
    [Solved] Port 53, 80, 443 always open on all interfaces

    Firewalling | 38 Posts | 7 Posters | 9.5k Views
    dean2028:

      @Grimson:

      Post screenshots of your WAN and floating rules.

      Added screenshots of Outbound NAT and Port Forwards as well.
      1:1 and NPt are empty.

      FW_Rules_Floating_Rules.PNG
      FW_Rules_WAN_interface.PNG
      FW_Rules_VPN_US_interface.png
      FW_PortForwards.PNG
      FW_NAT_Outbound.PNG

      conor:

        I got caught with this once before where there was a pre-existing state entry in the state table for my test before I changed the firewall rules. Can you check your state table and delete any states to those ports and test again?

        200+ pfSense installs - best firewall ever.

        dean2028:

          @conor:

          Can you check your state table and delete any states to those ports and test again?

          Tried a state reset, but it did not help. Anyway, thanks for the hint.

          Did a fresh portscan on the WAN, VPN_US and VPN_HU public IPs; it seems the WAN and VPN_HU IPs did not have 53 open anymore.

          Current status:

          WAN, Open ports: 80, 443
          VPN_US, Open ports: 53, 80, 443
          VPN_HU, Open ports: 80, 443

          Opening the public IPs from external browser:

          WAN, http/80: timeout
          WAN, https/443: pfSense login page
          VPN_US, http/80: 403 Forbidden, error page from nginx, see screenshot
          VPN_US, https/443: browser error: ERR_CONNECTION_CLOSED
          VPN_HU, http/80: 403 Forbidden, error page from nginx, see screenshot
          VPN_HU, https/443: browser error: ERR_CONNECTION_CLOSED

          Portscan_WAN_IP.png
          Portscan_VPN_US_IP.png
          Portscan_VPN_HU_IP.png
          http80_external_browser.PNG

          KOM:

            By default, nothing is open on WAN unless you open it up yourself.  You don't need to add specific block rules since all traffic is blocked unless there is an explicit allow rule.  If a scan of your IP always shows open ports for 80,443 then I would tend to believe that it's hitting your ISP's equipment somehow.  Easy enough to do a packet capture on WAN while scanning it and look at the traffic in Wireshark.  Running nmap to fingerprint it might also be helpful if it exposes what kind of device is responding.

            Derelict (LAYER 8, Netgate):

              If you are getting a response into WAN from the outside on 443 then you have a rule passing the same. Period.

              You're not getting any weird "Can't load rules" errors or anything are you?

              Here's what I would do:

              Figure out whatever address you are hitting pfSense from, packet capture on WAN filtered on that address and test again. While you're testing also look at the states filtered on that address. See what it's really doing.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Grimson:

                You can check the full pf ruleset: https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

                Did you enable UPnP & NAT-PMP?

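Once you have the full ruleset from `pfctl -sr` (the doc Grimson links), the question Derelict keeps asking ("which rule passes 443 in on WAN?") can be answered mechanically. The script below is an added example written for this thread, not pfSense code and not from any poster: it parses `pfctl -sr` style lines and lists every `pass in` rule on a chosen interface whose destination port set covers a port a scanner reported open. The ruleset inside it is a constructed sample that only approximates real pfctl output (em0 as WAN, em1 as LAN, 198.51.100.10 as the WAN address are all made up); run it against your own `pfctl -sr` output instead.

```python
"""List the pf pass-in rules that would admit traffic to a given port.

Added example for the thread, not part of pfSense.  Input is the text of
`pfctl -sr`; the sample below is constructed and only approximates the
real format (em0 = WAN, em1 = LAN, 198.51.100.10 = WAN address).
"""
import re

SAMPLE_RULESET = """\
scrub on em0 all fragment reassemble
block drop in log inet all label "Default deny rule IPv4"
block drop in log quick on em0 from <bogons> to any label "block bogon IPv4 networks from WAN"
pass in quick on em1 inet proto tcp from any to (em1) port = 443 flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet proto tcp from any to (em1) port = 80 flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 198.51.100.10 port = 443 flags S/SA keep state label "USER_RULE: NAT webgui test"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 198.51.100.10 port 8000:8100 flags S/SA keep state label "USER_RULE: camera range"
pass out quick on em0 inet proto tcp from any to any port = 443 flags S/SA keep state label "USER_RULE: egress https"
"""

# Only filter rules are parsed; scrub/nat/rdr/anchor lines are skipped.
RULE_RE = re.compile(r"^(?P<action>pass|block|match)(?:\s+(?:drop|return))?\s+(?P<dir>in|out)\b(?P<rest>.*)$")
IFACE_RE = re.compile(r"\bon\s+(?P<iface>\S+)")
PROTO_RE = re.compile(r"\bproto\s+(?P<proto>\S+)")
PORT_RE = re.compile(r"\bport\s*(?:=\s*)?(?P<lo>\d+)(?::(?P<hi>\d+))?")
LABEL_RE = re.compile(r'label\s+"(?P<label>[^"]*)"')


def parse_rules(text):
    """Turn pfctl -sr lines into dicts: action, dir, iface, proto, dst port range, label."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        lm = LABEL_RE.search(rest)
        body = rest[: lm.start()] if lm else rest  # keep label text out of keyword searches
        im = IFACE_RE.search(body)
        pm = PROTO_RE.search(body)
        # The destination side is everything after " to "; a source port clause
        # ("from any port = X") must not be mistaken for the destination port.
        dst = body.split(" to ", 1)[1] if " to " in body else ""
        prt = PORT_RE.search(dst)
        if prt:
            lo, hi = int(prt["lo"]), int(prt["hi"] or prt["lo"])
        else:
            lo, hi = 0, 65535  # no port clause: the rule matches any port
        rules.append({
            "action": m["action"],
            "dir": m["dir"],
            "iface": im["iface"] if im else "any",
            "proto": pm["proto"] if pm else "any",
            "ports": (lo, hi),
            "label": lm["label"] if lm else "",
            "text": line,
        })
    return rules


def pass_rules_for(rules, iface, port, proto="tcp"):
    """Rules that would pass a packet to `port` arriving inbound on `iface`."""
    return [
        r for r in rules
        if r["action"] == "pass" and r["dir"] == "in"
        and r["iface"] in (iface, "any")
        and r["proto"] in (proto, "any")
        and r["ports"][0] <= port <= r["ports"][1]
    ]


def report(text, iface, ports, proto="tcp"):
    """Map each scanned port to the labels of the pass-in rules that cover it."""
    rules = parse_rules(text)
    return {p: [r["label"] or r["text"] for r in pass_rules_for(rules, iface, p, proto)]
            for p in ports}


if __name__ == "__main__":
    # Ports the thread's scans reported open, plus one inside the sample range.
    for port, labels in report(SAMPLE_RULESET, "em0", [53, 80, 443, 8080]).items():
        print(port, "->", labels or "no pass-in rule on em0: pf drops it (default deny)")
```

Caveat: the script narrows the candidates by interface, direction, protocol and destination port only. It does not evaluate rule order, `quick`, or source/destination address matching, so treat a hit as "the rule to look at", not as proof that it matched a given packet; the capture and the state table settle that.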
                dean2028:

                  @KOM:

                  Running nmap to fingerprint it might also be helpful if it exposes what kind of device is responding.

                  Understand, but it's not a question what's responding as I see the pfSense login screen if I open https://WANIP from a foreign browser.

                  A capture might be helpful to see what the situation is on the VPN_US IP, as this is the only one which responds on port 53.

                  dean2028:

                    @Grimson:

                    Did you enable UPnP & NAT-PMP?

                    No, never touched that. Just checked it under Status - UPnP & NAT-PMP, it's disabled.

                    dean2028:

                      @Derelict:

                      If you are getting a response into WAN from the outside on 443 then you have a rule passing the same. Period.
                      You're not getting any weird "Can't load rules" errors or anything are you?

                      I did a week ago, but it disappeared after setting this value to 400 000:
                      System -> Advanced -> Firewall & NAT -> Maximum Table Entries

                      I read on the forum somewhere that that's the solution. I have had no error since then.

                      dean2028:

                        @Derelict:

                        Figure out whatever address you are hitting pfSense from, packet capture on WAN filtered on that address and test again. While you're testing also look at the states filtered on that address. See what it's really doing.

                        • Switched to the GSM network again from my phone and checked my public IP
                        • Started a packet capture on WAN, filling in the IP above as the Host Address
                        • Ran a portscan from the phone on 443 only

                        Result:

                        16:55:59.218056 IP PHONEPUBLICIP.54409 > WANIP.443: tcp 0
                        16:56:00.219797 IP PHONEPUBLICIP.54409 > WANIP.443: tcp 0
                        16:56:02.226128 IP PHONEPUBLICIP.54409 > WANIP.443: tcp 0

                        KOM:

                          I see the pfSense login screen if I open https://WANIP from a foreign browser.

                          While on LAN or WAN?  If you are on LAN and access your public address in a browser, pfSense will give you the GUI even though it isn't accessible from WAN.

                          dean2028:

                            @KOM:

                            While on LAN or WAN?

                            While I'm on WAN, on a very different network. So the Webconfigurator is exposed to WAN attacks at the moment, which really concerns me. I will put the WebConfigurator on another port to decrease the risk, as 80 and 443 are open from WAN.

                            Derelict (LAYER 8, Netgate):

                              That packet capture shows nothing but SYNs.

                              Again, if you can get to the WebGUI you have a rule passing the traffic.

                              Look at the states. See what's really happening.


                              johnpoz (LAYER 8, Global Moderator):

                                If he was getting to his GUI from his WAN, then his packet capture would show an answer, i.e. SYN,ACK - like Derelict says, it only shows SYN…

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

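The reasoning Derelict and johnpoz apply to the capture above (only SYNs from the phone, nothing back from the WAN address, so pf dropped them) and Derelict's "look at the states" step can be turned into a small script. This is an added example written for the thread, not pfSense code and not from any poster. It reads the text of a WAN packet capture and of `pfctl -ss` and reports, per probed port, whether the WAN address answered at all and with what. The capture and state lines inside it are constructed samples in the shape of tcpdump and pfctl output; the addresses are documentation ranges (client 203.0.113.5, WAN address 198.51.100.10, em0 as WAN, em1 as LAN), not the poster's, and the parser handles IPv4 only.

```python
"""Judge a WAN capture and a state-table dump by packet direction.

Added example for the thread, not part of pfSense.  A probe with no packet
back from the WAN address was dropped by pf (or never arrived); a SYN/ACK
back means a service answered through a pass rule; a RST back means the
port was reachable but closed.  All sample data below is constructed
(client 203.0.113.5, WAN 198.51.100.10, em0 = WAN, em1 = LAN); IPv4 only.
"""
import re
from collections import defaultdict

# Constructed capture.  The first three lines mirror the poster's quiet-mode
# output, where tcpdump prints "tcp 0" instead of flags; the rest are at the
# default verbosity, where Flags [S] / [S.] / [R.] are visible.
SAMPLE_CAPTURE = """\
16:55:59.218056 IP 203.0.113.5.54409 > 198.51.100.10.443: tcp 0
16:56:00.219797 IP 203.0.113.5.54409 > 198.51.100.10.443: tcp 0
16:56:02.226128 IP 203.0.113.5.54409 > 198.51.100.10.443: tcp 0
16:57:10.000001 IP 203.0.113.5.54410 > 198.51.100.10.8443: Flags [S], seq 1, win 64240, length 0
16:57:10.000420 IP 198.51.100.10.8443 > 203.0.113.5.54410: Flags [S.], seq 2, ack 2, win 65535, length 0
16:57:10.000900 IP 203.0.113.5.54410 > 198.51.100.10.8443: Flags [.], ack 3, win 502, length 0
16:57:12.000001 IP 203.0.113.5.54411 > 198.51.100.10.22: Flags [S], seq 3, win 64240, length 0
16:57:12.000310 IP 198.51.100.10.22 > 203.0.113.5.54411: Flags [R.], seq 0, ack 4, win 0, length 0
"""

# Constructed pfctl -ss output: one inbound state on WAN (the 8443 probe),
# one outbound NAT state, and one LAN-side state for a LAN host that opened
# the WAN address in a browser (KOM's "on LAN or WAN?" case: it lives on em1).
SAMPLE_STATES = """\
em0 tcp 198.51.100.10:8443 <- 203.0.113.5:54410       ESTABLISHED:ESTABLISHED
em0 udp 198.51.100.10:38741 (192.168.1.20:38741) -> 1.1.1.1:53       MULTIPLE:SINGLE
em1 tcp 192.168.1.20:55120 -> 198.51.100.10:443       ESTABLISHED:ESTABLISHED
"""

PKT_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<info>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[(?P<flags>[^\]]*)\]")
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)(?:\s+\((?P<nat>[^)]*)\))?"
    r"\s+(?P<arrow><-|->|<->)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)

NO_REPLY = "no reply: dropped by pf, or never reached pfSense"
LISTENING = "SYN/ACK: a service answered, so a pass rule admits this port"
CLOSED = "RST: reachable but nothing listening"
UNKNOWN = "reply seen, flags not captured: rerun the capture at full detail"


def analyze_capture(text, wan_ip):
    """Verdict per probed port from the direction (and flags, if printed) of packets."""
    inbound = defaultdict(int)    # dst port -> packets that arrived at wan_ip
    replies = defaultdict(list)   # src port -> flags of packets wan_ip sent back
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        f = FLAGS_RE.search(m["info"])
        flags = f["flags"] if f else None  # None in quiet-mode output
        if m["dst"] == wan_ip:
            inbound[int(m["dport"])] += 1
        elif m["src"] == wan_ip:
            replies[int(m["sport"])].append(flags)
    verdict = {}
    for port in sorted(inbound):
        fl = replies.get(port, [])
        if not fl:
            verdict[port] = NO_REPLY
        elif any(x and "S" in x and "." in x for x in fl):
            verdict[port] = LISTENING
        elif any(x and "R" in x for x in fl):
            verdict[port] = CLOSED
        else:
            verdict[port] = UNKNOWN
    return verdict


def states_for(text, addr):
    """pfctl -ss entries involving addr, as (iface, proto, left, arrow, right, state)."""
    hits = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        ends = {m["left"].rsplit(":", 1)[0], m["right"].rsplit(":", 1)[0]}
        if addr in ends:
            hits.append((m["iface"], m["proto"], m["left"], m["arrow"], m["right"], m["state"]))
    return hits


def inbound_wan_ports(text, wan_iface, wan_ip):
    """Ports on wan_ip whose state was created by traffic arriving on wan_iface ('<-')."""
    return sorted({
        int(left.rsplit(":", 1)[1])
        for iface, _proto, left, arrow, _right, _state in states_for(text, wan_ip)
        if iface == wan_iface and arrow == "<-" and left.rsplit(":", 1)[0] == wan_ip
    })


if __name__ == "__main__":
    for port, why in analyze_capture(SAMPLE_CAPTURE, "198.51.100.10").items():
        print(port, "->", why)
    print("inbound WAN states on ports:", inbound_wan_ports(SAMPLE_STATES, "em0", "198.51.100.10"))
    for s in states_for(SAMPLE_STATES, "198.51.100.10"):
        print("state:", *s)
```

Two things the sample shows that the thread's single capture cannot: the poster's quiet-level capture hides TCP flags, so only direction is available, and that is enough to conclude "dropped" when nothing ever comes back from the WAN address; and a state for the WAN address that sits on the LAN interface with a `->` arrow is a LAN host opening the public IP, not an inbound connection, which is KOM's question about where the browser was.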
                                  KOM:

                                  I'm wondering if he's got the bogonsv6 issue and his ruleset has failed to load?

                                    Derelict (LAYER 8, Netgate):

                                    I'm wondering if he's got the bogonsv6 issue and his ruleset has failed to load?

                                    Already covered.


                                      dean2028:

                                      @johnpoz:

                                      If he was getting to his GUI from his WAN, then his packet capture would show an answer, i.e. SYN,ACK - like Derelict says, it only shows SYN…

                                      That test with the capture was just a port scan from the mobile phone to WAN IP. There was no Webconfig access from the browser on https://WANIP.  I'm going to do additional tests now.

                                        johnpoz (LAYER 8, Global Moderator):

                                        Dude, if you send a SYN, you would get back a SYN,ACK if anything was listening on that port. That is how it works.


                                          dean2028:

                                          @KOM:

                                          If a scan of your IP always shows open ports for 80,443 then I would tend to believe that it's hitting your ISP's equipment somehow.

                                          You made me curious about that scenario, so I simply switched off the pfSense box, then did another port scan… well... I would say the portscan is not so useful, as I saw the same result: 80 and 443 were open. When I scanned the VPN_US public IP, I got the same result: 53, 80, 443 seemed to be open. You're right, this is some equipment of the provider.

                                          However, this still doesn't change the fact that I'm able to reach the pfSense Webconfigurator on 443 from the WAN. Now I have put the WebConfigurator on a high port, so at least the login page cannot be called from the WAN, even if 443 is open.

                                            johnpoz (LAYER 8, Global Moderator):

                                            Dude, how would that be? If pfSense is off and something is answering on 443 which is NOT pfSense… how exactly are you then accessing the pfSense webgui on 443?

                                            This scenario comes up every couple of weeks or so, where some user says "my WAN is open".. Either something is in front of it, or they are checking from the LAN side. Or they actually opened it in their WAN rules.

                                            Here is the thing about your VPN as well - there are a few VPNs that will port forward down the tunnel. But it will NEVER be the standard ports.. It's always some high port that you have to configure on their site for your account, etc.

                                            Send me your IP and the port you're listening on in a PM and I will check if I can get to your web GUI..


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.