Which pf rule is triggered by nmap?
-
I've just tried an nmap scan of pfsense's WAN IP (aaa.bbb.1.201) from a LAN IP (192.168.100.66):
nmap -p 1-1024 aaa.bbb.1.201
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-04-16 20:34 EEST
Interesting ports on <pfsense-wan-fqdn>(aaa.bbb.1.201):
Not shown: 1022 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
Nmap finished: 1 IP address (1 host up) scanned in 14.988 seconds
However I've noticed the following one entry in pflog, blocking traffic to port 80
tcpdump -n -tttt -e -i pflog0
2013-04-16 20:34:04.296704 rule 3/0(match): block in on em1: 192.168.100.66.46984 > aaa.bbb.1.201.80: tcp 20 [bad hdr length 0 - too short, < 20]
Note that this is the only pflog entry.
Which pf "drop log" rule is triggered in this case?
-
You can see the rule numbers by looking at "pfctl -vvsr"
-
I looked it up and it seemed to be the default "drop" rule, but I don't understand why it only gets triggered for port 80, out of all the ports 1-1024 …
-
Impossible to say without seeing your full ruleset. It wouldn't log unless it didn't match any other rule.
-
I could upload my /tmp/rules.debug or my pfctl -sa if necessary, but there don't seem to be any references to port 80 in them (other than a port-fwd that from a specific src ip, which differs from the one doing the nmap anyway).
Could someone else please try this simple nmap scan e.g.
nmap -p22,53,80 <your_pfsense_wan_ip> from a LAN IP, and let me know if you see any blocked traffic for port 80 in Status -> System logs -> Firewall …
Edit: I just looked at the nmap man-page and it seems that it may be due to an idiosyncrasy of nmap, treating port 80 differently by default (sending a TCP ACK packet). If I use nmap -sA -p22,53,80 <your_pfsense_wan_ip> I get the same behavior on all tested ports.
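As an added example (not code from the thread or from pfSense), a small Python parser for the tcpdump pflog0 lines shown above: it extracts the rule number, interface, endpoints and the "bad hdr length" marker, and counts blocked entries per (rule, destination port) so the rule numbers can be looked up with pfctl -vvsr. The regex and the sample lines are my own; the first sample is the entry from the original post.

```python
import re
from collections import Counter

# Shape of a tcpdump -n -tttt -e line on pflog0 (assumed from the thread's output):
# "<date> <time> rule N/M(match): block in on IFACE: SRC.PORT > DST.PORT: proto ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)/(?P<sub>\d+)\(match\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\w.]+)\.(?P<sport>\d+) > (?P<dst>[\w.]+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+)(?P<rest>.*)$"
)

# Constructed sample log; line 1 is the entry quoted in the original post,
# line 2 is a second ACK probe to port 80, line 3 is a pass entry that should be ignored.
SAMPLE_PFLOG = [
    "2013-04-16 20:34:04.296704 rule 3/0(match): block in on em1: "
    "192.168.100.66.46984 > aaa.bbb.1.201.80: tcp 20 [bad hdr length 0 - too short, < 20]",
    "2013-04-16 20:34:05.100000 rule 3/0(match): block in on em1: "
    "192.168.100.66.46985 > aaa.bbb.1.201.80: tcp 20 [bad hdr length 0 - too short, < 20]",
    "2013-04-16 20:34:06.000000 rule 12/0(match): pass in on em1: "
    "192.168.100.66.50000 > aaa.bbb.1.201.22: tcp 0",
]


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        entry[key] = int(entry[key])
    # pf flags truncated TCP headers this way; nmap's probe in the thread triggered it.
    entry["bad_hdr"] = "bad hdr length" in entry["rest"]
    return entry


def summarize(lines):
    """Count block entries per (rule number, destination port)."""
    counts = Counter()
    for line in lines:
        entry = parse_pflog_line(line)
        if entry and entry["action"] == "block":
            counts[(entry["rule"], entry["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (rule, dport), n in sorted(summarize(SAMPLE_PFLOG).items()):
        print(f"rule {rule} blocked {n} packet(s) to port {dport}")
```

Feed it the real log with `tcpdump -n -tttt -e -i pflog0 | python3 pflog_summary.py` style piping (read from sys.stdin instead of SAMPLE_PFLOG) to see which rule numbers account for the blocks.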
-
Could someone else please try this simple nmap scan e.g.
nmap -p22,53,80 <your_pfsense_wan_ip> from a LAN IP, and let me know if you see any blocked traffic for port 80 in Status -> System logs -> Firewall …
nmap -p22,53,80
Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-17 00:19 CDT
sendto in send_ip_packet_sd: sendto(8, packet, 40, 0, xxx.xxx.xxx.xxx:, 16) => Operation not permitted
Offending packet: TCP 192.168.10.101:53467 > xxx.xxx.xxx.xxx:80 A ttl=48 id=57407 iplen=10240 seq=0 win=1024
Nmap scan report for ...
Host is up (0.00042s latency).
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp open domain
80/tcp filtered http
Nmap done: 1 IP address (1 host up) scanned in 1.52 seconds
I didn't see anything in my firewall logs that indicated I had even scanned my box from the LAN. Plenty of noise from the WAN side to show it's working, but nothing from the LAN whatsoever.
Why are you using an old version of nmap, if you don't mind me asking?