Netgate Discussion Forum
    Ports open with rules set to block (openvpn roadwarrior)

    Firewalling
FuriousRage:

Hi.
I have set up an OpenVPN connection for my home and connect to a service.
This service has all ports open, just like my own connection (WAN).

I have set a bunch of WAN, OPT1 and floating rules to close ports 80 and 443, as an example, and I still can access those ports from the internet (it shows my pfSense webGUI).

What can be wrong?

![Screenshot at 2017-09-28 16-04-23.png](/public/imported_attachments/1/Screenshot at 2017-09-28 16-04-23.png)
![Screenshot at 2017-09-28 16-08-00.png](/public/imported_attachments/1/Screenshot at 2017-09-28 16-08-00.png)

johnpoz (LAYER 8 Global Moderator):

Where is said traffic coming from, and what interface(s) did you set those rules on in floating?

None of your rules have any hits on them - notice the 0/0 B on the left - other than your OPT rule at the bottom. That is an any/any block, so whatever is hitting that rule doesn't match any of your other rules for destination ports. BTW, you have TCP on 53; normally DNS is UDP. Sure, it can switch over to TCP, but pretty much all DNS traffic would be UDP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

doktornotor (Banned):

Where are the WAN rules?
FuriousRage:

> @johnpoz:
>
> Where is said traffic coming from, and what interface(s) did you set those rules on in floating?
>
> None of your rules have any hits on them - notice the 0/0 B on the left - other than your OPT rule at the bottom. That is an any/any block, so whatever is hitting that rule doesn't match any of your other rules for destination ports. BTW, you have TCP on 53; normally DNS is UDP. Sure, it can switch over to TCP, but pretty much all DNS traffic would be UDP.

OK.
When I connect to the DynDNS address from my OpenVPN client IP, I get served the webGUI with a warning:

    Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding

I am going to change that to UDP, but grc.com's ShieldsUP tests only TCP, I believe, and the page shows port 53 open.
> @doktornotor:
>
> Where are the WAN rules?
johnpoz (LAYER 8 Global Moderator):

> "ShieldsUP tests only TCP, I believe, and the page shows port 53 open"

Post your WAN rules. As to your rebinding: do you have your DynDNS reporting RFC1918? Then yeah, that would be a rebind issue!

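The rebind suspicion johnpoz raises above is concrete enough to check: an internet-facing name (a DynDNS hostname kept current by ddclient) should never resolve to RFC1918, loopback or link-local space, and an answer like that is exactly what DNS rebind protection is designed to flag. The script below is an added example, not code from the thread or from pfSense; the hostname `example.dyndns.invalid`, the interface-free `resolve()` helper and the sample answers are constructed for illustration.

```python
"""Check whether a public DNS name resolves to an address that should never come
back for an internet-facing name (RFC1918, loopback, link-local). Such an answer
is what DNS rebind protection flags, and it is what the post above suspects a
misconfigured DynDNS update would produce."""
import ipaddress
import socket

# Ranges a public DynDNS name should never resolve to.
REBIND_SUSPECT_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def suspicious_answers(answers):
    """Return the subset of resolved addresses that fall in a suspect range.
    An IPv4 address is never 'in' an IPv6 network (and vice versa), so mixed
    answer sets are handled without special casing."""
    flagged = []
    for raw in answers:
        addr = ipaddress.ip_address(raw)
        if any(addr in net for net in REBIND_SUSPECT_NETS):
            flagged.append(raw)
    return flagged


def resolve(name):
    """Live lookup through the system resolver; returns unique address strings.
    Only used when no pre-captured answers are supplied."""
    infos = socket.getaddrinfo(name, None)
    return sorted({info[4][0] for info in infos})


def check_dyndns(name, answers=None):
    """Classify a DynDNS name: ('ok', []) if every answer is public, otherwise
    ('rebind-suspect', offending_addresses). Pass `answers` to check a captured
    or constructed answer offline instead of doing a live lookup."""
    if answers is None:
        answers = resolve(name)
    flagged = suspicious_answers(answers)
    return ("rebind-suspect" if flagged else "ok"), flagged


# Constructed sample answers (not real lookups) for the two cases in the thread:
# the WAN address being published correctly, and the LAN address leaking into DNS.
SAMPLE_OK = ["198.51.100.10"]                    # public (documentation range) WAN address
SAMPLE_BAD = ["192.168.1.1", "198.51.100.10"]    # ddclient reported the LAN address too

if __name__ == "__main__":
    for label, answers in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_dyndns("example.dyndns.invalid", answers))
```

With a real hostname and no `answers` argument the same function does a live lookup, which is the quickest way to confirm or rule out the "DynDNS reporting RFC1918" hypothesis before touching any firewall rules.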
FuriousRage:

> @johnpoz:
>
> > "ShieldsUP tests only TCP, I believe, and the page shows port 53 open"
>
> Post your WAN rules. As to your rebinding: do you have your DynDNS reporting RFC1918? Then yeah, that would be a rebind issue!

The WAN rules are in my previous post.

IIRC, I am using ddclient on a Debian server to report to dyndns.com.
johnpoz (LAYER 8 Global Moderator):

No they are not. Those are OPT1 and floating.

edit: Oh my bad, that proxy I was using was blocking your link. So much easier if people just attach their pictures vs. links. OK, let me look at them.

FuriousRage:

> @johnpoz:
>
> No they are not. Those are OPT1 and floating.

                    https://forum.pfsense.org/index.php?topic=137270.msg750866#msg750866

johnpoz (LAYER 8 Global Moderator):

You understand that every one of those rules is POINTLESS, since there is a default deny on WAN. Unless you wanted to log something specific and turned off default logging, those block rules on your WAN are pointless!!

If you're scanning from GRC and it shows something open, then it's not hitting pfSense. What is in front of pfSense? That is most likely what is open - that happens ALL the time!!! Some ISP router has something X listening, and it gets blamed on pfSense for why GRC shows it open.

Why don't you sniff on the pfSense WAN when you run your GRC scan and see if what they say is open even gets to pfSense? Unless you turned off the firewall on pfSense??

And your rule just below the pfBlocker rules is set to NOT log, and is IPv4 any/any. So you're not going to be logging much of anything, unless it triggers the RFC rule or the bogon rule or your pfBlocker rules before it gets to that rule, which would then block everything and not log it.

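The "sniff on the WAN while the scan runs" advice above is the decisive check, because it separates three cases that a scanner report alone cannot: the port was answered by pfSense (a pass rule or port forward exists), the SYN reached pfSense and got no reply (the default deny did its job), or the SYN never arrived at all (something in front of pfSense, such as an ISP router or the VPN provider's endpoint, answered on pfSense's behalf). The script below is an added example, not code from the thread or from pfSense; it parses tcpdump's default IPv4 output, and the WAN address `198.51.100.10`, the scanner address `203.0.113.5`, the interface name `em0` and the capture lines are all constructed.

```python
"""Triage a ShieldsUP-style 'port open' report against a packet capture taken
on the pfSense WAN interface while the scan ran. Capture with something like
    tcpdump -ni em0 host 198.51.100.10 and tcp
(interface and address are placeholders) and feed the printed lines in."""
import re

# tcpdump's default IPv4 TCP line, e.g.
# 16:08:00.100001 IP 203.0.113.5.44122 > 198.51.100.10.80: Flags [S], seq 1, ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Verdicts for a port the scanner reported as open.
UPSTREAM = "upstream"                  # no SYN ever seen at WAN: answered in front of pfSense
PFSENSE_ANSWERED = "pfsense-answered"  # SYN in, SYN-ACK out: a pass rule/forward exists
PFSENSE_DROPPED = "pfsense-dropped"    # SYN in, nothing out: default deny (scanner result is stale or from elsewhere)


def parse_capture(lines, wan_ip):
    """Return (syn_to_wan, synack_from_wan): destination ports that received a
    bare SYN at the WAN address, and source ports the WAN address replied from
    with SYN-ACK. Non-TCP lines (ICMP, ARP, truncated) are skipped."""
    syn_to_wan, synack_from_wan = set(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m["flags"]
        if m["dst"] == wan_ip and flags == "S":
            syn_to_wan.add(int(m["dport"]))
        elif m["src"] == wan_ip and flags == "S.":
            synack_from_wan.add(int(m["sport"]))
    return syn_to_wan, synack_from_wan


def triage(reported_open, capture_lines, wan_ip):
    """Map each scanner-reported open port to one of the three verdicts above."""
    syn_to_wan, synack_from_wan = parse_capture(capture_lines, wan_ip)
    verdicts = {}
    for port in reported_open:
        if port not in syn_to_wan:
            verdicts[port] = UPSTREAM
        elif port in synack_from_wan:
            verdicts[port] = PFSENSE_ANSWERED
        else:
            verdicts[port] = PFSENSE_DROPPED
    return verdicts


# Constructed capture: 80 answered by the WAN address, 443 dropped, 22 probed but
# not in the report, 53 never seen at all, plus an ICMP line the parser must skip.
SAMPLE_WAN_IP = "198.51.100.10"
SAMPLE_CAPTURE = [
    "16:08:00.100001 IP 203.0.113.5.44122 > 198.51.100.10.80: Flags [S], seq 1, win 64240, length 0",
    "16:08:00.100150 IP 198.51.100.10.80 > 203.0.113.5.44122: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "16:08:00.200001 IP 203.0.113.5.44123 > 198.51.100.10.443: Flags [S], seq 1, win 64240, length 0",
    "16:08:00.300001 IP 203.0.113.5.44124 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0",
    "16:08:00.400001 IP 203.0.113.5 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64",
]
SAMPLE_REPORTED_OPEN = [80, 443, 53]

if __name__ == "__main__":
    for port, verdict in triage(SAMPLE_REPORTED_OPEN, SAMPLE_CAPTURE, SAMPLE_WAN_IP).items():
        print(f"port {port}: {verdict}")
```

In the constructed sample, port 53 is the case johnpoz describes: the scanner calls it open, but no SYN for it ever reaches the WAN, so whatever is listening sits in front of pfSense and no pfSense rule can change that result.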
FuriousRage:

> @johnpoz:
>
> You understand that every one of those rules is POINTLESS, since there is a default deny on WAN. Unless you wanted to log something specific and turned off default logging, those block rules on your WAN are pointless!!
>
> If you're scanning from GRC and it shows something open, then it's not hitting pfSense. What is in front of pfSense? That is most likely what is open - that happens ALL the time!!! Some ISP router has something X listening, and it gets blamed on pfSense for why GRC shows it open.
>
> Why don't you sniff on the pfSense WAN when you run your GRC scan and see if what they say is open even gets to pfSense? Unless you turned off the firewall on pfSense??
>
> And your rule just below the pfBlocker rules is set to NOT log, and is IPv4 any/any. So you're not going to be logging much of anything, unless it triggers the RFC rule or the bogon rule or your pfBlocker rules before it gets to that rule, which would then block everything and not log it.

When I use GRC ShieldsUP, I use my OPT1 address, which is on my ovpn.com connection.
Between the pfSense box and the internet is the FiOS converter, and then the ISP to the internet.
johnpoz (LAYER 8 Global Moderator):

So you're scanning your VPN provider's endpoint. And what the F do you think it has open?? Why would you think anything that is unsolicited would be sent down the tunnel to you?

Did you set up the 7 port forwards they allow?
                          https://www.ovpn.com/en/faq/network/do-you-support-port-forwarding

                          What does that have to do with a Roadwarrior setup?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.