Open Ports, new installation
-
I'm just working through a new installation and trying to configure this. My pfSense 2440 router running 2.2.2 is sitting behind a Verizon FiOS Actiontec router (connected via coax, so I can't reconfigure this). When I set the Actiontec to put the pfSense router in a DMZ, a Shields Up port scan shows half the ports are OPEN. I thought it might be showing the Actiontec ports, but when I remove the DMZ setting, the port scan goes back to stealth; but then I have to individually forward ports on the Actiontec and also allow them on the pfSense, which makes administration challenging.
My WAN firewall rules allow three ports in but otherwise block all traffic. I have UPnP enabled, but disabling it doesn't do anything. I have a floating rule configured by pfBlocker, but disabling those doesn't change this result either.
I'm sure I'm just missing something simple in the configuration. Any ideas what I can do to troubleshoot this?
Thanks.
-
Hi,
You might be seeing a false positive.
By default, you have NO WAN rules on pfSense, except for one: the hidden "block and drop all".
My pfSense box is directly connected to the Internet, so my WAN IP is an Internet IP. https://www.grc.com/x/ne.dll?rh1dkyd2 says I'm 100 % stealth.
In your case, "Shields Up" hits your cable router, which translates (== DMZ) everything to the declared DMZ zone. Your cable router does accept the connection... and "Shields Up" sees this as an 'open port', but after your cable router the connection hits the wall.
And, I agree, a router-after-router setup isn't a good idea. It works, but you have to admin (NAT) everything twice.
It would be far better to have a "cable modem", so pfSense 'sees' the real Internet IP.
-
Dude, really, you think pfSense is listening on HALF the ports it scans.. Come on....
Why don't you show us this report.. and your pfSense rules.. By default, out of the box, all ports are blocked inbound on the WAN.. For a port to show open, something has to be listening.. So do you really think you have half the scanned ports listening? Or is it more likely your Actiontec is forwarding them, and that is why they are being shown open..
-
Thanks for the responses. I guess this could simply represent the Actiontec having ports open to the DMZ, but wouldn't that show all ports are open, like 993 (IMAP) or 995 (POP3)? Is the DMZ limited in the ports passed?
If it is simply a reflection of the Actiontec responding with open ports, that seems safe enough. How might I inspect the ports from a computer on the Actiontec LAN outside the pfSense to confirm this?
See the attached screenshots.
Thanks.
-
Do you understand that block rule is pointless? There is a default block rule.. Same goes for those source Asia pfbng rules – your default block stops those. The only reason you would want something like that is if you were forwarding traffic or had ports open and you didn't want those source IPs to get to your forwards or opens. But you've got nothing open or forwarded, so what is the point of blocking anything specific when everything is already blocked?
So here is the thing.. Take a look on pfSense.. Is it listening on those ports? Simple: sockstat -4l
Example
[2.2.2-RELEASE][root@pfSense.local.lan]/root: sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS        FOREIGN ADDRESS
root     php-fpm    87900 11 udp4   *:*                  *:*
root     syslogd    67136 14 udp4   *:514                *:*
root     ntpd       3034  21 udp4   *:123                *:*
root     ntpd       3034  23 udp4   192.168.9.253:123    *:*
root     ntpd       3034  26 udp4   192.168.2.253:123    *:*
root     ntpd       3034  29 udp4   192.168.3.253:123    *:*
root     ntpd       3034  31 udp4   127.0.0.1:123        *:*
ladvd    ladvd      45378 16 udp4   *:*                  *:*
root     ladvd      45288 11 udp4   *:*                  *:*
root     openvpn    33293 12 tcp4   24.13.xx.xx:443      *:*
root     lighttpd_p 92537 11 tcp4   127.0.0.1:8081       *:*
root     lighttpd_p 92537 12 tcp4   127.0.0.1:8443       *:*
root     miniupnpd  62844 12 tcp4   *:2189               *:*
root     miniupnpd  62844 13 udp4   *:1900               *:*
root     miniupnpd  62844 15 udp4   192.168.5.253:25884  *:*
root     miniupnpd  62844 18 udp4   192.168.5.253:5351   *:*
dhcpd    dhcpd      42543 17 udp4   *:67                 *:*
dhcpd    dhcpd      42543 20 udp4   *:41805              *:*
unbound  unbound    35265 10 udp4   192.168.9.253:53     *:*
unbound  unbound    35265 11 tcp4   192.168.9.253:53     *:*
unbound  unbound    35265 14 udp4   192.168.2.253:53     *:*
unbound  unbound    35265 15 tcp4   192.168.2.253:53     *:*
unbound  unbound    35265 18 udp4   192.168.3.253:53     *:*
unbound  unbound    35265 19 tcp4   192.168.3.253:53     *:*
unbound  unbound    35265 22 udp4   192.168.5.253:53     *:*
unbound  unbound    35265 23 tcp4   192.168.5.253:53     *:*
unbound  unbound    35265 24 udp4   127.0.0.1:53         *:*
unbound  unbound    35265 25 tcp4   127.0.0.1:53         *:*
unbound  unbound    35265 28 tcp4   127.0.0.1:953        *:*
root     lighttpd   32909 10 tcp4   *:80                 *:*
root     inetd      24327 11 udp4   127.0.0.1:6969       *:*
root     inetd      24327 12 tcp4   127.0.0.1:19000      *:*
root     openvpn    20588 12 udp4   24.13.xx.xx:1194     *:*
root     sshd       13719 5  tcp4   *:22                 *:*
root     php-fpm    239   11 udp4   *:*                  *:*
So those are the ports and IPs pfSense is listening on.. The ones with * or your public IP would be the only ones of concern without a specific port forward to forward to it.
Clearly you're not forwarding it to anything, clearly you have a firewall rule blocking it.. And after you run sockstat or netstat you can see for yourself nothing is listening on it, etc.. So how could they be open?? Why don't you sniff and see if the traffic even gets to pfSense.. If you were logging, you would see the traffic, if it even hits pfSense, get blocked..
Just ran mine:
GRC Port Authority Report created on UTC: 2015-06-06 at 18:05:42
Results from scan of ports: 0-1055
   1 Ports Open
   0 Ports Closed
1055 Ports Stealth
--------------------
1056 Ports Tested
NO PORTS were found to be CLOSED.
The port found to be OPEN was: 443
Other than what is listed above, all ports are STEALTH.
See the 443 I have listening.. That is the only thing that shows open.. because something is actually listening on it.. and it's allowed in the firewall rules... Notice the 80 that I forward has a source limit on there that only allows my VPS IPs.. So his scan shows it as closed, or his nonsense term "stealth" ;)

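The check above (read the sockstat listing, then worry only about sockets bound to "*" or the WAN address) as an added example in Python; this is not code from the thread or from the pfSense project. It parses the text format of FreeBSD's `sockstat -4l`, skips sockets bound to loopback or LAN addresses (unreachable from the WAN no matter what the rules say), and lists the TCP ports a WAN-side scanner such as Shields Up could ever see, still only if a pass rule or port forward lets the packet in. The sample listing and the WAN address 203.0.113.7 are constructed for this example.

```python
# Added example (not from the thread or pfSense): filter sockstat -4l output
# down to the listeners that matter from the WAN side.

WAN_IP = "203.0.113.7"  # assumed WAN address (documentation range), not the poster's

# Constructed sample, modelled on the listing quoted in the post above.
SAMPLE_SOCKSTAT = """\
[2.2.2-RELEASE][root@pfSense.local.lan]/root: sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS        FOREIGN ADDRESS
root     php-fpm    87900 11 udp4   *:*                  *:*
root     syslogd    67136 14 udp4   *:514                *:*
root     ntpd       3034  21 udp4   *:123                *:*
root     ntpd       3034  23 udp4   192.168.9.253:123    *:*
root     openvpn    33293 12 tcp4   203.0.113.7:443      *:*
root     lighttpd_p 92537 11 tcp4   127.0.0.1:8081       *:*
root     miniupnpd  62844 12 tcp4   *:2189               *:*
unbound  unbound    35265 10 udp4   192.168.9.253:53     *:*
root     lighttpd   32909 10 tcp4   *:80                 *:*
root     sshd       13719 5  tcp4   *:22                 *:*
"""

PROTOS = {"tcp4", "udp4", "tcp6", "udp6"}


def parse_sockstat(text):
    """Return (user, command, proto, local_host, local_port) for each socket line.

    The shell prompt and the column header are skipped because their fifth
    field is not a protocol name.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[4] not in PROTOS:
            continue
        user, command, _pid, _fd, proto, local = parts[:6]
        host, _, port = local.rpartition(":")   # rpartition copes with "*:*"
        rows.append((user, command, proto, host, port))
    return rows


def wan_reachable(text, wan_ip):
    """Sockets a WAN scanner could reach if a rule or forward let the packet in.

    Keeps sockets bound to the wildcard address or to the WAN IP itself.
    Unbound datagram sockets ("*:*") have no port to scan and are dropped.
    """
    hits = []
    for user, command, proto, host, port in parse_sockstat(text):
        if port == "*":
            continue
        if host == "*" or host == wan_ip:
            hits.append((proto, host + ":" + port, command))
    return hits


def wan_tcp_ports(text, wan_ip):
    """Sorted TCP ports from wan_reachable(); Shields Up only probes TCP."""
    return sorted(int(addr.rpartition(":")[2])
                  for proto, addr, _cmd in wan_reachable(text, wan_ip)
                  if proto.startswith("tcp"))


if __name__ == "__main__":
    for proto, addr, cmd in wan_reachable(SAMPLE_SOCKSTAT, WAN_IP):
        print(proto, addr, cmd)
    print("TCP ports visible from the WAN side:", wan_tcp_ports(SAMPLE_SOCKSTAT, WAN_IP))
```

On a real box, feed it the live output (`sockstat -4l` piped to a file, or `subprocess.run` on pfSense itself) and the WAN address from the Status page. Anything the script prints is still behind the default WAN deny; the list is what a scan could show as open if you ever add a pass rule or forward for it.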
-
Big thanks for the detailed explanation. sockstat worked to verify there are only a few open ports.
-
Sigh… The infamous Shields Up site. Proudly spreading FUD for ages.
-
> Sigh… The infamous Shields Up site. Proudly spreading FUD for ages.
I wonder if there are some standard hardware/software that ISPs use that helps "protect" the customer by blocking/rejecting SYN packets for certain ports, leading to false positives.
-
raidoh: is the IP you're having it scan the same IP you're coming from accessing this site? I just spot checked several of the ports it showed as open on the IP you're using here, and they're all "stealth" as Shields Up would label it.
> Sigh… The infamous Shields Up site. Proudly spreading FUD for ages.
> I wonder if there are some standard hardware/software that ISPs use that helps "protect" the customer by blocking/rejecting SYN packets for certain ports, leading to false positives.
It's definitely one that confuses people and comes up with absurd results from time to time. Most of the time when I've port scanned the IP in question when it claims there is a slew of stuff open, nothing was actually open. One time I worked with someone where it showed a bunch of open ports, and they really were sending replies. Their modem was sending SYN/ACKs back in reply on the open ports but didn't have any services running on any of them; it was just some weird modem bug.
Shields Up will show one of three possibilities: open, closed, or "stealth". OP's screenshot shows open and stealth. For the ones that are open, either the site is broken, or something is actually sending a SYN/ACK in reply. If it were the ISP or modem or anything else rejecting the connection, it'd show up as closed. I think in this case, it's just another instance of Shields Up being broken.
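The three outcomes described above, reproduced with a plain TCP connect, as an added example (not code from the thread): a completed handshake means a SYN/ACK came back (open), a refused connection means a RST came back (closed, so something reachable is answering), and silence until the timeout means the SYN was dropped (what Shields Up calls stealth). Running this from a host outside the Actiontec against the pfSense DMZ address is the second-opinion check the original poster asked for. The local listener and free-port helper are only there so the example runs offline; target host, ports and timeout are yours to choose.

```python
# Added example (not from the thread): classify TCP ports as open / closed /
# stealth from the reply to a connection attempt, the same split Shields Up reports.
import socket
import threading


def classify_port(host, port, timeout=2.0):
    """Return "open", "closed", "stealth" or "unreachable" for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"           # SYN/ACK received, handshake completed
    except ConnectionRefusedError:
        return "closed"         # RST received: something is up, nothing listening
    except socket.timeout:
        return "stealth"        # neither SYN/ACK nor RST: the SYN was dropped
    except OSError:
        return "unreachable"    # e.g. no route: the SYN never left this host
    finally:
        s.close()


def scan_summary(host, ports, timeout=2.0):
    """Count results per state, like the totals at the top of a GRC report."""
    counts = {"open": 0, "closed": 0, "stealth": 0, "unreachable": 0}
    for port in ports:
        counts[classify_port(host, port, timeout)] += 1
    return counts


def start_local_listener():
    """Bind a throwaway TCP listener on 127.0.0.1; return (socket, port).

    Exists only so the example has a known-open port without touching the
    network; close the returned socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:     # listener closed
                break
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_local_port():
    """A 127.0.0.1 port with nothing listening; the kernel answers it with RST."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, listening = start_local_listener()
    print("listening port:", classify_port("127.0.0.1", listening))
    print("unused port:   ", classify_port("127.0.0.1", free_local_port()))
    srv.close()
```

A "closed" verdict against the DMZ address is the interesting one: it proves a RST came from the Actiontec or the modem rather than from pfSense, which drops by default and never sends one.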
-
Really no point in wasting time with a guy who claims that a reverse DNS record makes you insecure and that dropping ICMP packets makes you invisible. BTW, is he still selling the SpinRite snake oil? Someone should have sued him for this ages ago.
-
> I'm just working through a new installation and trying to configure this. My pfSense 2440 router running 2.2.2 is sitting behind a Verizon FiOS Actiontec router (connected via coax, so I can't reconfigure this).
You can set your ActionTec to passthrough to pfSense.
Here is a very lengthy but extremely informative post regarding FIOS and ActionTec gear. Discusses multiple scenarios.
http://www.dslreports.com/faq/verizonfios/3.0_Networking
-
I have seen those results explained somewhere. Made sense at the time. Can't remember what it was and can't find it again.