Netgate Discussion Forum
Ports open with rules set to block (openvpn roadwarrior)

Category: Firewalling. 11 posts, 3 posters, 682 views.
FuriousRage (Sep 28, 2017, 2:10 PM)

Hi.
I have set up an OpenVPN connection for my home and connect to a service.
This service has all ports open, just like my own connection (WAN).

I have set a bunch of WAN, OPT1 and floating rules to close ports 80 and 443, as an example, and I can still access those ports from the internet (it shows my pfSense webGUI).

What can be wrong?

    ![Screenshot at 2017-09-28 16-04-23.png](/public/imported_attachments/1/Screenshot at 2017-09-28 16-04-23.png)
    ![Screenshot at 2017-09-28 16-08-00.png](/public/imported_attachments/1/Screenshot at 2017-09-28 16-08-00.png)

johnpoz, LAYER 8 Global Moderator (Sep 28, 2017, 5:09 PM)

Where is said traffic coming from, and what interface(s) did you set those rules on in floating?

None of your rules have any hits on them (notice the 0/0 B on the left) other than your OPT rule on the bottom, and that is an any/any block. So it would mean whatever is hitting that rule doesn't match any of your other rules for dest ports. BTW, you have TCP on 53; normally DNS is UDP. Sure, it can switch over to TCP, but pretty much all DNS traffic would be UDP.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

doktornotor, Banned (Sep 28, 2017, 5:15 PM)

Where are the WAN rules?

FuriousRage (Sep 28, 2017, 6:59 PM)

@johnpoz:

    Where is said traffic coming from, and what interface(s) did you set those rules on in floating?

    None of your rules have any hits on them (notice the 0/0 B on the left) other than your OPT rule on the bottom, and that is an any/any block. So it would mean whatever is hitting that rule doesn't match any of your other rules for dest ports. BTW, you have TCP on 53; normally DNS is UDP. Sure, it can switch over to TCP, but pretty much all DNS traffic would be UDP.

OK.
When I connect to the DynDNS address with my OpenVPN client IP, I get served the webGUI with a warning:

    Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding

I am going to change that to UDP, but grc.com's ShieldsUP tests only TCP, I believe, and the page shows port 53 open.

@doktornotor:

    Where are the WAN rules?

johnpoz, LAYER 8 Global Moderator (Sep 28, 2017, 7:04 PM)

"ShieldsUP tests only TCP, I believe, and the page shows port 53 open"

Post your WAN rules. As to your rebinding: do you have your DynDNS reporting an RFC1918 address? Then yeah, that would be a rebind issue!

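The warning FuriousRage quoted comes from the webGUI's DNS rebind check, which compares the HTTP Host header against the firewall's own hostname and the names configured under System > Advanced > Admin Access > Alternate Hostnames; reaching the GUI through a DynDNS name that is not listed there triggers it, independent of what the name resolves to. Below is an added Python model of that check, plus a helper for johnpoz's question about whether the DynDNS record points into RFC1918 space. This is illustration code, not pfSense's own; the hostname `pfSense`, the domain `home.lan` and the addresses used are assumptions for the example.

```python
import ipaddress

# Added illustration (not pfSense's own code) of the webGUI DNS rebind check:
# a request is accepted when the Host header is an IP literal, the firewall's
# own hostname (bare or fully qualified), or a name listed under
# System > Advanced > Admin Access > Alternate Hostnames. Anything else gets
# the "Potential DNS Rebind attack detected" page.

# Assumed local configuration for the example.
SYSTEM_HOSTNAME = "pfSense"
SYSTEM_DOMAIN = "home.lan"

# RFC 1918, loopback, link-local and IPv6 ULA: the ranges johnpoz is asking about.
NON_GLOBAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]


def host_from_header(host_header: str) -> str:
    """Strip the port (and IPv6 brackets) from an HTTP Host header value."""
    h = host_header.strip()
    if h.startswith("["):                       # "[2001:db8::1]:443"
        return h[1:h.index("]")].lower()
    return h.split(":")[0].lower()


def rebind_check_passes(host_header, alt_hostnames=(),
                        hostname=SYSTEM_HOSTNAME, domain=SYSTEM_DOMAIN):
    """True if the GUI would serve the page, False if it would show the rebind warning."""
    host = host_from_header(host_header)
    try:
        ipaddress.ip_address(host)              # an IP literal cannot be "rebound"
        return True
    except ValueError:
        pass
    allowed = {hostname.lower(), f"{hostname}.{domain}".lower()}
    allowed.update(h.lower() for h in alt_hostnames)
    return host in allowed


def non_global_answers(addresses):
    """Return the addresses in a DynDNS answer set that fall in private/non-routable space."""
    return [a for a in addresses
            if any(ipaddress.ip_address(a) in net for net in NON_GLOBAL)]


if __name__ == "__main__":
    # Constructed DynDNS name and answers, not taken from the thread.
    print(rebind_check_passes("myhome.dyndns.example"))                                   # False
    print(rebind_check_passes("myhome.dyndns.example", alt_hostnames=["myhome.dyndns.example"]))  # True
    print(non_global_answers(["192.168.1.1", "198.51.100.7"]))                            # ['192.168.1.1']
```

On a real firewall the equivalent of the second helper is to resolve the DynDNS name (`host` or `dig` from any client) and look at the answer; the fix for the warning itself is to add the DynDNS name to Alternate Hostnames rather than disabling the check.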
FuriousRage (Sep 28, 2017, 7:06 PM)

@johnpoz:

    "ShieldsUP tests only TCP, I believe, and the page shows port 53 open"

    Post your WAN rules. As to your rebinding: do you have your DynDNS reporting an RFC1918 address? Then yeah, that would be a rebind issue!

The WAN rules are in my previous post.

IIRC, I am using ddclient on a Debian server to report to dyndns.com.

johnpoz, LAYER 8 Global Moderator (Sep 28, 2017, 7:07 PM)

No, they are not. Those are OPT1 and floating.

edit: Oh, my bad, that proxy I was using was blocking your link. So much easier if people just attach their pictures vs links. OK, let me look at them.

FuriousRage (Sep 28, 2017, 7:08 PM)

@johnpoz:

    No, they are not. Those are OPT1 and floating.

https://forum.pfsense.org/index.php?topic=137270.msg750866#msg750866

johnpoz, LAYER 8 Global Moderator (Sep 28, 2017, 7:12 PM, last edited 7:16 PM)

You understand that every one of those rules is POINTLESS, since there is a default deny on WAN. Unless you wanted to log something specific and turned off default logging, those block rules on your WAN are pointless!!

If you're scanning from grc and it shows something open, then it's not hitting pfSense. What is in front of pfSense? That is most likely what is open; that happens ALL the time!!! Some ISP router has something listening, and pfSense gets blamed for why grc shows it open.

Why don't you sniff on the pfSense WAN when you run your grc scan and see if what they say is open even gets to pfSense? Unless you turned off the firewall on pfSense??

And your rule just below the pfBlocker rules is set to NOT log and is IPv4 any/any, so you're not going to be logging much of anything, unless it triggers the RFC rule or the bogon rule or your pfBlocker rules before it gets to that rule, which would then block everything and not log it.

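To make johnpoz's three points concrete (interface-tab rules are first-match, the default deny already covers everything the explicit WAN blocks do, and an unlogged any/any rule below the pfBlocker rules swallows everything without a log line), here is an added Python model of pfSense rule evaluation. It is illustration code, not pf or pfSense source; the rule names, the 198.51.100.7 scanner address and the 192.0.2.10 blocklist entry are constructed for the example. It also covers johnpoz's earlier question about floating rules: a floating block without Quick set is overridden by a later interface rule that matches.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added illustration of pfSense rule evaluation order (model code, not pfSense or pf source).
# Assumptions, matching documented pfSense behaviour: floating rules are evaluated before
# interface-tab rules; interface-tab rules are implicitly "quick" (first match wins);
# a floating rule without Quick only wins if nothing later matches; a packet matching
# nothing falls through to the default deny, which is logged by default.


@dataclass
class Rule:
    name: str
    action: str                            # "pass" or "block"
    iface: str                             # "wan", "opt1", or "floating"
    proto: Optional[str] = None            # None = any protocol
    dport: Optional[int] = None            # None = any destination port
    src: Optional[FrozenSet[str]] = None   # None = any source, else an alias-like set
    log: bool = False
    quick: bool = True
    hits: int = 0                          # the counter shown next to each GUI rule

    def matches(self, pkt: dict) -> bool:
        return ((self.iface == "floating" or self.iface == pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"])
                and (self.src is None or pkt["src"] in self.src))


def evaluate(rules, pkt):
    """Return (action, winning rule name, logged?) and bump the winner's hit counter."""
    ordered = ([r for r in rules if r.iface == "floating"]
               + [r for r in rules if r.iface != "floating"])
    winner = None
    for r in ordered:
        if r.matches(pkt):
            winner = r
            if r.quick:
                break                      # quick: the first match is final
    if winner is None:
        return "block", "default deny", True
    winner.hits += 1
    return winner.action, winner.name, winner.log


def pkt(iface, dport, src="198.51.100.7", proto="tcp"):
    """Constructed inbound packet, e.g. one probe of a ShieldsUP scan."""
    return {"iface": iface, "proto": proto, "dport": dport, "src": src}


def explicit_wan_blocks_are_redundant():
    """Explicit WAN block rules only change which rule is named and whether it logs."""
    with_rules = [Rule("block tcp/80", "block", "wan", "tcp", 80),
                  Rule("block tcp/443", "block", "wan", "tcp", 443)]
    return evaluate(with_rules, pkt("wan", 443)), evaluate([], pkt("wan", 443))


def opt1_ruleset():
    blocklist = frozenset({"192.0.2.10"})  # stands in for a pfBlockerNG alias
    return [Rule("pfB_blocklist", "block", "opt1", src=blocklist, log=True),
            Rule("block tcp/80", "block", "opt1", "tcp", 80),
            Rule("block any/any (no log)", "block", "opt1")]


def unlogged_catchall_swallows_everything():
    """A probe that is neither port 80 nor from the blocklist lands on the silent any/any."""
    rules = opt1_ruleset()
    result = evaluate(rules, pkt("opt1", 22))
    return result, {r.name: r.hits for r in rules}


def floating_block_without_quick_is_overridden():
    rules = [Rule("floating block tcp/80", "block", "floating", "tcp", 80, quick=False),
             Rule("opt1 pass tcp/80", "pass", "opt1", "tcp", 80)]
    return evaluate(rules, pkt("opt1", 80))


if __name__ == "__main__":
    print(explicit_wan_blocks_are_redundant())
    print(unlogged_catchall_swallows_everything())
    print(floating_block_without_quick_is_overridden())
```

On the real box the equivalent checks are `pfctl -vsr` from a shell (per-rule evaluation and packet counters, the same numbers behind the GUI's 0/0 B) and Diagnostics > Packet Capture on the WAN interface while the ShieldsUP scan runs, which is the sniff johnpoz suggests: if the probe never shows up on WAN, whatever answered it sits in front of pfSense.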
FuriousRage (Sep 28, 2017, 7:18 PM)

@johnpoz:

    You understand that every one of those rules is POINTLESS, since there is a default deny on WAN. Unless you wanted to log something specific and turned off default logging, those block rules on your WAN are pointless!!

    If you're scanning from grc and it shows something open, then it's not hitting pfSense. What is in front of pfSense? That is most likely what is open; that happens ALL the time!!! Some ISP router has something listening, and pfSense gets blamed for why grc shows it open.

    Why don't you sniff on the pfSense WAN when you run your grc scan and see if what they say is open even gets to pfSense? Unless you turned off the firewall on pfSense??

    And your rule just below the pfBlocker rules is set to NOT log and is IPv4 any/any, so you're not going to be logging much of anything, unless it triggers the RFC rule or the bogon rule or your pfBlocker rules before it gets to that rule, which would then block everything and not log it.

When I use GRC ShieldsUP, I use my OPT1 address, which is on my ovpn.com connection.
Between the pfSense box and the internet is the FiOS converter, and then the ISP to the internet.

johnpoz, LAYER 8 Global Moderator (Sep 29, 2017, 4:10 PM)

So you're scanning your VPN provider's endpoint. And what the F do you think it has open?? Why would you think anything unsolicited would be sent down the tunnel to you?

Did you set up the 7 port forwards they allow?
https://www.ovpn.com/en/faq/network/do-you-support-port-forwarding

What does that have to do with a road warrior setup?

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.