My pfSense has ports open on WAN interface
-
This rule does exactly nothing. (There will never be any inbound traffic on the WAN from the WAN itself)
But you don't need such a rule because there is already an invisible "block everything" rule at the bottom.
If you don't have any rules, then you block everything. Where did you run your portscan from?
Actually from the outside?
Or from your LAN side to the WAN-IP? -
If you're running a scan from behind another router that has proxies enabled (FTP proxy/helper, Squid, DNS, etc.) or NAT reflection on those ports, they will show as open even though they are open locally, not on the public side of the router being tested.
Similarly, if you test the WAN address from the LAN side of a pfSense router, you'll see open ports because you're coming from inside, not outside, and you are subject to the LAN rules, not the WAN rules.
Ideally, such scans should be run by a remote system that isn't behind any kind of special firewall/router device, or use some kind of port testing service like ShieldsUp (not that I agree with some of the things that Gibson thinks are "threats", but it's still a useful test to see if ports are open…)
-
ah ok, thanks for the reply
-
-
Do you maybe have UPnP on and something locally is opening those ports temporarily by using UPnP?
I tried that site and it showed mine as closed, as expected.
-
-
Rather than trusting the scanner (which is entirely possibly wrong) simply try to connect to those ports from the outside world. Even just using an open http proxy would work to ensure you don't actually have http listening externally.
-
After removing Squid and rebooting, the ports are closed now…
But how and why does Squid open those ports on WAN?? (53, 80, 21 and maybe others)
I never configured it to do that... I will try another time to install Squid.. or HAVP..
-
Did you maybe have the 'wan' interface selected for squid to listen on?
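One way to answer that question on the pfSense box itself, as an added example that is not part of the thread: the function below parses `sockstat -4 -l` output (FreeBSD's listening-socket listing) and reports every daemon bound to the WAN address or to the wildcard `*`, which is how a Squid instance set to listen on WAN ends up answering from the public side. The WAN address `203.0.113.5` and the `sockstat` sample are constructed; `em0` as the WAN interface name is an assumption.

```shell
#!/bin/sh
# Added example: find daemons listening on the WAN address (or on all
# addresses) from `sockstat -4 -l` output. Not pfSense's own code.

# Constructed sample of `sockstat -4 -l` output. Data rows have 7 fields:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    squid      1234  12 tcp4   203.0.113.5:3128      *:*
squid    squid      1234  13 tcp4   *:80                  *:*
unbound  unbound    2222  5  udp4   192.168.1.1:53        *:*
root     sshd       999   4  tcp4   192.168.1.1:22        *:*
root     nginx      1010  6  tcp4   192.168.1.1:443       *:*'

# wan_listeners WAN_IP  (reads sockstat output on stdin)
# Prints "COMMAND PROTO LOCAL-ADDRESS" for each socket bound to WAN_IP or to
# the wildcard "*". Returns 1 if any such listener was found, 0 otherwise.
wan_listeners() {
    awk -v wan="$1" '
        NR == 1 { next }                 # skip the header line
        {
            split($6, a, ":")            # LOCAL-ADDRESS is host:port
            if (a[1] == wan || a[1] == "*") {
                print $2, $5, $6
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Demo on the constructed sample. On a live box you would run instead:
#   sockstat -4 -l | wan_listeners "$(ifconfig em0 | awk '/inet /{print $2}')"
printf '%s\n' "$SAMPLE" | wan_listeners 203.0.113.5 \
    || echo "=> listeners reachable on WAN (above); check the Squid listen interface"
```

Only sockets bound to the WAN address or wildcard are reported; the LAN-only unbound, sshd and nginx entries in the sample are ignored.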
- 16 days later
-