Odd Port problem



  • Great Story

    Last night I was gaming with the wife and my EQ2 kept dropping to window mode. So I started snooping around and lo and behold I saw in ZA I was being hit from outside IPs on my box. I first thought it was EQ2 but my wife didn't have any hits on her box. Looking at the logs it looked as if everything matched what was on the FW, so I thought somehow I had picked up some spyware and/or a virus. Locked that IP down and started monitoring, only to see these same 4-5 IPs continue to hit the network. So I changed the subnet just to see what would happen, and same thing.

    Well, after getting tired I made the nub mistake and activated static ARPs. Well, no need to worry about anyone hitting ANY box, as none would connect :) (talk about oops). Due to my newness to this setup I wasn't able to figure out how to undo this change and was forced to reload the box and restore an older config. This wasn't much of an issue until I called a friend at work today to run a full diag on my FW. There are some ports open inbound on my box that I don't have set up in rules and never set up (one I did, but not on this config). So I am not sure how to close them and wanted to see if you guys had any input on the matter.

    All ports are inbound.

    21
    25
    110
    143
    465 - ssmtp
    587
    993
    995
    4444 - KRB524
    5190 - America-Online (opened this for my daughter, but not on the list.)



  • Post screenshots of your port forward screen and firewall rules on WAN.






  • No way did he scan your pfSense. There are no mailservers on your box. My guess is that your colleague is behind a router/proxy with transparent filtering (like filtering mail for viruses/spam transparently). These apps will show you open ports when scanning remote IPs, but actually you are connecting to these transparent filters and not the IP that you scan.

    Also please note that you have to reset already established states (Diagnostics > States, Reset States) if you add a block rule and there are already connections that have been passed previously. Otherwise you would have to wait for these connections to be closed or to reach the timeout.
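The transparent-filter effect described in the post above can be checked from the scanning side without trusting the scanner's own output. This is an added example, not code from the thread or from pfSense: it probes the same TCP ports on the target and on a control address that is assumed to have nothing listening (an unused address in the same prefix as the target, which you must pick yourself), and treats any port that answers identically from both as being answered by an intermediary rather than the target. The port list, the `probe`/`scan`/`classify` names and the sample banners are all constructed here for illustration.

```python
"""Tell ports that are really open on a target from ports that only look open
because a transparent proxy or mail filter between scanner and target answers
on the target's behalf.

Added example, not from the original thread. Assumption: `control_host` is an
address that cannot legitimately answer (e.g. an unused IP next to the target).
If the intermediary answers for it too, the same ports show up "open" there
with the same banner, which is the signature of interception.
"""
import socket
from dataclasses import dataclass

# The inbound ports reported in the thread (constructed list for this example).
MAIL_PORTS = [21, 25, 110, 143, 465, 587, 993, 995, 4444, 5190]


@dataclass(frozen=True)
class ProbeResult:
    port: int
    open: bool
    banner: str  # first line the service sends after connect; "" if silent


def probe(host: str, port: int, timeout: float = 2.0) -> ProbeResult:
    """TCP-connect to host:port and grab whatever the service says first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""  # open but silent (e.g. a service waiting for the client)
            return ProbeResult(port, True, data.decode("latin-1").strip())
    except OSError:
        return ProbeResult(port, False, "")


def scan(host: str, ports=MAIL_PORTS) -> dict:
    """Probe every port in `ports` on `host`; returns {port: ProbeResult}."""
    return {p: probe(host, p) for p in ports}


def classify(target: dict, control: dict) -> dict:
    """Compare a target scan with a scan of a control host that should be dead.

    Verdicts per port:
      closed       - target did not accept the connection
      intercepted  - control answered too, with the identical banner: something
                     in the path answers for any destination, not the target
      suspect      - control answered with a different banner: look closer
      open         - only the target answered: a real listener on the target
    """
    verdicts = {}
    for port, t in target.items():
        c = control.get(port)
        if not t.open:
            verdicts[port] = "closed"
        elif c is not None and c.open and c.banner == t.banner:
            verdicts[port] = "intercepted"
        elif c is not None and c.open:
            verdicts[port] = "suspect"
        else:
            verdicts[port] = "open"
    return verdicts


def sample_results():
    """Constructed data standing in for a real scan: a transparent mail filter
    answers every mail port with the same banner for target and control alike,
    while the non-mail ports are closed on both."""
    banners = {
        25: "220 filter.example ESMTP ready", 465: "220 filter.example ESMTP ready",
        587: "220 filter.example ESMTP ready", 110: "+OK POP3 filter.example",
        995: "+OK POP3 filter.example", 143: "* OK IMAP4rev1 filter.example",
        993: "* OK IMAP4rev1 filter.example",
    }
    target = {p: ProbeResult(p, p in banners, banners.get(p, "")) for p in MAIL_PORTS}
    control = {p: ProbeResult(p, p in banners, banners.get(p, "")) for p in MAIL_PORTS}
    return target, control


if __name__ == "__main__":
    # Offline demo on the constructed data; for a live check replace it with
    # classify(scan(target_ip), scan(control_ip)).
    t, c = sample_results()
    for port, verdict in sorted(classify(t, c).items()):
        print(f"{port:5d}  {verdict}")
```

If every mail port comes back "intercepted", the scanner is talking to its own upstream filter, which matches the explanation in the post; a port that is "open" on the target but closed on the control host is the only kind worth chasing in the WAN rules or port forwards.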



  • I had reset those states before the reload of the box.



  • I'm in agreement with hoba, if you want to make 100% sure, pm me your public IP and I'll scan it as well.



  • PM on the way, thanks for looking into this with me. I really hope I am wrong in this case :)



  • From pm discussion, I've confirmed those ports aren't really open on his firewall, and it's behaving as his shown firewall ruleset should, proving it was something to do with the network of the person who scanned him originally.

