DHCPS not being blocked
I have been running some tests on my firewall and I noticed the following.
I have a 1 to 1 NAT that goes to an internal address.
For the firewall rule I have open 21,80,8080,443,1002,1503,1718-1720,3230-3285
When I run a network scan from outside the WAN to the public IP, I get the above ports open as I should, but it also comes back with port 67 being open.
I have checked the rest of the rules and I don't see anything where this port is listed.
Any ideas why this is open?
How is the public IP address on the pfsense WAN assigned?
hmmm, shouldn't dhcpd only be listening on the LAN interface, and not all interfaces?
dhcpd dhcpd 47021 8 dgram -> /var/dhcpd/var/run/log
dhcpd dhcpd 47021 12 udp4 *:67 :
dhcpd dhcpd 47021 20 udp4 *:59655 :
dhcpd dhcpd 47021 21 udp6 *:12375 :
And if it has to listen on all, shouldn't WAN block traffic to 67? As a DHCP client, all traffic would be going to 68 in answer to DHCP requests from the DHCP client on the WAN interface.
I just looked and according to the GUI, the DHCP server is only on the LAN interface. But if I do a check from outside, it does show as open:
Starting Nmap 5.21 ( http://nmap.org ) at 2012-09-19 11:22 PDT
Nmap scan report for snipped.homeip.net (24.13.xx.xx)
Host is up.
rDNS record for 24.13.xx.xx: c-24-13-xxx-xxx.hsd1.il.comcast.net
PORT STATE SERVICE
67/udp open|filtered dhcps
Very unlikely 67 is actually open (impossible if you don't have a rule permitting it). It's likely one of the two reasons that comprise every "some port is open that I didn't open!" post that's ever been on here:
- the host you're scanning from is showing that for some reason because it has something interfering with the port scanner.
- something in between the host you're scanning from and the target is answering on that for some reason.
hmmmm – that is odd, but I just did a scan from my VPS where I did it for port 67, and it shows 71 open???
Nmap scan report for snip.homeip.net (24.13.xx.xxx)
Host is up.
rDNS record for 24.13.xx.xx: c-24-13-xx-xx.hsd1.il.comcast.net
PORT STATE SERVICE
71/udp open|filtered netrjs-1
Which clearly is not listening according to sockstat -- so WTF???
So yeah, what you say makes sense. Clearly I don't have any rule allowing the access, but not all rules are shown in the GUI, are they?
All WAN rules are those you configure.
Were you seeing "open|filtered" originally? That means it's blocked, or it's open. No way to tell the difference with UDP. It knows a UDP port is closed if it responds back with an unreachable. An open UDP port, and a filtered UDP port (blocked silently) behave the same way - no response. Hence the "open|filtered". That's what you should see when silently blocking with a firewall.
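The three UDP outcomes described above, as an added example that is not part of this thread: a connected UDP socket on Linux surfaces the ICMP port unreachable as ECONNREFUSED, so a single datagram can tell "closed" apart from "open|filtered" without raw sockets; the two local listeners are constructed stand-ins for a replying service and for a silently dropped probe (assumes Linux loopback).

```python
import socket
import threading

# Classify a UDP port the way a scanner does:
#   "closed"        -> target answered with ICMP port unreachable
#   "open"          -> the service answered with a datagram
#   "open|filtered" -> nothing came back: a silent firewall drop and an open
#                      service that ignores our probe look identical here
def probe_udp_port(host, port, payload=b"\x00", timeout=1.0):
    """Send one datagram on a *connected* UDP socket (so the kernel reports
    ICMP unreachable as ECONNREFUSED on Linux) and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        s.send(payload)
        try:
            s.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"

def start_echo_responder():
    """Constructed stand-in for a UDP service that answers probes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    def serve():
        data, peer = srv.recvfrom(1024)
        srv.sendto(data, peer)
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def start_silent_listener():
    """Constructed stand-in for a bound port that never replies; from outside
    this is indistinguishable from a firewall silently dropping the probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv  # caller keeps the socket so the port stays bound

def scan_demo():
    """Probe one port of each kind on loopback and return the verdicts."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more -> ICMP unreachable
    silent = start_silent_listener()
    return {
        "echo": probe_udp_port("127.0.0.1", start_echo_responder()),
        "silent": probe_udp_port("127.0.0.1", silent.getsockname()[1]),
        "closed": probe_udp_port("127.0.0.1", closed_port),
    }
```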
Yeah, as always you are correct. I discovered that the VPS I was trying to do the scans from has nmap locked down, and it does not function correctly as root.
It seems you can not scan UDP unless you're root? Because I tried scanning my box that I put a reject on for the specific UDP port 71 and never saw the traffic hit my firewall. I contacted the host of my VPS and yeah, they have nmap restricted – arrghhh.