Netgate Discussion Forum

    My pfsense have ports open on WAN interface

      GruensFroeschli

      This rule does exactly nothing. (There will never be any inbound traffic on the WAN from the WAN itself)
      But you don't need such a rule because there is already an invisible "block everything" rule at the bottom.
      If you don't have any rules, then you block everything.

      Where did you run your portscan from?
      Actually from the outside?
      Or from your LAN side to the WAN-IP?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        jimp Rebel Alliance Developer Netgate

        If you're running a scan from behind another router that has proxies enabled (FTP proxy/helper, Squid, DNS, etc) or NAT reflection on those ports, they will show as open even though they are open locally, not on the public side of the router being tested.

        Similarly, if you test the WAN address from the LAN side of a pfSense router, you'll see open ports because you're coming from inside, not outside, and you are subject to the LAN rules, not the WAN rules.

        Ideally, such scans should be run by a remote system that isn't behind any kind of special firewall/router device, or use some kind of port testing service like ShieldsUP (not that I agree with some of the things that Gibson thinks are "threats" but it's still a useful test to see if ports are open…)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          giancarlogiesa

          Ah ok, thanks for the reply.

            giancarlogiesa

            I think that something does not work..
            In the screenshot you can see that I did a remote scan with the first scanner that I found on Google,
            and there are some open ports.

            If I use your ShieldsUP site, all ports are stealthed ???

            Schermata-4.png

              jimp Rebel Alliance Developer Netgate

              Do you maybe have UPnP on and something locally is opening those ports temporarily by using UPnP?

              I tried that site and it showed mine as closed, as expected.

                giancarlogiesa

                UPnP is disabled and I have removed squid just for a test, but the problem is still here.

                Schermata-5.png

                  Guest

                  Rather than trusting the scanner (which is entirely possibly wrong), simply try to connect to those ports from the outside world. Even just using an open http proxy would work to ensure you don't actually have http listening externally.

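The direct connection test suggested above, combined with jimp's point about where the test is run from, as an added example that is not part of the original posts. The function names `probe`, `scan` and `compare` are hypothetical, the port list is the three ports named in the thread, and the sample results in the demo branch are constructed.

```python
import socket
import sys

PORTS = (21, 53, 80)  # the ports the thread's scanner reported as open

def probe(host, port, timeout=3.0):
    """Attempt a full TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed: something accepted it
    except ConnectionRefusedError:
        return "closed"            # RST came back: reachable, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"          # silence: dropped ("stealth" in ShieldsUP terms)
    except OSError:
        return "unreachable"       # routing or name-resolution failure

def scan(host, ports=PORTS, timeout=3.0):
    return {port: probe(host, port, timeout) for port in ports}

def compare(outside, lan):
    """Interpret two scans of the same WAN address from different vantage points."""
    verdict = {}
    for port in sorted(set(outside) | set(lan)):
        if outside.get(port) == "open":
            verdict[port] = "exposed: accepted from outside"
        elif lan.get(port) == "open":
            verdict[port] = "LAN-only: passed by LAN rules, not by WAN rules"
        else:
            verdict[port] = "not reachable"
    return verdict

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Run on each vantage point against your own WAN address.
        print(scan(sys.argv[1]))
    else:
        # Constructed results, for illustration only.
        outside = {21: "filtered", 53: "filtered", 80: "filtered"}
        lan = {21: "open", 53: "open", 80: "open"}
        for port, text in compare(outside, lan).items():
            print(port, text)
```

An "open" result from the outside host only counts if that host is not itself behind a router with proxies, helpers or NAT reflection answering on those ports, which is the caveat raised earlier in the thread.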
                    giancarlogiesa

                    After removing squid and rebooting, the ports are closed now…

                    But how and why did squid open those ports on WAN?? (53, 80, 21 and maybe others)
                    I never configured it to do that...

                    I will try installing squid again.. or havp..

                      jimp Rebel Alliance Developer Netgate

                      Did you maybe have the 'wan' interface selected for squid to listen on?

                        giancarlogiesa

                        No, as you can see in the screenshot.

                        Schermata-9.png
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.