DHCPS not being blocked

  • I have been running some tests on my firewall and I noticed the following.

    I have a 1:1 NAT that goes to an internal address.
    For the firewall rule I have opened 21, 80, 8080, 443, 1002, 1503, 1718-1720, 3230-3285.

    When I run a network scan from outside the WAN to the public IP I get the above ports open, as I should, but it also comes back with port 67 being open.

    I have checked the rest of the rules and I don't see anything where this port is listed.

    Any ideas why this is open?

    Thanks Gord.

  • How is the public IP address on the pfsense WAN assigned?

  • LAYER 8 Global Moderator

    Hmmm, shouldn't dhcpd only be listening on the LAN interface, and not on all interfaces?

    dhcpd    dhcpd      47021 8  dgram  -> /var/dhcpd/var/run/log
    dhcpd    dhcpd      47021 12 udp4   *:67                  :
    dhcpd    dhcpd      47021 20 udp4   *:59655               :
    dhcpd    dhcpd      47021 21 udp6   *:12375               :

    And if it has to listen on all of them, shouldn't WAN block traffic to 67? As a DHCP client, all traffic would be going to 68 in answer to DHCP requests from the DHCP client on the WAN interface.

    I just looked, and according to the GUI the DHCP server is only on the LAN interface. But if I do a check from outside, I do show it open:

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-09-19 11:22 PDT
    Nmap scan report for snipped.homeip.net (24.13.xx.xx)
    Host is up.
    rDNS record for 24.13.xx.xx: c-24-13-xxx-xxx.hsd1.il.comcast.net
    67/udp open|filtered dhcps

    Very unlikely 67 is actually open (impossible if you don't have a rule permitting it). It's likely one of the two reasons that account for every "some port is open that I didn't open!" post that's ever been on here.

    1. The host you're scanning from is showing that for some reason because it has something interfering with the port scanner.
    2. Something in between the host you're scanning from and the target is answering on that port for some reason.

  • LAYER 8 Global Moderator

    Hmmmm, that is odd, but I just did a scan from my VPS like I did for port 67,

    and it shows 71 open???

    Nmap scan report for snip.homeip.net (24.13.xx.xxx)
    Host is up.
    rDNS record for 24.13.xx.xx: c-24-13-xx-xx.hsd1.il.comcast.net
    PORT   STATE         SERVICE
    71/udp open|filtered netrjs-1

    Which clearly is not listening according to sockstat, so WTF???

    So yeah, what you say makes sense. Clearly I don't have any rule allowing the access, but not all rules are shown in the GUI, are they?

  • All WAN rules are those you configure.

    Were you seeing "open|filtered" originally? That means it's blocked, or it's open. No way to tell the difference with UDP. It knows a UDP port is closed if it responds back with an unreachable. An open UDP port, and a filtered UDP port (blocked silently) behave the same way - no response. Hence the "open|filtered". That's what you should see when silently blocking with a firewall.
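    The decision rule described in the reply above, as an added example that is not from the thread or from pfSense: a small Python probe that sends one UDP datagram and classifies the outcome the way nmap -sU does (a reply means open, an ICMP port-unreachable means closed, silence is reported as open|filtered because a silently dropping firewall and a non-answering service look identical from outside). It is run against three constructed loopback services: one that echoes, one that reads and never answers, and a port with nothing bound. The closed case assumes Linux/BSD socket semantics, where a connect()ed UDP socket surfaces the ICMP port-unreachable as ECONNREFUSED; the timeout value is an assumption.

```python
"""Why nmap reports UDP ports as open|filtered, demonstrated on loopback.

Added example, not from the forum thread or from pfSense.
"""
import socket
import threading
from typing import Optional

PROBE_TIMEOUT = 0.5   # seconds to wait for a reply (assumed value)
LOOPBACK = "127.0.0.1"


def classify(reply: Optional[bytes], icmp_unreachable: bool) -> str:
    """Apply nmap's UDP decision rule to a single probe outcome."""
    if icmp_unreachable:
        return "closed"          # ICMP type 3 / code 3 came back
    if reply is not None:
        return "open"            # the service answered the payload
    return "open|filtered"       # no answer: open-and-silent, or dropped by a firewall


def probe_udp(host: str, port: int, payload: bytes = b"probe",
              timeout: float = PROBE_TIMEOUT) -> str:
    """Send one UDP datagram and classify what happens within `timeout`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # connect() makes the kernel deliver an ICMP port-unreachable for this
        # destination as ECONNREFUSED on the next send()/recv() (Linux/BSD).
        sock.connect((host, port))
        sock.send(payload)
        reply = sock.recv(4096)
        return classify(reply, icmp_unreachable=False)
    except ConnectionRefusedError:
        return classify(None, icmp_unreachable=True)
    except socket.timeout:
        return classify(None, icmp_unreachable=False)
    finally:
        sock.close()


def start_listener(echo: bool):
    """Bind a constructed loopback UDP service on an ephemeral port.

    echo=True answers every datagram; echo=False reads and says nothing,
    like a real service that ignores junk payloads. Returns (port, stop_event).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((LOOPBACK, 0))
    srv.settimeout(0.1)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
            except socket.timeout:
                continue
            if echo:
                srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def unused_port() -> int:
    """Pick a loopback UDP port with nothing bound to it (tiny race, fine here)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind((LOOPBACK, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Probe an answering service, a silent service and a closed port."""
    results = {}
    port, stop = start_listener(echo=True)
    results["echo service"] = probe_udp(LOOPBACK, port)
    stop.set()
    port, stop = start_listener(echo=False)
    results["silent service"] = probe_udp(LOOPBACK, port)
    stop.set()
    results["nothing listening"] = probe_udp(LOOPBACK, unused_port())
    return results


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case:18s} -> {state}")
```

    The "silent service" case is the one that matters for the thread: from the scanner's side it is indistinguishable from a pfSense block rule dropping the packet, which is exactly why a silently firewalled WAN shows every UDP port as open|filtered rather than closed.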

  • LAYER 8 Global Moderator

    Yeah, as always you are correct. I discovered that the VPS I was trying to do the scans from has nmap locked down, and it does not function correctly as root.

    Seems you cannot scan UDP unless you're root? Because I tried scanning my box that I put a reject on for specific UDP 71 and never saw the traffic hit my firewall. Contacted the host of my VPS and yeah, they have nmap restricted, arrghhh.
