Port scan from outside indicates some port are open.



  • Hi All,

    I have a few 1:1 NATed servers that have some ports that are open from outside our LAN that I did not open.
    As I understood in pfsense all ports are blocked unless specifically allowed access to from outside the LAN.

    thanks


  • LAYER 8 Global Moderator

    Well if you did a 1:1 Nat normally open the all the ports to that box.

    Out of the box all unsolicited traffic to your pfsense wan IP would be dropped yes.

    Why don't you post up your wan rules, and then the findings of your port scan from outside.



  • Check you firewall rules. If you have NAT or 1:1 NAT rules created there will associated firewall rules to let the traffic trough. This shouldn't be too surprising since a port forward (RDR) or a 1:1 NAT is useless without a matching firewall rule to allow the traffic in.



  • Thanks Johnpoz,

    Here is the screen shot of of the wan rule for one specific server:
    Protocol     Source  Port     Destination Port       Gateway
    IPV4 TCP      *                *            192.168.2.11      web-ports      *

    web-ports is an alias for port 80 and 443
    192.168.2.11 is the internal server
    and there is a 1:1 NAT rule for that inernal ip address.

    Here is the nmap port scan result:
    PORT      STATE SERVICE
    80/tcp    open  http
    135/tcp  open  msrpc
    139/tcp  open  netbios-ssn
    443/tcp  open  https
    445/tcp  open  microsoft-ds
    1801/tcp  open  msmq
    2103/tcp  open  zephyr-clt
    2105/tcp  open  eklogin
    2107/tcp  open  msmq-mgmt
    3071/tcp  open  csd-mgmt-port
    4899/tcp  open  radmin


  • LAYER 8 Global Moderator

    And that was done to your pfsense wan IP from from outside??  Ie internet, and what is in front of pfsense?

    That is the only rule you have on your wan?  Do you have any rules in floating?  Your alias has what exactly in it - just 80 and 443 (web ports)

    BTW why would you do a 1:1 nat if all you want to go to your 192.168.2.11 box is the web ports?  Why not just do a simple port forward for those ports.



  • Yes it was done from the outside.

    I have quite a few servers that needed to be publicly accessible. A few webservers.
    A few servers that listens to incoming ports from clients sending gps coordiantes.
    A couple of mail servers. So all these need to have their own public facing IP addresses.

    What I am doing right now is just remvong the 1:1 nat entries and  just do port forwarding.

    Thank you


  • LAYER 8 Global Moderator

    Yeah normally you would do 1:1 nat when you want all traffic to go to that box, and then either firewall at the box or just don't listen on the box other than what you want to allow.

    Couple of ports would just be port forwards.

    But something is missing from the puzzle here, since your firewall rule should block the traffic other than what is going to the 192.168.2.11 box..  Per
    https://doc.pfsense.org/index.php/1:1_NAT

    To allow traffic in from the Internet, a firewall rule must be added on the associated WAN interface allowing the desired traffic, using the destination IP of the internal private IP.



  • For now I'll just disable 1:1 nat and stick with forwarding ports bound for public ip addresses to their respective internal ip addresses.

    I would still pursue the 1:1 NAT on a linux server that is not so crucial and has an internal firewall just to satisfy my curiosity.

    Thank you for the advice.


Log in to reply