How to close Port 23, 53 and 80 on WAN?

johnpoz · Nov 5, 2019, 11:07 PM

I don't even think you could enable telnet (23) on pfsense if you wanted too - without installing some 3rd party package? your output shows its not even listening on 23.. So how could it be pfsense answering?

Its a well know fact that many an isp device answers to some of these ports..

You want a for sure test... Go to can you see me . org.. Do a test for 23.. Sniff on pfsense.. Do you see it hit? Do you see an answer?

Here..

🔒 Log in to view

Can you see me shows not open... But I see the traffic hit pfsense wan - but NO response.. So it is closed/dropped/not answered.. So no its not open. If something was answering from pfsense, or from behind pfsense you would see it with this test an answer.

Bernd6560 · Nov 6, 2019, 2:48 AM

🔒 Log in to view

Traffic does not (?) hit the pfSense, but that probably would not make sense ... what is the issue here?
Same with port 23.

johnpoz · Nov 6, 2019, 3:01 AM

You have something in front of pfsense that is sending back syn,ack.. What is in front of pfsense? ISP modem/router/gateway?

What is that 81.x IP? Its not any IPs that you have talked to the forum from.. You routing traffic through a vpn - and testing to your VPN IP?

Bernd6560 · Nov 6, 2019, 3:11 AM

@johnpoz In front of pfSense is a Router.
Yes, 81.x is VPN IP, all tests were done on this IP

I have tested the router in front of pfSense for open ports, no open Ports found.
The only thing I did on that router before pfSense was port forwarding for udp 1149 to pfSense, in case that matters.

johnpoz · Nov 6, 2019, 3:14 AM

So your testing to some public IP from a vpn connection.. How would you think that is forwarded down the tunnel to you? Does your vpn support port forwarding? Did you set up those ports to be forwarded down the tunnel to pfsense?

There are not many vpn services that even support port forwarding, and even the ones that do require you to set them up, and more than likely for sure would not support ports like 80 and 23..

Derelict · Nov 6, 2019, 3:25 AM

If you packet capture while you are testing and the SYN packets do not arrive on the pfSense interface, it is not the pfSense firewall that is responding there. Again, look upstream for your "big security hole."

Bernd6560 · Nov 6, 2019, 3:28 AM

My VPN provider supports it, but I have not changed any settings on my VPN account, it is turned off by default.

PfSense is also mostly on default settings, only OpenVPN has been set up ...

Derelict · Nov 6, 2019, 3:31 AM

Again, pcap on your OpenVPN. If the SYNs don't arrive, something upstream is responding there.

Bernd6560 · Nov 6, 2019, 4:54 AM

🔒 Log in to view

Any chance, that's the cause?
I'm at a loss

johnpoz · Nov 6, 2019, 11:11 AM

DUDE what part do you not get here... If your testing to your VPN public IP... Its not Pfsense answering, or anything behind pfsense... Its your VPN service!!! No your outbound nat has ZERO to do with it!!

Bernd6560 · Nov 6, 2019, 4:51 PM

I've done tests with all the filters turned off by the VPN provider, that's the result.

It looks to me that the ping has gone through the pfSense.

🔒 Log in to view

.

🔒 Log in to view

Derelict · Nov 6, 2019, 4:57 PM

That looks like you connecting out.

It's certainly not ping since ping is ICMP not TCP.

NogBadTheBad · Nov 6, 2019, 4:58 PM

This post is deleted!

johnpoz · Nov 6, 2019, 5:34 PM

Dude you have been given the info... There is NO issue with pfsense... You not understanding basic concepts is not pfsense problem.

Out of the box pfsense doesn't allow anything unsolicited inbound to its wan... If you create some tunnel and then force traffic down that tunnel to pfsense no matter what it is - those rules would be on your tunnel interface..

And yeah that traffic your showing is clearly OUTBOUND to port 80...

Bernd6560 · Nov 6, 2019, 5:59 PM

Thanks for the help so far, so it's definitely the VPN, you say?

I wrote a ticket to my VPN provider, to be honest, I would be surprised if they answer at all.

Derelict · Nov 6, 2019, 6:06 PM

It is something else upstream responding.

Bernd6560 · Nov 7, 2019, 11:39 AM

They have actually responded, but I'm not so sure what to think of it.
Sounds like the "it's a feature" excuse ...

"That's a misunderstanding. The scan was based on the currently used IP address of our VPN server. There are necessarily a lot of open ports, otherwise the server could not offer the necessary services."

NogBadTheBad · Nov 7, 2019, 11:42 AM

@Bernd6560 said in How to close Port 23, 53 and 80 on WAN?:

"That's a misunderstanding. The scan was

Err are they saying the run their VPN using ports 23, 53 and 80 to try and anonymise what the servers look like from the internet ?

Bernd6560 · Nov 7, 2019, 12:37 PM

@NogBadTheBad I asked what you wrote, here is the response ...

"I have already written that it is running on the VPN server services."

johnpoz · Nov 7, 2019, 1:13 PM

It's possible they run vpn services themselves on the 53 and 80 ports to try and circumvent outbound restrictions for some locations. That would explain also say the 465 port.. 23 seems odd.. That is normally not going to be allowed outbound from anywhere..

Doesn't matter why to be honest, The point is this whole thread has been complete an utter waste of everyone's time.. Since what some host on the internet answers to has zero to do with the pfsense wan rules.

Its a akin to omg, www.google.com answers to 80 and 443.