Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Block Ports enumeration

    Firewalling
    4
    12
    528
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      moelharrak last edited by

      Hi
      Is there any method to stop responding to port scan , if someone try to check if the port is open ,?? without using IDS/IPS
      Thank you

      1 Reply Last reply Reply Quote 0
      • KOM
        KOM last edited by

        This is already the default behaviour.  pfSense WAN blocks unsolicited incoming traffic instead of rejecting it.

        Are you having an issue or seeing something strange?

        1 Reply Last reply Reply Quote 0
        • M
          moelharrak last edited by

          Thank you for your replay
          I have some ports open ( NAT to Internal Server) , by doing scan using nmap I can see the all the information ( web version , ssh version ,..).I know that in some Firewall even the port is open , you get get answer by doing telnet on port or scan using tools like nmap.

          1 Reply Last reply Reply Quote 0
          • Derelict
            Derelict LAYER 8 Netgate last edited by

            So you open ports but don't want people to connect to them. Got it.

            Your only hope is probably IDS/IPS.

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              Lock your ports open to only the ips you want to use these forwards if your worried about some one finding them open ;)

              Or use say something like pfblocker to block all the "bad" country IPs that you don't want to be able to scan your ports..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

              1 Reply Last reply Reply Quote 0
              • M
                moelharrak last edited by

                @Derelict yes you got it , I opened some ports and I need if someone scan or telnet one of those ports , he get not response.I tried both SNORT and SURICATA , but I still get the response .
                @johnpoz, How to lock the port with the IPs?

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  On your forward where it says source network.. But in the network/IP you want to use this port forward.  If more than one create an alias put in the IPs or Netblocks you want to be able to use this port forward..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                  1 Reply Last reply Reply Quote 0
                  • M
                    moelharrak last edited by

                    It's exactly what I did , I forward the port to my internal server.But what I'm asking for is how to block port scan and not respond to any request , For example I have a port 80 open and I need if someone do telnet xx.xx.xx.xx 80 get nothing ,or if he use software scan.Is that possible with pfsense?,  I know that most of firewall like stonesoft, juniper … do that natively

                    1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by

                      That is pfsense out of the box!!  If you scan a port with your telnet example and the port is not forward and allowed for the IP its coming from they will get back NOTHING..

                      If I forward port 80 only if your coming from 1.2.3.4, and you are hitting it from 5.6.7.8 you will get back NOTHING…

                      "I know that most of firewall like stonesoft, juniper ... do that natively"

                      Not sure where you got this from??  If you scan a port that is forwarded you will get a response.. On ANY firewall..  If you do not forward any thing or allow anything out of the box you will get NOTHING back from pfsense... Go to grc.com shields up for example..

                      Pfsense is not the one answering anything a forward - the box you forwarded too is the one answering... So lets say you forward 80 to 192.168.1.100, you could setup something on that box to not answer 80 unless you did a port knock on it, etc

                      edit:  Here maybe this will help... So you see I forward ports 32400, and 32401 for plex access.  But I have it locked down to only the source networks that are in my plexaccess alias.. So when scanned from outside those show as "stealth" <rolleyes>  Ie no answer came back from those ports when coming from an IP that is not allowed per the forward and firewall rule.  Because the scanning IP was not in the allowed IP/networks.. There is no answer.

                      But if I come from one of those IPs - then its open.. See plex how it shows that its available - because I allow the netblock their check comes from and my 2 son's specific IPs.. So you can go direct to my plex server from the internet or you can do an indirect stream, etc..

                      See the alias listing of netblocks.. If your coming from any other IP - the grc scan then you will not get any sort of answer..






                      </rolleyes>

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                      1 Reply Last reply Reply Quote 0
                      • M
                        moelharrak last edited by

                        Hi ,
                        Thank you very much , I appreciate your help .
                        Maybe as @Derelict said the only way to prevent ports scan is to use IPS/IDS , in your opinion who is the best between SNORT and SURICATA?

                        1 Reply Last reply Reply Quote 0
                        • johnpoz
                          johnpoz LAYER 8 Global Moderator last edited by

                          Yes a ips can block a port scan if happens fast enough, but if its a slow scan and or they hit your port that you have forwarded first they are going to see it open.

                          How many ports do you have open?

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

                          1 Reply Last reply Reply Quote 0
                          • M
                            moelharrak last edited by

                            not too many , at max 10 ports

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post