What ports are open?



  • Integrated services like VPN and so on doesnt show on port forwarding "page" how can I know when or not the port is open or not?

    Thanks


  • LAYER 8 Global Moderator

    huh?  If your running vpn services it would put a firewall rule in your wan interface.  This opens the port from the internet to pfsense.  If the vpn service is running then the port would be open.


  • Banned

    For openVPN- yes, but for IPsec… I guess the answer is: NO, no firewall rule.


  • LAYER 8 Global Moderator

    Well it might not create the firewall rule for you.  But if there is no firewall rule, then it wouldn't work because of the default block all.  Are you saying there is hidden ipsec rule that allow the traffic?

    From the doc
    https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

    Firewall Rules

    Don't forget to add firewall rules to pass traffic from clients

    Firewall > Rules, IPsec tab
        Add rules that match the traffic that should be allowed, or add a rule to pass any protocol/any source/any destination to allow everything.

    He didn't say what vpn service he was running.


  • Banned

    These rules are on the IPsec tab of the firewall rule section, but no rules on the WAN section AFAIK. I have two old IPsec, not in use currently, but no rules on the WAN interface for those.I read something about "hidden" rules, IIRC…

    Maybe that's the openers concern: Hidden rules...?


  • LAYER 8 Global Moderator

    Guess I could enable it and take a look at the rules.debug or pfctl, I kind of wish there was a way to show all rules in the gui, for example the dhcp rules are ones that I know are hidden and enabled when you turn on dhcp server.


  • Banned

    .


  • Banned

    Question was: How to find out which ports are open…

    Any suggestions?


  • Banned

    
    pfctl -sa
    
    

  • Banned

    Wow, extremely handy! Any idea why GUIs were invented?


  • Banned

    Dude, if you want GUI, then kindly Google for one of the loads of port scanners and let them do their job. Have a nice day. If you do not want the want the auto-added VPN rules, there you have the GUI   ::) checkbox to disable them.


  • Banned

    Sir, I'm definitely not your dude, I would know that.

    I'm not the thread opener. He asked for: HOW can I find out which ports my pfSense opens. Why should I use a port scanner, if the fcking firewall is supposed to tell me, what it is doing with my security? And it has the fcking obligation to show it to me in the GUI.

    Have a nice evening.


  • Banned

    Lick my swamp with your attitude.



  • The answer is unless you have opened a port and see it listed with a pass rule on the WAN, the port is closed.

    The exception would be if you are running uPNP.  If so, check its status to see what ports its opened.

    (I'd stay out of the swamps)



  • Lick my swamp with your attitude.

    The irony is thick….



  • Dumb idea time…

    Wouldn't it be nice to see any open WAN port that wasn't part of the rules added by user listed at the bottom of the WAN firewall tab?

    Like you open the WAN firewall tab and all is as it is now except at the bottom a list of other opened ports and what opened them, like uPNP, would also be shown.


  • LAYER 8 Global Moderator

    "And it has the f*cking obligation to show it to me in the GUI."

    Says WHO??  I am quite sure if you want to supply the patches to do that they can be added to the code base, or people can install them..  But I don't see how the pfsense developers have any sort of obligation on they show the every single rule in the gui.  If you don't like what they are doing, then just don't use pfsense - or come up with the way to do it how you want to do it and submit the code.

    I can tell you one thing for sure showing all the rules would only confuse some users.  And they would prob remove stuff like dhcp rules and then wonder why their wan cant get an address or why their clients don't get an IP, etc.

    Look at how many threads get started because user fires up a opt interface and never bothers to setup any firewall rules or even look to see what rules if any are on the interface.

    The OP has been given method to look at the full rules, he either look at rules.debug or pfctl https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset

    While I also think it would be nice, maybe an advanced option to see all rules in the gui, it sure is not an obligation for the developers to do so.  If your interested or concerned then its very simple to use pfctl or take a look at rules.debug.

    edit:  UPnP as metioned is another hidden thing to be honest, those are not shown in the standard interface tabs on the firewall or forwards.  You need to take a look at UPnP tab to see what might be opened, etc.



  • Ok

    Thanks for the answers



  • @2chemlud:

    HOW can I find out which ports my pfSense opens. Why should I use a port scanner, if the fcking firewall is supposed to tell me, what it is doing with my security? And it has the fcking obligation to show it to me in the GUI.

    As any router device, after initial install, by law (no, don't look for it) nothing can come in. To make things even more tight, NAT is active (read: no rules) so nothing gets send no-where into the LAN.

    Said differently: a device like pfSense is 100 secure. Things start become suspected, even dangerous, when its being operated without knowledge.
    Actually, cars and pfSense aren't any different.


Log in to reply