Netgate Discussion Forum

    Odd Port problem

      BigTy

      Great Story

      Last night I was gaming with the wife and my EQ2 kept dropping to window mode. So I started snooping around and lo and behold I saw in ZA I was being hit from outside IPs on my box. I first thought it was EQ2 but my wife did have any hits on her box. Looking at the logs it looked as if everything match was on the FW so I thought somehow I picked up some spyware and/or virus. Locked that IP down and started monitoring to see these same 4-5 IPs continue to hit the network. So I changed the subnet just to see what would happen and same thing.

      Well after getting tired I made the nub mistake and activated static arps. Well no need to worry about anyone hitting ANY box as none would connect :) (talk about oops). Well due to my newness of this setup I wasn't able to figure out how to undo this change and was forced to reload the box and restore an older config. This wasn't much of an issue until I called a friend at work today to run a full diag on my FW. There are some ports opened inbound on my box I don't have setup on rules and never setup (one I did but not on this config). So I am not sure how to close them and wanted to see if you guys had any input on the matter.

      All ports are inbound.

      21

      25

      110

      143

      465 - ssmtp

      587

      993

      995

      4444  KRB524

      5190  America-online (opened this for my daughter but not on the list.)

        cmb

        Post screenshots of your port forward screen and firewall rules on WAN.

          BigTy


            hoba

            No way did he scan your pfSense. There are no mailservers on your box. My guess is that your colleague is behind a router/proxy with transparent filtering (like filtering for viruses/spam in mail transparently). These apps will show you open ports when scanning remote IPs but actually you are connecting to these transparent filters and not the IP that you scan.

            Also please note that you have to reset already established states (Diagnostics > States, Reset States) if you add a block rule and there are already connections that have been passed previously. Otherwise you would have to wait for these connections to be closed or to reach the timeout.

              BigTy

              I had reset those states before the reload of the box.

                cmb

                I'm in agreement with hoba, if you want to make 100% sure, pm me your public IP and I'll scan it as well.

                  BigTy

                  PM on the way, thanks for looking into this with me. I really hope I am wrong in this case :)

                    cmb

                    From pm discussion, I've confirmed those ports aren't really open on his firewall, and it's behaving as his shown firewall ruleset should, proving it was something to do with the network of the person who scanned him originally.
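
The cross-check this thread ends up doing (compare the first scan against an independent scan and against the WAN ruleset), as an added example that is not part of the original posts. The function names, the vantage names, the empty second scan result and the empty rule set are assumptions made for illustration; only the first port list is taken from the thread.

```python
from collections import defaultdict

# Constructed sample data (labelled): the first set is the port list quoted in
# the thread; the second scan and the rule set are assumptions for illustration.
REPORTS = {
    "friend_at_work": {21, 25, 110, 143, 465, 587, 993, 995, 4444, 5190},
    "second_scanner": set(),   # assumed: an independent scan found none open
}
WAN_ALLOWED = set()            # assumed: no WAN pass rules or port forwards


def classify_open_ports(reports, allowed):
    """Label every port that any vantage point reported open.

    reports: {vantage_name: set of TCP ports reported open}
    allowed: ports the firewall's WAN rules / port forwards actually pass
    """
    seen_by = defaultdict(set)
    for vantage, ports in reports.items():
        for port in ports:
            seen_by[port].add(vantage)

    everyone = set(reports)
    verdicts = {}
    for port in sorted(seen_by):
        if port in allowed:
            verdicts[port] = "expected"              # matches the ruleset
        elif len(everyone) < 2:
            verdicts[port] = "unconfirmed"           # one scan proves nothing
        elif seen_by[port] == everyone:
            verdicts[port] = "investigate-firewall"  # all vantages agree
        else:
            verdicts[port] = "vantage-specific"      # likely on the scanner's path
    return verdicts


def suspect_vantages(reports, allowed):
    """Vantages reporting ports that others do not see and the ruleset does not pass."""
    verdicts = classify_open_ports(reports, allowed)
    return sorted(v for v, ports in reports.items()
                  if any(verdicts.get(p) == "vantage-specific" for p in ports))


if __name__ == "__main__":
    for port, verdict in classify_open_ports(REPORTS, WAN_ALLOWED).items():
        print(port, verdict)
    print("re-scan from another network:", suspect_vantages(REPORTS, WAN_ALLOWED))
```

A port marked "vantage-specific" points at something on that scanner's own network path, such as the transparent filter hoba describes, rather than at the firewall being scanned.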
