Port scan from outside indicates some port are open.
I have a few 1:1 NATed servers that have some ports that are open from outside our LAN that I did not open.
As I understood in pfsense all ports are blocked unless specifically allowed access to from outside the LAN.
Well if you did a 1:1 Nat normally open the all the ports to that box.
Out of the box all unsolicited traffic to your pfsense wan IP would be dropped yes.
Why don't you post up your wan rules, and then the findings of your port scan from outside.
Check you firewall rules. If you have NAT or 1:1 NAT rules created there will associated firewall rules to let the traffic trough. This shouldn't be too surprising since a port forward (RDR) or a 1:1 NAT is useless without a matching firewall rule to allow the traffic in.
Here is the screen shot of of the wan rule for one specific server:
Protocol Source Port Destination Port Gateway
IPV4 TCP * * 192.168.2.11 web-ports *
web-ports is an alias for port 80 and 443
192.168.2.11 is the internal server
and there is a 1:1 NAT rule for that inernal ip address.
Here is the nmap port scan result:
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1801/tcp open msmq
2103/tcp open zephyr-clt
2105/tcp open eklogin
2107/tcp open msmq-mgmt
3071/tcp open csd-mgmt-port
4899/tcp open radmin
And that was done to your pfsense wan IP from from outside?? Ie internet, and what is in front of pfsense?
That is the only rule you have on your wan? Do you have any rules in floating? Your alias has what exactly in it - just 80 and 443 (web ports)
BTW why would you do a 1:1 nat if all you want to go to your 192.168.2.11 box is the web ports? Why not just do a simple port forward for those ports.
Yes it was done from the outside.
I have quite a few servers that needed to be publicly accessible. A few webservers.
A few servers that listens to incoming ports from clients sending gps coordiantes.
A couple of mail servers. So all these need to have their own public facing IP addresses.
What I am doing right now is just remvong the 1:1 nat entries and just do port forwarding.
Yeah normally you would do 1:1 nat when you want all traffic to go to that box, and then either firewall at the box or just don't listen on the box other than what you want to allow.
Couple of ports would just be port forwards.
But something is missing from the puzzle here, since your firewall rule should block the traffic other than what is going to the 192.168.2.11 box.. Per
To allow traffic in from the Internet, a firewall rule must be added on the associated WAN interface allowing the desired traffic, using the destination IP of the internal private IP.
For now I'll just disable 1:1 nat and stick with forwarding ports bound for public ip addresses to their respective internal ip addresses.
I would still pursue the 1:1 NAT on a linux server that is not so crucial and has an internal firewall just to satisfy my curiosity.
Thank you for the advice.