My pfSense has ports open on WAN interface

  • Hello!

    If I scan the open ports on my external IP,
    I see that ports 21, 53 and 80 are open :o
    (and maybe others, but the scan is so slow that after 20 minutes I stopped it)

    I have only Squid installed (and Snort, but it does not load with the system… I think because I don't have much RAM, only 384MB)

    How can I close the open ports??
    I have DDNS active, so if you need it I can give you my DynDNS name


  • The minimum amount of memory supported by pfSense is 512M for the base system install.  Squid uses a significant amount of memory and resources so you definitely want to upgrade your system.

    That said, none of these ports should be showing as open unless you have firewall rules which allow the traffic.  Review your firewall configuration and send along relevant screen shots as you see fit.

  • I will upgrade to 512 tomorrow

    I have added rule number 3 (from WAN to ANY block) in the screenshot to try to close the open ports, without result
    (I think that the only result after adding that rule is that the port scanner is slower to detect the ports)

  • This rule does exactly nothing. (There will never be any inbound traffic on the WAN from the WAN itself)
    But you don't need such a rule because there is already an invisible "block everything" rule at the bottom.
    If you don't have any rules, then you block everything.

    Where did you run your portscan from?
    Actually from the outside?
    Or from your LAN side to the WAN-IP?
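The post above rests on how pfSense evaluates rules: top to bottom, first match wins, and anything that matches no rule hits an implicit block at the bottom. The small rule evaluator below is an added illustration of that model (example code written for this thread, not pfSense's own pf ruleset or any of its code). The WAN address 203.0.113.10/24 and the scanner source 198.51.100.7 are constructed documentation-range values; the two rule sets mirror the situation in the thread: an empty WAN tab, and a WAN tab holding only a "WAN net to any, block" rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # None = any destination port


def _net_matches(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and _net_matches(rule.src, src)
            and _net_matches(rule.dst, dst)
            and rule.dport in (None, dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """First-match evaluation of an interface's rule list.

    Returns (action, index_of_matching_rule). If nothing matches, the
    result is ("block", None): the invisible default-deny at the bottom.
    """
    for index, rule in enumerate(rules):
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action, index
    return "block", None


# Constructed addresses (documentation ranges, not real hosts).
WAN_ADDR = "203.0.113.10"
WAN_NET = "203.0.113.0/24"
SCANNER = "198.51.100.7"

# WAN tab with no rules at all.
WAN_RULES_EMPTY: List[Rule] = []

# WAN tab holding only the "WAN net -> any, block" rule from the thread.
WAN_RULES_REDUNDANT_BLOCK = [Rule("block", "any", WAN_NET, "any", None)]

# A WAN tab that would genuinely explain an "open" port 80 in a scan.
WAN_RULES_OPEN_HTTP = [Rule("pass", "tcp", "any", WAN_ADDR, 80)]


def scan_verdicts(rules: List[Rule], ports=(21, 53, 80)) -> dict:
    """Action the firewall takes for an external TCP probe of each port."""
    return {port: evaluate(rules, "tcp", SCANNER, WAN_ADDR, port)[0]
            for port in ports}


if __name__ == "__main__":
    for name, rules in (("empty", WAN_RULES_EMPTY),
                        ("redundant block", WAN_RULES_REDUNDANT_BLOCK),
                        ("pass tcp 80", WAN_RULES_OPEN_HTTP)):
        print(f"{name:16s} {scan_verdicts(rules)}")
```

Run as-is to see that the first two rule sets give identical results for an Internet-sourced probe: the explicit block never matches a source outside the WAN subnet, so the implicit default deny is what actually drops the packet either way. Only a pass rule on the WAN tab (third set) makes a port show as open from outside.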

  • Rebel Alliance Developer Netgate

    If you're running a scan from behind another router that has proxies enabled (FTP proxy/helper, Squid, DNS, etc) or NAT reflection on those ports, they will show as open even though they are open locally, not on the public side of the router being tested.

    Similarly, if you test the WAN address from the LAN side of a pfSense router, you'll see open ports because you're coming from inside not outside and you are subject to the LAN rules, not the WAN rules.

    Ideally, such scans should be run by a remote system that isn't behind any kind of special firewall/router device, or use some kind of port testing service like ShieldsUp (not that I agree with some of the things that Gibson thinks are "threats" but it's still a useful test to see if ports are open…)

  • Ah ok, thanks for the reply

  • I think that something does not work..
    In the screenshot you can see that I did a remote scan on the first scanner that I found on Google
    and there are some open ports,

    if I use your ShieldsUp site all ports are stealthed ???

  • Rebel Alliance Developer Netgate

    Do you maybe have UPnP on and something locally is opening those ports temporarily by using UPnP?

    I tried that site and it showed mine as closed, as expected.

  • UPnP is disabled and I have removed Squid just for a test, but the problem is still here

  • Rather than trusting the scanner (which is entirely possibly wrong) simply try to connect to those ports from the outside world.  Even just using an open http proxy would work to ensure you don't actually have http listening externally.
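The advice above, to connect to the ports yourself instead of trusting a scanner's verdict, is easy to do with a plain TCP connect from a host that is outside your own network. The script below is an added example for this thread, not code from pfSense or from anyone in it. It tries one connection per port and maps the outcome to the three states a firewall test cares about: "open" (handshake completed, so something answers), "closed" (the host replied with a reset, so it is reachable but nothing listens) and "filtered" (no reply at all, which is what ShieldsUp calls stealth). Run it from the outside; from the LAN it will only tell you about your LAN rules and NAT reflection, as explained earlier in the thread. The default host 127.0.0.1 and the port list (21, 53, 80) are just the thread's values, not an assumption about any real server.

```python
import socket
import sys
from typing import Dict, Iterable


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connection and classify the result.

    "open"      - three-way handshake completed (a service or a NAT
                  forward answered)
    "closed"    - RST received: host reachable, nothing listening
    "filtered"  - no answer before the timeout: a firewall dropped it
    "error"     - local/network error before any answer (no route, DNS)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def check_ports(host: str, ports: Iterable[int],
                timeout: float = 3.0) -> Dict[int, str]:
    """Classify each port of an explicit list; order is preserved."""
    return {port: classify_port(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Usage: python check_wan.py <your-public-ip-or-ddns-name>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in check_ports(target, (21, 53, 80)).items():
        print(f"{target}:{port} -> {state}")
```

With the firewall behaving as described in the thread (no pass rules on WAN), every port should come back "filtered"; "closed" means the packet reached a host with nothing listening, and "open" means something really answered, which is the case worth investigating.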

  • After removing Squid and rebooting, the ports are closed now…

    but how and why does Squid open those ports on WAN?? (53, 80, 21 and maybe others)
    I never configured it to do that...

    I will try another time to install Squid.. or HAVP..

  • Rebel Alliance Developer Netgate

    Did you maybe have the 'wan' interface selected for squid to listen on?

  • No, in the screenshot you can see