Netgate Discussion Forum

    [Solved] Port 53, 80, 443 always open on all interfaces

    • johnpoz LAYER 8 Global Moderator

      Send me this WAN IP and port you're using… I want to see this... Since your rules do not show anything open. And they are intercepting it clearly since you say you show it open when pfSense is off..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

    • dean2028

        @Grimson:

        Did you try to log into the WebUI, maybe your provider is using pfSense too.

        I tried to call http://VPN_US_IP again from the mobile browser and I still see this nginx forbidden page. So there is no magic here, that page comes from the box of the provider. In the meantime I got a very different public IP when reconnected to VPN_US, so it's not my pfSense box for sure. Apologies to everyone, this completely confused me as I thought the error page came from the pfSense box.

    • johnpoz LAYER 8 Global Moderator

          Yeah scanning your IP I don't see 80 or 443 open at all… Nothing comes back on those ports.. NOTHING!!!


    • dean2028

            @dean2028:

            3. pfsense box on - open https://WANIP from a mobile provider IP from the browser of the phone - result: pfSense login page

            I simply cannot reproduce this anymore since I put the webconfigurator to high port then back to 443. I'm just wondering, maybe I was distrait and my mobile connected back to the local network when tested… don't have a better idea.

            Ok, let me summarize what's figured out so far:

            Symptom1:
              Portscan shows ports 80, 443 open when WAN IP scanned from the internet
              Portscan shows ports 53, 80, 443 open when VPN_US_IP scanned from the internet

            Cause1 (probably): this comes from the boxes of the ISP and VPN provider as portscan gives the same result with powered off pfSense box.

            Symptom2:
              when http://VPN_US_IP called from a browser from the internet, nginx 403 forbidden error page appears

            Cause2 (at least that's my understanding): the error page comes from the box of the VPN provider

            Symptom3: when https://WAN_IP called from an external browser, pfSense login page visible
              Cause3: the test was not accurate, the client probably connected back to the access point while testing, then pfSense caught that (even if the WAN IP was used).

    • dean2028

              @johnpoz:

              Yeah scanning your IP I don't see 80 or 443 open at all… Nothing comes back on those ports.. NOTHING!!!

              But why do I see this then from the app when scanning? Should I throw this app away then? How did you scan me?
              I use the iOS version of Net Analyzer, and it shows these ports open, even if I turn off pfSense.

              Anyway, thanks a lot for your effort to check that.


    • dean2028

                @Grimson:

                Did you try to log into the WebUI, maybe your provider is using pfSense too.

                This did not come to my mind at all at that point as I became upset. Now, I think that page came from internal as I'm not able to reproduce it anymore. No idea at all. As usual there is no magic, I think maybe I was not careful enough to make sure my mobile was completely on an external IP and didn't connect back to the AP.

    • dean2028

                  I tried to check again ports 80 and 443 on the WAN IP with telnet. So I disconnected my notebook from the access point, then connected to the phone. The phone was a hotspot. I'm sure it was not connected to the AP this time.

                  result:

                  telnet WANIP 443
                  Trying WANIP…
                  Connected to WANIP.
                  Escape character is '^]'.
                  Connection closed by foreign host.

                  telnet WANIP 80
                  Trying WANIP...
                  Connected to WANIP.
                  Escape character is '^]'.
                  Connection closed by foreign host.

                  Why is telnet able to connect?

                  If I open http://WANIP from the browser, I get an empty white page after 5-10 seconds.
                  https://WANIP doesn't give me anything back, it times out.

    • ptt Rebel Alliance

                    Try with one "external" (online) Tool/Scanner

                    https://mxtoolbox.com/PortScan.aspx

                    http://nmap.online-domain-tools.com/

                    https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

                    https://www.yougetsignal.com/

                    https://www.grc.com/x/ne.dll?bh0bkyd2

                    And while you're scanning, check the  " WAN Firewall Logs"

    • dean2028

                      @ptt:

                      Try with one "external" (online) Tool/Scanner
                      ….
                      And while you're scanning, check the  " WAN Firewall Logs"

                      Thanks a lot, ptt!

    • johnpoz LAYER 8 Global Moderator

                        Many cell phone providers proxy data..  Look in your cell phone where you set your APN.

                        Scanning from a cell phone for open ports is just a waste of time - you can never be sure of the response.. It's a valid method to check if you can get to something you port forwarded on… But to use to see if something is blocked, not so much.. Especially on common ports like http/https which they very well could be running through a proxy. Which yeah, is going to send back a syn,ack to your syn.

                        Here is a simple test - if you did not open the port on your WAN, then it's not open! ;)

                        You scanning and showing that it is, when your firewall is set to not - SCREAMS you're doing it WRONG!! If I had a nickel every time some user thought their ports were open on their WAN and had bought bitcoin I would be floating on my yacht having a cold one.. Deciding where I should have my helicopter take me that evening vs here reading the same ole same ole my WAN ports are open nonsense ;)

                        If you actually want to validate.. Then sniff on your WAN.. Send a SYN from outside, do you see a syn,ack back? If not then it's not freaking open!! Testing from some unknown connection with some tool you don't really understand, from a network you do not understand how it even works, is not going to provide good info.

                        The whole my vpn is open in this thread is more example of not understanding how any of this actually works in the first place.


    • conor
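    The validation johnpoz describes above (send a SYN from outside, sniff on the WAN, and only trust a syn,ack seen on the wire) can be read off a tcpdump capture mechanically. The script below is an added example, not code from this thread or from pfSense; it parses constructed tcpdump lines (WAN address 203.0.113.10 and prober 198.51.100.7 are placeholder addresses) and reports each probed port as filtered (SYN dropped), closed (RST came back) or open (SYN/ACK came back), which is exactly the distinction a carrier proxy or an iOS scanner app cannot make for you.

```python
import re

# Matches the head of a tcpdump TCP line as printed by
#   tcpdump -ni <wan_if> tcp port 80 or tcp port 443
# e.g. "12:00:01.000001 IP 198.51.100.7.51000 > 203.0.113.10.443: Flags [S], ..."
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not taken from the thread): placeholder
# documentation addresses, one SYN per probed port, then the replies.
WAN_IP = "203.0.113.10"
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 198.51.100.7.51000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000002 IP 198.51.100.7.51001 > 203.0.113.10.80: Flags [S], seq 2, win 64240, length 0
12:00:01.000003 IP 198.51.100.7.51002 > 203.0.113.10.8443: Flags [S], seq 3, win 64240, length 0
12:00:01.000004 IP 198.51.100.7.51003 > 203.0.113.10.8080: Flags [S], seq 4, win 64240, length 0
12:00:01.000400 IP 203.0.113.10.8443 > 198.51.100.7.51002: Flags [S.], seq 900, ack 4, win 65535, length 0
12:00:01.000500 IP 203.0.113.10.8080 > 198.51.100.7.51003: Flags [R.], seq 0, ack 5, win 0, length 0
"""


def classify_probes(capture_text: str, wan_ip: str) -> dict:
    """Map every WAN port that received a SYN to one of three states.

    filtered -> no answer at all: the firewall dropped the SYN (port NOT open)
    closed   -> the WAN host answered RST: reached, but nothing listening
    open     -> the WAN host answered SYN/ACK: a listener really is reachable
    """
    states = {}
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue  # non-TCP or unrelated line
        flags = m["flags"]
        if m["dst"] == wan_ip and "S" in flags and "." not in flags:
            # Inbound bare SYN: record the probed port, assume dropped until a reply shows up
            states.setdefault(int(m["dport"]), "filtered")
        elif m["src"] == wan_ip and int(m["sport"]) in states:
            port = int(m["sport"])
            if "S" in flags and "." in flags:
                states[port] = "open"      # SYN/ACK: the only proof of an open port
            elif "R" in flags:
                states[port] = "closed"    # RST: firewall passed it, no service
    return states


if __name__ == "__main__":
    for port, state in sorted(classify_probes(SAMPLE_CAPTURE, WAN_IP).items()):
        print(f"tcp/{port}: {state}")
```

In the sample, 80 and 443 never get a reply on the WAN, which is what "not open" looks like on the wire regardless of what a scanner behind a carrier proxy reports.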

                          Johnpoz is correct, it's a carrier proxy, I had a customer just see the same thing late last week. They were testing from a smart phone on 4G.

                          200+ pfSense installs - best firewall ever.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.