Nmap scan on WAN reveals captive portal



  • My captive portal is running on OPT1, which has a wireless router plugged into it.  The interface is not bridged with any other interface.  When I perform an nmap scan of my WAN, port 8000 shows up.  Is this right?

    Running a full HD ver. RELENG_1_SNAPSHOT_03-19-2006 built on Sat Mar 18 01:47:08 UTC 2006



  • It should not be happening.

    PF rules take priority over ipfw which the captive portal uses.

    I would double check your wan rules.



  • Starting Nmap 4.01 ( http://www.insecure.org/nmap ) at 2006-03-23 22:43 Pacific Standard Time
    Warning:  OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Insufficient responses for TCP sequencing (0), OS detection may be less accurate

    Insufficient responses for TCP sequencing (0), OS detection may be less accurate

    Interesting ports on noip.or.comcast.net (67.171.1X.X):
    (The 1663 ports scanned but not shown below are in state: filtered)
    PORT    STATE SERVICE
    21/tcp  open  ftp
    53/tcp  open  domain
    80/tcp  open  http
    81/tcp  open  hosts2-ns
    443/tcp  open  https
    444/tcp  open  snpp
    1723/tcp open  pptp
    3000/tcp open  ppp
    8000/tcp open  http-alt
    Device type: general purpose
    Running (JUST GUESSING) : OpenBSD 3.X (93%), FreeBSD 5.X|4.x (92%), Linux 2.6.X (87%), Microsoft Windows NT/2K/XP|2003/.NET (86%), IBM AIX 4.X (85%)
    Aggressive OS guesses: OpenBSD 3.6 (93%), OpenBSD 3.7 (93%), FreeBSD 5.3 (92%), DragonFly 1.1-Stable (FreeBSD-4 fork) (87%), Linux 2.6.10 (87%), Linux 2.6.7 (87%), OpenBSD 3.3 x86 with pf "scrub in all" (87%), OpenBSD 3.5 or 3.6 (87%), FreeBSD 5.2 - 5.4 (86%), FreeBSD 5.4 (86%)
    No exact OS matches for host (test conditions non-ideal).

    Nmap finished: 1 IP address (1 host up) scanned in 29.142 seconds

    I have ports 21, 80, 81, 443, and 444 forwarded on the WAN.  Interesting that the others show up.
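
The comparison made in the post above (ports the scan reports open versus ports intentionally forwarded on WAN) can be automated. This is an added example, not part of the original thread; the sample table is re-typed from the posted scan, and the function names `parse_ports` and `audit` are hypothetical.

```python
import re

# Constructed sample: the port table from the WAN scan posted above.
SAMPLE_SCAN = """\
PORT    STATE SERVICE
21/tcp  open  ftp
53/tcp  open  domain
80/tcp  open  http
81/tcp  open  hosts2-ns
443/tcp  open  https
444/tcp  open  snpp
1723/tcp open  pptp
3000/tcp open  ppp
8000/tcp open  http-alt
Device type: general purpose
"""

# Ports the poster says are deliberately forwarded on WAN.
EXPECTED_FORWARDS = {21, 80, 81, 443, 444}

# One row of nmap's normal-output port table: "8000/tcp open  http-alt"
PORT_LINE = re.compile(r"^\s*(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(nmap_text):
    """Return {(port, proto): (state, service)} from nmap normal output."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service = m.groups()
            found[(int(port), proto)] = (state, service)
    return found

def audit(nmap_text, expected_tcp):
    """Return (unexpected, missing): open TCP ports not in the expected
    set as (port, service) pairs, and expected ports not seen open."""
    ports = parse_ports(nmap_text)
    # Only an exact "open" counts; "filtered" and "open|filtered" do not.
    open_tcp = {port: svc for (port, proto), (state, svc) in ports.items()
                if proto == "tcp" and state == "open"}
    unexpected = sorted((p, s) for p, s in open_tcp.items()
                        if p not in expected_tcp)
    missing = sorted(expected_tcp - set(open_tcp))
    return unexpected, missing

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SCAN, EXPECTED_FORWARDS)
    for port, service in unexpected:
        print(f"unexpected open port on WAN: {port}/tcp ({service})")
    for port in missing:
        print(f"expected forward not reachable: {port}/tcp")
```
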



  • Well it appears that either your filter is not loaded at all or you have a pass any rule on wan.





  • Never heard of a source of 12.18:

    Is this something new that I should be aware of?



  • I photoshopped half that IP address out.  12.18.X.X



  • Run a pfctl -f /tmp/rules.debug and see if you get an error.



  • pfctl -f /tmp/rules.debug

    returns no errors.



  • Just nmapped our captive portal here… And it's not doing this.

    nmap -P0 10.0.0.80

    Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2006-03-24 12:49 EST
    All 1668 scanned ports on 10.0.0.80 are: filtered
    MAC Address: 00:00:24:C1:F7:71 (Connect AS)

    Nmap finished: 1 IP address (1 host up) scanned in 36.169 seconds

