Ports shown as [ closed ] instead of [ stealthed ]
-
Hi all,
While checking the ports filtering on my pfSense appliance, I found something I can't explain ???
-> some ports are shown as closed instead of stealthed when performing an outside scan on the WAN interface ( the scan is done trough http://www.pcflank.com/scanner1.htm )
If these ports were ports for which a NAT rule was activated or if UPnP was ON (which isn't the case), I wouldn't have been surprised, but in this case, these closed ports don't match anything ! :o
Here's a screenshot to illustrate that :
The two last ports are shown as closed when they should be listed as stealthed (I even checked the current connection states trough the pfSense dashboard : no entries were related to these ports :P)
If someone as a good explanation …. I'll gladly listen to it :)
-
Try the following online scanners and see if you don't get different results:
http://www.grc.com/default.htm (Steve Gibson's Shields Up)
http://nmap-online.com
http://www.t1shopper.com/tools/port-scan/
I have an explanation but will let you come to your own conclusion. ;)
-
Unless you added firewall rules on WAN with reject as the action, it's not your firewall doing that. May be your ISP, that'd be my guess. Sometimes modems do weird stuff like that with some traffic too.
-
@cmb:
May be your ISP, that'd be my guess.
PCFlank rigged their scans to show TCP ports 135, 137, 138 and 139 in a close state on their Quick Test scan and were a shill for Outpost Firewall Pro. They were outed for it years ago, closed their forum down, and if you view their index page source they haven't updated it since March 6 2001.
When your ports returned a closed state they recommended getting Outpost Firewall Pro, which they still have ads for on their site, and still showed the same closed port state even if you installed it and ran the tests again.
I was around their forums when it happened.
-
Ah, I just assumed it was a trustworthy site, apparently a poor assumption. :)
-
Thank you all for the answers :)
I didn't know pcflank had rigged the scans, but I confirm that it is true : I did several scans, just to check, and apparently the Netbios ports are randomly shown as closed instead of stealthed :o
Using the other provided websites, the other ports appearing as closed were indicated as filtered for some of them, but I found out that my ISP is also doing some custom blocking on specific ports !
I checked with a tcpdump monitoring the WAN interface : some external requests never came trough, meaning that they were trapped somewhere before :P