Netgate Discussion Forum
Which pf rule is triggered by nmap?

dhatz

I've just tried a nmap scan of pfSense's WAN IP (aaa.bbb.1.201) from a LAN IP (192.168.100.66):

      nmap -p 1-1024 aaa.bbb.1.201

      Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2013-04-16 20:34 EEST
      Interesting ports on <pfsense-wan-fqdn>(aaa.bbb.1.201):
      Not shown: 1022 filtered ports
      PORT   STATE SERVICE
      22/tcp open  ssh
      53/tcp open  domain

      Nmap finished: 1 IP address (1 host up) scanned in 14.988 seconds

However, I've noticed the following single entry in pflog, blocking traffic to port 80:
      tcpdump -n -tttt -e -i pflog0
      2013-04-16 20:34:04.296704 rule 3/0(match): block in on em1: 192.168.100.66.46984 > aaa.bbb.1.201.80:  tcp 20 [bad hdr length 0 - too short, < 20]

      Note that this is the only pflog entry.
Which pf "drop log" rule is triggered in this case?

jimp (Rebel Alliance Developer, Netgate)

You can see the rule numbers by looking at "pfctl -vvsr".

dhatz

          I looked it up and it seemed to be the default "drop" rule, but I don't understand why it only gets triggered for port 80, out of all the ports 1-1024 …

jimp (Rebel Alliance Developer, Netgate)

            Impossible to say without seeing your full ruleset. It wouldn't log unless it didn't match any other rule.

dhatz

I could upload my /tmp/rules.debug or my pfctl -sa output if necessary, but there don't seem to be any references to port 80 in them (other than a port-fwd from a specific src IP, which differs from the one doing the nmap anyway).

              Could someone else please try this simple nmap scan e.g.

nmap -p22,53,80 <your_pfsense_wan_ip> from a LAN IP, and let me know if you see any blocked traffic for port 80 in Status -> System logs -> Firewall …

Edit: I just looked at the nmap man page and it seems that it may be due to an idiosyncrasy of nmap, treating port 80 differently by default (sending a TCP ACK packet). If I use nmap -sA -p22,53,80 <your_pfsense_wan_ip> I get the same behavior on all tested ports.

mr_bobo
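An added example, not code from this thread: a small parser for the "tcpdump -n -tttt -e -i pflog0" line format shown above, so that hits on a given rule number (the one you look up with pfctl -vvsr) can be pulled out and counted per interface. It assumes the old-style tcpdump pflog layout quoted in the thread; the sample lines other than the quoted port-80 entry are constructed.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n -tttt -e -i pflog0" output. The first line is the
# blocked port-80 entry quoted in the thread; the other two are made up for illustration.
SAMPLE_PFLOG = """\
2013-04-16 20:34:04.296704 rule 3/0(match): block in on em1: 192.168.100.66.46984 > aaa.bbb.1.201.80:  tcp 20 [bad hdr length 0 - too short, < 20]
2013-04-16 20:34:04.301210 rule 57/0(match): pass in on em1: 192.168.100.66.46985 > aaa.bbb.1.201.22: S 1:1(0) win 1024
2013-04-16 20:34:05.118773 rule 3/0(match): block in on em0: 203.0.113.9.40001 > aaa.bbb.1.201.23: S 7:7(0) win 65535
"""

# timestamp, "rule N/M(reason):", action, direction, interface, src.port > dst.port: rest
PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+):\s*(?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Return a dict of the fields in one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    # tcpdump appends "[bad hdr length ...]" when the captured TCP header is truncated
    rec["malformed"] = "bad hdr length" in rec["rest"]
    return rec

def rule_hits(text, rule_no, action="block"):
    """Entries logged by the given pf rule number (e.g. the default-deny rule)."""
    return [r for r in map(parse_pflog_line, text.splitlines())
            if r and r["rule"] == rule_no and r["action"] == action]

def blocks_by_interface(text):
    """Count blocked entries per interface, to separate LAN-side hits from WAN noise."""
    return Counter(r["iface"] for r in map(parse_pflog_line, text.splitlines())
                   if r and r["action"] == "block")

if __name__ == "__main__":
    for rec in rule_hits(SAMPLE_PFLOG, 3):
        flag = "malformed" if rec["malformed"] else ""
        print(rec["iface"], rec["src"], "->", rec["dst"], rec["dport"], flag)
    print(dict(blocks_by_interface(SAMPLE_PFLOG)))
```

Run against a real capture, rule_hits(text, N) with N taken from pfctl -vvsr isolates what the default-deny rule is catching; an ACK with no matching state, as in the port-80 probe above, is exactly the kind of packet that falls through the stateful pass rules to it.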

                @dhatz:

                Could someone else please try this simple nmap scan e.g.

nmap -p22,53,80 <your_pfsense_wan_ip> from a LAN IP, and let me know if you see any blocked traffic for port 80 in Status -> System logs -> Firewall …

                nmap -p22,53,80 
                
                Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-17 00:19 CDT
                sendto in send_ip_packet_sd: sendto(8, packet, 40, 0, xxx.xxx.xxx.xxx:, 16) => Operation not permitted
                Offending packet: TCP 192.168.10.101:53467 > xxx.xxx.xxx.xxx:80 A ttl=48 id=57407 iplen=10240  seq=0 win=1024 
                Nmap scan report for ...
                Host is up (0.00042s latency).
                PORT   STATE    SERVICE
                22/tcp filtered ssh
                53/tcp open     domain
                80/tcp filtered http

                I didn't see anything in my firewall logs that indicated I had even scanned my box from the LAN. Plenty of noise from the WAN side to show it's working, but nothing from the LAN whatsoever.

                Why are you using an old version of nmap, if you don't mind me asking?

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.