2.1 Failing the GRC firewall test
-
2.1-RELEASE (amd64)
built on Wed Sep 11 18:17:48 EDT 2013
FreeBSD 8.3-RELEASE-p11Everything blocked on the WAN interface with the two default rules as well.
Just ran the firewall test at GRC.com https://www.grc.com/x/ne.dll?bh0bkyd2 with an all service port scan and GRC is reporting
Ports 0-63 = Stealth
64-174 = Closed
175-180 = Stealth
181-191 = Closed
192-255 = Stealth
256-391 = Closed
392-393 = Stealth
394-415 = Closed
416-479 = Stealth
480-605 = Closed
606-671 = Stealth
672-794 = Closed
795-863 = Stealth
864-983 = Closed
984-1055 = StealthPrevious versions of pfsense show up as all Stealth, so why is 2.1 failing the GRC scan like this?
Edit: Sorry the Closed ports are actually reported as Open according to GRC.
-
Well I've just reinstalled from CD and still getting the same results on this pc.
Any suggestion or anyone else see this, if not I'll start looking at the UEFI bios on this machine as this is also running slower compared to previous times I've been in the bios?
-
–--------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2013-11-21 at 20:48:58
Results from scan of ports: 0-1055
635 Ports Open
0 Ports Closed
421 Ports Stealth1056 Ports Tested
NO PORTS were found to be CLOSED.
Ports found to be STEALTH were: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23,
24, 25, 26, 27, 28, 29, 30,
31, 32, 33, 34, 35, 36, 37,
38, 39, 40, 41, 42, 43, 44,
45, 46, 47, 48, 49, 50, 51,
52, 53, 54, 55, 56, 57, 58,
59, 60, 61, 62, 63, 192, 193,
194, 195, 196, 197, 198, 199,
200, 201, 202, 203, 204, 205,
206, 207, 208, 209, 210, 211,
212, 213, 214, 215, 224, 225,
226, 227, 228, 229, 230, 231,
232, 233, 234, 235, 236, 237,
238, 239, 240, 241, 242, 243,
244, 245, 246, 247, 248, 249,
250, 251, 252, 253, 254, 255,
256, 257, 258, 259, 260, 261,
262, 263, 264, 265, 266, 267,
268, 269, 270, 271, 331, 332,
335, 343, 352, 353, 354, 355,
356, 357, 358, 359, 360, 361,
362, 363, 364, 365, 366, 367,
368, 369, 370, 371, 372, 373,
374, 375, 376, 377, 378, 379,
380, 381, 382, 383, 384, 385,
386, 387, 388, 389, 390, 391,
392, 393, 394, 395, 396, 397,
398, 399, 400, 401, 402, 403,
404, 405, 406, 407, 408, 409,
410, 411, 412, 413, 414, 415,
519, 520, 521, 522, 523, 524,
544, 545, 546, 547, 548, 549,
550, 551, 552, 553, 554, 555,
556, 557, 558, 559, 560, 561,
562, 563, 564, 565, 566, 567,
568, 569, 570, 571, 572, 573,
574, 575, 576, 577, 578, 579,
580, 581, 582, 583, 584, 585,
586, 587, 588, 589, 590, 591,
592, 593, 594, 595, 596, 597,
598, 599, 600, 601, 602, 603,
604, 605, 606, 607, 736, 738,
761, 762, 763, 764, 765, 766,
767, 768, 769, 770, 771, 772,
773, 774, 775, 776, 777, 778,
779, 780, 781, 782, 783, 784,
785, 786, 787, 788, 789, 790,
791, 792, 793, 794, 795, 796,
797, 798, 799, 800, 801, 802,
803, 804, 805, 806, 807, 808,
809, 810, 811, 812, 813, 814,
815, 816, 817, 818, 819, 820,
821, 822, 823, 824, 825, 826,
827, 828, 829, 830, 831, 950,
951, 952, 953, 954, 955, 956,
957, 958, 959, 960, 961, 962,
963, 964, 965, 966, 967, 968,
969, 970, 971, 972, 973, 974,
975, 976, 977, 978, 979, 980,
981, 982, 983, 984, 985, 986,
987, 988, 989, 990, 991, 992,
993, 994, 995, 996, 997, 998,
999, 1000, 1001, 1002, 1003,
1004, 1005, 1006, 1007, 1008,
1009, 1010, 1011, 1012, 1013,
1014, 1015, 1016, 1017, 1018,
1019, 1020, 1021, 1022, 1023Other than what is listed above, all ports are OPEN.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received. -
Dude I don't know what your scanning but it sure is not pfsense.. I assure you pfsense default rules would be completely stealth… Here is scan of my 2.1 box
GRC Port Authority Report created on UTC: 2013-11-21 at 22:31:00
Results from scan of ports: 0-1055
1 Ports Open
0 Ports Closed
1055 Ports Stealth1056 Ports Tested
NO PORTS were found to be CLOSED.
The port found to be OPEN was: 443
Other than what is listed above, all ports are STEALTH.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.443 is port I have open for openvpn tcp.. So I can get there from where ever, etc. And yes I allow pings - here are my firewall wan rules - see attached
Not sure what your scanning - but lets say pfsense firewall was down.. Look at what pfsense is running, its NOT listing on those ports you say are are open.. Look at what your pfsense is listening on
sockstat -4 -l
See 2nd pick of mine.. If pfsense is not listening on those ports you show open, how would they be open?? What does your sockstat look like?So how would they show open?? You sure you don't have some 1:1 nat setup scanning something inside your network. Or scanning something in front of pfsense?
-
My pfsense only shows the open port 443 TCP for my VPN, too. All other ports are stealth.
And even if I do not allow ping on my pfsense WAN site the website shows it allows pings. This is probably because I have some other routers/modems in front of pfsense which do the dial-up to my ISP.So you should check your upstream routers/modems if the have open ports which could cause that behaviour.
Further I am not sure if these tests are really good because you open a connection from inside your network to start the test. Probably best test would be to run a NMAP port scan from somewhere else outside your LAN on your WAN IP.
-
Just stating a possibility… Does your pfSense box gets assigned an actual public Internet address? Otherwise, it may just be sitting behind another router doing NAT and what you're seeing are actually GRC results acted on that upstream router and not on the pfSense box.
-
The router (British Telecom supplied) is in DMZ mode so I wouldnt have expected that to have been been causing a problem, especially not from a global company like BT, but GRC scanning the router instead of pfsense did cross my mind as suggested above.
I have a couple more routers here I can try, so will try that. The weird thing I noticed is the pattern of open & stealth ports changes which suggests the router might be getting in the way, because looking in the system log I can see all the packets coming through and being blocked yet GRC was reporting otherwise….
Maybe this Router is supposed to have some sort of psuedo smart filtering built into it which we dont know about. Certainly with all the stuff they have built with GCHQ/NSA who knows what "extras" the router comes with.
-
Great question - when you look at pfsense status, what is its wan address - is it rfc1918?? Or actual public
Does it start with 10.x.x.x, 192.168.x.x, 172.16-31.x.x??
You state " in DMZ mode " That sounds like NAT to me.. So your pfsense is behind a NAT, and your scanning your router in front of it, etc.. What is the IP address of your wan on pfsense?
Also look at pfsense via sockstat for your own piece of mind – is anything listening on those ports? If not then how could it show open? Those ports are under 1024 -- so they sure are not being used as ports to listen for return traffic from your nat clients behind pfsense, etc.
-
Which BT router do you have? HomeHub 3? Are you on adsl or fttc?
Steve
-
All 1056 ports turned up stealthed in my case. I don't yet have any services enabled through the firewall. The test reported "FAILED" only because I chose to configure pfSense to respond to ICMP Echo (ping).
-
Hi Everyone,
I know this post is old but i have just installed pfsense for the first time and I am also getting alot of ports open with the default install. I have opened just 3 ports port 80 for our web server 443 for OWA and 25 for SMTP but I am also getting alot of other ports open according to GRC firewall test.
GRC Port Authority Report created on UTC: 2014-10-20 at 11:02:17
Results from scan of ports: 0-1055
627 Ports Open
0 Ports Closed
429 Ports Stealth
–-------------------
1056 Ports TestedNO PORTS were found to be CLOSED.
Ports found to be STEALTH were: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23,
24, 26, 27, 28, 29, 30, 31,
32, 33, 34, 35, 36, 37, 38,
39, 40, 41, 42, 43, 44, 45,
46, 47, 48, 49, 50, 51, 52,
53, 54, 55, 56, 57, 58, 59,
60, 61, 62, 63, 64, 94, 128,
129, 130, 131, 132, 133, 134,
135, 136, 137, 138, 139, 140,
141, 142, 143, 144, 145, 146,
147, 148, 149, 150, 151, 152,
153, 154, 155, 156, 157, 160,
161, 162, 163, 164, 165, 166,
167, 168, 169, 170, 171, 172,
173, 174, 175, 176, 177, 178,
179, 180, 181, 182, 183, 184,
185, 186, 187, 188, 189, 190,
191, 192, 193, 194, 195, 196,
197, 198, 199, 200, 201, 202,
203, 204, 205, 206, 207, 208,
209, 210, 211, 212, 213, 214,
215, 216, 217, 218, 219, 220,
221, 222, 223, 320, 321, 322,
323, 339, 352, 353, 354, 355,
356, 357, 358, 359, 360, 361,
362, 363, 364, 365, 366, 367,
368, 369, 370, 371, 372, 373,
374, 375, 376, 377, 378, 379,
380, 381, 382, 383, 384, 385,
386, 387, 388, 389, 390, 391,
392, 393, 394, 395, 396, 397,
398, 399, 400, 401, 402, 403,
404, 405, 406, 407, 408, 409,
410, 411, 412, 413, 414, 415,
558, 559, 560, 561, 562, 563,
564, 565, 566, 567, 568, 569,
570, 571, 572, 573, 574, 575,
576, 577, 578, 579, 580, 581,
582, 583, 584, 585, 586, 587,
588, 589, 590, 591, 592, 593,
594, 595, 596, 597, 598, 599,
600, 601, 602, 603, 604, 605,
606, 607, 608, 609, 610, 611,
612, 613, 614, 615, 616, 617,
618, 619, 620, 621, 622, 623,
624, 625, 626, 627, 628, 629,
630, 631, 632, 633, 634, 635,
636, 637, 638, 639, 774, 775,
800, 801, 802, 803, 804, 805,
806, 807, 808, 809, 810, 811,
812, 813, 814, 815, 816, 817,
818, 819, 820, 821, 822, 823,
824, 825, 826, 827, 828, 829,
830, 831, 832, 833, 834, 835,
836, 837, 838, 839, 840, 841,
842, 843, 844, 845, 846, 847,
848, 849, 850, 851, 852, 853,
854, 855, 856, 857, 858, 859,
860, 861, 862, 863, 992, 993,
994, 995, 996, 997, 998, 999,
1000, 1001, 1002, 1003, 1004,
1005, 1006, 1007, 1008, 1009,
1010, 1011, 1012, 1024, 1025,
1026, 1027, 1028, 1029, 1030,
1031, 1032, 1033, 1034, 1035,
1036, 1037, 1038, 1039, 1040,
1041, 1042, 1043, 1044, 1045,
1046, 1047, 1048, 1049, 1050,
1051, 1052, 1053, 1054, 1055Other than what is listed above, all ports are OPEN.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.I am using a public IP address on pfsense so shouldn't be seeing the router and the router in also not in DMZ mode. Anyone have any ideas?
Thanks
-
Here is the thing.. Are you forwarding to something? How is that pfsense would be listening on all those ports "OPEN"
Lets think about it for 2 seconds.. For a port to show open something had to reply.. Do you think pfsense replied because it has a service running on say 1042? What would that service be?? Do a netstat on pfsense to see what is listening.. Did you create any forwards to another that could be listening on those ports?
Why don't you do a sniff on your wan when you run this scan.. Diag, packet capture - do you see inbound to those odd ball ports. You see a syn ack back? What is in your state table for those ports?
-
Also do you have uPNP enabled? If so that could be a source of your trouble. Check to see which devices are using uPNP and which ports do that have opened.
-
My thoughts exactly. uPNP may be forwarding (opening) ports you have not thought about.
-
Concur its quite possible UPnP could open up stuff - clearly this is what is wrong with UPnP in the first place - what would be requesting those privileged ports??
-
what would be requesting those privileged ports??
A virus? I can't think what else could possibly need 627 ports.
UPnP isn't enabled by default though, at least you have to be vaguely aware of the consequences before enabling it. UPnP seems to cover a lot these days though. Although pfSense only implements the port forwarding parts of it I get the impression a lot of people enable it thinking it will help them with DLNA device discovery. It won't.Steve
-
Even a virus would not need 627 ports ;) While not saying its not UPnP, I would look to something a bit more general in nature like device in front of pfsense.. ISP doing something? Just plain something broke in GRC?. Have you tried another scanner? Seem unlikely even that a virus would open 627 ports if you ask me..
A 10 second sniff on your wan port would tell you if this traffic is even getting to pfsense and if pfsense or something behind it is answering, etc.
-
I've had odd results with the GRC scan. I'm not sure where some of the "closed" responses are coming from, but when I look at my PFSense logs, the ports that show "stealth" on GRC, show a logged event in PFSense, but the ports that show "closed" in GRC, do not show in my PFSense logs. Something else up-stream is responding. The only ports I get as "closed" are related to SMB. I assume my ISP is blocking remote SMB on their firewall.
-
0-1055 all stealth here.
-
Even a virus would not need 627 ports ;)
Yeah, not exactly stealth. Worst. Virus. Ever. ::)
Seems more likely to be not actually scanning pfSense for whatever reason. CG-NAT perhaps?
Steve
