Have traffic hitting (and passing) on a blocked port. What am i doing wrong

  • Hi I'm new to using pfsense (love it by the way). I have a setup with pfsense running on a pc with 2 network cards, the wan out to the internet on one, and my lan on the other. I am seeing traffic being "passed" in my firewall logs to a computer on my network, that i think shouldn't be happening. Basically i have a qnap ts-451 NAS with its web admin interface using port 8080 on ip address 192.168.06 on my network. I recently started seeing INBOUND traffic from my WAN from many different external IP addresses and ports hitting this computer. I can understand perhaps seeing outbound traffic, as the NAS does some automatic updates of its software, but if i am reading the PFsense firewall logs correctly, this is INBOUND traffic trying to hit this NAS and get to the admin gui on port 8080. am i reading the logs wrong, all the traffic indicates its coming in on the WAN interface, and rule (@1) is allowing it to pass, and its destination is my NAS box runnign on port 8080.
    this caused me a bit of concern, so i did an explicit "block" of port 8080 on the firewall rules blocking any source and destination from using port 8080, but pfsense is still passing the traffic.
    I do have UpNP activated. Where is the "pass" rule coming from? when i click on the green checkmark to see the rule, it says: @1(0) rdr log quick on em0 inet proto tcp from any to any port=8080 keep state label "56ec2c669a972a0372c3e1dee8b6586c-webg admin" rtable 0-> port 8080.

  • I think i have answered my own question. in inspecting the upnp& nat-pmp status, it shows the entry that matches the ""56ec2c669a972a0372c3e1dee8b6586c-webg admin" label.

    i would have thought my explicit block of port 8080 would override that.
    Does the fact that the traffic is inbound to this NAS box on port 8080, mean someone is trying to hack into that NAS?

  • When you create a new rule(s), you need to reset the state table to clear connections already established. Then the rule should take effect and it should be blocked.

Log in to reply