Netgate Discussion Forum
    WAN port question

    General pfSense Questions
    4 Posts 3 Posters 616 Views

    • guardian Rebel Alliance

      Hi All

      I'm on the Rogers system in Canada and I periodically use GRC/ShieldsUP to make sure nothing is open to the outside world.
      (pfSense 2.4 to the Rogers Hitron CGN3ACSMR Modem in Bridged Mode)

      For some reason Port 445 is showing as CLOSED instead of stealth.

      I don't think I did anything to cause that.  I have a floating rule "quick match/block/any direction" on the WAN Interface for Port 445 and a whole list of other ports that should never leave the local network.  Is this likely to cause the problem?

      Is there a way to safely (for brief testing) make Port 445 appear to be open to the internet? 
      (I'm assuming that GRC/ShieldsUp is doing a SYN scan, but that's just a guess).

      My thinking is, if I open port 445, and it still shows a closed, then I would think it is safe to assume that Rogers is filtering port 445 (to protect the hordes of clueless subscribers that might be inadvertently sharing their hard drives with the world) and it isn't my issue.

      Any advice/suggestions/or insight from someone who may have investigated this would be appreciated.

      If you find my post useful, please give it a thumbs up!
      pfSense 2.7.2-RELEASE

      • johnpoz LAYER 8 Global Moderator

        Many ISPs would block 445 yeah - there would be zero reason to use smb over tcp on the public internet.  If you want to smb over the public internet then it should be in a tunnel.

        I see little reason for your floating rule to be honest.. The default deny is fine.. Do you see any hits on your rule?

        If you want to test open to 445, you would have to get pfsense to listen on it for something - you could change your webgui to listen on 445 for example.  Or you would have to forward inbound to something listening on 445.. So say any windows machine.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • guardian Rebel Alliance

          @johnpoz:

          Many ISPs would block 445 yeah - there would be zero reason to use smb over tcp on the public internet.  If you want to smb over the public internet then it should be in a tunnel.

          I see little reason for your floating rule to be honest.. The default deny is fine.. Do you see any hits on your rule?

          If you want to test open to 445, you would have to get pfsense to listen on it for something - you could change your webgui to listen on 445 for example.  Or you would have to forward inbound to something listening on 445.. So say any windows machine.

          Thanks johnpoz, your post gave me an idea: I set up an OpenVPN server with TCP. Not likely to be casually hacked!

          I agree… blocking 445 is a great idea - although I would far prefer "block" to "reject" so things stay stealthy.

          I started the server on Port 443, and GRC returned "Open Port" as expected.

          I then moved the server to Port 445 - and everything showed up as stealth - very weird!

          I repeated the tests several times and here are the results:

          When port 445 doesn't exist - the scanner returns Closed (but occasionally Stealth)
          When port 445 is Open - the scanner returns Stealth (I think I got one closed, but never an Open)
          When port 443 is Open - the scanner always returns Open

          I guess I am to assume either a fault in the scanner or some form of "Rogers Weirdness".  If anyone with Large Network experience/pentesting has any idea what is going on I'd appreciate an educated guess.

          I am going forward on the assumption that the issue is outside my firewall, so it's out of my control and not a serious problem.

          I hope I'm correct on that. If anyone has any thoughts, I'd love to hear them.

          If you find my post useful, please give it a thumbs up!
          pfSense 2.7.2-RELEASE

          • Derelict LAYER 8 Netgate

            All you have to do is Diagnostics > Packet Capture on WAN for port TCP 445 then run a scan.

            If you get a connection refused (CLOSED) but do not see the traffic on WAN, then something upstream is responding.

            If they are responding AND forwarding the traffic to you (which wouldn't make much sense) then you will see the SYN to port 445 on your WAN but no SYN/ACK response because you are blocking the port.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

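The two checks discussed in this thread, the scanner's Open/Closed/Stealth verdict that guardian's first post asks about and the WAN packet-capture test Derelict describes, as an added Python example. This is not code from the forum posts, from pfSense or from GRC; the addresses, the tcpdump-style capture lines and the label strings are constructed for the example, and the decision rules follow the posts above (SYN/ACK means open, RST means closed, no reply means stealth; a verdict produced without the SYN ever reaching WAN means something upstream answered).

```python
import re

# Constructed documentation addresses: "our" pfSense WAN and the scanning host.
OUR_WAN = "203.0.113.10"
SCANNER = "198.51.100.5"
TARGET_PORT = 445

# Line shape this example assumes for tcpdump-style capture output (an assumption).
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def scanner_verdict(reply_flags):
    """What a SYN scanner reports for one probe, given the flags of the reply
    ("SA", "RA", "R", ...) or None when nothing came back before the timeout."""
    if reply_flags is None:
        return "stealth"   # dropped silently somewhere on the path
    if "S" in reply_flags and "A" in reply_flags:
        return "open"      # SYN/ACK: a listener answered
    if "R" in reply_flags:
        return "closed"    # RST: host reachable, nothing listening (or a reject rule)
    return "unknown"


def parse_capture(lines):
    """Turn tcpdump-style capture lines into (src, sport, dst, dport, flags) tuples.
    tcpdump prints ACK as '.', so 'S.' becomes 'SA' to match scanner_verdict()."""
    packets = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue           # banners such as 'listening on ...' carry no packet
        src, sport, dst, dport, flags = m.groups()
        packets.append((src, int(sport), dst, int(dport), flags.replace(".", "A")))
    return packets


def diagnose_capture(packets, verdict, port=TARGET_PORT, wan=OUR_WAN, scanner=SCANNER):
    """Derelict's test: with a WAN capture on TCP/<port> running during the scan,
    decide from what reached the WAN whether the verdict was produced upstream
    or by this firewall. Returns a short constructed label."""
    probe_seen = any(s == scanner and d == wan and dp == port and f == "S"
                     for s, _, d, dp, f in packets)
    our_replies = [f for s, sp, d, _, f in packets
                   if s == wan and d == scanner and sp == port]
    synack_sent = any("S" in f and "A" in f for f in our_replies)
    rst_sent = any("R" in f for f in our_replies)

    if not probe_seen:
        # The probe never arrived, so whatever the scanner saw came from upstream.
        return "upstream-responding" if verdict == "closed" else "upstream-filtering"
    if synack_sent:
        return "open-here"        # this firewall (or a port forward) answered SYN/ACK
    if rst_sent:
        return "rejected-here"    # a reject rule on this firewall sent the RST
    if verdict == "closed":
        # SYN arrived and we stayed silent, yet the scanner got a RST:
        # something upstream answered and forwarded the SYN anyway.
        return "upstream-responding-and-forwarding"
    return "blocked-here"         # SYN arrived, no reply: the block rule did its job


# Constructed capture output for three runs of the scan (not real pfSense captures).
CAPTURES = {
    "nothing_on_wan": [
        "listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes",
    ],
    "probe_only": [
        "12:00:01.000001 IP 198.51.100.5.40001 > 203.0.113.10.445: Flags [S], seq 1, win 1024, length 0",
    ],
    "probe_and_synack": [
        "12:00:01.000001 IP 198.51.100.5.40001 > 203.0.113.10.445: Flags [S], seq 1, win 1024, length 0",
        "12:00:01.000200 IP 203.0.113.10.445 > 198.51.100.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0",
    ],
}


def run_case(name, verdict):
    """Diagnose one constructed capture against the verdict the scanner showed."""
    return diagnose_capture(parse_capture(CAPTURES[name]), verdict)


if __name__ == "__main__":
    print(scanner_verdict("SA"), scanner_verdict("RA"), scanner_verdict(None))
    print(run_case("nothing_on_wan", "closed"))      # upstream-responding
    print(run_case("probe_only", "stealth"))         # blocked-here
    print(run_case("probe_and_synack", "open"))      # open-here
```

To use it against a real run, paste the lines from Diagnostics > Packet Capture (filtered to TCP port 445, captured while the scan is running) into `parse_capture` and pass the verdict the scanner displayed; the "Closed but no SYN on WAN" case is the one that points at the ISP rather than at the firewall rules.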
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.