ports showing as open on zenmap despite being explicitly blocked on firewall

  • Hi!

    Got a relatively default PfSense install handling routing and firewalling for our office network. Got explicit firewall rules blocking inbound traffic to 80, 8080, 443 and 993 but all of them still show up in nmap/zenmap as being open. There's no ability to connect down them thanks to the aforementioned rules and actual traffic is being blocked - but for PCI Compliance its much easier and less paperwork for us to have these not show up as being open on a scan. How can I close these ports?

  • @jaklawrence
    Are the fw rules set to “reject” or “block”? And are we talking tcp or udp or both?

  • @jaklawrence By default, pfsense blocks all inbound traffic on WAN, so why do you have explicit blocks?

  • It is purely an exercise in preparation since we know that when the compliance testers scan us, any open ports showing on our WAN IP require a fair bit of irritating paperwork to declare false positive.

    I've been playing around and have set WAN Rejects (also tried block with the same result) on all traffic inbound ports 80, 8080, 443 and 993 but nmap is still showing those ports as 'open' under an intense scan. I've got no doubt that any traffic on them will be blocked, but I'd like to prevent them from appearing as 'open' on a scan for the aforementioned compliance test reasons!

  • You definitely want a Block rule instead of Reject. Block rules silently block the traffic and that's all. Reject rules send back a GO AWAY, so a scanner knows something is listening on that port.

    Post a screen of your WAN rules with any public details obscured so we can see what we're dealing with.

  • @KOM and in some cases can be used as part of a reflected DDoS, so yeah definitely never reject on WAN side, only block.

  • I would also ask where you are testing from. If it is anywhere from behind your own LAN then you will fool yourself.

    These kinds of tests must be done from the WAN side.

Log in to reply