2.1 Failing the GRC firewall test
-
Which BT router do you have? HomeHub 3? Are you on adsl or fttc?
Steve
-
All 1056 ports turned up stealthed in my case. I don't yet have any services enabled through the firewall. The test reported "FAILED" only because I chose to configure pfSense to respond to ICMP Echo (ping).
-
Hi Everyone,
I know this post is old but i have just installed pfsense for the first time and I am also getting alot of ports open with the default install. I have opened just 3 ports port 80 for our web server 443 for OWA and 25 for SMTP but I am also getting alot of other ports open according to GRC firewall test.
GRC Port Authority Report created on UTC: 2014-10-20 at 11:02:17
Results from scan of ports: 0-1055
627 Ports Open
0 Ports Closed
429 Ports Stealth
–-------------------
1056 Ports TestedNO PORTS were found to be CLOSED.
Ports found to be STEALTH were: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,
10, 11, 12, 13, 14, 15, 16,
17, 18, 19, 20, 21, 22, 23,
24, 26, 27, 28, 29, 30, 31,
32, 33, 34, 35, 36, 37, 38,
39, 40, 41, 42, 43, 44, 45,
46, 47, 48, 49, 50, 51, 52,
53, 54, 55, 56, 57, 58, 59,
60, 61, 62, 63, 64, 94, 128,
129, 130, 131, 132, 133, 134,
135, 136, 137, 138, 139, 140,
141, 142, 143, 144, 145, 146,
147, 148, 149, 150, 151, 152,
153, 154, 155, 156, 157, 160,
161, 162, 163, 164, 165, 166,
167, 168, 169, 170, 171, 172,
173, 174, 175, 176, 177, 178,
179, 180, 181, 182, 183, 184,
185, 186, 187, 188, 189, 190,
191, 192, 193, 194, 195, 196,
197, 198, 199, 200, 201, 202,
203, 204, 205, 206, 207, 208,
209, 210, 211, 212, 213, 214,
215, 216, 217, 218, 219, 220,
221, 222, 223, 320, 321, 322,
323, 339, 352, 353, 354, 355,
356, 357, 358, 359, 360, 361,
362, 363, 364, 365, 366, 367,
368, 369, 370, 371, 372, 373,
374, 375, 376, 377, 378, 379,
380, 381, 382, 383, 384, 385,
386, 387, 388, 389, 390, 391,
392, 393, 394, 395, 396, 397,
398, 399, 400, 401, 402, 403,
404, 405, 406, 407, 408, 409,
410, 411, 412, 413, 414, 415,
558, 559, 560, 561, 562, 563,
564, 565, 566, 567, 568, 569,
570, 571, 572, 573, 574, 575,
576, 577, 578, 579, 580, 581,
582, 583, 584, 585, 586, 587,
588, 589, 590, 591, 592, 593,
594, 595, 596, 597, 598, 599,
600, 601, 602, 603, 604, 605,
606, 607, 608, 609, 610, 611,
612, 613, 614, 615, 616, 617,
618, 619, 620, 621, 622, 623,
624, 625, 626, 627, 628, 629,
630, 631, 632, 633, 634, 635,
636, 637, 638, 639, 774, 775,
800, 801, 802, 803, 804, 805,
806, 807, 808, 809, 810, 811,
812, 813, 814, 815, 816, 817,
818, 819, 820, 821, 822, 823,
824, 825, 826, 827, 828, 829,
830, 831, 832, 833, 834, 835,
836, 837, 838, 839, 840, 841,
842, 843, 844, 845, 846, 847,
848, 849, 850, 851, 852, 853,
854, 855, 856, 857, 858, 859,
860, 861, 862, 863, 992, 993,
994, 995, 996, 997, 998, 999,
1000, 1001, 1002, 1003, 1004,
1005, 1006, 1007, 1008, 1009,
1010, 1011, 1012, 1024, 1025,
1026, 1027, 1028, 1029, 1030,
1031, 1032, 1033, 1034, 1035,
1036, 1037, 1038, 1039, 1040,
1041, 1042, 1043, 1044, 1045,
1046, 1047, 1048, 1049, 1050,
1051, 1052, 1053, 1054, 1055Other than what is listed above, all ports are OPEN.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.I am using a public IP address on pfsense so shouldn't be seeing the router and the router in also not in DMZ mode. Anyone have any ideas?
Thanks
-
Here is the thing.. Are you forwarding to something? How is that pfsense would be listening on all those ports "OPEN"
Lets think about it for 2 seconds.. For a port to show open something had to reply.. Do you think pfsense replied because it has a service running on say 1042? What would that service be?? Do a netstat on pfsense to see what is listening.. Did you create any forwards to another that could be listening on those ports?
Why don't you do a sniff on your wan when you run this scan.. Diag, packet capture - do you see inbound to those odd ball ports. You see a syn ack back? What is in your state table for those ports?
-
Also do you have uPNP enabled? If so that could be a source of your trouble. Check to see which devices are using uPNP and which ports do that have opened.
-
My thoughts exactly. uPNP may be forwarding (opening) ports you have not thought about.
-
Concur its quite possible UPnP could open up stuff - clearly this is what is wrong with UPnP in the first place - what would be requesting those privileged ports??
-
what would be requesting those privileged ports??
A virus? I can't think what else could possibly need 627 ports.
UPnP isn't enabled by default though, at least you have to be vaguely aware of the consequences before enabling it. UPnP seems to cover a lot these days though. Although pfSense only implements the port forwarding parts of it I get the impression a lot of people enable it thinking it will help them with DLNA device discovery. It won't.Steve
-
Even a virus would not need 627 ports ;) While not saying its not UPnP, I would look to something a bit more general in nature like device in front of pfsense.. ISP doing something? Just plain something broke in GRC?. Have you tried another scanner? Seem unlikely even that a virus would open 627 ports if you ask me..
A 10 second sniff on your wan port would tell you if this traffic is even getting to pfsense and if pfsense or something behind it is answering, etc.
-
I've had odd results with the GRC scan. I'm not sure where some of the "closed" responses are coming from, but when I look at my PFSense logs, the ports that show "stealth" on GRC, show a logged event in PFSense, but the ports that show "closed" in GRC, do not show in my PFSense logs. Something else up-stream is responding. The only ports I get as "closed" are related to SMB. I assume my ISP is blocking remote SMB on their firewall.
-
0-1055 all stealth here.
-
Even a virus would not need 627 ports ;)
Yeah, not exactly stealth. Worst. Virus. Ever. ::)
Seems more likely to be not actually scanning pfSense for whatever reason. CG-NAT perhaps?
Steve
-
I actually believe those results could be true.
Post an IP. I can scan it from here. I'm sure a few of us could confirm if the results are good or not.
-
My thoughts exactly. uPNP may be forwarding (opening) ports you have not thought about.
This is why I put int an explicit block on ports 1-1023. I don't want any pesky uPNP trying to do strange things.
The biggest issue isn't uPNP, it's that I need to use NAT in the first place. Many games need to listen on ports, but because you can't have multiple clients all using the same ports, you can't know which ports will be used ahead of time. If port opening needs to be dynamically controlled by the client, how else does one handle this?
My main concern isn't what my clients are trying to do, it's what the public Internet is trying to do to my clients. As long as standard service ports are not opened, I'm content. Home install, I'm not a network admin.
-
No the issue is how UPnP is implemented without any security/auth that allows something to be opened, and ease of control of what that device can open, etc. Most home routers give you no control at all.
Not sure what your blocking - but inbound from the wan has all ports block out of the gate. Where are you creating this 1-1023 block?
While its true many ports need to listen on port - they sure shouldn't be < than 1023.. Where in the list of ports are there any games that have these ports registered?
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
I don't see any games? No game that I could think of should be listening on a PRIVILEGED port that is for sure..
There is a SHIT load of ports to be used - how many games are you running that it should ever overlap, and people that design a game that is played over the internet and don't take into account the ability to control which ports are used are just not thinking if you ask me!!
I have never ran into such a game. All the issues go away soon with NAT you can hope as IPv6 is here - With lots of IPs to play with that removes the need of nat completely. These games still do not need to listen on ports < 1023.. So from his listing 416 to 557 are OPEN.. Why would something open such a big range privileged.. If we look up those ports.
example
nnsp 433 tcp NNSPThis is port used for bulk transfers of NNTP between servers.. Why would some GAME use that port? And since its under 1023 should require elveated permissions to even listen on that port, etc.
If I ran across a scan showing such results - the first thing I would do is run the scan again while sniffing on wan and validate for starters that scan is actually hitting my IP and that responses are leaving my interface because its so out there it is highly unlikely there is anything actually listening on all those ports to have it show "OPEN"
-
When you put in your block rules, are you rejecting with some message or dropping packets silently?
-
When you put in your block rules, are you rejecting with some message or dropping packets silently?
Always drop, not reject.
-
Yep - Thats why I'm asking.
-
80.197.155.13
I actually believe those results could be true.
Post an IP. I can scan it from here. I'm sure a few of us could confirm if the results are good or not.
-
No the issue is how UPnP is implemented without any security/auth that allows something to be opened, and ease of control of what that device can open, etc. Most home routers give you no control at all.
Not sure what your blocking - but inbound from the wan has all ports block out of the gate. Where are you creating this 1-1023 block?
While its true many ports need to listen on port - they sure shouldn't be < than 1023.. Where in the list of ports are there any games that have these ports registered?
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
I don't see any games? No game that I could think of should be listening on a PRIVILEGED port that is for sure..
There is a SHIT load of ports to be used - how many games are you running that it should ever overlap, and people that design a game that is played over the internet and don't take into account the ability to control which ports are used are just not thinking if you ask me!!
I have never ran into such a game. All the issues go away soon with NAT you can hope as IPv6 is here - With lots of IPs to play with that removes the need of nat completely. These games still do not need to listen on ports < 1023.. So from his listing 416 to 557 are OPEN.. Why would something open such a big range privileged.. If we look up those ports.
example
nnsp 433 tcp NNSPThis is port used for bulk transfers of NNTP between servers.. Why would some GAME use that port? And since its under 1023 should require elveated permissions to even listen on that port, etc.
If I ran across a scan showing such results - the first thing I would do is run the scan again while sniffing on wan and validate for starters that scan is actually hitting my IP and that responses are leaving my interface because its so out there it is highly unlikely there is anything actually listening on all those ports to have it show "OPEN"
"Where are you creating this 1-1023 block?"
On the WAN interface. I assume the firewall rules take precedence over the uPNP, but I could be wrong. If I am wrong, then uPNP could effectively bypass the firewall in an uncontrollable way."I don't see any games?"
I never said any games use those ports. Me blocking service ports only has to do with being paranoid about uPNP, assuming the block actually works against uPNP."There is a SHIT load of ports to be used - how many games are you running that it should ever overlap"
Running the same game on two different computers will run you into trouble if the game requires a specific port to be forwarded. How can you forward the same port to two different computers, especially if the same two computers are trying to communicate with the same servers? You can't. Many of these games require uPNP in order to use non-standard ports. Not to mention micromanaging port forwarding and messing with game configurations when you friends come over is a huge headache. Assuming the games even give you the option to manually change your ports. Most dynamically choose a port at run time, and if that port isn't being forwarded, you can't play.
