netgate85 last edited by
Isn't 5060 one of the default SIP ports? Perhaps open for VOIP stuff?
Or you loaded a package that opens it, or you selected a configuration option that opens it. See, based on the information about your configuration (loaded packages, rules, config options chosen), it's very difficult to make any kind of intelligent guess as to what opened it. All I was doing was pointing out that it is one of the standard SIP ports, so it is likely that it got opened by "something". You didn't even say which port it's open on, WAN or LAN? By default, out of the box, with no changes pfSense is "allow everything in on LAN, deny everything in on WAN". That means any traffic originating from a client on the LAN side is allowed into the pfSense device. Any traffic that originates from outside the WAN is blocked from being processed in on the WAN (it gets dropped, you'll see a log entry). Traffic that is inbound on the WAN in response to a LAN originated traffic will come into the pfSense device (that's what stateful firewall means).
Sorry if I couldn't provide a better answer to your original question.
What's in front of your WAN interface? Does your WAN have a public IP or is the public IP the equipment in front of the WAN?
Basically are you sure that the scan is actually scanning the pfSense device?
Is there a proxy running anywhere? 8008 is often used for an alternate HTTP port
pfSense logs are showing that the connections are blocked, but the scanner is saying the ports are open?
If so, then it's a false positive by the scanner.
Traffic on any port winds up making it some way into the network stack before a decision is made to drop or accept. Most firewalls have a "what do I do when I deny? Silently drop the packet or send back an ICMP return code?" Arguments on both sides, silently dropping causes the sender to retry, some people take any return code as "evidence" the port is open. Not sure where it is in the GUI but you should be able to set pfSense to silently deny, high probability that changes the scanner results.
If pfSense logs say a packet has been denied, it has been denied. It came in, got evaluated, got tossed in the bit bucket. I'll take what pfSense logs say over an external scanner any day.