• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Port scan from outside indicates some port are open.

Scheduled Pinned Locked Moved Firewalling
8 Posts 3 Posters 2.5k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • M
    m3tatr0n
    last edited by May 10, 2017, 2:18 PM

    Hi All,

    I have a few 1:1 NATed servers that have some ports that are open from outside our LAN that I did not open.
    As I understood in pfsense all ports are blocked unless specifically allowed access to from outside the LAN.

    thanks

    1 Reply Last reply Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator
      last edited by May 10, 2017, 3:30 PM

      Well if you did a 1:1 Nat normally open the all the ports to that box.

      Out of the box all unsolicited traffic to your pfsense wan IP would be dropped yes.

      Why don't you post up your wan rules, and then the findings of your port scan from outside.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • K
        kpa
        last edited by May 10, 2017, 4:22 PM

        Check you firewall rules. If you have NAT or 1:1 NAT rules created there will associated firewall rules to let the traffic trough. This shouldn't be too surprising since a port forward (RDR) or a 1:1 NAT is useless without a matching firewall rule to allow the traffic in.

        1 Reply Last reply Reply Quote 0
        • M
          m3tatr0n
          last edited by May 10, 2017, 4:23 PM

          Thanks Johnpoz,

          Here is the screen shot of of the wan rule for one specific server:
          Protocol     Source  Port     Destination Port       Gateway
          IPV4 TCP      *                *            192.168.2.11      web-ports      *

          web-ports is an alias for port 80 and 443
          192.168.2.11 is the internal server
          and there is a 1:1 NAT rule for that inernal ip address.

          Here is the nmap port scan result:
          PORT      STATE SERVICE
          80/tcp    open  http
          135/tcp  open  msrpc
          139/tcp  open  netbios-ssn
          443/tcp  open  https
          445/tcp  open  microsoft-ds
          1801/tcp  open  msmq
          2103/tcp  open  zephyr-clt
          2105/tcp  open  eklogin
          2107/tcp  open  msmq-mgmt
          3071/tcp  open  csd-mgmt-port
          4899/tcp  open  radmin

          1 Reply Last reply Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator
            last edited by May 10, 2017, 5:06 PM

            And that was done to your pfsense wan IP from from outside??  Ie internet, and what is in front of pfsense?

            That is the only rule you have on your wan?  Do you have any rules in floating?  Your alias has what exactly in it - just 80 and 443 (web ports)

            BTW why would you do a 1:1 nat if all you want to go to your 192.168.2.11 box is the web ports?  Why not just do a simple port forward for those ports.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • M
              m3tatr0n
              last edited by May 10, 2017, 5:28 PM

              Yes it was done from the outside.

              I have quite a few servers that needed to be publicly accessible. A few webservers.
              A few servers that listens to incoming ports from clients sending gps coordiantes.
              A couple of mail servers. So all these need to have their own public facing IP addresses.

              What I am doing right now is just remvong the 1:1 nat entries and  just do port forwarding.

              Thank you

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by May 10, 2017, 5:42 PM

                Yeah normally you would do 1:1 nat when you want all traffic to go to that box, and then either firewall at the box or just don't listen on the box other than what you want to allow.

                Couple of ports would just be port forwards.

                But something is missing from the puzzle here, since your firewall rule should block the traffic other than what is going to the 192.168.2.11 box..  Per
                https://doc.pfsense.org/index.php/1:1_NAT

                To allow traffic in from the Internet, a firewall rule must be added on the associated WAN interface allowing the desired traffic, using the destination IP of the internal private IP.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 0
                • M
                  m3tatr0n
                  last edited by May 10, 2017, 6:01 PM

                  For now I'll just disable 1:1 nat and stick with forwarding ports bound for public ip addresses to their respective internal ip addresses.

                  I would still pursue the 1:1 NAT on a linux server that is not so crucial and has an internal firewall just to satisfy my curiosity.

                  Thank you for the advice.

                  1 Reply Last reply Reply Quote 0
                  8 out of 8
                  • First post
                    8/8
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                    This community forum collects and processes your personal information.
                    consent.not_received