rule list]

            which means: nothing can come in.

            From then on, the admin takes over, starts adding stuff and all kinds of things happen .... 😊

            Even with all my WAN rules (NAT and others):

            [screenshot: WAN rules]

            [screenshot: scan result]

            Btw: this test is very incomplete as it is only IPv4 based and probably only TCP.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • mucip @Gertjan

              Dear @Gertjan,
              Unfortunately I cannot go back to defaults, because I have many things in the config.
              But this is really very interesting.
              Where does this 1024 port come from?...

              Regards,
              Mucip:)

              • johnpoz LAYER 8 Global Moderator @mucip

                @mucip a device in front of pfSense.. Your WAN rules as shown would not allow any port forwards you have - even if you have cameras behind pfSense.

                Do you have rules in floating? So you have port forwards that send to your cameras, but for those to work your WAN would have to allow for that.. Which you show there are not any - unless you have something floating.

                Nor would your rules even allow the default 80/443 that pfSense could be listening on.

                • mucip @johnpoz

                  @johnpoz,
                  No, I don't have any floating rules.

                  [screenshot: floating rules, empty]

                  By the way, I have NAT for the camera and a web server behind the pfSense. Everything is normal, except 1024?!

                  Regards,
                  Mucip:)

                  • johnpoz LAYER 8 Global Moderator @mucip

                    @mucip said in I can not block WAN port?:

                    By the way I have NAT

                    No you don't; there is no way your port forward in pfSense would work without a firewall rule to allow it. And you have no rules in floating and no rules on your WAN that would allow it..

                    So you could have whatever you want in port forwards, and they wouldn't work.

                    I would suggest you look at your full ruleset; maybe your GUI is not showing you the rules or something - but from what you posted you could have 100 different port forwards and none of them would work, because you have no firewall rules on the WAN to allow them.

                    https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html

                    • mucip @johnpoz

                      @johnpoz,
                      Maybe I misexplained, sorry.
                      I have NAT rules and also the related firewall rules. No problem. The cameras are working. 80/443 are working and the other NAT ports are working correctly.
                      Maybe there is a 1024 port open in the rules but the GUI doesn't show it, I don't know?

                      Can I see the firewall rules in the console to check?

                      Regards,
                      Mucip:)

                      • johnpoz LAYER 8 Global Moderator @mucip

                        @mucip said in I can not block WAN port?:

                        Maybe I misexplained, sorry.

                        The WAN rules you posted would not allow anything.. Did you not post up your firewall rules?

                        These rules show nothing would be allowed:

                        [screenshot: rules.jpg]

                        And again - with what you posted there is zero reason to put in any blocks, because every interface has a default deny.. And that rule you put in for 1024 would never trigger anyway, because you have the source port set to 1024, not the destination port.. The traffic you show as open is TO 1024, not from a source port of 1024.

                        If you want people to help you - post up your full port forwards and your full WAN rule set.. But with what you posted, no port forwards would be allowed.

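The source-port versus destination-port point in the post above, as an added example that is not code from the thread or from pfSense. In the syntax `pfctl -sr` prints, everything before the word "to" is the source side of a rule and everything after it is the destination side, so a small POSIX shell function can tell which side a port ended up on. The interface name em0 and the two rule lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: report whether a
# pf rule matches a port as the SOURCE port or the DESTINATION port. In the
# syntax `pfctl -sr` prints, everything before the word "to" is the source
# side and everything after it is the destination side. The interface em0
# and the two rules below are constructed for this example.

# Constructed: what the firewall builds when 1024 is entered as the *source*
# port. A scanner connects FROM a random high port TO 1024, so this never
# matches the probe.
WRONG_RULE='block drop in quick on em0 inet proto tcp from any port = 1024 to any'

# Constructed: the rule with 1024 as the *destination* port on the WAN
# address. This is the one that matches inbound probes to 1024.
RIGHT_RULE='block drop in quick on em0 inet proto tcp from any to (em0) port = 1024'

# rule_port_side RULE PORT -> source | destination | none
rule_port_side() {
    rule=$1
    port=$2
    src_side=${rule%% to *}      # text before the first " to "
    dst_side=${rule#* to }       # text after it
    # Trailing space so "port = 1024" does not also match "port = 10240".
    case "$src_side " in
        *"port = $port "*|*"port $port "*) echo source; return 0 ;;
    esac
    case "$dst_side " in
        *"port = $port "*|*"port $port "*) echo destination; return 0 ;;
    esac
    echo none
}

# Against the live ruleset on pfSense:
#   pfctl -sr | grep -w 1024 | while IFS= read -r r; do
#       printf '%s: %s\n' "$(rule_port_side "$r" 1024)" "$r"
#   done
```

In the pfSense rule editor the port belongs under Destination port range; the Source port range field (shown by Display Advanced) is almost always left at "any", because the client's source port is random. Running the loop above against `pfctl -sr` shows which rules would actually see an inbound probe to 1024.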

                        • mucip @johnpoz

                          @johnpoz,
                          Sure, I have many more rules after that last 1024 line in the picture above. I don't want to send all the rows for security reasons.

                          Yes, I changed it to the destination port. But it still looks open, unfortunately?!

                          [screenshot: block rule with destination port 1024]

                          Regards,
                          Mucip:)

                          • Bob.Dig LAYER 8 @mucip

                            @mucip NAT rules can be set to "pass", so that is a possibility. But if you don't know the difference between source and destination port, you have bigger problems to begin with. 😉

                            • mucip @Bob.Dig

                              @Bob-Dig,
                              No. There isn't any line with port 1024 on the NAT page either.

                              Regards,
                              Mucip:)

                              • johnpoz LAYER 8 Global Moderator @mucip

                                @mucip because it's not pfSense - do you have a port forward sending 1024 somewhere? If not, then pfSense should not be listening on that port, that is for sure.. But you can easily check with a netstat.. And again, the rules you posted wouldn't allow anything.. I cannot help you figure out what you have that is allowing an answer from some port if I cannot see your rules.

                                1024 can be used for modem admin, etc. It is quite possible your ISP device in front of pfSense is answering on that..

                                Here is what I would do: do a simple sniff on the pfSense WAN - go to canyouseeme.org and send some traffic to TCP 1024.. Do you see an answer? If you do, then pfSense or something behind it answered.. If you do not even see the 1024 hit you, then something upstream answered; or even if you do see it hit the pfSense WAN - if you don't see an answer, then it's not showing up because pfSense answered, but because something in front of your pfSense did.

                                Here is an example of sending traffic to my WAN on 1024.

                                [screenshot: canyou.jpg]

                                So clearly neither my pfSense nor anything behind it answered, so it shows closed. Do the same test: do you see it hitting your pfSense, do you see pfSense answer it?

                                edit: here is an example of seeing either pfSense or something you port forwarded to answering... See how I see a response sent back in my packet capture on the pfSense WAN:

                                [screenshot: answer.jpg]

                                Because I port forward that port to something behind pfSense.

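The three checks johnpoz asks for in this thread (is pfSense itself listening, as in the earlier netstat suggestion; is there a port forward; does the probe reach the WAN and get an answer in a packet capture), as an added example that is not code from the thread or from pfSense. It is a POSIX shell script that classifies a `tcpdump` capture of the canyouseeme test and then explains an "open" port from `sockstat -4l` and `pfctl -sn` output. All sample output is constructed in the format those tools print; the WAN address 203.0.113.10, the scanner 198.51.100.7, the camera 192.168.1.50 and the interface em0 are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Decides who
# answered a scanner on a WAN port from three inputs a pfSense admin can
# collect: a packet capture on the WAN interface, the local listening
# sockets, and the NAT (port forward) table. Every sample below is
# constructed in the format the real tool prints; the WAN address
# 203.0.113.10, scanner 198.51.100.7, camera 192.168.1.50 and the
# interface em0 are assumptions for this example.

# Constructed `tcpdump -ni em0 tcp port 1024` output: inbound SYN and an
# outbound SYN-ACK, so pfSense or a host it forwards to answered.
CAP_ANSWERED='12:00:01.000001 IP 198.51.100.7.40001 > 203.0.113.10.1024: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.1024 > 198.51.100.7.40001: Flags [S.], seq 2, ack 2, win 65535, length 0'

# Constructed capture: the SYN arrives and nothing goes back (default deny).
CAP_DROPPED='12:00:01.000001 IP 198.51.100.7.40001 > 203.0.113.10.1024: Flags [S], seq 1, win 64240, length 0'

# Constructed capture: the WAN never saw the probe at all.
CAP_EMPTY=''

# Constructed `sockstat -4l` output: what pfSense itself listens on.
SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  5  tcp4   *:443                 *:*
root     nginx      1234  6  tcp4   *:80                  *:*
root     sshd       999   4  tcp4   192.168.1.1:22        *:*'

# Constructed `pfctl -sn` output: the rdr lines are the port forwards.
PFCTL_SN='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10
rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = 554 -> 192.168.1.50
rdr pass on em0 inet proto tcp from any to 203.0.113.10 port = 1935 -> 192.168.1.50'

# classify_capture CAPTURE WAN_IP PORT -> answered | dropped | not-seen
classify_capture() {
    cap=$1
    esc=$(printf '%s' "$2.$3" | sed 's/\./\\./g')   # WAN.PORT with dots escaped
    saw_syn=0
    saw_reply=0
    # Inbound SYN addressed to WAN:PORT (Flags [S], not the SYN-ACK [S.]).
    if printf '%s\n' "$cap" | grep -q "> $esc: Flags \[S\]"; then
        saw_syn=1
    fi
    # Anything sent back from WAN:PORT: SYN-ACK [S.] means open, RST [R]/[R.] means closed.
    if printf '%s\n' "$cap" | grep -Eq "^[^ ]+ IP $esc > .*Flags \[(S\.|R\.?)\]"; then
        saw_reply=1
    fi
    if [ "$saw_reply" = 1 ]; then
        echo answered
    elif [ "$saw_syn" = 1 ]; then
        echo dropped
    else
        echo not-seen
    fi
}

# explain_open_port VERDICT SOCKSTAT PFCTL_SN PORT -> one-line explanation
explain_open_port() {
    verdict=$1; sock=$2; nat=$3; port=$4
    case "$verdict" in
        not-seen) echo "upstream device answered (the SYN never reached the WAN)"; return 0 ;;
        dropped)  echo "pfSense dropped it (the scanner should report filtered, not open)"; return 0 ;;
    esac
    # A listening socket on pfSense itself, e.g. "*:443" or "192.168.1.1:22".
    if printf '%s\n' "$sock" | grep -Eq "tcp4 +\*?[0-9.]*:$port +"; then
        echo "pfSense itself is listening on $port"
    elif printf '%s\n' "$nat" | grep -Eq "^rdr .*port = $port ->"; then
        target=$(printf '%s\n' "$nat" | grep -E "^rdr .*port = $port ->" | sed 's/.*-> //')
        echo "port forward to $target answered"
    else
        echo "answered, but no listener or forward found: check floating rules and pfctl -sr"
    fi
}

# Live use on pfSense (the GUI equivalent is Diagnostics > Packet Capture):
#   tcpdump -ni em0 -c 20 'tcp port 1024' > cap.txt    # then trigger the probe
#   v=$(classify_capture "$(cat cap.txt)" 203.0.113.10 1024)
#   explain_open_port "$v" "$(sockstat -4l)" "$(pfctl -sn)" 1024
```

The verdicts line up with the reasoning in the post: an inbound SYN followed by a SYN-ACK from the WAN address means pfSense or a forward target answered; a SYN with no reply means pfSense's default deny dropped it, and an external scanner should then report the port as filtered rather than open; no packet at all while the scanner still reports open means a device in front of pfSense (such as the ISP modem) took the connection before it reached the WAN.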

                                • mucip @johnpoz

                                  @johnpoz said in I can not block WAN port?:

                                  1024 can be used for modem admin, etc. It is quite possible your ISP device in front of pfSense is answering on that..

                                  This might be the answer.
                                  There is a modem in front of the pfSense. I need to check it too...

                                  [screenshot: canyouseeme result]

                                  Regards,
                                  Mucip:)

                                  • johnpoz LAYER 8 Global Moderator @mucip

                                    @mucip so - for your own sanity, do the packet capture on the pfSense WAN when you do that test: do you see that 1024 hit the pfSense WAN, do you see a response?

                                    If you don't, then clearly you have a smoking gun that something in front of pfSense answered it.

                                    • mucip @johnpoz

                                      @johnpoz said in I can not block WAN port?:

                                      so - for your own sanity, do the packet capture on the pfSense WAN when you do that test: do you see that 1024 hit the pfSense WAN, do you see a response?

                                      You're right. :)
                                      I have not tried Packet Capture until now. I will google it and inform you.

                                      But it looks like the modem is answering it?

                                      Regards,
                                      Mucip:)

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.