    [Solved] Port 53, 80, 443 always open on all interfaces

    Firewalling
      Grimson Banned last edited by

      How exactly do you test these ports? Any devices in front of pfSense (ISP router, for example)? Do a packet capture on the WAN interface and see if the traffic actually arrives, or if your ISP is doing something with it.

        dean2028 last edited by

        @Grimson:

        How exactly do you test these ports? Any devices in front of pfSense (ISP router, for example)? Do a packet capture on the WAN interface and see if the traffic actually arrives, or if your ISP is doing something with it.

        Ran a port scanner from my phone (4G gsm network, iPhone, 'Net Analyzer' tool). Targeted the WAN IP, and the VPN public IPs (what you also see as Remote Host IP in Status - OpenVPN).

        Also accessed http/80 for example from an external browser and landed on the pfSense box with an error ("403 Forbidden", nginx). So I'm sure these ports are really open from outside.

          Grimson Banned last edited by

          Make sure WLAN is disabled on your phone when you test. If the ports are open then you must have created rules that allow incoming connections. Post screenshots of your WAN and floating rules.

            dean2028 last edited by

            @Grimson:

            Make sure WLAN is disabled on your phone when you test.

            Yes, sure. I take care of that, otherwise I would scan from the LAN.

            @Grimson:

            If the ports are open then you must have created rules that allow incoming connections. Post screenshots of your WAN and floating rules.

            My feeling is that it's opened by a service or services that I don't see in the GUI (DNS Forwarder and WebConfigurator, for example). Btw, I checked that the DNS Forwarder uses only the LAN interface.

            Thanks a lot for your effort reviewing my problem.

              dean2028 last edited by

              @Grimson:

              Post screenshots of your WAN and floating rules.

              Added screenshots of Outbound NAT and Port Forwards as well.
              1:1 and NPt are empty.
                conor last edited by

                I got caught with this once before, where there was a pre-existing state entry in the state table for my test before I changed the firewall rules. Can you check your state table, delete any states to those ports and test again?

                  dean2028 last edited by

                  @conor:

                  Can you check your state table and delete any states to those ports and test again?

                  Tried a state reset, but did not help. Anyway, thanks for the hint.

                  Did a fresh portscan on WAN, VPN_US and VPN_HU public IPs, seems the WAN and VPN_HU IPs did not have 53 open anymore.

                  Current status:

                  WAN, Open ports: 80, 443
                  VPN_US, Open ports: 53, 80, 443
                  VPN_HU, Open ports: 80, 443

                  Opening the public IPs from external browser:

                  WAN, http/80: timeout
                  WAN, https/443: pfSense login page
                  VPN_US, http/80: 403 Forbidden, error page from nginx (see screenshot)
                  VPN_US, https/443: browser error: ERR_CONNECTION_CLOSED
                  VPN_HU, http/80: 403 Forbidden, error page from nginx (see screenshot)
                  VPN_HU, https/443: browser error: ERR_CONNECTION_CLOSED
                    KOM last edited by

                    By default, nothing is open on WAN unless you open it up yourself.  You don't need to add specific block rules since all traffic is blocked unless there is an explicit allow rule.  If a scan of your IP always shows open ports for 80,443 then I would tend to believe that it's hitting your ISP's equipment somehow.  Easy enough to do a packet capture on WAN while scanning it and look at the traffic in Wireshark.  Running nmap to fingerprint it might also be helpful if it exposes what kind of device is responding.

                      Derelict LAYER 8 Netgate last edited by

                      If you are getting a response into WAN from the outside on 443 then you have a rule passing the same. Period.

                      You're not getting any weird "Can't load rules" errors or anything are you?

                      Here's what I would do:

                      Figure out whatever address you are hitting pfSense from, packet capture on WAN filtered on that address and test again. While you're testing also look at the states filtered on that address. See what it's really doing.

                        Grimson Banned last edited by

                        You can check the full pf ruleset: https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

                        Did you enable UPnP & NAT-PMP?

                          dean2028 last edited by

                          @KOM:

                          Running nmap to fingerprint it might also be helpful if it exposes what kind of device is responding.

                          Understand, but it's not a question what's responding as I see the pfSense login screen if I open https://WANIP from a foreign browser.

                          A capture might be helpful to see what the situation is on the VPN_US IP, as this is the only one which responds on port 53.

                            dean2028 last edited by

                            @Grimson:

                            Did you enable UPnP & NAT-PMP?

                            No, never touched that. Just checked it under Status - UPnP & NAT-PMP, it's disabled.

                              dean2028 last edited by

                              @Derelict:

                              If you are getting a response into WAN from the outside on 443 then you have a rule passing the same. Period.
                              You're not getting any weird "Can't load rules" errors or anything are you?

                              I did a week ago, but it disappeared after setting this value to 400 000:
                              System -> Advanced -> Firewall & NAT -> Maximum Table Entries

                              Read on the forum somewhere, that's the solution. I have no error since then.

                                dean2028 last edited by

                                @Derelict:

                                Figure out whatever address you are hitting pfSense from, packet capture on WAN filtered on that address and test again. While you're testing also look at the states filtered on that address. See what it's really doing.

                                • Switched to the GSM network again from my phone and checked my public IP
                                • Started a packet capture on WAN with filling the IP above to Host Address.
                                • Ran a portscan from the phone on 443 only

                                Result:

                                16:55:59.218056 IP PHONEPUBLICIP.54409 > WANIP.443: tcp 0
                                16:56:00.219797 IP PHONEPUBLICIP.54409 > WANIP.443: tcp 0
                                16:56:02.226128 IP PHONEPUBLICIP.54409 > WANIP.443: tcp 0

                                  KOM last edited by

                                  I see the pfSense login screen if I open https://WANIP from a foreign browser.

                                  While on LAN or WAN?  If you are on LAN and access your public address in a browser, pfSense will give you the GUI even though it isn't accessible from WAN.

                                    dean2028 last edited by

                                    @KOM:

                                    While on LAN or WAN?

                                    While I'm on WAN on a very different network. So Webconfigurator is exposed to WAN attacks at the moment which really concerns me. I will put WebConfigurator to another port to decrease the risk as 80 and 443 are open from WAN.

                                      Derelict LAYER 8 Netgate last edited by

                                      That packet capture shows nothing but SYNs.

                                      Again, if you can get to the WebGUI you have a rule passing the traffic.

                                      Look at the states. See what's really happening.

                                        johnpoz LAYER 8 Global Moderator last edited by

                                        If he was getting to his GUI from his WAN, then his packet capture would show an answer, i.e. SYN,ACK. Like Derelict says, it only shows SYN…

                                          KOM last edited by

                                          I'm wondering if he's got the bogonsv6 issue and his ruleset has failed to load?

                                            Derelict LAYER 8 Netgate last edited by

                                            I'm wondering if he's got the bogonsv6 issue and his ruleset has failed to load?

                                            Already covered.

                                              dean2028 last edited by

                                              @johnpoz:

                                              If he was getting to his GUI from his WAN, then his packet capture would show an answer, i.e. SYN,ACK. Like Derelict says, it only shows SYN…

                                              That test with the capture was just a port scan from the mobile phone to WAN IP. There was no Webconfig access from the browser on https://WANIP.  I'm going to do additional tests now.

                                                johnpoz LAYER 8 Global Moderator last edited by

                                                Dude, if you send a SYN, you would get back a SYN,ACK if anything was listening on that port. That is how it works.

                                                  dean2028 last edited by

                                                  @KOM:

                                                  If a scan of your IP always shows open ports for 80,443 then I would tend to believe that it's hitting your ISP's equipment somehow.

                                                  You made me curious about that scenario, so I simply switched off the pfSense box, then did another port scan… well... I would say the port scan is not so useful, as I saw the same result: 80 and 443 were open. When I scanned the VPN_US public IP, I got the same result: 53, 80, 443 seemed to be open. You're right, this is some equipment of the provider.

                                                  However, this still doesn't change the fact that I'm able to reach the pfSense WebConfigurator on 443 from the WAN. Now I put the WebConfigurator on a high port, therefore at least the login page cannot be called from the WAN, even if 443 is open.

                                                    johnpoz LAYER 8 Global Moderator last edited by

                                                    Dude, how would that be? If pfSense is off and something is answering 443 which is NOT pfSense… how exactly are you then accessing 443 with the pfSense webgui?

                                                    This scenario comes up every couple of weeks or so, where some user says "my WAN is open". Either something is in front of it, or they are checking from the LAN side. Or they actually opened it in their WAN rules.

                                                    Here is the thing about your VPN as well: there are a few VPNs that will port forward down the tunnel. But it will NEVER be the standard ports. It's always some high port that you have to configure on their site for your account, etc.

                                                    Send me your IP and the port you're listening on in a PM and I will check if I can get to your web GUI.

                                                      Grimson Banned last edited by

                                                      Did you try to log into the WebUI? Maybe your provider is using pfSense too.

                                                        dean2028 last edited by

                                                        @johnpoz:

                                                        Dude how would that be?  If pfsense is off and something is answer 443 which is NOT pfsense… How exactly are you then access 443 with pfsense webgui?

                                                        Sorry, if I was not clear. Those were different tests otherwise I had to be drunk or something…

                                                        1. pfSense box off - start portscan from a mobile provider IP to WAN IP - result: 80, 443 seems to be open.
                                                        2. pfSense box on - start portscan from a mobile provider IP to WAN IP - result: 80, 443 seems to be open.
                                                        3. pfsense box on - open https://WANIP from a mobile provider IP from the browser of the phone - result: pfSense login page

                                                          johnpoz LAYER 8 Global Moderator last edited by

                                                          Send me this WAN IP and the port you're using… I want to see this... since your rules do not show anything open. And they are clearly intercepting it, since you say it shows as open when pfSense is off.

                                                            dean2028 last edited by

                                                            @Grimson:

                                                            Did you try to log into the WebUI? Maybe your provider is using pfSense too.

                                                            I tried to call http://VPN_US_IP again from the mobile browser and I still see this nginx forbidden page. So there is no magic here, that page comes from the box of the provider. In the meantime I got a very different public IP when I reconnected to VPN_US, so it's not my pfSense box for sure. Apologies to everyone, this completely confused me as I thought the error page came from the pfSense box.

                                                              johnpoz LAYER 8 Global Moderator last edited by

                                                              Yeah scanning your IP I don't see 80 or 443 open at all… Nothing comes back on those ports.. NOTHING!!!

                                                                dean2028 last edited by

                                                                @dean2028:

                                                                3. pfsense box on - open https://WANIP from a mobile provider IP from the browser of the phone - result: pfSense login page

                                                                I simply cannot reproduce this anymore since I put the WebConfigurator on a high port and then back to 443. I'm just wondering, maybe I was distracted and my mobile connected back to the local network when I tested… I don't have a better idea.

                                                                Ok, let me summarize what's figured out so far:

                                                                Symptom1:
                                                                  Portscan shows ports 80, 443 open when WAN IP scanned from the internet
                                                                  Portscan shows ports 53, 80, 443 open when VPN_US_IP scanned from the internet

                                                                Cause1 (probably): this comes from the boxes of the ISP and VPN provider as portscan gives the same result with powered off pfSense box.

                                                                Symptom2:
                                                                  when http://VPN_US_IP called from a browser from the internet, nginx 403 forbidden error page appears

                                                                Cause2 (at least that's my understanding): the error page comes from the box of the VPN provider

                                                                Symptom3: when https://WAN_IP called from an external browser, pfSense login page visible
                                                                  Cause3: the test was not accurate, the client probably connected back to the access point while testing, and pfSense then caught that (even though the WAN IP was used).

                                                                  dean2028 last edited by

                                                                  @johnpoz:

                                                                  Yeah scanning your IP I don't see 80 or 443 open at all… Nothing comes back on those ports.. NOTHING!!!

                                                                  But why do I see this from the app when scanning, then? Should I throw this app away? How did you scan me?
                                                                  I use the iOS version of Net Analyzer, and it shows these ports open, even if I turn off pfSense.

                                                                  Anyway, thanks a lot for your effort to check that.


                                                                    dean2028 last edited by

                                                                    @Grimson:

                                                                    Did you try to log into the WebUI? Maybe your provider is using pfSense too.

                                                                    This did not come to my mind at all at that point, as I became upset. Now I think that page came from internal, as I'm not able to reproduce it anymore. No idea at all. As usual there is no magic; I think maybe I was not careful enough to make sure my mobile was completely on an external IP and didn't connect back to the AP.

                                                                      dean2028 last edited by

                                                                      I tried to check again ports 80 and 443 on the WAN IP with telnet. So I disconnected my notebook from the access point, then connected to the phone. The phone was a hotspot. I'm sure it was not connected to the AP this time.

                                                                      result:

                                                                      telnet WANIP 443
                                                                      Trying WANIP…
                                                                      Connected to WANIP.
                                                                      Escape character is '^]'.
                                                                      Connection closed by foreign host.

                                                                      telnet WANIP 80
                                                                      Trying WANIP...
                                                                      Connected to WANIP.
                                                                      Escape character is '^]'.
                                                                      Connection closed by foreign host.

                                                                      Why is telnet able to connect?

                                                                      If I open http://WANIP from the browser, I get an empty white page after 5-10 seconds.
                                                                      https://WANIP doesn't give me anything back, it times out.

                                                                        ptt Rebel Alliance last edited by

                                                                        Try with one "external" (online) Tool/Scanner

                                                                        https://mxtoolbox.com/PortScan.aspx

                                                                        http://nmap.online-domain-tools.com/

                                                                        https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

                                                                        https://www.yougetsignal.com/

                                                                        https://www.grc.com/x/ne.dll?bh0bkyd2

                                                                        And while you're scanning, check the "WAN Firewall Logs".

                                                                          dean2028 last edited by

                                                                          @ptt:

                                                                          Try with one "external" (online) Tool/Scanner
                                                                          ….
                                                                          And while you're scanning, check the "WAN Firewall Logs".

                                                                          Thanks a lot, ptt!

                                                                            johnpoz LAYER 8 Global Moderator last edited by

                                                                            Many cell phone providers proxy data..  Look in your cell phone where you set your APN.

                                                                            Scanning from a cell phone for open ports is just a waste of time; you can never be sure of the response. It's a valid method to check if you can get to something you port forwarded… but to see if something is blocked, not so much. Especially on common ports like http/https, which they very well could be running through a proxy. Which, yeah, is going to send back a SYN,ACK to your SYN.

                                                                            Here is a simple test: if you did not open the port on your WAN, then it's not open! ;)

                                                                            Your scanning and showing that it is, when your firewall is set not to, SCREAMS you're doing it WRONG!! If I had a nickel for every time some user thought their ports were open on their WAN and had bought bitcoin, I would be floating on my yacht having a cold one, deciding where I should have my helicopter take me that evening, vs. here reading the same ole same ole "my WAN ports are open" nonsense ;)

                                                                            If you actually want to validate, then sniff on your WAN. Send a SYN from outside; do you see a SYN,ACK back? If not, then it's not freaking open!! Testing from some unknown connection with some tool you don't really understand, from a network you do not understand how it even works, is not going to provide good info.

                                                                            The whole my vpn is open in this thread is more example of not understanding how any of this actually works in the first place.

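The test Derelict and johnpoz describe above (send a SYN from outside, sniff on WAN, look for the SYN,ACK) can be decided mechanically from the capture text. What follows is an added example, not code from this thread or from pfSense: a Python script that reads tcpdump-style lines and, for every port a scanner claimed was open, reports whether the WAN actually answered. The sample capture is constructed here; the WAN address 203.0.113.10, the scanner address 198.51.100.7 and the ports 8443 and 22 are hypothetical. Note that the "tcp 0" lines earlier in the thread come from tcpdump's quiet format (-q), which hides the flags; the script expects the default format, e.g. from `tcpdump -n -i <wan> host <scanner-ip>` on the pfSense shell.

```python
import re

# Constructed sample capture (not from the thread). Four ports a scanner
# claimed open, each showing a different outcome on the firewall's WAN:
#   443  : three SYNs arrive, nothing comes back  -> pf's default WAN block
#   8443 : SYN arrives, WAN answers SYN,ACK       -> something listens, a pass rule exists
#   22   : SYN arrives, WAN answers RST,ACK       -> reachable but closed
#   80   : no SYN ever reaches WAN               -> answered upstream (carrier proxy / ISP CPE)
WAN_IP = "203.0.113.10"        # hypothetical WAN address
SCANNER_IP = "198.51.100.7"    # hypothetical phone / scanner address
SAMPLE_CAPTURE = f"""\
16:55:59.218056 IP {SCANNER_IP}.54409 > {WAN_IP}.443: Flags [S], seq 100, win 65535, length 0
16:56:00.219797 IP {SCANNER_IP}.54409 > {WAN_IP}.443: Flags [S], seq 100, win 65535, length 0
16:56:02.226128 IP {SCANNER_IP}.54409 > {WAN_IP}.443: Flags [S], seq 100, win 65535, length 0
16:56:05.000000 IP {SCANNER_IP}.54410 > {WAN_IP}.8443: Flags [S], seq 200, win 65535, length 0
16:56:05.000300 IP {WAN_IP}.8443 > {SCANNER_IP}.54410: Flags [S.], seq 900, ack 201, win 65535, length 0
16:56:06.000000 IP {SCANNER_IP}.54411 > {WAN_IP}.22: Flags [S], seq 300, win 65535, length 0
16:56:06.000200 IP {WAN_IP}.22 > {SCANNER_IP}.54411: Flags [R.], seq 0, ack 301, win 0, length 0
""".splitlines()

# Default tcpdump TCP line (tcpdump -n, IPv4). The four-octet IP pattern
# forces the split between address and port at the last dot.
TCP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def classify_capture(lines, wan_ip, claimed_ports):
    """Return {port: verdict} for each port the external scanner reported open.

    'listening'   SYN hit WAN and WAN replied SYN,ACK: a pass rule exists.
    'rejected'    SYN hit WAN and WAN replied RST: reachable, nothing listening.
    'dropped'     SYN hit WAN, no reply at all: the default deny on WAN.
    'not_reached' no SYN for that port ever arrived on WAN: whatever the
                  scanner talked to sits upstream of pfSense.
    """
    seen_syn, seen_synack, seen_rst = set(), set(), set()
    for line in lines:
        m = TCP_LINE.match(line)
        if not m:
            continue  # non-TCP or unparsable line, ignore it
        flags = m["flags"]
        if m["dst"] == wan_ip and "S" in flags and "." not in flags:
            seen_syn.add(int(m["dport"]))          # inbound SYN toward WAN
        elif m["src"] == wan_ip:
            sport = int(m["sport"])
            if flags == "S.":
                seen_synack.add(sport)             # WAN answered SYN,ACK
            elif "R" in flags:
                seen_rst.add(sport)                # WAN answered RST
    verdicts = {}
    for port in sorted(claimed_ports):
        if port not in seen_syn:
            verdicts[port] = "not_reached"
        elif port in seen_synack:
            verdicts[port] = "listening"
        elif port in seen_rst:
            verdicts[port] = "rejected"
        else:
            verdicts[port] = "dropped"
    return verdicts


if __name__ == "__main__":
    for port, verdict in classify_capture(SAMPLE_CAPTURE, WAN_IP, {80, 443, 8443, 22}).items():
        print(f"tcp/{port}: {verdict}")
```

Only 'listening' contradicts "nothing is open on WAN unless you opened it"; 'dropped' is pf doing its job, and 'not_reached' is the situation this thread ended in, where the phone's scanner was satisfied by a carrier proxy and the SYN never touched the firewall.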
                                                                              conor last edited by

                                                                              Johnpoz is correct, it's a carrier proxy. I had a customer see the same thing late last week. They were testing from a smartphone on 4G.
