Netgate Discussion Forum

    Concerned port scan of pfSense public WAN IP shows all ports open (most likely noob error)

    • dmtdva

      Port scan (from 4G device scanning public IP of pfSense WAN interface):

      Host is up (0.039s latency).

      PORT STATE SERVICE
      1/tcp open tcpmux
      3/tcp open compressnet
      4/tcp open unknown
      6/tcp open unknown
      7/tcp open echo
      9/tcp open discard

      ... for every port! :-S

      • Rico LAYER 8 Rebel Alliance

        Tell us more about your Setup, show Firewall Rules and Logs as Screenshots.
        I just checked with a very basic 2.4.4-p3 setup and it behaves exactly as expected.
        pfSense_Basic_WAN-Rules.png

        nmap -sT xxx.xxx.xxx.141
        
        Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-02 10:35
        Nmap scan report for xxx.xxx.xxx.141
        Host is up (0.0050s latency).
        All 1000 scanned ports on xxx.xxx.xxx.141 are filtered
        
        Nmap done: 1 IP address (1 host up) scanned in 49.80 seconds
        

        pfSense_Firewall2.png

        Make sure the Virgin modem isn't the device answering this request.

        -Rico

        • dmtdva

          Hi, thanks for the reply.

          Wanrules.JPG FirewallLogs.JPG

          Many of the log entries are seemingly denying external IP#s from accessing 23, 8080 etc.

          Perhaps it is just my Virgin Media router that is blocking the requests?

          I cannot think how to test this easily.

          • johnpoz LAYER 8 Global Moderator

            Let's say the port X was actually open... If you don't have something listening on it, it could not show open.. There is nothing sending back a syn,ack to the syn... So whatever your testing methodology is, it is wrong.. Is your phone on IPv6 - many carriers only give their mobile devices IPv6 and send that traffic through a gateway to get to IPv4.. Maybe they run you through a proxy?

            If you want to do an external scan - then go to one of the services that do it for free.. Shields Up is a popular one.. And will give you the so-called stealth info <rolleyes>..

            Or validate your external source is not running through some sort of "ISP" shenanigans.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • NogBadTheBad

              @dmtdva

              Why is the automatic block RFC 1918 rule missing?

              Do you actually have two routers or is the Virgin one in modem mode?

              Andy

              1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              • Gertjan

                Use this scan test: https://www.grc.com/x/ne.dll?rh1dkyd2

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • dmtdva

                  @johnpoz This is the result of the third party scan, which as you have mentioned might be a better method than a phone ISP. No open ports at least, which is reassuring! Thanks to all who helped with your time.

                  Still wondering why they are showing as stealthed and not closed however.

                  Scan.JPG

                  • dmtdva

                    @NogBadTheBad I purposefully removed that as one client used AWS Route 53 entries to point back to local addresses and this prevented it.

                    Just the Virgin one so....

                    Virgin Superhub (Modem mode) --> RJ45 VLAN 0.80 switch untagged through to trunk port on --> ESXi --> ESXi trunk port through to pfSense VM on vmx.080

                    The VLAN part is seemingly working fine.

                    • johnpoz LAYER 8 Global Moderator

                      Stealth means there was no answer, closed means that something was returned.. either a RST or icmp redirect, etc.

                      Normally a firewall would just drop and not return anything.. ie "stealth" which is misleading at best. Just because your scan doesn't return anything doesn't actually mean you can not be found, etc..

                      Those are 135, 137-139 that are returning "closed". Could be your ISP telling you sorry, No Go on those ports.. Many an ISP will on purpose block those.

                      Ah and the other is 445, yeah that is SMB over TCP.. Also normally blocked by many an ISP.

                      • dmtdva

                        @johnpoz Thanks mate. That makes sense, guessing the root cause was me testing over a 4G/cellular data connection and therefore getting unreliable results.

                        Still have the results here:

                        Host is up (0.039s latency).

                        PORT STATE SERVICE
                        1/tcp open tcpmux
                        3/tcp open compressnet
                        4/tcp open unknown
                        6/tcp open unknown
                        7/tcp open echo
                        9/tcp open discard
                        13/tcp open daytime
                        17/tcp open qotd
                        19/tcp open chargen
                        20/tcp open ftp-data
                        21/tcp open ftp
                        22/tcp open ssh
                        23/tcp open telnet
                        24/tcp open priv-mail
                        <snipped by mod - just make post so long and useless info>
                        Won't let me move into code - says spam ;)

                        You'd think they would set every port to closed if they were trying to stop hackers unless they have something akin to a honeypot.

                        • johnpoz LAYER 8 Global Moderator

                          Not sure what shenanigans they could be up to.. Could be something to do with an IPv6 to IPv4 gateway, they could be running you through some sort of TCP proxy, etc.

                          But tell you for sure testing such stuff over cell can be misleading info..

                          Could be a form of optimization.. where they're handing you back a syn,ack before any sort of connection is actually made, etc. etc..

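The open / closed / "stealth" distinction discussed in the thread, together with a control-port check for a scan path that answers SYNs on the target's behalf, as an added example that is not part of the original thread. The function names (`probe`, `scan_path_trustworthy`, `loopback_listener`, `unused_port`) are hypothetical, and the loopback sockets are constructed stand-ins so the block runs offline.

```python
import socket


def probe(host, port, timeout=2.0):
    """Classify one TCP port with a full connect(), as `nmap -sT` does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # a SYN/ACK came back from *something* on the path
    except ConnectionRefusedError:
        return "closed"      # a RST came back
    except OSError:
        return "filtered"    # timeout or ICMP error: no TCP answer ("stealth")
    finally:
        sock.close()


def scan_path_trustworthy(host, control_port, timeout=2.0):
    """control_port must be a port you know has no listener and no pass rule.
    If it still reads "open", a proxy or gateway between the scanner and the
    target is completing handshakes, so every "open" from here is suspect."""
    return probe(host, control_port, timeout) != "open"


def loopback_listener():
    """Constructed stand-in for whatever answers the SYN (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv


def unused_port():
    """Return a loopback port with nothing listening on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv = loopback_listener()
    answered = srv.getsockname()[1]
    dead = unused_port()
    for port in (answered, dead):
        print(port, probe("127.0.0.1", port),
              "path ok" if scan_path_trustworthy("127.0.0.1", port) else "path suspect")
    srv.close()
```

Run against your own WAN address from the vantage point you intend to scan from, pick a control port that has no NAT or pass rule; a result of "open" there means the scan is measuring the network in between, not the firewall.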
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.