Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Nmap scan of ports

    Firewalling
    3
    7
    1.1k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      skeating
      last edited by

      Hello

      I have scanned with Nmap a mail server behind my pfSense firewall. The scan of the firewall shows that port 25 is closed, but that it is open on the mail server (no surprise). I have a rule on the firewall opening port 25, with the mail server being the destination. I have no problem sending email from the mail server. What could cause the port to be "closed" to the scan?

      I have a NAT of
      WAN TCP  *  *  xxx.xxx.49.33  25(SMTP)    192.168.31.35    25(SMTP)

      And a Rule
      IPv4 TCP  *    *    192.168.31.35  25(SMTP)  *  none

      Duplication of effort?  Does one conflict with the other?

      1 Reply Last reply Reply Quote 0
      • H
        Harvy66
        last edited by

        did you add your rule on the LAN or WAN interface?

        1 Reply Last reply Reply Quote 0
        • S
          skeating
          last edited by

          WAN

          1 Reply Last reply Reply Quote 0
          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Sending email from the mail server does not require a port forward. Just like browsing web pages from the inside does not.

            That port forward looks good.

            Yes, you need both the NAT and the pass rule. First NAT happens then the firewall is checked. If your mail server on the inside had a routable address, you would only need the pass rule.

            I would:

            Check that the firewall on the mail server itself is passing the traffic from anywhere

            Check with a packet capture that connections to 25 into WAN are actually arriving on WAN. It would be strange for an ISP to allow outbound to 25 but not inbound but ISPs do strange things.

            This is all assuming you are testing from outside into WAN and you are not looking at a NAT reflection issue.

            Good list of things to check here:

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • S
              skeating
              last edited by

              Full disclosure, I am the "ISP", who inherited this, and I am trying to figure why port 25 shows up as blocked. Are yo saying there could be a problem between the mail server and the firewall? My understanding is the Rule is the allow inbound.

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                No, I'm saying there might be a firewall rule on the host itself blocking traffic. Or something else on the path.

                Or the connections from the outside to pfSense WAN might be blocked.

                It looks like you have done everything on pfSense WAN that you need to.

                Check everything here:

                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • S
                  skeating
                  last edited by

                  Okay, thanks

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.