Port showing Closed on WAN side, but no rule
-
pfSense blocks by default, and that is great. I did a port scan against my firewall and it reported port 113 as closed, so I assume that pfSense replied with a reject. Why does this happen if I don't have a rule for this port? Why does it return closed? What will happen if I create a rule to block port 113?
Thank You
-
How are you performing your scan? If you're doing it from the LAN side of pfSense what you're seeing is normal because pfSense's default deny policy only applies to traffic that enters the WAN interface from the outside. Traffic that has entered the system via the LAN interface is not subject to filtering until it actually leaves the system via an interface (and by default is allowed but this can be changed with floating rules).
-
I'm doing the scan from another system on a different network.
-
And how does this other network relate to the pfSense system? Does the scan come in via the WAN interface or some other interface? Post your WAN firewall rules in case it does.
-
No, it's a system on a different network… nothing related to this network... my wan rules are clear... nothing
-
pfSense out of the box does not send a reject; the packet is just dropped. So if you're saying you're scanning from outside to the WAN of pfSense and you're getting a "closed" because a reject was sent, then either you created a rule to do that, or you're not actually scanning pfSense.
If pfSense was sending rejects, then every single port you scan on pfSense would show closed vs. the popular (even though not really correct) term "stealth".
So did you validate that pfSense actually saw this TCP SYN to 113, and that it sent the reject? Simple enough to test with a packet capture on WAN, then go to something like canyouseeme.org or even the GRC scanner, for gosh sake..
GRC Port Authority Report created on UTC: 2017-06-08 at 18:14:38
Results from probe of port: 113
0 Ports Open
0 Ports Closed
1 Ports Stealth
---------------------
1 Ports Tested
THE PORT tested was found to be: STEALTH.
TruStealth: FAILED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
Oh my gosh I'm not stealth because I answered ping ;) <rolleyes>F'ing idiot spreading FUD… ;)</rolleyes>
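As an added example (not from anyone in this thread), here is a small Python script that turns WAN-side tcpdump lines into the per-port verdict a scanner would report, so you can tell whether the firewall answered the SYN with a RST (reject, shows as "closed") or stayed silent (drop, shows as "stealth"/filtered). The addresses and capture lines are constructed for the example; the regex assumes tcpdump's default `IP src.port > dst.port: Flags [..]` output format.

```python
import re

# Constructed sample capture (not real traffic): scanner 203.0.113.5 probing
# the firewall's WAN address 198.51.100.10 on three ports.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.40001 > 198.51.100.10.113: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP 198.51.100.10.113 > 203.0.113.5.40001: Flags [R.], seq 0, ack 2, win 0, length 0
12:00:01.100001 IP 203.0.113.5.40002 > 198.51.100.10.22: Flags [S], seq 1, win 1024, length 0
12:00:01.200001 IP 203.0.113.5.40003 > 198.51.100.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.200300 IP 198.51.100.10.443 > 203.0.113.5.40003: Flags [S.], seq 9, ack 2, win 65535, length 0
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" from tcpdump output.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def classify_ports(capture: str, target: str) -> dict:
    """Return {port: verdict} for every TCP SYN aimed at `target`.

    closed  -> a RST came back from the target (a reject, what the scanner calls closed)
    open    -> a SYN-ACK came back (something is listening)
    dropped -> nothing came back, the pfSense default (scanner calls it filtered/stealth)
    """
    verdict = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        # A bare SYN (no ACK bit, shown as "." in tcpdump) towards the target starts a probe.
        if dst == target and "S" in flags and "." not in flags:
            verdict.setdefault(int(dport), "dropped")
        # Any reply from the target on a probed port upgrades the verdict.
        elif src == target and int(sport) in verdict:
            port = int(sport)
            if "R" in flags:
                verdict[port] = "closed"
            elif "S" in flags and "." in flags:
                verdict[port] = "open"
    return verdict


def reject_seen(capture: str, target: str, port: int) -> bool:
    """True if the target sent a RST for `port`, i.e. a reject rather than a silent drop."""
    return classify_ports(capture, target).get(port) == "closed"


if __name__ == "__main__":
    for port, state in sorted(classify_ports(SAMPLE_CAPTURE, "198.51.100.10").items()):
        print(f"port {port}: {state}")
```

Feed it a real capture taken on the WAN interface (tcpdump -n -i <wan> tcp) while you run the scan; if port 113 comes out "closed" you have proof the RST originated from the firewall side and can go looking for the rule or service that caused it.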
-
Well, there has to be a reason for the port to show as closed. TCP port 113 is usually auth/ident, which might still be used by IRC or some games for identifying the connecting user. It's of course broken as hell as a practice, but it's still used. Do you have UPnP enabled? Any packages installed?
Btw, which version of pfSense?