Can't block TCP 21 on Captive Portal interface

  • I'm sure it's something simple I've missed, but whatever rules I put in place on a captive portal guest interface, TCP port 21 remains open (regardless of whether the guest client is authenticated or not). It's not useful for anything - clients can't actually FTP into the device, but it's bugging me (and our penetration test experts).

    Here are the rules, though actually even if I add a rule at the top to block TCP/UDP 21 to the guest interface address, it's still seen as open.


  • LAYER 8 Global Moderator

    "It's not useful for anything - clients can't actually FTP into the device"

    Um if you're not listening on 21, how would it show open??  Sounds more like you have a problem with your test..  UDP is not used for ftp, and udp testing if open is not all that simple..  There is no rule there that allows 21 that I see, and you're not listening on 21 it sounds like..  So this points to a flaw in your testing software to me.  Why don't you just sniff on the interface and see if an answer is sent back..

    Do you have any rules in floating - those are used before any other rules.

    So are you testing via an AP in bridge mode?  You sure that is not listening on 21 and that is what is answering back?  How exactly are you testing this and how are you connected to the network?  You say it happens without authentication?  So take it your wireless is open - is your wireless actually pfsense or APs?

  • For test purposes I've a client attached directly to the guest interface - no wifi is involved at all (and no other clients).

    It's TCP 21 that shows as open, not UDP 21.

    There are no floating rules (and anti-lockout rule generation is disabled).

    I've removed the pass rules for NTP, DHCP, and 8001 (the last two appear to be overridden anyway, probably because there's DHCP and Captive Portal services on that interface).

    I'll need to dig deeper.

  • LAYER 8 Global Moderator

    "For test purposes I've a client attached directly to the guest interface"

    So you're scanning the pfsense guest interface ip?

    do a simple netstat on pfsense - do you show it listening on 21??  I am not running the captive portal, guess I could turn it on for testing.  But I can tell you for sure that a default install of pfsense does not listen on 21..  So you have something forwarding 21 to somewhere else?

    This is looking for listening ports with netstat -an, lsof -i

    Nothing listens on 21, even scanning my lan port with an any any rule shows exactly the ports I am listening on for tcp: 80 (pfsense gui), 22 and 53

    Starting Nmap 6.40 ( ) at 2014-08-18 07:12 Central Daylight Time
    Nmap scan report for pfsense.local.lan (
    Host is up (0.00096s latency).
    Not shown: 997 filtered ports
    22/tcp open  ssh
    53/tcp open  domain
    80/tcp open  http
    MAC Address: 00:0C:29:1E:18:AE (VMware)
    Nmap done: 1 IP address (1 host up) scanned in 5.32 seconds
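    One way to run the cross-check the moderator describes above (compare what the scanner reports as open against what the box is actually listening on, then confirm the odd one out with a direct probe that distinguishes a SYN-ACK from a RST or silence). This is an added example, not code from the original thread or from pfSense: the nmap and netstat lines are constructed samples in the same formats as the output shown here, the address 192.0.2.1 is a placeholder, and the function names are the example's own.

```python
import re
import socket

# Constructed sample of nmap "normal" output, shaped like the scan in the thread
# but with a 21/tcp line added to reproduce the reported discrepancy.
NMAP_SAMPLE = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-08-18 07:12 Central Daylight Time
Nmap scan report for pfsense.local.lan (192.0.2.1)
Host is up (0.00096s latency).
Not shown: 996 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
MAC Address: 00:0C:29:1E:18:AE (VMware)
Nmap done: 1 IP address (1 host up) scanned in 5.32 seconds
"""

# Constructed sample of FreeBSD-style `netstat -an` output (pfSense is FreeBSD based).
# Local addresses use a dot before the port; Linux netstat uses a colon, handled below.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 192.0.2.1.22           192.0.2.50.51234       ESTABLISHED
udp4       0      0 *.53                   *.*
"""

_NMAP_OPEN = re.compile(r"^(\d+)/tcp\s+open\b", re.MULTILINE)
_NETSTAT_LISTEN = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\b", re.MULTILINE)


def open_tcp_ports(nmap_text):
    """TCP ports the scanner claims are open, from nmap normal output."""
    return {int(p) for p in _NMAP_OPEN.findall(nmap_text)}


def listening_tcp_ports(netstat_text):
    """TCP ports the host itself has sockets in LISTEN state on."""
    ports = set()
    for local in _NETSTAT_LISTEN.findall(netstat_text):
        # Port is the last component after the final '.' (FreeBSD) or ':' (Linux).
        ports.add(int(re.split(r"[.:]", local)[-1]))
    return ports


def unexplained_open_ports(nmap_text, netstat_text):
    """Ports reported open by the scanner that nothing on the host listens on.
    A non-empty result means either the scanner is wrong or something in the
    path (a forward/redirect rule, another device) is answering on the host's behalf."""
    return open_tcp_ports(nmap_text) - listening_tcp_ports(netstat_text)


def probe_port(host, port, timeout=1.0):
    """Classify a port the way a connect scan does: 'open' if the handshake
    completes (SYN-ACK came back), 'closed' if the peer sent a RST,
    'filtered' if nothing answered before the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def start_local_listener():
    """Open a throwaway listening socket on loopback so the probe can be exercised
    offline; returns (socket, port). Close the socket to turn the port 'closed'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print("scanner says open:", sorted(open_tcp_ports(NMAP_SAMPLE)))
    print("host is listening on:", sorted(listening_tcp_ports(NETSTAT_SAMPLE)))
    print("open but not listening (investigate):",
          sorted(unexplained_open_ports(NMAP_SAMPLE, NETSTAT_SAMPLE)))
    srv, port = start_local_listener()
    print(f"loopback {port} while listening:", probe_port("127.0.0.1", port))
    srv.close()
    print(f"loopback {port} after close:", probe_port("127.0.0.1", port))
```

    On real output, feed the text of `nmap -sT` (or `-sS`) and `netstat -an` from the firewall itself into the two parsers; a port in the "open but not listening" set is exactly the case in this thread, and running `probe_port` from the guest client while capturing on the interface shows whether a SYN-ACK is really coming back and from which MAC address.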
