nmap-ing new pfSense box
-
Hi all,
Connected a new pfSense box directly to my ISP (no router). Ran an nmap scan from work:
[root@work]# nmap -A -sS -Pn -p1-65535 home-pfsense
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-26 14:29 UTC
Nmap scan report for home-pfsense (xx.xx.xx.xx)
Host is up (0.00021s latency).
rDNS record for xx.xx.xx.xx: isp-rdns-name
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE    VERSION
113/tcp  closed ident
2000/tcp open   cisco-sccp?
5060/tcp open   sip?
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows Vista|2008 (89%)
OS CPE: cpe:/o:microsoft:windows_vista::sp1:home_premium cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o:microsoft:windows_server_2008
Aggressive OS guesses: Microsoft Windows Vista Home Premium SP1 (89%), Microsoft Windows Server 2008 or 2008 Beta 3 (88%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 113/tcp)
HOP RTT     ADDRESS
1   0.36 ms yy.yy.yy.yy
2   0.25 ms isp-rdns-name (xx.xx.xx.xx)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 301.25 seconds
Strange that 2000 and 5060 are open. Researching 2000, I find that it's typically used as a backdoor (speedguide), which is troubling.
Checked the pfSense box:
[2.6.0-RELEASE][root@home-pfsense]/root: netstat | grep -E '(113|2000|5060|auth|callbook|sip)'
[2.6.0-RELEASE][root@home-pfsense]/root: sockstat | grep -E '(113|2000|5060|auth|callbook|sip)'
[2.6.0-RELEASE][root@home-pfsense]/root: pfctl -sa | grep -E '(113|2000|5060|auth|callbook|sip)'
states hard limit 3262000
src-nodes hard limit 3262000
Packages installed: acme, haproxy-devel (disabled), pfBlockerNG-devel. Omitted dependencies.
Is there someplace else I should look? Is nmap just giving me some kind of false-positive? Does pfSense have some kind of dynamic listener that won't show up in either netstat or sockstat?
TIA,
Dave -
@homealone said in nmap-ing new pfSense box:
Ran an nmap scan from work:
It's quite possible those are open somewhere in the path from your work to your pfSense.
@homealone said in nmap-ing new pfSense box:
Network Distance: 2 hops
Is your pfSense 2 hops away from your work? And running Windows? heheh
You could validate yourself that they are not coming from your pfSense by doing a packet capture on pfSense while you're running your nmap - do you see that traffic hit pfSense and an answer sent?
-
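One way to automate the cross-check johnpoz describes (what the scan reports as open versus what the box itself is listening on, plus the hop-count sanity check), as an added example that is not from either poster: it parses the PORT table from the thread's nmap report and a constructed sockstat -4l listing; the sockstat sample and the minimum-hop threshold are assumptions.

```python
import re

# PORT table and distance line from the thread's nmap report (rest omitted).
NMAP_REPORT = """\
PORT     STATE  SERVICE    VERSION
113/tcp  closed ident
2000/tcp open   cisco-sccp?
5060/tcp open   sip?
Network Distance: 2 hops
"""

# Constructed `sockstat -4l` output for a pfSense box (not from the thread):
# only HTTPS, SSH and DNS are listening, nothing on 2000 or 5060.
SOCKSTAT_LISTENERS = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  5  tcp4   *:443                 *:*
root     sshd       987   3  tcp4   *:22                  *:*
unbound  unbound    456   7  udp4   192.168.1.1:53        *:*
"""

# "2000/tcp open ..." lines in nmap's normal output.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.M)
# USER COMMAND PID FD PROTO LOCAL-ADDRESS ... lines in sockstat output.
SOCK_LINE = re.compile(r"^\S+\s+\S+\s+\d+\s+\d+\s+(tcp|udp)[46]\s+\S+:(\d+)\s", re.M)
HOPS_LINE = re.compile(r"^Network Distance:\s+(\d+) hops?", re.M)


def scan_open_ports(nmap_text):
    """Ports nmap reported as open, as a set of (port, proto)."""
    return {(int(p), proto) for p, proto in PORT_LINE.findall(nmap_text)}


def local_listeners(sockstat_text):
    """Ports the firewall itself has a listening socket on."""
    return {(int(port), proto) for proto, port in SOCK_LINE.findall(sockstat_text)}


def phantom_ports(nmap_text, sockstat_text):
    """Open in the scan but with no local listener: answered somewhere in transit,
    or not reaching the box at all. Confirm with a packet capture on the WAN."""
    return sorted(scan_open_ports(nmap_text) - local_listeners(sockstat_text))


def hop_count_plausible(nmap_text, min_expected_hops):
    """False when nmap's reported distance is shorter than the real path could be
    (e.g. two unrelated ISPs), which also points at an intermediate device."""
    m = HOPS_LINE.search(nmap_text)
    return m is not None and int(m.group(1)) >= min_expected_hops
```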
@johnpoz Thanks for the reply.
I thought the 2 hops was kind of strange too, since home and work are on completely different ISPs. I'll do the packet capture, but I'm guessing you're correct: the traffic from work isn't reaching home. Not sure what would intercept it on the work side. I'll have to check with my network engineer on that.
Thanks again,
Dave -
@homealone for a quick check of ports outside pfSense - you could use the GRC Shields Up.
Out of the box no ports are open on the pfSense WAN, not even ICMP, etc.
I'm not a fan of Steve Gibson in general - but the Shields Up tool can be useful.
-
@johnpoz Thanks again. I realized I also have some cloud servers available to me too, so I ran nmap from there. Confirmed that nothing is open.