    Receiving blocks at LAN side towards IP:80 when using nmap -sP ?!?!

    Scheduled Pinned Locked Moved 2.0-RC Snapshot Feedback and Problems - RETIRED
    10 Posts 3 Posters 4.1k Views
    • F
      fableman
      last edited by

      Hi, I have a clean pfSense 2.latest on Intel i3. No package installed, I keep it clean and simple for max speed.

      Problem:

      One of my Linux servers is doing a nmap -sP at a /21 network.

      Problem is it shows up as blocked in my firewall logs ?!?!

      Recreate problem: nmap -sP x.x.x.x

      My rules:

      My firewall log ?!?!?

      I can't figure out why this is happening ?

      To see what rule is blocking, it's telling me that.

      @1 block drop in log all label "Default deny rule"

      Nothing should be blocked from my LAN towards anything, still that nmap shows up?!

      The nmap -sP is working but just flooding my firewall logs!

      Please help..

      Most speed test sites got problems with 1/1Gbit FTTH

      • I
        inflamer
        last edited by

        According to the firewall logs, something (presumably nmap) is sending TCP ACK packets to remote hosts on tcp port 80, which wouldn't be correct since no preceding SYN -> SYN ACK has taken place, and no existing state between two hosts therefore exists.

        You might be able to create a firewall rule which allows this traffic if you experiment with the 'State type' and 'TCP flags' advanced rule options.

        • F
          fableman
          last edited by

          Still pfSense should not block anything when I allow everything ?

          (Why nmap going for port 80 looks strange for me when using the -sP)

          • C
            cmb
            last edited by

            @fableman:

            Still pfSense should not block anything when I allow everything ?

            Only legit traffic gets passed by (good) stateful firewalls. An ACK out of nowhere is not legit traffic. Allow all means allow all new connections (for TCP, flags S/SA).

            • F
              fableman
              last edited by

              @cmb:

              @fableman:

              Still pfSense should not block anything when I allow everything ?

              Only legit traffic gets passed by (good) stateful firewalls. An ACK out of nowhere is not legit traffic. Allow all means allow all new connections (for TCP, flags S/SA).

              nmap is not producing legit traffic then ? I thought they knew what they were doing :)

              Is it possible to filter this stuff out? My logs are useless when I'm getting tons of blocks, can't see anything important in all the mess.

              • I
                inflamer
                last edited by

                Fableman, you might want to run nmap with -sS instead, to have nmap run a SYN scan, pfsense would allow that outbound traffic.

                • Andreas
                • C
                  cmb
                  last edited by

                  @fableman:

                  nmap is not producing legit traffic then ? I thought they knew what they were doing :)

                  No question they know what they're doing; they intentionally create brokenness to test certain things, such as OS identification, which relies on what kind of response is generated by various brokenness. Amongst many other things, there's a lot to how it works. You want to use -sS, or go out without any firewall at all if you want to use scans other than SYN. There isn't any easy way to filter that stuff out of your logs. I always run nmap to Internet hosts from a box with a public IP directly assigned and no firewall if anything other than a SYN scan is needed.

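                  To make cmb's two points concrete (an "allow all" rule only matches TCP with flags S/SA, and an ACK with no prior state falls through to the default deny), here is a small added model of that stateful behaviour. It is example code written for this thread, not pfSense or pf source; the LAN prefix, addresses and ports are constructed.

```python
# Added example: toy model of a pf-style stateful filter with one
# "pass from LAN to any flags S/SA keep state" rule and a default deny.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A"


class StatefulFirewall:
    """Only a packet that opens a new connection (SYN set, ACK clear)
    creates state; everything else must match an existing state or is
    dropped and logged by the default deny rule."""

    DEFAULT_DENY = '@1 block drop in log all label "Default deny rule"'

    def __init__(self, lan_prefix: str):
        self.lan_prefix = lan_prefix          # constructed LAN network prefix
        self.states = set()                   # live 4-tuples (src, sport, dst, dport)

    @staticmethod
    def is_new_connection(p: Packet) -> bool:
        # "flags S/SA": of the SYN and ACK bits, only SYN may be set
        return "S" in p.flags and "A" not in p.flags

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if key in self.states or reverse in self.states:
            return "pass (existing state)"
        if p.src.startswith(self.lan_prefix) and self.is_new_connection(p):
            self.states.add(key)
            return "pass (new state)"
        return "block: " + self.DEFAULT_DENY


def demo():
    """Replays the three packet kinds from the thread through the model."""
    fw = StatefulFirewall("192.168.1.")
    ack_probe = Packet("192.168.1.10", 40000, "203.0.113.5", 80, "A")   # bare ACK to port 80
    syn_probe = Packet("192.168.1.10", 40001, "203.0.113.5", 80, "S")   # SYN, as with -PS
    syn_ack = Packet("203.0.113.5", 80, "192.168.1.10", 40001, "SA")    # reply to that SYN
    return [fw.filter(ack_probe), fw.filter(syn_probe), fw.filter(syn_ack)]
```

The first result is the log line from the original post; the second and third show why the -PS variant in the thread's final answer passes cleanly.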
                  • F
                    fableman
                    last edited by

                    @inflamer:

                    Fableman, you might want to run nmap with -sS instead, to have nmap run a SYN scan, pfsense would allow that outbound traffic.

                    • Andreas

                    same results.

                    All I need is a very fast way to check what hosts respond to ping and get them into a list.
                    Guess I have to make my own bash script for this, will be slower but can't have it like this.

                    • I
                      inflamer
                      last edited by

                      @fableman:

                      @inflamer:

                      Fableman, you might want to run nmap with -sS instead, to have nmap run a SYN scan, pfsense would allow that outbound traffic.

                      • Andreas

                      same results.

                      All I need is a very fast way to check what hosts respond to ping and get them into a list.
                      Guess I have to make my own bash script for this, will be slower but can't have it like this.

                      I would be surprised if pfSense blocks an -sS scan from nmap, could you post some screenshots to show the firewall log from such a scan?

                      • F
                        fableman
                        last edited by

                        After reading this: http://nmap.org/docs/discovery.pdf

                        The solution was to use:  nmap -sP -PS x.x.x.x/yy

                        problem solved.
