Open FTP-Port, but why?

  • Hello,

    im new to pfsense and linux at all.
    today i set up openvpn and by monitoring the logs i saw an allowed access which should not be allowed.

    i have uploaded two pictures where you can see the intruder and the set firewall rules.

    now i have done a portscan with "knocker" und he alerts port 21/tcp
    i just dont get it :(

    thanks in advance

  • pf blocks all inbound by default.
    perhaps it is another pc on the network?

  • i know, it should block all without an extra rule
    but after i have seen this i just made the rule to be sure (actually i changed it from tcp/udp to any)

    even if the request comes from another internal pc, it shouldn't be visible in the firewall log as far as i know, cause the request starts from my network

    in the meantime knocker found more open ports, 21, 80 and 110 and i guess there are more coming like 443 etc.
    and thats something i dont unterstand

  • so you installed knocker on your pf box?

    go here to do a port scan:

    besides having someone (or you) scanning you externally for you this is the next best thing. (turn snort off as it will block it, or add the ip addresses that are specified whitelisted)

  • This is mostly likely the ftp helper opening ports automatically for active mode ftp connections. nothing to worry about.

    Edit: Looking at the source address of the connection confirms this, it comes from port 20 which is the standard port for an ftp server to use as source port for actice mode ftp (data) connection.

  • @XIII: no, i have run knocker from another isp-connection

    @kpa: ok, thanks, maybe thats the solution for the ftp port, but knocker also found 80 und 110

  • Seen from where? Outside or your LAN network? Run the grc portscan test that XIII suggested and you can verify that your WAN rules are working correctly.

  • outside
    The ShieldUp Scan was ok, good for my nerves :D

    i'm still wondering how knocker could find open ports when there are none
    big thanks to you all for your help and the shieldup site!

  • perhaps the other site that you used knocker from has some sort of trusted connection to it? (vpn/active remote session, etc.) if so then it can see your lan dependent on your environment. I had a device on a lan that would leave ports open but it wasnt using them. Also if you have cable Internet, you can see your modems management ports and your cable boxes as well, again dependent on the environment.

  • Rebel Alliance Developer Netgate

    kpa is correct. That is normal traffic from the FTP helper, which is why it was logged.

Log in to reply