Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Ports shown as [ closed ] instead of [ stealthed ]

    Firewalling
    3
    6
    1558
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      craymore last edited by

      Hi all,

      While checking the ports filtering on my pfSense appliance, I found something I can't explain  ???

      -> some ports are shown as closed instead of stealthed when performing an outside scan on the WAN interface ( the scan is done trough http://www.pcflank.com/scanner1.htm )

      If these ports were ports for which a NAT rule was activated or if UPnP was ON (which isn't the case), I wouldn't have been surprised, but in this case, these closed ports don't match anything !  :o

      Here's a screenshot to illustrate that :

      The two last ports are shown as closed when they should be listed as stealthed (I even checked the current connection states trough the pfSense dashboard : no entries were related to these ports  :P)

      If someone as a good explanation …. I'll gladly listen to it  :)

      1 Reply Last reply Reply Quote 0
      • M
        mr_bobo last edited by

        Try the following online scanners and see if you don't get different results:

        http://www.grc.com/default.htm (Steve Gibson's Shields Up)

        http://nmap-online.com

        http://www.t1shopper.com/tools/port-scan/

        I have an explanation but will let you come to your own conclusion. ;)

        1 Reply Last reply Reply Quote 0
        • C
          cmb last edited by

          Unless you added firewall rules on WAN with reject as the action, it's not your firewall doing that. May be your ISP, that'd be my guess. Sometimes modems do weird stuff like that with some traffic too.

          1 Reply Last reply Reply Quote 0
          • M
            mr_bobo last edited by

            @cmb:

            May be your ISP, that'd be my guess.

            PCFlank rigged their scans to show TCP ports 135, 137, 138 and 139 in a close state on their Quick Test scan and were a shill for Outpost Firewall Pro. They were outed for it years ago, closed their forum down, and if you view their index page source they haven't updated it since March 6 2001.

            When your ports returned a closed state they recommended getting Outpost Firewall Pro, which they still have ads for on their site, and still showed the same closed port state even if you installed it and ran the tests again.

            I was around their forums when it happened.

            1 Reply Last reply Reply Quote 0
            • C
              cmb last edited by

              Ah, I just assumed it was a trustworthy site, apparently a poor assumption. :)

              1 Reply Last reply Reply Quote 0
              • C
                craymore last edited by

                Thank you all for the answers  :)

                I didn't know pcflank had rigged the scans, but I confirm that it is true : I did several scans, just to check, and apparently the Netbios ports are randomly shown as closed instead of stealthed :o

                Using the other provided websites, the other ports appearing as closed were indicated as filtered for some of them, but I found out that my ISP is also doing some custom blocking on specific ports !

                I checked with a tcpdump monitoring the WAN interface : some external requests never came trough, meaning that they were trapped somewhere before  :P

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post