Netgate Discussion Forum

    (2.0.3) Shouldn't my ports be 'stealth'?

    Category: Firewalling
    19 Posts 8 Posters 10.4k Views
    • Mr. Jingles

      G'day  ;D

      Just upgraded to 2.0.3 yesterday. I did a test using Shieldsup on grc.com (I tried other testing sites, but they time out). It shows a number of closed but not 'stealth' ports. Shouldn't all ports be invisible to the outside world?

      I have no port forwarding rules, no servers serving anything to the outside world, nothing. I have created a screenshot:

      http://imgur.com/7UGbVG8

      The blue (= closed) ports are:
      23, 25, 80, 135, 137, 138, 139, 443, 445, 992

      I also ran nmap against my external IP address, but I don't really know if it is valid to do this from within the LAN, because the ports nmap shows appear to make sense to me given I would use these when accessing Pfsense from within my LAN:

      Host is up (0.00013s latency).
      Not shown: 996 filtered ports
      PORT     STATE SERVICE
      22/tcp   open  ssh
      53/tcp   open  domain
      80/tcp   open  http
      3000/tcp open  ppp

      Nmap done: 1 IP address (1 host up) scanned in 5.18 seconds

      I had the same problem on 2.0.2, in which I couldn't have PFsense do the PPPoE (due to a bug which has been fixed in 2.0.3); so in that setup my ISP's modem/router did the dial up, and DHCP'd a 192.168.1.x address to PFsense WAN. From there on, PFsense took over with a different subnet on the LAN side. So in this setup I had non-hidden ports also, but I blamed the ISP's modem/router for it. I would have expected all ports to be stealth right now that PFsense upgraded to 2.0.3 and is doing the PPPoE (external IP is on WAN now, this is not the 192.168.1.x address anymore).

      Would anybody be willing to tell me what I might be doing wrong?

      Thank you in advance very much  ;D

      Bye,

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

      • johnpoz (LAYER 8 Global Moderator)

        Well, I would say that test is not valid - are you sure you're testing your IP? Or you are forwarding traffic inbound to what looks like a Windows box with those 135 to 139 ports, 445... Or whatever it is you have from your ISP is open on those ports. Pfsense is clearly not listening on those ports. Do a simple netstat on your pfsense to see what it's listening on.

        Example - here is my pfsense box:
        netstat -an | egrep 'Proto|LISTEN'
        Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
        tcp4       0      0 24.13.xx.xx.443        *.*                    LISTEN
        tcp6       0      0 *.53                   *.*                    LISTEN
        tcp4       0      0 *.53                   *.*                    LISTEN
        tcp4       0      0 *.2189                 *.*                    LISTEN
        tcp6       0      0 *.80                   *.*                    LISTEN
        tcp4       0      0 *.80                   *.*                    LISTEN
        tcp4       0      0 *.22                   *.*                    LISTEN
        tcp6       0      0 *.22                   *.*                    LISTEN

        And from that test I show this for mine:

        Results from scan of ports: 0-1055

            2 Ports Open
            0 Ports Closed
         1054 Ports Stealth
        ---------------------
         1056 Ports Tested

        NO PORTS were found to be CLOSED.
        Ports found to be OPEN were: 22, 443

        Which, yeah, I am listening on 22 and 443 on the WAN. I would highly suggest you post your firewall rules for your WAN and/or PPPoE interfaces. And validate what IP you were actually testing, or if something is in between.

        Clearly pfsense, especially in the default setup, is not going to be listening on those ports you show: telnet and smtp and windows ports, and 992 I show as Secure Telnet (over TLS/SSL) - yeah, pfsense does not listen on those ports ;) Look yourself via the netstat command I posted.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Mr. Jingles

          Thank you very much for your reply, John  ;D

          I am rather quite sure that I was testing the right external IP (that is, grc.com automatically takes my IP I take it).

          I do agree with you that this site might have an error or so. I ran your netstat command, which returns this:

          [2.0.3-RELEASE][admin@pfsense.localdomain]/root(1): netstat -an |egrep 'Proto|LISTEN'
          Proto Recv-Q Send-Q  Local Address          Foreign Address       (state)
          tcp4       0      0 127.0.0.1.3128         *.*                    LISTEN
          tcp4       0      0 192.168.1.1.3128       *.*                    LISTEN
          tcp4       0      0 *.3000                 *.*                    LISTEN
          tcp6       0      0 *.53                   *.*                    LISTEN
          tcp4       0      0 *.53                   *.*                    LISTEN
          tcp4       0      0 *.80                   *.*                    LISTEN
          tcp4       0      0 *.22                   *.*                    LISTEN
          tcp6       0      0 *.22                   *.*                    LISTEN

          However, what does surprise me is that your post at the top shows your external IP, yet mine shows the address of Pfsense (?)

          I will post my firewall rules (per screenshot), but I have to walk the guardians of my wife ( ;D) first, they are grumbling downstairs that I am already too late doing that.

          Thank you again for your help  :P

          Bye,

          EDIT: while walking my dogs, I was thinking: could this for some reason be caused because Pfsense is doing 'pass through' PPPoE?


          • My ISP has a horrible modem/router. On 2.0.2, I couldn't get PPPoE to work in Pfsense (PFS).

          • So in 2.0.2 I had this setup:
            --- ISP modem/router does PPPoE and DHCP's 192.168.1.2 to PFS-WAN.
            --- PFS does DHCP in different subnet to LAN-clients.
            --- "It just worked" (noob expression  ;D).

          • Yesterday I upgraded to 2.0.3:
            --- I simply let all cables in place the way they were (so PFS WAN-cable in ISP modem/router)
            --- I changed PFS-WAN settings from 'DHCP' to 'PPPoE' and entered log in information.
            --- "It just worked" (surprised noob expression  ;D).

          • On trying to understand why this happened, I learned:
            --- There are now two PPPoE connections at the same time;
            ------- One from the modem/router
            ------- One from PFS, which is called 'PPPoE pass through'

          • So while walking the dogs, I said to myself: 'self':
            --- Two PPPoE's might mean 2 external IP's
            --- It could be that grc.com is testing IP1 (the modem/router, which has all these closed but not stealth ports)
            --- While PFS is actually using a different IP2.

          • Back home, I checked, but no: the external IP grc.com reports as testing is the very same PFS reports as the WAN-IP in the Dashboard.

          So, would disabling the PPPoE connection the ISP modem/router makes solve this vague problem? Normally, I would simply test this, but the last time I disabled the PPPoE and DHCP in the modem/router I wasted a full afternoon trying to get that thing to do anything at all again (hard resetting it to factory settings a couple of times, calling the help desk, and so on and so forth). So I'd rather not 'simply try it', I was hoping somebody would know if this is, for known technical reasons, most likely the cause of this problem.

          • Mr. Jingles

            I also had to add the firewall rules; I created screenshots:

            [Attachments: FW_rules_LAN.png, FW_rules_WAN.png, FW_rules_floating.png]

            • Mr. Jingles

              A small update: when I run nmap from the wireless LAN of my neighbour against my own external IP, nmap says 'all ports are filtered', which suggests it is working fine. Which leaves me with why it does show all these open ports when I use internet test sites.

              I do suspect it has to do with the ISP's modem/router doing the 'original' PPPoE, and PFS doing a 'pass through' PPPoE next to that.

              • chpalmer

                I do suspect it has to do with the ISP's modem/router doing the 'original' PPPoE, and PFS doing a 'pass through' PPPoE next to that.

                X2

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                • Mr. Jingles

                  @chpalmer:

                  X2

                  ???

                  ( ;D)

                  • mr_bobo

                    @Hollander:

                    Which leaves me with why it does show all these open ports when I use internet test sites.

                    Nmap online scan

                    • chpalmer

                      @Hollander:

                      @chpalmer:

                      X2

                      ???

                      ( ;D)

                      Means me also.  I tend to agree with your theory.  When I check against GRC (which I tend to believe spreads a little FUD around) I get everything except the one port I have open as invisible.

                      • razzfazz

                        @Hollander:

                        Which leaves me with why it does show all these open ports when I use internet test sites.

                        What open ports? Your earlier screen shot shows everything either as "stealth" or "closed" (i.e., "drop" or "reject" in terms of pf rules). Neither of these are harmful or dangerous.

                        The closed ports that you're seeing are most likely ports that are filtered by your ISP; i.e., they get rejected upstream from you, and requests for them never even get to your box.

                        • PhoenixOrion

                          I am having the same problem, but with some of the ports not stealthed. When I am connected through pfsense on the WAN with DHCP, all is stealthed, which is what I want. But I use a VPN service to share anonymous internet with the whole house and have pfsense connect as a client on OpenVPN. When it is connected as a client I get about 10 ports that are closed but not stealthed, and I am wondering what I can do to get them to stealth. I can also VPN directly from my computer, not the pfsense box, and all is stealthed with Comodo firewall, so I'm not sure where these closed ports are coming from. But I do have a wireless Linksys router in between the pfsense box and my computer. I haven't tested it for a while, but I believe all ports on it should be stealthed; it is running DD-WRT. Any help I would appreciate as well.

                          • cmb

                            As long as you haven't added any reject rules, you're either open or "stealth", or something other than the firewall is responding. When it's a small number of ports, it's almost certainly because the ISP (or VPN provider in that case) is doing blocking.

                            • PhoenixOrion

                              @cmb:

                              As long as you haven't added any reject rules, you're either open or "stealth", or something other than the firewall is responding. When it's a small number of ports, it's almost certainly because the ISP (or VPN provider in that case) is doing blocking.

                              It is the VPN; I checked with the OpenVPN connection and it is them. If I connect via SSTP, PPTP or L2TP they are stealthed, but their OpenVPN is not fully stealthed? For my VPN provider. All this time pulling out my hair, unless it is an OpenVPN problem, not sure yet.

                              • Mr. Jingles

                                Hmmm, sorry if I may come back at this again  :-X

                                I ran the test at grc.com again, but the funny thing is: the ports that grc.com shows as 'closed' but not 'stealth' (I take it this is 'reject' versus 'drop') are the ports that also do not show in Status/System logs/Firewall. For example, you see 'port 992' is 'closed' but not 'stealth' in the first screenshot, and in the firewall log you see no port 992 blocked (second screenshot).

                                So this would then mean that PFS isn't blocking that since it never reaches PFS since my ISP is already blocking that?

                                [Attachment: grc.jpg]

                                • Mr. Jingles
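The correlation described in the post above, carried out over constructed sample data as an added example (not code from the thread): each port the scanner reports is matched against pf log entries, so a "closed" port with no block logged by pfSense is one that was answered before the packet reached the firewall. The log line shape, addresses and per-port results are all constructed, and the regex parses only the `block in on <iface>: src.port > dst.port` part of a line.

```python
"""Correlate a ShieldsUP-style port report with pfSense firewall log
entries, the check done by hand above: a port the scanner calls
"closed" but that pf never logged as blocked was answered (with a RST)
before the packet reached pfSense.  All sample data is constructed."""
import re

# A scanner's label depends only on what came back for its SYN: SYN/ACK
# -> "open"; RST -> "closed" (pf 'block return', or some box upstream);
# nothing -> "stealth" (pf's default 'block drop'; nmap says "filtered").
RESPONSE_LABEL = {"syn-ack": "open", "rst": "closed", None: "stealth"}

# Constructed, simplified pf log lines loosely modelled on pfSense 2.0.x
# 'block' entries; only action, interface and 'src.port > dst.port' are parsed.
LOG_RE = re.compile(
    r"\b(?P<action>block|pass) in on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
SAMPLE_LOG = """\
Jul  7 19:47:50 pf: rule 1/0(match): block in on pppoe0: 203.0.113.9.40001 > 198.51.100.7.22: S
Jul  7 19:47:50 pf: rule 1/0(match): block in on pppoe0: 203.0.113.9.40002 > 198.51.100.7.3000: S
Jul  7 19:47:51 pf: rule 1/0(match): block in on pppoe0: 203.0.113.9.40003 > 198.51.100.7.8080: S
Jul  7 19:47:51 pf: rule 2/0(match): pass in on pppoe0: 203.0.113.9.40004 > 198.51.100.7.443: S
"""

# Constructed per-port replies seen by the scanner, in the shape of the
# thread's GRC result: 23/25/992 answered with a RST, 443 with SYN/ACK.
SAMPLE_RESPONSES = {22: None, 23: "rst", 25: "rst", 443: "syn-ack",
                    992: "rst", 3000: None, 8080: None, 9999: None}
SAMPLE_SCAN = {p: RESPONSE_LABEL[r] for p, r in SAMPLE_RESPONSES.items()}


def blocked_ports(log_text, wan_ip):
    """Destination ports that pf logged as blocked on the way to wan_ip."""
    ports = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["action"] == "block" and m["dst"] == wan_ip:
            ports.add(int(m["dport"]))
    return ports


def classify(scan, log_text, wan_ip):
    """Map each scanned port to where its result most likely came from."""
    seen = blocked_ports(log_text, wan_ip)
    verdicts = {}
    for port, label in sorted(scan.items()):
        if label == "open":
            verdicts[port] = "open: a listener or NAT rule answered; check netstat/rules"
        elif label == "stealth" and port in seen:
            verdicts[port] = "stealth: dropped by pfSense (block logged)"
        elif label == "stealth":
            verdicts[port] = "stealth: no reply and no pf log entry (dropped upstream, or logging off)"
        elif port in seen:
            verdicts[port] = "closed: pf logged a block yet a RST came back; look for a reject rule"
        else:
            verdicts[port] = "closed: never reached pfSense; RST sent upstream (ISP/modem)"
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify(SAMPLE_SCAN, SAMPLE_LOG, "198.51.100.7").items():
        print(f"{port:>5}  {verdict}")
```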

                                  Still only one screenshot at a time can be posted  :P Here is number 2:

                                  [Attachment: 2013-07-07_194752.jpg]

                                  • Mr. Jingles

                                    @mr_bobo:

                                    @Hollander:

                                    Which leaves me with why it does show all these open ports when I use internet test sites.

                                    Nmap online scan

                                    Thank you very much for this link  ;D

                                    That link shows the first 5000 ports all filtered. So this might confirm what I wrote right before this reply, I think.

                                    • chpalmer

                                      Good bedtime reading-

                                      http://cable-dsl.navasgroup.com/#CheckSecurity

                                      http://web.archive.org/web/20060215171504/http://blog.netwarriors.org/articles/2003/11/11/shieldsup-analyzed

                                      and all this if you really have a lot of time on your hands-

                                      http://web.archive.org/web/20060204120906/http://www.grcsucks.com/

                                      I'm not posting this to flame but to educate on some past "disagreements" in the online security field.

                                      Take it all with a grain of salt!

                                      • Mr. Jingles

                                        @chpalmer:

                                        Good bedtime reading-

                                        http://cable-dsl.navasgroup.com/#CheckSecurity

                                        http://web.archive.org/web/20060215171504/http://blog.netwarriors.org/articles/2003/11/11/shieldsup-analyzed

                                        and all this if you really have a lot of time on your hands-

                                        http://web.archive.org/web/20060204120906/http://www.grcsucks.com/

                                        I'm not posting this to flame but to educate on some past "disagreements" in the online security field.

                                        Take it all with a grain of salt!

                                        :o  ???  :-X  :P  ;D

                                        You sir, thank you very much for these links; that is a lot of reading to do, but I skimmed through some of them and it was like:  :o

                                        Thank you  ;D

                                        • kejianshi

                                          How could anyone take GRCsucks as a flame job?  haha.

                                          That said, a simple scan from their site comes up for me all ports stealth except the ports I opened purposefully.

                                          All is well on my pfsense (except perhaps the holes I punched in the firewall myself)

                                          Then again, I may be riddled with backdoor trojans…  Apparently hard to know from their results.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.