DHCPS not being blocked

Reply to DHCPS not being blocked on Thu, 20 Sep 2012 16:14:11 GMT

johnpoz — Thu, 20 Sep 2012 16:14:11 GMT

Yeah as always you are correct. I discovered that the vps I was trying to do the scans from has nmap locked down and does not function correctly as root.

Seems you can not scan udp unless your root? Because I tried scanning my box that I put a reject on for specific udp 71 and never saw the traffic hit my firewall. Contacted the host of my vps and yeah they have nmap restricted – arrghhh.

Reply to DHCPS not being blocked on Thu, 20 Sep 2012 03:46:05 GMT

cmb — Thu, 20 Sep 2012 03:46:05 GMT

All WAN rules are those you configure.

Were you seeing "open|filtered" originally? That means it's blocked, or it's open. No way to tell the difference with UDP. It knows a UDP port is closed if it responds back with an unreachable. An open UDP port, and a filtered UDP port (blocked silently) behave the same way - no response. Hence the "open|filtered". That's what you should see when silently blocking with a firewall.

Reply to DHCPS not being blocked on Thu, 20 Sep 2012 02:26:54 GMT

johnpoz — Thu, 20 Sep 2012 02:26:54 GMT

hmmmm – that is odd but I just did a scan from my vps where I did for port 67

and it shows 71 open???

Nmap scan report for snip.homeip.net (24.13.xx.xxx)
Host is up.
rDNS record for 24.13.xx.xx: c-24-13-xx-xx.hsd1.il.comcast.net
PORT STATE SERVICE
71/udp open|filtered netrjs-1

Which clearly is not listening via sockstat -- so WTF???

So yeah what you say makes sense.. Clearly I don't have any rule allowing the access, but not all rules are shown in the gui are they.

Reply to DHCPS not being blocked on Wed, 19 Sep 2012 23:45:28 GMT

cmb — Wed, 19 Sep 2012 23:45:28 GMT

Very unlikely 67 is actually open (impossible if you don't have a rule permitting it). It's likely one of two reasons that comprises every "some port is open that I didn't open!" post that's ever been on here.

the host you're scanning from is showing that for some reason because it has something interfering with the port scanner.
something in between the host you're scanning from and the target is answering on that for some reason.

Reply to DHCPS not being blocked on Wed, 19 Sep 2012 18:21:20 GMT

johnpoz — Wed, 19 Sep 2012 18:21:20 GMT

hmmm, shouldn't dhcpd only be listening on lan interface? and not all interfaces?

dhcpd dhcpd 47021 8 dgram -> /var/dhcpd/var/run/log
dhcpd dhcpd 47021 12 udp4 *:67 :
dhcpd dhcpd 47021 20 udp4 *:59655 :
dhcpd dhcpd 47021 21 udp6 *:12375 :

And if have to listen on all, shouldn't wan block traffic to 67? As dhcp client all traffic would be to going to 68 in answer to dhcp requests from dhcp client on wan interface.

I just looked and according to gui, dhcp server is only on LAN interface.. But if I do a check from outside I do show it open

Starting Nmap 5.21 ( http://nmap.org ) at 2012-09-19 11:22 PDT
Nmap scan report for snipped.homeip.net (24.13.xx.xx)
Host is up.
rDNS record for 24.13.xx.xx: c-24-13-xxx-xxx.hsd1.il.comcast.net
PORT STATE SERVICE
67/udp open|filtered dhcps

Reply to DHCPS not being blocked on Wed, 19 Sep 2012 17:23:42 GMT

gderf — Wed, 19 Sep 2012 17:23:42 GMT

How is the public IP address on the pfsense WAN assigned?