pfSense is listening on port 36794, but sockstat -l does not show it
-
Hello,
a couple of days ago, I installed two pfSense VMs and configured them as an HA cluster.
Yesterday, I ran a vulnerability scan via OpenVAS which shows 36794 as an open port.
So, when I run telnet <pfsense-ip> 36794 I will be connected to the firewall. Any input does not result in an output, though.
The strange thing is that sockstat -l does not show an open port 36794.
tcpdump -ni vmx2 port 36794, however, shows packets corresponding to the telnet session.
How can I find out what is listening on port 36794, and how can I list ALL open ports?
Thanks!
-
-
Mmm, where are you testing from? How are the VMs set up?
pfSense does not open that port by default so in a clean install it pretty much has to be something in the hypervisor.
Steve
-
@nogbadthebad
Isn't Bugbear a Windows worm? A Windows malware installation on FreeBSD would be rather odd, wouldn't it? Nevertheless, I see the states (Diagnostics -> States) when I connect via telnet; probably similar to what I see with tcpdump.
-
@stephenw10
Here is my setup:
- 2 VMs on an ESXi
- 8 NICs per VM (WAN, LAN1-6, PFSync)
- some RAM, some CPU per VM
- pfSense version 2.6.0 on each VM (installation time was about four days ago)
- HA configuration (quite similar to https://docs.netgate.com/pfsense/en/latest/solutions/reference/highavailability/clusterconfiguration.html)
- from a computer in at least one of the LANs I can connect to each pfSense on port 36794 (at least nc -v tells me that the TCP session is established successfully, and via telnet I get "Trying ...<cr>Connected to ...<cr>Escape character ...<cr>")
Why could it have something to do with the hypervisor? There are no vm-tools installed.
-
What do the states look like when you connect? There are packets both ways?
Where are you testing from? Another VM inside ESXi?
I assume you have rules to pass that traffic.
Steve