Netgate Discussion Forum
    Can't block TCP 21 on Captive Portal interface

Firewalling
    4 Posts 2 Posters 841 Views

sheepthief

I'm sure it's something simple I've missed, but whatever rules I put in place on a captive portal guest interface, TCP port 21 remains open (regardless of whether the guest client is authenticated or not). It's not useful for anything - clients can't actually FTP into the device, but it's bugging me (and our penetration test experts).

Here are the rules, though actually even if I add a rule at the top to block TCP/UDP 21 to the guest interface address, it's still seen as open.

      "https://www.flickr.com/photos/gingercoo/14737759298/"


johnpoz (LAYER 8 Global Moderator)


        "It's not useful for anything - clients can't actually FTP into the device"

Um, if you're not listening on 21, how would it show open? Sounds more like you have a problem with your test. UDP is not used for FTP, and testing whether UDP is open is not all that simple. There is no rule there that allows 21 that I see, and you're not listening on 21, it sounds like. So this points to a flaw in your testing software to me. Why don't you just sniff on the interface and see if an answer is sent back?

Do you have any rules in floating? Those are used before any other rules.

So are you testing via an AP in bridge mode? You sure that is not listening on 21 and that is what is answering back? How exactly are you testing this, and how are you connected to the network? You say it happens without authentication? So I take it your wireless is open. Is your wireless actually pfsense or APs?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11


sheepthief


          For test purposes I've a client attached directly to the guest interface - no wifi is involved at all (and no other clients).

          It's TCP 21 that shows as open, not UDP 21.

          There are no floating rules (and anti-lockout rule generation is disabled).

          I've removed the pass rules for NTP, DHCP, and 8001 (the last two appear to be overridden anyway, probably because there's DHCP and Captive Portal services on that interface).

          I'll need to dig deeper.


johnpoz (LAYER 8 Global Moderator)


            "For test purposes I've a client attached directly to the guest interface"

So you're scanning the pfsense guest interface IP?

Do a simple netstat on pfsense - do you show it listening on 21? I am not running the captive portal; guess I could turn it on for testing. But I can tell you for sure that a default install of pfsense does not listen on 21. So you have something forwarding 21 to somewhere else?

This is looking for listening ports with netstat -an, lsof -i

Nothing listens on 21. Even scanning my LAN port with an any-any rule shows exactly the ports I am listening on for TCP: 80 (pfsense gui), 22 and 53

            Starting Nmap 6.40 ( http://nmap.org ) at 2014-08-18 07:12 Central Daylight Time

            Nmap scan report for pfsense.local.lan (192.168.1.253)
            Host is up (0.00096s latency).
            Not shown: 997 filtered ports

            PORT  STATE SERVICE
            22/tcp open  ssh
            53/tcp open  domain
            80/tcp open  http

            MAC Address: 00:0C:29:1E:18:AE (VMware)
            Nmap done: 1 IP address (1 host up) scanned in 5.32 seconds

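The cross-check johnpoz describes above (compare what the scanner reports open with what netstat shows actually listening on the firewall, then confirm from the client side whether anything answers at all), written out as an added example. This is not code from the thread or from pfSense: the netstat and nmap text below are constructed samples in the formats FreeBSD netstat and nmap print, and the function names are the example's own. Anything the scanner calls open that no local socket explains is either a scanner false positive or something in the path answering on the firewall's behalf, which is exactly what the thread is trying to separate.

```python
import errno
import re
import socket

# Constructed sample of `netstat -an` as FreeBSD/pfSense prints it: TCP 22, 53 and 80
# listen, nothing listens on 21 (made-up data for this example, not from the thread).
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.253.22       192.168.1.10.51234     ESTABLISHED
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.80                   *.*                    LISTEN
udp4       0      0 *.53                   *.*
"""

# Constructed scanner report in nmap's normal output format, claiming 21/tcp is open.
NMAP_SAMPLE = """\
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
53/tcp open  domain
80/tcp open  http
"""


def tcp_listeners(netstat_text):
    """TCP ports in LISTEN state from `netstat -an` (FreeBSD separates address and port with '.')."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(".", 1)[1]))
    return ports


def nmap_open_ports(nmap_text):
    """TCP ports a scanner report marks open."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", nmap_text, re.M)}


def unexplained_open_ports(nmap_text, netstat_text):
    """Ports the scanner calls open that no socket on the firewall is listening on."""
    return nmap_open_ports(nmap_text) - tcp_listeners(netstat_text)


def probe(host, port, timeout=2.0):
    """Independent client-side check of one port, without trusting the scanner:
    SYN/ACK -> 'open', RST -> 'closed', nothing back (pf's default block) -> 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        s.close()


def local_listener():
    """Throwaway listener on 127.0.0.1 (ephemeral port) so probe() can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port():
    """A loopback port nothing listens on, so probe() should report 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("scanner says open but nothing listens:",
          sorted(unexplained_open_ports(NMAP_SAMPLE, NETSTAT_SAMPLE)))
    srv, port = local_listener()
    print("listening port %d probes as %s" % (port, probe("127.0.0.1", port)))
    srv.close()
    print("unused port probes as", probe("127.0.0.1", free_port()))
```

On a real box, feed `tcp_listeners()` the saved output of `netstat -an` from the pfSense shell and `nmap_open_ports()` the scanner's report; if 21 lands in the unexplained set, run `probe()` from the guest client against the interface address while a capture runs on that interface, so the answer (SYN/ACK, RST, or silence) is seen on the wire rather than inferred from the scanner.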
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.