Port 25 in open state even with a block all rule?
-
Please post your WAN rules.
-
Thanx for your answer. These are the rules:
And the nmap (partial) result with this config:
-
Where are you running nmap from?
It's very unlikely you're seeing what you think you're seeing.
-
From another public IP. The WAN IP is static and the nmap request comes from a dynamic IP (85.4.244.xxx > 84.253.45.xxx). But actually I should try from another place. With another nmap config as well, I'm running it on Windows… It would be a good occasion to re-use my rusty Kali Linux install :)
-
Are you sure those are the WAN rules? If your IP is a public IP those 10.0.1.2 have no place there. Either you didn't apply the rules to the interface you think you applied them to, or you aren't scanning what you think you are scanning, or you have a port forwarding to an internal server set up. Either of those 3.
-
@jflsakfja:
Are you sure those are the WAN rules? If your IP is a public IP those 10.0.1.2 have no place there. Either you didn't apply the rules to the interface you think you applied them to, or you aren't scanning what you think you are scanning, or you have a port forwarding to an internal server set up. Either of those 3.
Yeah it's the WAN rules for sure. The rules pointing to the private IP (10.0.1.2) have been generated by pfsense when I created some port forwarding rules, so I guessed they were useful… Why don't they have a place there?
Anyway, the anomaly is most probably coming from the modem in bridge mode, I have to test it in standard mode to see if the port 25 is open. Thanks for your help.
-
@jflsakfja:
Are you sure those are the WAN rules? If your IP is a public IP those 10.0.1.2 have no place there. Either you didn't apply the rules to the interface you think you applied them to, or you aren't scanning what you think you are scanning, or you have a port forwarding to an internal server set up. Either of those 3.
Yeah it's the WAN rules for sure. The rules pointing to the private IP (10.0.1.2) have been generated by pfsense when I created some port forwarding rules, so I guessed they were useful… Why don't they have a place there?
Anyway, the anomaly is most probably coming from the modem in bridge mode, I have to test it in standard mode to see if the port 25 is open. Thanks for your help.
If it was port forwarding then yes, the rules do make sense. Do you have any floating rule that would allow port 25?
-
@jflsakfja:
If it was port forwarding then yes, the rules do make sense. Do you have any floating rule that would allow port 25?
I'm totally sure that there isn't any SMTP server in my network and no floating rule concerning port 25. The only explanation is my Zyxel P870H-51a v2 in bridge mode; apparently this sucker doesn't forward port 25 as it should and has an active SMTP service (don't ask me what for…).
-
Run a packet capture for the WAN interface and port 25 while running a scan. Out of the box, unless you change/create a rule, port 25 is blocked on pfsense. Either something else (I can almost guarantee it's NOT the modem) answers that port between you and the scanner, or someone (your ISP) is sending traffic for port 25 to their servers. I trust that what you have said applies, and no rules exist for port 25 nor a server is listening anywhere on your network.
If a bridged modem has an active SMTP service I would first try if it breaks into pieces by throwing it at the wall, and alternatively, I would set it on fire. Trust me on that one. Setting aside the fact that running an email server on a modem is considered a criminal offence, if it's bridged it's bridged, it shouldn't be seen on the network. Stupidity is NOT an excuse, sue your modem manufacturer for everything they have if they are stupid enough to run an email server on a modem.
But like I said, I can almost guarantee it's not the modem that's answering, something else is going on. Where are you scanning it from?
-
I get "Connection refused" on that IP address:25. Also inconsistent with the WAN rules posted.
-
Are you on a residential connection? If yes, then that's your ISP actively blocking the port, instead of pfsense ignoring the traffic.
-
No. Running from an open server at a colo. (My ISP just drops outbound TCP/25, without the courtesy of any feedback.)
-
Something fishy is going on between the scanner and the server then. As I said, default is to drop (block) the packets to anywhere, unless expressly told not to. If you are seeing refused, that means something else actively rejects it. Either it's a bug, the colo facility rejects the port (shouldn't happen, but…) or you got on a VIP list ;)
-
No. I think the problem is that OP isn't properly describing what's going on at his end. Colo works fine, bro.
Actually, I'm probably connecting to the wrong IP address. I wish people asking for help wouldn't obfuscate so much. Nobody cares what your IP address is.
-
That surely is not pfsense. If you google that host name zhbdzmsp-nwas13 you find lots of stuff about bluewin.ch
http://www.bluewin.ch/de/index.html
And there is a dns entry for that hostname with that domain.
;; QUESTION SECTION:
;zhbdzmsp-nwas13.bluewin.ch. IN A

;; ANSWER SECTION:
zhbdzmsp-nwas13.bluewin.ch. 101 IN A 195.186.100.231
Is that your IP? It doesn't answer on 25.
-
That surely is not pfsense. If you google that host name zhbdzmsp-nwas13 you find lots of stuff about bluewin.ch
http://www.bluewin.ch/de/index.html
And there is a dns entry for that hostname with that domain.
;; QUESTION SECTION:
;zhbdzmsp-nwas13.bluewin.ch. IN A

;; ANSWER SECTION:
zhbdzmsp-nwas13.bluewin.ch. 101 IN A 195.186.100.231
Is that your IP? It doesn't answer on 25.
Bluewin (Swisscom) is my ISP… What's the purpose of redirecting the traffic to a fake SMTP server? Anti-SPAM service, I guess?
Sorry for being paranoid guys... My IP is 84.253.45.24, nothing changed in my local config since my last message.
See you around.
dEX
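The thread's reasoning (a silent timeout is pfSense's default block, a "connection refused" is a RST from something else in the path, and an open port whose SMTP greeting names a host you do not own means another hop is answering) can be turned into a small check run against your own WAN address. This is an added example, not code from the thread or from pfSense; the sample greeting is constructed, and only the hostname in it comes from the dig output above.

```python
"""Classify what answers TCP/25 on your own WAN address and explain it in pfSense terms."""
import re
import socket

DROPPED, REFUSED, OPEN = "dropped", "refused", "open"

# Constructed sample: the greeting an ISP-side SMTP proxy might return. Only the
# hostname is from the thread; the rest of the banner text is an assumption.
SAMPLE_BANNER = "220 zhbdzmsp-nwas13.bluewin.ch ESMTP ready\r\n"

# A 220 greeting is "220<SP or ->hostname ..." per RFC 5321.
BANNER_RE = re.compile(r"^220[ -](\S+)")


def probe(host, port=25, timeout=5.0):
    """Return (state, banner). Timeout = SYN dropped, refused = RST received,
    otherwise a listener answered and we keep whatever greeting it sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return OPEN, s.recv(512).decode("ascii", "replace")
            except TimeoutError:
                return OPEN, ""          # open, but silent: not an SMTP greeting
    except ConnectionRefusedError:
        return REFUSED, ""
    except (TimeoutError, OSError):
        return DROPPED, ""               # no answer at all, or route-level failure


def banner_host(banner):
    """Hostname announced in a 220 greeting, or None if there is no SMTP greeting."""
    m = BANNER_RE.match(banner)
    return m.group(1) if m else None


def interpret(state, banner, own_hosts):
    """Explain the observation from the firewall owner's side.
    own_hosts: set of hostnames you actually operate behind the WAN address."""
    if state == DROPPED:
        return "no response: consistent with pfSense's default block (drop, not reject) on WAN"
    if state == REFUSED:
        return "RST received: pfSense does not reject by default, so something else in the path does"
    host = banner_host(banner)
    if host is None:
        return "port open but no SMTP greeting: check for a port forward or floating rule"
    if host in own_hosts:
        return f"open and answered by your own host {host}: check port forwards"
    return f"open but greeted by {host}, which is not yours: the ISP or another hop is answering"


if __name__ == "__main__":
    import sys
    state, banner = probe(sys.argv[1])   # usage: python check25.py <your WAN IP>
    print(interpret(state, banner, set(sys.argv[2:])))
```

Run it from outside your own network and compare the verdict with a `tcpdump` on the pfSense WAN interface: if the box never sees the SYN, the answer is coming from upstream.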