Advice for port forwarding on upstream ISP modem

  • Help out a newbie.

    I have a comcast modem upstream of my pfsense box. Downstream I run a webserver which is for use only by my family and always gotten to through a single link on a private webpage in an otherwise public website.

    I have pfsense mapping 3 non-standard ports to 80, 8080, and 9090 on the webserver. The single page served on this webserver requires those 3 ports and the link to the page incorporates the correct port to access.

    My goal is to prevent port scanners from finding the open ports.

    My understanding:
    pfsense will block the scanners if they scan enough closed ports (I believe so anyway, please correct if I am wrong).

    So in an effort to make sure that pfsense reacts to the port scanners, my thought is to forward all ports from the comcast modem to pfsense so that pfsense is aware the scanning is happening. Otherwise the comcast modem will happily allow the scanner to scan every port until they reach the required forwarded ports. In that case pfsense will only see the scanner hitting the opened ports and will forward the scanner into the network.

    Alternatively I could have the comcast modem only forward the ports the webpage needs and hope the scanner never finds the ports that are forwarded.

    Can you please comment on which setup is most likely to deter intrusions into the network?
    If you have other suggestions, please feel free to include but as I am a newbie I must request you keep it simple.

  • LAYER 8 Global Moderator


    If your webserver is behind pfsense then the ports are already forwarded through pfsense..

    So this comcast "modem" is doing NAT? Does pfsense have a private IP or a public one on its WAN? You're forwarding the 3 ports through to the pfsense WAN IP on your "modem"? A modem doesn't do NAT.. You mean you have a comcast gateway? What is the make and model of this device from comcast?

    You do understand that most things looking for those ports are going to directly look for them - not run through a port scan.. Where did you get the idea that pfsense blocks port scans? You do understand that pfsense blocks all ports that are not forwarded..

    So say scanning ports 1, 2, 3, 4 - etc... until you get to 80 would be blocked.. Why do you think that pfsense will say oh wait this source IP was checking other ports, I will not let him through to my port forwarded 80?

    Are you running IPS package? Snort or Suricata?
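As an added example (not from the thread and not pfSense's own code): the correlation the original poster hoped the firewall would make on its own, written as a check over block/pass log lines. It assumes a simplified filterlog-style line layout and a hypothetical external-to-internal port map; both are constructed for the example.

```python
from collections import defaultdict

# Hypothetical external->internal map for the setup in the thread: three non-standard
# WAN ports forwarded to 80, 8080 and 9090 on the family web server.
FORWARDED_PORTS = {10080: 80, 18080: 8080, 19090: 9090}
SCAN_THRESHOLD = 5  # distinct blocked ports from one source before we call it a scan
# Constructed sample lines in a simplified filterlog-style layout (assumed, not the
# exact field order of any pfSense release): time,action,iface,proto,src,dst,dst_port
SAMPLE_LOG = """\
12:00:01,block,wan,tcp,203.0.113.7,198.51.100.2,21
12:00:01,block,wan,tcp,203.0.113.7,198.51.100.2,22
12:00:02,block,wan,tcp,203.0.113.7,198.51.100.2,23
12:00:02,block,wan,tcp,203.0.113.7,198.51.100.2,25
12:00:03,block,wan,tcp,203.0.113.7,198.51.100.2,80
12:00:09,pass,wan,tcp,203.0.113.7,198.51.100.2,10080
12:00:10,pass,wan,tcp,192.0.2.44,198.51.100.2,10080
12:00:12,block,wan,tcp,192.0.2.99,198.51.100.2,3389
"""

def parse_line(line):
    """Split one line into a dict; return None for malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 7 or not parts[6].isdigit():
        return None
    keys = ("time", "action", "iface", "proto", "src", "dst", "port")
    rec = dict(zip(keys, parts))
    rec["port"] = int(rec["port"])
    return rec

def summarise_sources(log_text):
    """Per source IP: closed WAN ports it was blocked on, forwarded ports it reached."""
    seen = defaultdict(lambda: {"blocked": set(), "passed": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != "wan":
            continue
        if rec["action"] == "block":
            seen[rec["src"]]["blocked"].add(rec["port"])
        elif rec["action"] == "pass" and rec["port"] in FORWARDED_PORTS:
            seen[rec["src"]]["passed"].add(rec["port"])
    return seen

def scanners_reaching_forwards(log_text, threshold=SCAN_THRESHOLD):
    """Sources blocked on >= threshold ports that then reached a forwarded port.
    Plain per-port block/pass rules never make this link; an IPS or log job must."""
    hits = {}
    for src, info in summarise_sources(log_text).items():
        if len(info["blocked"]) >= threshold and info["passed"]:
            hits[src] = sorted(FORWARDED_PORTS[p] for p in info["passed"])
    return hits  # {"203.0.113.7": [80]} for SAMPLE_LOG
```

Run against real firewall exports only after adapting `parse_line` to the actual field order; the point is that the scan-then-connect pattern is visible in the logs even though the forward rule alone lets the connection through.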
