Default Install Open ports w/ pppoe

mrguitar · Dec 20, 2010, 3:10 AM

Hardware: Alix 2d13
Snapshot: pfSense-2.0-BETA4-1g-20101219-0636-nanobsd.img.gz

Problem: Default install leaves services running on pfsense open on the WAN (pppoe) interface. Specifically 22,80, & 443. I'm port scanning using https://www.grc.com.

Steps to recreate:
1. dd embedded image to CF
2. configure LAN & WAN interfaces.
3. enable SSH
4. enable HTTPS for web GUI
5. scan yourself and 22,80, & 443 are open to the outside world. YIKES!

**disabling SSH will close the port, enabling re-opens 22. This the behavior regardless of what is set in under firewall rules.

My guess tells me this has something to do w/ pppoe. I can't test a static WAN IP right now, but I suspect these issues won't show up there, or we would have heard about this issue on the forums by now. I'm going to have to go back to 12.3 for my home firewall for now. :( but I will start testing regularly using KVM.

I believe this issue is related to some of the strangeness I experienced here: http://snapshots.pfsense.org/FreeBSD_RELENG_8_1/i386/pfSense_HEAD/nanobsd/pfSense-2.0-BETA4-1g-20101219-0636-nanobsd.img.gz

cmb · Dec 20, 2010, 3:48 AM

post your /tmp/rules.debug

jlepthien · Dec 20, 2010, 4:28 PM

Actually that can't be. pfSense is pretty closed down when you installed it. Had my snap tested and all is closed…
Same snap here...

mrguitar · Dec 20, 2010, 10:25 PM

cmb, unfortunately I'm low on WAF points these days and I had to get something up and running. I reverted back to 1.2.3. It should be really easy to recreate my environment, I just don't have an extra alix to test w/. I'm kind-of hoping someone w/ an alix and a PPPoE dls line can try to recreate the problem. The WAN rules function perfectly on 1.2.3.

jlepthien, Trust me I know this sounds crazy. I've setup maybe 30 pfsense firewalls, been using it for years, I even read the book. It's bizarre. Hopefully this is user error, but honestly I can't figure out what I'm doing wrong. You're using the same snapshot, that's good, but is your wan setup static or pppoe? Also, what hardware are you running?

I'll see if I can recreate this in KVM tonight or tomorrow. I really hope it user error.

Thanks guys.

jlepthien · Dec 20, 2010, 10:35 PM

I am running an alix2d13 with a regular PPPoE VDSL connection…

mrguitar · Dec 20, 2010, 10:44 PM

hmmmmm.

Another variable I left out was I changed the https port for the web gui to 445 (like the old ipcop). …but that shouldn't have any affect on WAN rules not functioning properly. Also, changing it back to 443 changed the exposed port from 445 to 443.

would you mind deleting any/all sensitive info in your config.xml file and shooting me a copy so I can compare? I know that might be asking a lot.

jlepthien · Dec 20, 2010, 10:47 PM

I also changed the port on the GUI to 8443…

I am currently struggeling with importing my original config back into pfSense so now I am running a quite standard config. Just added PPPoE, DynDNS, OpenDNS and interface data. Nothing special, so if you give me an email address I can send you my config with my passwords deleted of course...

mrguitar · Dec 20, 2010, 10:51 PM

I sent you a PM.

Thanks for sending that along, I'll you know what I find. I'm glad you're not seeing the same thing. It's a pretty scary thing to see!

mrguitar · Dec 20, 2010, 11:09 PM

Dang. Nothing jumps out. The only thing I can see is you don't have the glxsb module loaded. I can't imagine that doing much.

Just for consistency, can you try scanning w/ grc common ports? https://www.grc.com/x/ne.dll?bh0bkyd2

jlepthien · Dec 20, 2010, 11:13 PM

Yeah, did that test once again with glxsb enabled and disabled. Still everything works fine and everything is stealthed…

cmb · Dec 21, 2010, 12:56 AM

@mrguitar:

I'm kind-of hoping someone w/ an alix and a PPPoE dls line can try to recreate the problem.

Many, many others including myself would have seen it if it were that simple.