Netgate Discussion Forum

    Advice for port forwarding on upstream ISP modem

    Off-Topic & Non-Support Discussion
    infinitefrustration

      Help out a newbie.

      I have a Comcast modem upstream of my pfSense box. Downstream I run a webserver which is for use only by my family and is always gotten to through a single link on a private webpage in an otherwise public website.

      I have pfSense mapping 3 non-standard ports to 80, 8080, and 9090 on the webserver. The single page served on this webserver requires those 3 ports, and the link to the page incorporates the correct port to access.

      My goal is to prevent port scanners from finding the open ports.

      My understanding:
      pfSense will block the scanners if they scan enough closed ports (I believe so anyway, please correct me if I am wrong).

      So in an effort to make sure that pfSense reacts to the port scanners, my thought is to forward all ports from the Comcast modem to pfSense so that pfSense is aware the scanning is happening. Otherwise the Comcast modem will happily allow the scanner to scan every port until they reach the required forwarded ports. In that case pfSense will only see the scanner hitting the opened ports and will forward the scanner into the network.

      Alternately I could have the Comcast modem only forward the ports the webpage needs and hope the scanner never finds the ports that are forwarded.

      Can you please comment on which setup is most likely to deter intrusions into the network?
      If you have other suggestions, please feel free to include them, but as I am a newbie I must request you keep it simple.

      johnpoz (LAYER 8, Global Moderator)

        huh?

        If your webserver is behind pfSense then the ports are already forwarded through pfSense..

        So this Comcast "modem" is doing NAT? Does pfSense have a private IP or a public one on its WAN? You're forwarding the 3 ports through to the pfSense WAN IP on your "modem"? A modem doesn't do NAT.. You mean you have a Comcast gateway? What is the make and model of this device from Comcast?

        You do understand that most things looking for those ports are going to directly look for them - not run through a port scan.. Where did you get the idea that pfSense blocks port scans? You do understand that pfSense blocks all ports that are not forwarded..

        So say scanning ports 1, 2, 3, 4 - etc... until getting to 80 would be blocked.. Why do you think that pfSense will say "oh wait, this source IP was checking other ports, I will not let him through to my port forwarded 80"?

        Are you running an IPS package? Snort or Suricata?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

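The distinction the reply draws, as an added example that is not part of the thread and is not pfSense or Netgate code: a plain port-forward rule set decides each packet on its own (forwarded port passes, everything else is blocked), so a scanner that probes dozens of closed ports and then hits the forwarded port is still passed on that last packet. Correlating "this source touched many blocked ports" is a separate detection layer, the kind an IPS or a dynamic blocklist provides. The log layout, the forwarded port set, the flag threshold and the sample lines below are all constructed for this example; real pfSense filterlog records are longer CSV lines and would need their own parser.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Assumed: the three ports the poster forwards to the family web server.
FORWARDED_PORTS: Set[int] = {80, 8080, 9090}

# Constructed firewall log, simplified to
#   "<epoch_seconds> <action> <proto> <src_ip> <dst_ip> <dst_port>"
# (an assumed layout, not pfSense's actual filterlog format).
# 203.0.113.5 probes ten closed ports and then the forwarded port 80;
# 198.51.100.77 is a legitimate visitor; 192.0.2.9 touches two closed ports.
CONSTRUCTED_LOG = """\
1700000000 block tcp 203.0.113.5 198.51.100.10 21
1700000002 block tcp 203.0.113.5 198.51.100.10 22
1700000004 block tcp 203.0.113.5 198.51.100.10 23
1700000006 block tcp 203.0.113.5 198.51.100.10 25
1700000008 block tcp 203.0.113.5 198.51.100.10 53
1700000010 block tcp 203.0.113.5 198.51.100.10 110
1700000012 block tcp 203.0.113.5 198.51.100.10 143
1700000014 block tcp 203.0.113.5 198.51.100.10 443
1700000016 block tcp 203.0.113.5 198.51.100.10 445
1700000018 block tcp 203.0.113.5 198.51.100.10 3389
1700000020 pass tcp 203.0.113.5 198.51.100.10 80
1700000005 pass tcp 198.51.100.77 198.51.100.10 80
1700000006 pass tcp 198.51.100.77 198.51.100.10 8080
1700000007 pass tcp 198.51.100.77 198.51.100.10 9090
1700000030 block tcp 192.0.2.9 198.51.100.10 22
1700000031 block tcp 192.0.2.9 198.51.100.10 443
"""

Record = Tuple[int, str, str, str, str, int]  # ts, action, proto, src, dst, dport


def parse_log(text: str) -> List[Record]:
    """Parse the constructed log layout into tuples; blank lines are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, proto, src, dst, dport = line.split()
        records.append((int(ts), action, proto, src, dst, int(dport)))
    return records


def per_packet_decision(dst_port: int) -> str:
    """What a plain port-forward rule set does: pass if the port is forwarded,
    block otherwise. Nothing here depends on what the source did earlier."""
    return "pass" if dst_port in FORWARDED_PORTS else "block"


def find_scanners(records: List[Record], threshold: int = 10,
                  window: int = 60) -> Dict[str, int]:
    """Flag sources that hit at least `threshold` distinct blocked ports within
    `window` seconds. Returns {src_ip: peak distinct blocked ports in a window}."""
    recent: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ts, action, _proto, src, _dst, dport in sorted(records):
        if action != "block":
            continue
        q = recent[src]
        q.append((ts, dport))
        while q and q[0][0] < ts - window:   # slide the window forward
            q.popleft()
        peak[src] = max(peak[src], len({p for _, p in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


def decide_with_blocklist(src: str, dst_port: int, flagged: Set[str]) -> str:
    """The extra layer an IPS or dynamic blocklist adds: a flagged source is
    dropped even on a forwarded port; everyone else gets the per-packet rule."""
    if src in flagged:
        return "block"
    return per_packet_decision(dst_port)


if __name__ == "__main__":
    recs = parse_log(CONSTRUCTED_LOG)
    scanners = find_scanners(recs)
    print("flagged by log correlation:", scanners)
    for src, port in [("203.0.113.5", 80), ("198.51.100.77", 80)]:
        print(f"{src} -> port {port}: rules alone = {per_packet_decision(port)}, "
              f"with blocklist = {decide_with_blocklist(src, port, set(scanners))}")
```

Run as a script, the rules-only column passes the scanner's final packet to port 80 exactly as it passes the legitimate visitor's, which is the behaviour the reply describes; only the correlation step, fed by the blocked-port log entries the firewall already produces, tells the two sources apart.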
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.