Nmap scan on WAN reveals captive portal

Sifter

My captive portal is running on OPT1, which has a wireless router plugged into it.  The interface is not bridged with any other interface.  When I perform an nmap scan of my WAN, port 8000 shows up.  Is this right?

Running a full HD ver. RELENG_1_SNAPSHOT_03-19-2006 built on Sat Mar 18 01:47:08 UTC 2006

sullrich

It should not be happening.

PF rules take priority over ipfw which the captive portal uses.

I would double check your wan rules.

Sifter

Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-03-23 22:43 Pacific
Standard Time
Warning:  OS detection will be MUCH less reliable because we did not find at lea
st 1 open and 1 closed TCP port
Insufficient responses for TCP sequencing (0), OS detection may be less accurate

Insufficient responses for TCP sequencing (0), OS detection may be less accurate

Interesting ports on noip.or.comcast.net (67.171.1X.X):
(The 1663 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
21/tcp  open  ftp
53/tcp  open  domain
80/tcp  open  http
81/tcp  open  hosts2-ns
443/tcp  open  https
444/tcp  open  snpp
1723/tcp open  pptp
3000/tcp open  ppp
8000/tcp open  http-alt
Device type: general purpose
Running (JUST GUESSING) : OpenBSD 3.X (93%), FreeBSD 5.X|4.x (92%), Linux 2.6.X
(87%), Microsoft Windows NT/2K/XP|2003/.NET (86%), IBM AIX 4.X (85%)
Aggressive OS guesses: OpenBSD 3.6 (93%), OpenBSD 3.7 (93%), FreeBSD 5.3 (92%),
DragonFly 1.1-Stable (FreeBSD-4 fork) (87%), Linux 2.6.10 (87%), Linux 2.6.7 (87
%), OpenBSD 3.3 x86 with pf "scrub in all" (87%), OpenBSD 3.5 or 3.6 (87%), Free
BSD 5.2 - 5.4 (86%), FreeBSD 5.4 (86%)
No exact OS matches for host (test conditions non-ideal).

Nmap finished: 1 IP address (1 host up) scanned in 29.142 seconds

I have ports 21, 80, 81, 443, and 444 forwarded on the WAN.  Interesting that the others show up.

sullrich

Well it appears that either your filter is not loaded at all or you have a pass any rule on wan.

Sifter

sullrich

Never heard of a source of 12.18:

Is this something new that I should be aware of?

Sifter

I photoshopped half that IP address out.  12.18.X.X

sullrich

Run a pfctl -f /tmp/rules.debug and see if you get an error.

Sifter

pfctl -f /tmp/rules.debug

returns no errors.

sullrich

Just nmapped our captive portal here… And its not doing this.

nmap -P0 10.0.0.80

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-03-24 12:49 EST
All 1668 scanned ports on 10.0.0.80 are: filtered
MAC Address: 00:00:24:C1:F7:71 (Connect AS)

Nmap finished: 1 IP address (1 host up) scanned in 36.169 seconds