Ports 80 & 443 Open!



  • I did a port scan from: GRC Shields Up!, scanning: "COMMON PORTS"

    I am showing ports 80 & 443 open

    Is there any specific settings or services in PFsense I need to disable?

    Do I have to make custom firewall rules to block WAN traffic to ports 80 & 443 on my LAN & DMZ for these open ports to be closed?

    I am running SNORT, PFblocker, & Service Watchdog packages.

    Every time you use the Shields Up scan with SNORT running, you must clear the blocked GRC IP address in the SNORT logs after every scan. (in case anyone would like to duplicate the test).

    Thanks.


  • LAYER 8 Netgate

    What are your firewall rules on WAN?



  • @Derelict:

    What are your firewall rules on WAN?

    Third and fourth rules are an attempt to close 80 & 443 with a rule set. These did not work.


  • LAYER 8 Netgate

    See that last rule?  You're allowing traffic into your WAN from the internet for any traffic not explicitly blocked by the rules above.

    Those port 80/443 rules at the top block traffic only from WAN address to LAN address, which is pretty much impossible to be received on the WAN interface.

    I would change those to source any dest WAN address if you want an explicit block rule for them (unnecessary) and I would absolutely, positively disable that last rule unless you know exactly why you need it.



  • Well…  At least it wasn't rule number one (-;


  • LAYER 8 Global Moderator

    Why would you create such a rule?  There would not be a reason to create such a rule??  What were you trying to accomplish with an any/any on your WAN?



  • I think he's also a bit confused on how WAN address and LAN address works. I assume he has the explicit blocks added because he thought they'd block port 80/443 for WAN to LAN.

    WAN IP is the NIC IP address the WAN interface has, and LAN IP is the NIC IP that the LAN interface has, not the IPs of other devices on your LAN. As it stands, the only thing blocked is the WAN NIC from talking to the LAN NIC, but not the devices on either end.

    If you're attempting to block 80/443 to your firewall from the Internet, do Source * and Dest WAN-IP. If you just want to block 80/443 from coming in to any IP, then just place a block on source and dest of * on your WAN interface.

    Firewall rules only apply to new states, states are created at the time they are first seen, and states are first seen by the interface they first arrive on.
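    As an added illustration (not code from the thread or from pfSense), a small first-match rule evaluator that shows why a "WAN address -> LAN address" block never matches Internet traffic, while "source any -> WAN address" does, and why the trailing pass any/any lets the scanner through. The interface IPs, the scanner IP and the rule order are constructed assumptions; the poster's rules 1 and 2 are unknown and omitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the firewall's own interfaces (assumed, not from
# the thread). In pfSense, "WAN address" / "LAN address" are exactly these
# single IPs, not the networks behind them.
ALIASES = {
    "WAN address": "203.0.113.10/32",
    "LAN address": "192.168.1.1/32",
    "LAN net": "192.168.1.0/24",
}

@dataclass
class Rule:
    action: str            # "block" or "pass"
    proto: str             # "tcp" or "any"
    src: str               # "any", an alias name above, or an IP/CIDR
    dst: str
    dport: Optional[int]   # None = any destination port
    descr: str = ""

def _matches(token: str, ip: str) -> bool:
    if token == "any":
        return True
    net = ipaddress.ip_network(ALIASES.get(token, token), strict=False)
    return ipaddress.ip_address(ip) in net

def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation, as on a pfSense interface tab; no match = default deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action, r.descr
    return "block", "default deny (no rule matched)"

# Ruleset as the thread describes it (order reconstructed; rules 1-2 omitted).
AS_POSTED = [
    Rule("block", "tcp", "WAN address", "LAN address", 80, "attempted 80 block"),
    Rule("block", "tcp", "WAN address", "LAN address", 443, "attempted 443 block"),
    Rule("pass", "any", "any", "any", None, "pass any/any (the last rule)"),
]
# Corrected per the replies: source any, destination WAN address, no trailing pass.
CORRECTED = [
    Rule("block", "tcp", "any", "WAN address", 80, "block 80 to WAN IP"),
    Rule("block", "tcp", "any", "WAN address", 443, "block 443 to WAN IP"),
]
```

Running `evaluate(AS_POSTED, "tcp", "198.51.100.5", "203.0.113.10", 443)` (a constructed scanner IP probing the WAN IP) falls through to the pass any/any, which is what Shields Up reports as open; the same probe against `CORRECTED` hits the explicit block.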



  • You never, ever want a pass rule like that on WAN where WAN is an Internet connection, delete it.

