Netgate Discussion Forum

    Pfsense open ports [SOLVED]

    2.0-RC Snapshot Feedback and Problems - RETIRED
    47 Posts 4 Posters 65.1k Views
    • jimp (Rebel Alliance Developer, Netgate)

      You must be hitting something else along the way that is redirecting ports into itself.

      The most common example of this is pfSense's FTP proxy. If you do an nmap scan from behind a pfSense router for an external IP, it will show FTP open if you have the FTP proxy on, because the proxy is grabbing the FTP traffic.

      If you really want to know for sure, PM me an IP and I'll nmap it from a known good source and tell you what is really open. :-)

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • vorgusa

        @jimp:

        The ports would only be open if you opened them. Everything is blocked by default.

        A lot depends on not only where you run the scan from but from what kind of router you are running the scan from behind.

        If you are running a scan from a system behind a proxy (ftp proxy, web proxy, etc) you may be getting lured into that proxy instead of actually hitting the box you are trying to scan.

        A scan from somewhere else like GRC is likely to be more accurate than an nmap scan from a 3G dongle/tethering setup.

        If you can hit the web port on pfSense, you can login. If you can't login, you are probably hitting something else – not your firewall.

        A packet capture on WAN during the scan could confirm more of this.

        I would be in shock if I somehow got redirected to someone else's pfSense 2.0 box because I was behind a proxy.  Plus I can connect to the SSH port, shouldn't this need to be added manually or was there an option I must have accidentally selected?

        I tried the filter option and I do not see any reference to my webpage connection, but I did see a reference to a blocked ping when I tried to ping it.

        The error message I receive from the web interface after I try to log in is this:
        An HTTP_REFERER was detected other than what is defined in System -> Advanced (https://mywebserver). You can disable this check if needed in System -> Advanced -> Admin.

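The login error quoted above is pfSense's referer check rejecting the request. As an added illustration (mine, not pfSense's code; the URL normalisation, the default-port handling and the treatment of a missing header are assumptions about how such a check behaves), this Python sketch shows why reaching the firewall by a name or address other than the one configured under System -> Advanced (https://mywebserver) trips the check: the browser's Referer names the address actually typed, so the two origins differ. Getting exactly this error is consistent with the request landing on a pfSense webConfigurator, which is the point jimp makes about whether the scan is hitting the firewall at all.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Added example: a referer check shaped like the one pfSense's error message
# describes. Not pfSense's code; function names, default-port handling and the
# treatment of a missing header are assumptions.

CONFIGURED_ADMIN_URL = "https://mywebserver"   # the System -> Advanced value quoted above


def _origin(url: str) -> Tuple[str, str, int]:
    """Reduce a URL to (scheme, host, port), filling in the default port
    so that https://host and https://host:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    return parts.scheme.lower(), (parts.hostname or "").lower(), port


def referer_matches(configured_url: str, referer: Optional[str]) -> bool:
    """True when the Referer header points at the configured admin origin."""
    if not referer:
        return False          # assumption: a missing header counts as a mismatch
    return _origin(configured_url) == _origin(referer)


def check_login_request(headers: dict, configured_url: str = CONFIGURED_ADMIN_URL,
                        enforce: bool = True) -> Tuple[bool, str]:
    """Decide whether a login POST is accepted; returns (accepted, reason)."""
    if not enforce:           # the "disable this check" option from the message
        return True, "referer check disabled"
    if referer_matches(configured_url, headers.get("Referer")):
        return True, "referer ok"
    return False, ("An HTTP_REFERER was detected other than what is defined "
                   f"in System -> Advanced ({configured_url}).")


if __name__ == "__main__":
    # Browsing by the WAN address instead of the configured name. 203.0.113.5 is
    # a documentation-range placeholder, not the poster's real IP.
    for ref in ("https://mywebserver/index.php", "https://203.0.113.5/index.php", None):
        print(ref, "->", check_login_request({"Referer": ref} if ref else {}))
```

The check is a same-origin guard on state-changing requests to the GUI; browsing to the firewall through the configured hostname (or over the VPN) satisfies it without turning it off.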
        • Guest

          Did you enable the SSH service? What packages did you install? If you have a mobile, could you try connecting to the web portal that way, see if you get the same error?

          @vorgusa: (quotes vorgusa's reply above in full)

          • jimp (Rebel Alliance Developer, Netgate)

            Then you probably aren't getting proxied, you just have the port open for outside access on your WAN rules. It doesn't open itself… :-)  (Or you are scanning from an interface/IP that has access)

            • jimp (Rebel Alliance Developer, Netgate)

              vorgusa:

              Nmap scan report for c-x-x-x-x.hsd1.fl.comcast.net (x.x.x.x)
              Host is up (0.10s latency).
              Not shown: 65529 filtered ports
              PORT      STATE SERVICE  VERSION
              22/tcp    open  ssh      OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
              53/tcp    open  domain   dnsmasq 2.55
              80/tcp    open  http     lighttpd 1.4.28
              443/tcp   open  ssl/http lighttpd 1.4.28
              2189/tcp  open  sip      FreeBSD/8.1-PRERELEASE UPnP/1.0 MiniUPnPd/1.4 (Status: 501 Not Implemented)
              40122/tcp open  unknown
              

              You really do seem to have overly permissive WAN rules. If you post a screenshot of them where we can advise what might be causing it. (I scanned 1-65535)

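One way to turn a report like the one above into a repeatable check, as an added example (mine, not code from the thread, from nmap or from pfSense): parse nmap's normal output, confirm the scan covered the whole range, and diff the open ports against the list of ports you meant to expose on WAN. The report text embedded below is jimp's, with the hostname replaced by a placeholder; the intended list (OpenVPN on 1194, the torrent forward on 40122) is an assumption drawn from vorgusa's later posts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the report jimp posted above, with the hostname and
# address replaced by placeholders (not the poster's real values).
SCAN_REPORT = """\
Nmap scan report for host.example (x.x.x.x)
Host is up (0.10s latency).
Not shown: 65529 filtered ports
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 5.4p1 (FreeBSD 20100308; protocol 2.0)
53/tcp    open  domain   dnsmasq 2.55
80/tcp    open  http     lighttpd 1.4.28
443/tcp   open  ssl/http lighttpd 1.4.28
2189/tcp  open  sip      FreeBSD/8.1-PRERELEASE UPnP/1.0 MiniUPnPd/1.4 (Status: 501 Not Implemented)
40122/tcp open  unknown
"""

# Ports this firewall is meant to expose on WAN; an assumption taken from the
# later posts (OpenVPN on 1194, the torrent client's forward on 40122).
INTENDED_WAN_PORTS = {("tcp", 1194), ("tcp", 40122)}

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\w+) ports?$")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_report(text: str) -> List[PortEntry]:
    """Extract the per-port lines from nmap's normal (-oN style) output."""
    entries = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            entries.append(PortEntry(int(m["port"]), m["proto"], m["state"],
                                     m["service"], (m["version"] or "").strip()))
    return entries


def not_shown(text: str) -> Optional[Tuple[int, str]]:
    """Return (count, state) from the 'Not shown: N filtered ports' line."""
    for raw in text.splitlines():
        m = NOT_SHOWN.match(raw.strip())
        if m:
            return int(m["count"]), m["state"]
    return None


def scan_coverage(text: str) -> int:
    """Ports accounted for: listed ports plus the 'not shown' count.
    65535 means the whole TCP range was scanned, as jimp says he did."""
    hidden = not_shown(text)
    return len(parse_nmap_report(text)) + (hidden[0] if hidden else 0)


def unexpected_exposures(entries: List[PortEntry],
                         intended: Set[Tuple[str, int]]) -> List[PortEntry]:
    """Open ports not on the intended list: each one needs either a WAN rule
    review (a service of the firewall itself) or a NAT/UPnP mapping review."""
    return [e for e in entries if e.state == "open" and (e.proto, e.port) not in intended]


def report(text: str, intended: Set[Tuple[str, int]] = INTENDED_WAN_PORTS) -> List[str]:
    """Human-readable summary: coverage line followed by one line per surprise."""
    lines = [f"ports accounted for: {scan_coverage(text)} of 65535"]
    for e in unexpected_exposures(parse_nmap_report(text), intended):
        lines.append(f"UNEXPECTED {e.port}/{e.proto} {e.service} {e.version}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN_REPORT)))
```

Run against this report it flags 22, 53, 80, 443 and 2189, all of which are services running on the firewall itself (sshd, dnsmasq, the webConfigurator, miniupnpd), which is what points at the WAN rules rather than at port forwards. The coverage line (65529 filtered + 6 listed = 65535) is a cheap way to confirm a full-range scan before trusting a "nothing open" result.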
              • jimp (Rebel Alliance Developer, Netgate)

                Something else people seem to forget about too is that if you have UPnP enabled, anything on LAN can open up and forward whatever ports it wants. Even if you aren't hitting the pfSense box with a scan you could be hitting a port forward that opened up via UPnP.

                • Guest

                  upnp is disabled by default correct?

                  • jimp (Rebel Alliance Developer, Netgate)

                    Yes, upnp must be enabled by hand.

                    • jimp (Rebel Alliance Developer, Netgate)

                      heavy1metal - I got nothing open when I scanned your IP. Though I only scanned 1-3000 due to it being slow (presumably since they were filtered)

                      • Guest

                        Excellent :-) That covers all the "normal 1-1023" service ports anyway. I'm a bit worried about the OP's open ports, he mentioned he has a port open for torrent traffic I believe, possible he wild-carded the destination port by accident?

                        Also, did you scan from two IP addresses? Or is that the result of load balancing from a dual WAN setup? Or maybe for once in my life I had a US port scan me :-) So used to the Chinese trying to scan me checking if I'm an open proxy. Thank you for checking :-)

                        @jimp: (quotes jimp's reply above)

                        • vorgusa

                          I took screen shots of the dashboard, NAT, Rules, and upnp settings.  UPNP status is empty and I do not see why upnp would end up leaving port 53 open, seems like all my open ports are pfsense services.  I am masking IPs and stuff in the screen shots and they will be up soon.  I forgot to take a screenshot of the general settings for the ssh connection though.

                          • vorgusa

                            Very frustrating to post attachments!  :)

                            NAT.jpg
                            Rules.jpg
                            system.txt

                            • vorgusa

                              Here are the last two

                              dashboard.jpg
                              upnp.jpg

                              • vorgusa

                                As I posted in my other thread, I have reset everything to factory defaults and reconfigured it again.  I noticed that when I originally installed everything I never saw the startup wizard, so I have a feeling it's related to that.  I also experienced unusually high CPU usage while nothing was going on and my other unusual problems are gone.  I will scan it tomorrow with nmap and see if the problems are fixed.

                                • Guest

                                  You have/had port 443 open to the public/world by not specifying a source address. Also torrents only require TCP, they do not use UDP packets.

                                  As for the upnp, you might want to do a port scan and then watch what ports open up. Or try disabling it, and then do a scan.

                                  As for port 53, would anyone know if the "upnp port mapping (for windows)" would be letting windows services open up ports?

                                  Maybe pfsense is opening port 80 on behalf of itself? Unless you have a web server back there trying to get out?

                                  Also I assume your torrent port is 40122? Sort of the only one open that looks out of place.

                                  Just saw your system.txt, in there I saw
                                  Mar 2 19:19:30 miniupnpd[12590]: HTTP listening on port 2189
                                  Mar 2 19:19:30 miniupnpd[12590]: HTTP listening on port 2189

                                  Is upnp intended to open ports even if it is a service on pfsense that wants them open?

                                  ![Wan Rules.jpg](/public/imported_attachments/1/Wan Rules.jpg)

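The miniupnpd lines pulled from system.txt above are the kind of evidence that ties a scanned-open port back to the daemon answering it. As an added example (mine, not from the thread or pfSense), the Python below reads syslog-style lines, records what each daemon says it listens on, and joins that with the set of ports seen open from outside, taken from vorgusa's post-reset scan further down. The two miniupnpd lines are the ones quoted above; the sshd line is constructed in OpenSSH's usual wording to show a daemon that listens locally but is not open from WAN; the regexes and the three categories are my assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Log sample: the two miniupnpd lines are the ones quoted from system.txt above;
# the sshd line is a constructed example in OpenSSH's usual wording, added to
# show a daemon that listens locally but was not open in the scan.
SYSTEM_LOG = """\
Mar 2 19:19:30 miniupnpd[12590]: HTTP listening on port 2189
Mar 2 19:19:30 miniupnpd[12590]: HTTP listening on port 2189
Mar 2 19:19:31 sshd[12611]: Server listening on 0.0.0.0 port 22.
"""

# TCP ports open in vorgusa's post-reset scan (the list he posts below).
SCANNED_OPEN_TCP: Set[int] = {53, 80, 443, 1194, 2189, 40122}

SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
LISTEN_MSG = re.compile(r"listening on (?:\S+ )?port (?P<port>\d+)", re.IGNORECASE)


def listeners_from_log(text: str) -> Dict[int, Set[str]]:
    """Map each port a daemon reports listening on to the daemon name(s);
    duplicate log lines (as in the sample) collapse naturally into the set."""
    out: Dict[int, Set[str]] = {}
    for line in text.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        lm = LISTEN_MSG.search(m["msg"])
        if lm:
            out.setdefault(int(lm["port"]), set()).add(m["daemon"])
    return out


def attribute_ports(open_ports: Set[int], listeners: Dict[int, Set[str]]) -> List[Tuple[int, str]]:
    """Classify every port that is open from WAN or claimed by a local daemon.
    A daemon binding a port is not by itself an exposure: the WAN rules and the
    NAT/UPnP mappings decide what is reachable, so each class names the place
    to look next."""
    rows = []
    for port in sorted(open_ports | set(listeners)):
        who = ",".join(sorted(listeners.get(port, ())))
        if port in open_ports and who:
            rows.append((port, f"open from WAN and served by {who}: review WAN rules"))
        elif port in open_ports:
            rows.append((port, "open from WAN, no local daemon claims it: review NAT forwards and UPnP mappings"))
        else:
            rows.append((port, f"{who} listens locally but was not open from WAN: blocked by WAN rules as expected"))
    return rows


if __name__ == "__main__":
    for port, verdict in attribute_ports(SCANNED_OPEN_TCP, listeners_from_log(SYSTEM_LOG)):
        print(f"{port:>5}  {verdict}")
```

With these inputs 2189 is attributed to miniupnpd, 22 is shown as listening but not reachable, and the rest fall into the "look at NAT/UPnP or the other daemons' logs" bucket; extending SYSTEM_LOG with the real dnsmasq, lighttpd and OpenVPN startup lines from a box would move those ports into the first class.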
                                  • vorgusa

                                    After the factory defaults, I am still getting the ports open.  The previous port 443 was done by the OpenVPN wizard because I designated that as the port for it.  Right now I have OpenVPN at the default port (1194) and upnp enabled, but only for the LAN.  The only port forwarding and Rules I have done are for Torrents and what the automated wizards have done.

                                    PORT      STATE SERVICE
                                    53/tcp    open  domain
                                    80/tcp    open  http
                                    443/tcp   open  https
                                    1194/tcp  open  unknown
                                    2189/tcp  open  unknown
                                    40122/tcp open  unknown

                                    Why would the Upnp even be there if I selected it to only be there for the LAN section.. seems like pfSense services are before the Firewall

                                    • Guest

                                      That is strange, and you're still able to access the web portal from work? If you tried now to log in does it give you that redirect error you were getting before?

                                      • vorgusa

                                        Yep, same error and for some reason I can not get an IP from OpenVPN, but that might be a problem on my end.  I will look into that tonight, but then again, I will probably go back to 1.2.3 if these ports keep showing up… I could probably try to manually block them using the firewall.

                                        • jimp (Rebel Alliance Developer, Netgate)

                                          How is your network wired up?

                                          Is that public IP directly on WAN, or do you have something else in front doing NAT?

                                          Can you post the contents of /tmp/rules.debug - it might help show what the issue really is.

                                          • vorgusa

                                            I never re-enabled ssh, but I will head home for lunch and set it up.  By the way, I have never done anything related to port 53, so I know that should not be showing.  At work, if I do:

                                            host -T internalserver.local MyWAN-IP

                                            I get my internal IP address for the internal server, so that is definitely not being blocked in any way  (-T is for TCP connection)

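What `host -T` is doing in that check, shown as an added example in plain Python (mine, not the host tool's code): it sends the query to the firewall's WAN address over TCP/53 with a 2-byte length prefix on each message, so an answer means the DNS forwarder is reachable from outside regardless of what a UDP probe shows. The server address and name come from the command line, the sample response is constructed rather than captured, and 192.168.1.10 is an invented private address standing in for the internal server.

```python
import socket
import struct
import sys
from typing import List, Optional, Tuple

# Added example of the `host -T` exchange in plain Python: not the host tool's
# code. Server address, name and the sample response below are placeholders.

QID = 0x1234  # fixed transaction ID for the sample; a real client randomises it


def build_query(name: str, qid: int = QID) -> bytes:
    """Standard A query for `name` in DNS wire format, RD bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_answers(msg: bytes, qid: int = QID) -> List[str]:
    """IPv4 addresses from the answer section of a response to our query."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = _read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read")
        buf += chunk
    return buf


def tcp_lookup(server: str, name: str, timeout: float = 5.0) -> Optional[List[str]]:
    """Ask `server` for `name` over TCP/53, as `host -T` does. None means
    53/tcp was not reachable (what a filtered WAN should give); a list of
    addresses means the forwarder answered from outside."""
    query = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
    except OSError:
        return None
    return parse_a_answers(data)


# Constructed response (not captured from a real server): one A record whose
# owner name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QID, 0x8180, 1, 1, 0, 0)
    + build_query("internalserver.local")[12:]
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton("192.168.1.10")
)

if __name__ == "__main__":
    # usage: python dnscheck.py <your-WAN-IP> internalserver.local
    print(tcp_lookup(sys.argv[1], sys.argv[2]))
```

Getting an internal address back this way is the same finding vorgusa reports: the forwarder is answering on the WAN address, and the fix is on the WAN rules, not in the resolver.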
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.