Netgate Discussion Forum

Default Install Open ports w/ pppoe

2.0-RC Snapshot Feedback and Problems - RETIRED
11 Posts 3 Posters 2.9k Views
    mrguitar
    last edited by Dec 20, 2010, 3:10 AM

    Hardware: Alix 2d13
    Snapshot: pfSense-2.0-BETA4-1g-20101219-0636-nanobsd.img.gz

    Problem: Default install leaves services running on pfsense open on the WAN (pppoe) interface. Specifically 22,80, & 443. I'm port scanning using https://www.grc.com.

    Steps to recreate:
    1. dd embedded image to CF
    2. configure LAN & WAN interfaces.
    3. enable SSH
    4. enable HTTPS for web GUI
    5. scan yourself and 22,80, & 443 are open to the outside world. YIKES!

    **disabling SSH will close the port, enabling re-opens 22. This is the behavior regardless of what is set under firewall rules.

    My guess tells me this has something to do w/ pppoe. I can't test a static WAN IP right now, but I suspect these issues won't show up there, or we would have heard about this issue on the forums by now. I'm going to have to go back to 12.3 for my home firewall for now. :(  but I will start testing regularly using KVM.

    I believe this issue is related to some of the strangeness I experienced here: http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_HEAD/nanobsd/pfSense-2.0-BETA4-1g-20101219-0636-nanobsd.img.gz

      cmb
      last edited by Dec 20, 2010, 3:48 AM

      post your /tmp/rules.debug

        jlepthien
        last edited by Dec 20, 2010, 4:28 PM

        Actually that can't be. pfSense is pretty closed down when you install it. Had my snap tested and all is closed…
        Same snap here...

        | apple fanboy | music lover | network and security specialist | in love with cisco systems |

          mrguitar
          last edited by Dec 20, 2010, 10:25 PM

          cmb, unfortunately I'm low on WAF points these days and I had to get something up and running. I reverted back to 1.2.3. It should be really easy to recreate my environment, I just don't have an extra alix to test w/. I'm kind-of hoping someone w/ an alix and a PPPoE DSL line can try to recreate the problem. The WAN rules function perfectly on 1.2.3.

          jlepthien, trust me, I know this sounds crazy. I've set up maybe 30 pfsense firewalls, been using it for years, I even read the book. It's bizarre. Hopefully this is user error, but honestly I can't figure out what I'm doing wrong. You're using the same snapshot, that's good, but is your wan setup static or pppoe? Also, what hardware are you running?

          I'll see if I can recreate this in KVM tonight or tomorrow. I really hope it's user error.

          Thanks guys.

            jlepthien
            last edited by Dec 20, 2010, 10:35 PM

            I am running an alix2d13 with a regular PPPoE VDSL connection…

            | apple fanboy | music lover | network and security specialist | in love with cisco systems |

              mrguitar
              last edited by Dec 20, 2010, 10:44 PM

              hmmmmm.

              Another variable I left out was that I changed the https port for the web gui to 445 (like the old ipcop). …but that shouldn't have any effect on WAN rules not functioning properly. Also, changing it back to 443 changed the exposed port from 445 to 443.

              would you mind deleting any/all sensitive info in your config.xml file and shooting me a copy so I can compare? I know that might be asking a lot.

                jlepthien
                last edited by Dec 20, 2010, 10:47 PM

                I also changed the port on the GUI to 8443…

                I am currently struggling with importing my original config back into pfSense so now I am running a quite standard config. Just added PPPoE, DynDNS, OpenDNS and interface data. Nothing special, so if you give me an email address I can send you my config with my passwords deleted of course...

                | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                  mrguitar
                  last edited by Dec 20, 2010, 10:51 PM

                  I sent you a PM.

                  Thanks for sending that along, I'll let you know what I find. I'm glad you're not seeing the same thing. It's a pretty scary thing to see!

                    mrguitar
                    last edited by Dec 20, 2010, 11:09 PM

                    Dang. Nothing jumps out. The only thing I can see is you don't have the glxsb module loaded. I can't imagine that doing much.

                    Just for consistency, can you try scanning w/ grc common ports? https://www.grc.com/x/ne.dll?bh0bkyd2

                      jlepthien
                      last edited by Dec 20, 2010, 11:13 PM

                      Yeah, did that test once again with glxsb enabled and disabled. Still everything works fine and everything is stealthed…

                      | apple fanboy | music lover | network and security specialist | in love with cisco systems |

                        cmb
                        last edited by Dec 21, 2010, 12:56 AM

                        @mrguitar:

                        I'm kind-of hoping someone w/ an alix and a PPPoE DSL line can try to recreate the problem.

                        Many, many others including myself would have seen it if it were that simple.
