Open ports from port scan… huh?



  • Hello, I have just done a port scan remotely (from home) to my static IP address at work using Angry IP Scanner 2.21, I have a list of ports that are open. I am running pfsense 2.0.1 pretty much a default set  up.

    25, 80, 110, 119, 143, 465, 563, 587, 993, 995, 3124, 3127, 3128, 8008, 8080

    I am running a web server and have directed all traffic requests to that server which is running on the LAN by using NAT. I also use RDP to hit another internal server. I recognize the ports I just do not see where the ports are open as I have limited rules set up.

    For NAT:

    I have port forward for 80 and 3389 on the WAN
    1:1 nothing is set
    Outbound I have it set to auto mode

    I have the default rules in the LAN for traffic and none in the WAN or Floating.

    I have a few services running
    dhcp
    dnsmasq
    ntop
    ntpd

    If someone could tell me why i have these ports open and how to close them (all except 80 and rdp) or if these ports should be open let me know.

    Thank you very much.



  • Have you tried with nmap (the port-scanning tool used by networking professionals) ?

    Here is its report for my pfsense:

    As seen from WAN (xxx.yyy.1.201 is public IP):

    nmap -p 1-1024 xxx.yyy.1.201

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-06-03 19:11 EEST
    Nmap scan report for qqq.www.ee (xxx.yyy.1.201)
    Host is up (0.00044s latency).
    All 1024 scanned ports on qqq.www.ee (xxx.yyy.1.201) are filtered
    MAC Address: zzz

    Nmap done: 1 IP address (1 host up) scanned in 22.07 seconds

    As seen from LAN port:

    nmap -p 1-1024 192.168.100.1

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-06-03 19:18 EEST
    Nmap scan report for fw.localdomain (192.168.100.1)
    Host is up (0.0021s latency).
    Not shown: 1020 filtered ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    53/tcp  open  domain
    80/tcp  open  http
    443/tcp open  https
    MAC Address: zzz

    Nmap done: 1 IP address (1 host up) scanned in 5.01 seconds



  • Here we go again…  ;D  the at least quarterly "omg I have ports open that I didn't open" thread. It's never actually the case, but why varies from one to the next.

    For one, make sure you're scanning the right IP. Two, make sure what you're scanning from doesn't have a host-based firewall that screws with port scanners, and isn't sitting on a network with any kind of firewall or proxy that answers on ports on every IP on the Internet. Those cover pretty much every such scenario. If you truly only have port forwards on 80 and 3389, then it has to be one of those things.

    If you want, you can PM me the IP and I can scan it from something I know doesn't have anything that will muck with the results.



  • @cmb lol thanks for being nice  ;D, I had kinda prepared for some real reaming about reading the other posts (I did but did not get what you are saying from them) It does seem that there is a ton of this going around.

    My scan was taken from a different ISP on a Windows 7 Ulti. Machine and I have a Linksys router that is not open to anything. However there may be an issue with the windows firewall and open ports there. I do think that you are on to something because I did not find the RDP port open on the firewall.

    @dhatz I am about to walk away from the whole windows thing as I have started to ease into Linux and am enjoying it. The last flavor of anything was actually FreeBSD and when the company I worked for moved away from that I was in a world of Windows. The reason for bringing that up is that I am working in dual boot with my Win7 and Ubuntu 12.04 and have just installed nmap and will test later.

    Thank you guys for your reply I appreciate your time and humor. I do love pfSense and am glad I am using it over the other options I looked at.



  • I just ran nmap using your example above (nmap -p 1-1024 xxx.xxx.xxx.xxx) I was on my brand new Linux Desktop install (Ubuntu 12.04 vs Windows 7 last time)

    and here are my results…

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-06-05 11:12 PHT
    Nmap scan report for <public ip="" address="">Host is up (0.19s latency).
    Not shown: 1023 filtered ports
    PORT   STATE SERVICE
    80/tcp open  http

    I then went in blocks of 1024 (nmap -p 1024-2048 xxx.xxx.xxx.xxx) and found my rdp port and nothing else! Thank you all for the help and calm the freak-out factor! ;D</public>


Locked