How to close Port 23, 53 and 80 on WAN?



  • pfsense port 2.jpg

    I put a block any any any rule on WAN, but it didn't help.

    Port 22, 53, 80, 465, 853, 9929, 31337 are maybe open (Zenmap)

    23 and 80 are open for sure (Public test)


  • LAYER 8 Netgate

    Show your firewall rules on WAN and Floating if any. The listening sockets do not matter.



  • @Derelict Lan Rules.jpg

    I dont know if its important, but the ports are only open when using OpenVPN.
    The other rules are default except the block any rule on WAN.


  • LAYER 8 Netgate

    On WAN and Floating (if any). Not LAN.

    Firewall rules are processed on the interface the connection is established INTO.



  • @Derelict WAN rules.jpg

    Floating and the others are empty.

    Pfsense is behind a router, if that has anything to do with it.


  • LAYER 8 Global Moderator

    There is zero reason for that rule you put on there.. Unless you don't want traffic hitting your wan logged.

    out of the box all unsolicated traffic is blocked inbound to wan.

    If your doing a port scan from outside then its what is in front of pfsense..


  • LAYER 8 Netgate

    Nope. Nothing will pass into WAN with that rule set.

    The third rule is unnecessary as the default deny rule will block that traffic.



  • If I use an online port scanner like this http://www.t1shopper.com/tools/port-scan/
    While using OpenVPN it always shows me Port 23 and 80 are open.

    That's a big security hole, so how can I close these ports?

    OpenVPN works fine, but I can not use it like that ...


  • LAYER 8 Netgate

    Something in front of your pfSense firewall is likely responding on those. It's not the pfSense WAN or anything running on pfSense that is doing it.

    If there is a "big security hole" look upstream.

    If you are running port scanners while connected to OpenVPN, the controlling rules will be on the OpenVPN tab and/or and assigned interface tab, which is your WAN in that scenario. In that case "upstream" would be your OpenVPN provider. You certainly trust them to do the right thing, I assume.


  • LAYER 8 Global Moderator

    I don't even think you could enable telnet (23) on pfsense if you wanted too - without installing some 3rd party package? your output shows its not even listening on 23.. So how could it be pfsense answering?

    Its a well know fact that many an isp device answers to some of these ports..

    You want a for sure test... Go to can you see me . org.. Do a test for 23.. Sniff on pfsense.. Do you see it hit? Do you see an answer?

    Here..

    test.jpg

    Can you see me shows not open... But I see the traffic hit pfsense wan - but NO response.. So it is closed/dropped/not answered.. So no its not open. If something was answering from pfsense, or from behind pfsense you would see it with this test an answer.



  • Port 80   222.jpg

    Traffic does not (?) hit the pfSense, but that probably would not make sense ... what is the issue here?
    Same with port 23.


  • LAYER 8 Global Moderator

    You have something in front of pfsense that is sending back syn,ack.. What is in front of pfsense? ISP modem/router/gateway?

    What is that 81.x IP? Its not any IPs that you have talked to the forum from.. You routing traffic through a vpn - and testing to your VPN IP?



  • @johnpoz In front of pfSense is a Router.
    Yes, 81.x is VPN IP, all tests were done on this IP

    I have tested the router in front of pfSense for open ports, no open Ports found.
    The only thing I did on that router before pfSense was port forwarding for udp 1149 to pfSense, in case that matters.


  • LAYER 8 Global Moderator

    So your testing to some public IP from a vpn connection.. How would you think that is forwarded down the tunnel to you? Does your vpn support port forwarding? Did you set up those ports to be forwarded down the tunnel to pfsense?

    There are not many vpn services that even support port forwarding, and even the ones that do require you to set them up, and more than likely for sure would not support ports like 80 and 23..


  • LAYER 8 Netgate

    If you packet capture while you are testing and the SYN packets do not arrive on the pfSense interface, it is not the pfSense firewall that is responding there. Again, look upstream for your "big security hole."



  • My VPN provider supports it, but I have not changed any settings on my VPN account, it is turned off by default.

    PfSense is also mostly on default settings, only OpenVPN has been set up ...


  • LAYER 8 Netgate

    Again, pcap on your OpenVPN. If the SYNs don't arrive, something upstream is responding there.



  • NAT 80.jpg

    Any chance, that's the cause?
    I'm at a loss


  • LAYER 8 Global Moderator

    DUDE what part do you not get here... If your testing to your VPN public IP... Its not Pfsense answering, or anything behind pfsense... Its your VPN service!!! No your outbound nat has ZERO to do with it!!



  • I've done tests with all the filters turned off by the VPN provider, that's the result.

    It looks to me that the ping has gone through the pfSense.

    VPN + port 80 222222.jpg

    .

    VPN2 + port 80 222222.jpg


  • LAYER 8 Netgate

    That looks like you connecting out.

    It's certainly not ping since ping is ICMP not TCP.



  • This post is deleted!

  • LAYER 8 Global Moderator

    Dude you have been given the info... There is NO issue with pfsense... You not understanding basic concepts is not pfsense problem.

    Out of the box pfsense doesn't allow anything unsolicited inbound to its wan... If you create some tunnel and then force traffic down that tunnel to pfsense no matter what it is - those rules would be on your tunnel interface..

    And yeah that traffic your showing is clearly OUTBOUND to port 80...



  • Thanks for the help so far, so it's definitely the VPN, you say?

    I wrote a ticket to my VPN provider, to be honest, I would be surprised if they answer at all.


  • LAYER 8 Netgate

    It is something else upstream responding.



  • They have actually responded, but I'm not so sure what to think of it.
    Sounds like the "it's a feature" excuse ...

    "That's a misunderstanding. The scan was based on the currently used IP address of our VPN server. There are necessarily a lot of open ports, otherwise the server could not offer the necessary services."



  • @Bernd6560 said in How to close Port 23, 53 and 80 on WAN?:

    "That's a misunderstanding. The scan was

    Err are they saying the run their VPN using ports 23, 53 and 80 to try and anonymise what the servers look like from the internet ?



  • @NogBadTheBad I asked what you wrote, here is the response ...

    "I have already written that it is running on the VPN server services."


  • LAYER 8 Global Moderator

    It's possible they run vpn services themselves on the 53 and 80 ports to try and circumvent outbound restrictions for some locations. That would explain also say the 465 port.. 23 seems odd.. That is normally not going to be allowed outbound from anywhere..

    Doesn't matter why to be honest, The point is this whole thread has been complete an utter waste of everyone's time.. Since what some host on the internet answers to has zero to do with the pfsense wan rules.

    Its a akin to omg, www.google.com answers to 80 and 443.



  • Just to complete the info : what are the rules on your OpenVPN interface ?
    That's the interface being used when you use your VPN service.
    It's the OpenVPN that acts as your WAN interface now (the real WAN interface just transports the VPN tunnel outside - initiated from the inside iof your network - pfSense itself or some other device).

    Your VPN service probable NAT's standard 'usual' ports to you, like 23,53,80 443 etc.
    That's no big deal actually, up to you to block all incoming non solicited traffic.

    On a default pfSense with no rules added by you - no VPN (client) setup, just the minimal "click and online" setup, there will be no security issues.
    Do not take my word for it, just do the test.

    Now, when you find issues after adding things like 'OpenVPN client' I tend to say : finish your setup first - or check what "unknown facilities" you added to your setup .

    This question is easy to answer :

    @Bernd6560 said in How to close Port 23, 53 and 80 on WAN?:

    That's a big security hole, so how can I close these ports?

    Shut down the VPN connection - and you'll be fine.


  • LAYER 8 Global Moderator

    Those ports are not going to be sent down the tunnel to his box... Not unless his vpn supports them and he set them up... I would be LARGE sums of money that there is no vpn service on the planet that would forward those down.. For them to do that they would need an IP for every single client..



  • @johnpoz said in How to close Port 23, 53 and 80 on WAN?:

    Those ports are not going to be sent down the tunnel to his box...

    I asked about it, you're right.

    I would bet LARGE sums of money that there is no vpn service on the planet that would forward those down.. For them to do that they would need an IP for every single client..

    You would probably lose that bet, they do just that.

    If anyone is interested, here is the full conversation ->

    [me]
    Why are LESS services running with your filters?

    [staff]
    Presumably because the tests were done with different IP addresses (of the VPN server). Some of the services do not run on all IP addresses, or there are different services behind the ports depending on the IP address.

    [me]
    Is port 23 and 80 NORMAL?

    [staff]
    Yes, depending on the IP address of the VPN server this is normal. These are IP addresses that you share with other other companies, and in addition to which some ports are used for services of the server. That there are ports open and in use is, as already written perfectly normal. Sure, we could close down all ports, then just none of the services on the VPN servers would work anymore. ;)

    [me]
    Does INBOUND (port 23, 80) get through to me?

    [staff]
    No, I had already written several times. What is passed through are the ports of the port forwarding, of which we offer two different types, both of which can be configured on the corresponding configuration page in the customer area of ​​our website.


  • LAYER 8 Netgate

    @Bernd6560 said in How to close Port 23, 53 and 80 on WAN?:

    [staff]
    No, I had already written several times.

    There's a lot of that going around. Plenty of explaining going on but not a lot of listening.

    What is passed through are the ports of the port forwarding, of which we offer two different types, both of which can be configured on the corresponding configuration page in the customer area of ​​our website.

    Exactly. If they offer port forwarding (some do) you have to configure it. Then you have to pass that traffic on the OpenVPN or assigned interface tab for the connection to be passed into the firewall.


  • LAYER 8 Global Moderator

    And you clearly stated you did not configure any of that...

    My VPN provider supports it, but I have not changed any settings on my VPN account, it is turned off by default

    And sure they might offer you to forward port 32456 to your port 80.. But it has to be freaking configured!!! And that is not 80... If it was 80 they could do it once for each IP...

    Again what your seeing is you scanning freaking google.com and asking why they show 80 open... Turn off your vpn and actually scan pfsense WAN IP... Not your vpn endpoint.. Now what do you see open??



  • Again what your seeing is you scanning freaking google.com and asking why they show 80 open...

    Lol no, I scan my OWN public VPN ip, I dont understand how you get on google ...

    heise ping test PP 222.jpg

    Turn off your vpn and actually scan pfsense WAN IP... Not your vpn endpoint.. Now what do you see open??

    How am I supposed to do that?
    PfSense is behind a router and has an internal IP.


  • LAYER 8 Global Moderator

    So what if you are scanning your vpn public IP... That IP is being used by 100 other clients at the same time... Its NOT yours - its the vpn service... You have zero control over what services they run on it.. They are NOT!!!! sent down your tunnel.. Unless you specifically set that up

    You might as well scan www.google.com and be concerned..

    So pfsense is behind a nat... Well again HOW AND THE F!!! do you think ports are open on pfsense wan then...

    Turn off your vpn, and scan your routers IP.. Now sniff on pfsense do you see any traffic get to pfsense? Did you setup any port forwards on your router? To pfsense wan IP?



  • I've forwarded ALL ports from the router to pfSense for the test, here are the results.
    Tests were done WITHOUT VPN.

    Test port 23 2.jpg

    Test port 53 2.jpg

    Test port 80 2.jpg


  • LAYER 8 Global Moderator

    And there you go - you see the traffic get there and ZERO answers... So are we done now?

    Doing exactly what it should be doing..



  • Does that mean, even if it comes from VPN, it still blocked?


  • LAYER 8 Global Moderator

    OMG dude - what part are you not getting about it is NOT coming down your freaking vpn!!

    The vpn is like your router in front of pfsense - pfsense didn't see shit until you forwarded the ports... Have you forwarded them on your vpn? Then they wouldn't be coming down your tunnel to pfsense..

    But you can block them all you want on the vpn interface you created that connects to your vpn.


Log in to reply