Reciving blocks at LAN side towards IP:80\. when using. nmap -sP ?!?!



  • Hi I have a clean pfsense 2.latest  on Intel i3. No pakage installed, i keep it clean and simple for max speed.

    Problem:

    One of my liux server doing a nmap -sP at a /21 network.

    Problem is it show up as blocked in my firewall logs ?!?!

    Recreate problem: nmap -sP x.x.x.x

    My rules:

    My firewall log ?!?!?

    I can't figure out why this is happening ?

    @1 block drop in log all label "Default deny rule"

    Nothing should be blocked from my LAN towards anything, still that nmap shows up?!

    The nmap -sP is working but just flooding my firewall logs!

    Please help..



  • According to the firewall logs, something (presumably nmap) is sending TCP ACK packets to remote hosts on tcp port 80, which wouldn't be correct since no preceding SYN -> SYN ACK has taken place, and no existing state between two hosts therefore exists.

    You might be able to create a firewall rule which allows this traffic if you experiment with the 'State type' and 'TCP flags' advanced rule options.



  • Still pfsense should not block anything when I allow everything ?

    (Why nmap going for port 80 looks strange for me when using the -sP)



  • @fableman:

    Still pfsense should not block anything when I allow everything ?

    Only legit traffic gets passed by (good) stateful firewalls. An ACK out of nowhere is not legit traffic. Allow all means allow all new connections (for TCP, flags S/SA).



  • @cmb:

    @fableman:

    Still pfsense should not block anything when I allow everything ?

    Only legit traffic gets passed by (good) stateful firewalls. An ACK out of nowhere is not legit traffic. Allow all means allow all new connections (for TCP, flags S/SA).

    nmap is not producing legit traffic then ? I thougth they knew what they was doing :)

    Is it possible to filter this stuff out, My logs are useless when I getting tons of blocks, cant see anything important in all the mess ?



  • Fableman, you might want to run nmap with -sS instead, to have nmap run a SYN scan, pfsense would allow that outbound traffic.

    • Andreas


  • @fableman:

    nmap is not producing legit traffic then ? I thougth they knew what they was doing :)

    No question they know what they're doing, they intentionally create brokenness to test certain things, such as the OS identification relies on what kind of response is generated by various brokenness. Amongst many other things, there's a lot to how it works. You want to use -sS, or go out without any firewall at all if you want to use scans other than SYN. There isn't any easy way to filter that stuff out of your logs. I always run nmap to Internet hosts from a box with a public IP directly assigned and no firewall if anything other than a SYN scan is needed.



  • @inflamer:

    Fableman, you might want to run nmap with -sS instead, to have nmap run a SYN scan, pfsense would allow that outbound traffic.

    • Andreas

    same results.

    All I need is a very fast way to check what hoste respond to ping and get them into a list.
    Guess I have to make my own bash script for this, will be slower but can't have it like this.



  • @fableman:

    @inflamer:

    Fableman, you might want to run nmap with -sS instead, to have nmap run a SYN scan, pfsense would allow that outbound traffic.

    • Andreas

    same results.

    All I need is a very fast way to check what hoste respond to ping and get them into a list.
    Guess I have to make my own bash script for this, will be slower but can't have it like this.

    I would be surprised if pfSense blocks an -sS scan from nmap, could you post some screenshots to show the firewall log from such a scan?

    • Andreas


  • After reading this: http://nmap.org/docs/discovery.pdf

    The solution was to use:  nmap -sP -PS x.x.x.x/yy

    problem solved.


Locked