GRC closed instead of stealth ports?
-
@johnpoz said in GRC closed instead of stealth ports?:
But pfsense wouldn't send a reject. Now if they were actually forwarded through and could get to that something - it might send a reject.
Wouldn't pfsense send a reject, if that was selected? The choices are "block" which does not respond at all and "reject" which sends a reject.
From the manual:
A packet matching this rule will be discarded and for supported protocols, a message will be sent back to the originator indicating that the connection was refused.
I use block on the WAN interface so that an attacker would waste time waiting for a response and reject internally to end the attempt as quickly as possible.
However, in this case above, there is no reject on the WAN interface.
-
It wouldn't via the rules he has shown was my point. As I said it would have to be a specific reject..
You would have to specifically do that - and even the floating rule he has as reject couldn't do it - it's to all ports.. So if that was doing it - all the ports would be coming back closed. And it's not set for wan anyway, and how would his own wan be in that pb alias? etc..
-
My old shitty cable-ISP used to do this, after maybe 60 days or so, I got this. I then had to manually reconnect and it was gone again and I had my open ports back.
Somehow it is still fascinating to me to look at.
-
Ok, finally got this figured out. It was my gateway that was rejecting the requests. After a hard reset, it switched over to blocking, but the gateway was still the one doing the work, so had to put it in DMZ+ mode so I could get traffic on the pfSense box. I'm seeing the individual port requests now via the packet capture and they're ALL showing as stealth. Woot!
Thanks all for your help!
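The three results discussed in this thread can be read from a WAN packet capture: a SYN answered with SYN-ACK is open, a SYN answered with a reset (what a reject rule sends for TCP) is closed, and a SYN with no answer (block) is stealth. The following is an added example, not code from any poster or from pfSense; it assumes `tcpdump -n` style text output, and the addresses, sample lines and the name `classify_ports` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines using documentation addresses (not from the thread).
SAMPLE_CAPTURE = """\
10:00:00.000100 IP 198.51.100.7.50001 > 203.0.113.10.22: Flags [S], seq 100, win 1024, length 0
10:00:00.000900 IP 203.0.113.10.22 > 198.51.100.7.50001: Flags [R.], seq 0, ack 101, win 0, length 0
10:00:00.100100 IP 198.51.100.7.50002 > 203.0.113.10.80: Flags [S], seq 200, win 1024, length 0
10:00:00.200100 IP 198.51.100.7.50003 > 203.0.113.10.443: Flags [S], seq 300, win 1024, length 0
10:00:00.200800 IP 203.0.113.10.443 > 198.51.100.7.50003: Flags [S.], seq 900, ack 301, win 65535, length 0
10:00:01.100100 IP 198.51.100.7.50002 > 203.0.113.10.80: Flags [S], seq 200, win 1024, length 0
"""

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def classify_ports(capture_text, wan_ip):
    """Map each TCP port probed on wan_ip to 'open', 'closed' or 'stealth'."""
    probed = set()                 # ports that received a bare SYN
    replies = defaultdict(set)     # port -> flag strings sent back from wan_ip
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue               # skip non-TCP or unparsable lines
        flags = m["flags"]
        if m["dst"] == wan_ip and flags == "S":
            probed.add(int(m["dport"]))
        elif m["src"] == wan_ip:
            replies[int(m["sport"])].add(flags)
    result = {}
    for port in sorted(probed):
        seen = replies.get(port, set())
        if any("S" in f and "." in f for f in seen):   # SYN-ACK: something is listening
            result[port] = "open"
        elif any("R" in f for f in seen):              # RST: rejected, scanner reports closed
            result[port] = "closed"
        else:                                          # silence: blocked, scanner reports stealth
            result[port] = "stealth"
    return result

if __name__ == "__main__":
    for port, state in classify_ports(SAMPLE_CAPTURE, "203.0.113.10").items():
        print(port, state)
```

Only ports whose probe SYN appears in the capture are reported, so an empty result while a scan is running means an upstream device is answering before the traffic reaches the capturing interface.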
-
@johnpoz I never had a static IP with any ISP around here. And I even do things that those dynamic IPs change more often.
-
I don't have static, and my IP hasn't changed in 2 some years.. Why would it ever change? It just keeps renewing the same lease, because my device is on 24/7/365.. I am glad it doesn't change to be honest..
Some people have an aversion to posting their public IP is all.. If you're ok with it..
-
@johnpoz said in GRC closed instead of stealth ports?:
If you're ok with it..
I am ok with it, I have another one every morning.
Also I am not with that ISP anymore, thank god.
-
@johnpoz said in GRC closed instead of stealth ports?:
Why would it ever change?
I think some ISPs do it to be nasty.
Mine is virtually static.
I don't worry if my address becomes known. I just don't go out of my way to advertise it.
-
@jknott said in GRC closed instead of stealth ports?:
I don't worry if my address becomes known. I just don't go out of my way to advertise it.
Exactly..