Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PfSense keeps Port 21 open??

    Scheduled Pinned Locked Moved Firewalling
    19 Posts 6 Posters 4.1k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      IonutZ
      last edited by

      I recently scanned my external IP to find that port 21 was open on my firewall. The only rule I have under my firewall tab is 443 for SSL.

      Any ideas why port 21 would be open? This is on latest 2.2.6-latest.

      1 Reply Last reply Reply Quote 0
      • M
        mer
        last edited by

        What extra packages if any do you have installed/running?  Do you have ftp/tftp proxy enabled?

        1 Reply Last reply Reply Quote 0
        • M
          muswellhillbilly
          last edited by

          Another thought: Do you have a router running in front of your firewall? Could this have an open port somewhere?

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            So unless you forwarded ftp, there is no ftp service running on pfsense so it wold be impossible for that port to be open..  I would have to check if the ftp proxy package would do that, I doubt it since its for clients…  I would think you would know if you installed that and set it up??

            More than likely its some router in front of pfsense.

            edit
            I just installed the ftp/proxy package.. And it does not enable 21 on wan that is for sure..

            edit2
            Ok if you were stupid enough to highlight your WAN interface in the ftp/proxy setup - then yeah 21 would show open on a scan from outside..  Why would anyone do that???

            ftpproxy.png
            ftpproxy.png_thumb

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 1
            • I
              IonutZ
              last edited by

              No extra packages, and no FTP. Although I'm considering snort or suricata now.

              I'm not running a router in front of the firewall.

              Comcast -> Modem -> Firewall -> Server (router) -> Switch -> LAN

              Lol, this is really weird - running NMap off of pentest-tools.com doesn't show ftp as being open. Running NMap off of my laptop tethered to my cellphone (not on the same network) still displays 21 open.

              With the mac ftp client, I can open a connection to my ip address:

              ftp> o
              (to) xxx
              Connected to xxx.
              
              421 Service not available, remote server timed out. Connection closed. 
              

              With filezilla it says:

              
              Status:      	Connecting to xxx:21...
              Status:      	Connection established, waiting for welcome message...
              Error:        	Connection timed out after 20 seconds of inactivity
              Error:        	Could not connect to server
              Status:      	Waiting to retry...
              

              Any ideas?

              1 Reply Last reply Reply Quote 0
              • M
                muswellhillbilly
                last edited by

                If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.

                1 Reply Last reply Reply Quote 0
                • I
                  IonutZ
                  last edited by

                  @muswellhillbilly:

                  If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.

                  Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

                  1 Reply Last reply Reply Quote 0
                  • M
                    muswellhillbilly
                    last edited by

                    @IonutZ:

                    Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.

                    There you are then!

                    1 Reply Last reply Reply Quote 0
                    • I
                      IonutZ
                      last edited by

                      Alright sir, I won't worry about it then. Thanks for the help everyone.

                      1 Reply Last reply Reply Quote 0
                      • JonathanLeeJ
                        JonathanLee
                        last edited by JonathanLee

                        I see the same thing, I think the ONT modem has FTP open because it’s closed on the WAN on the firewall.

                        e5cb7fae-154a-4c92-bd68-429c42a0c4d8-image.png

                        Make sure to upvote

                        1 Reply Last reply Reply Quote 0
                        • JonathanLeeJ
                          JonathanLee
                          last edited by JonathanLee

                          @muswellhillbilly said in PfSense keeps Port 21 open??:

                          www.grc.com


                          GRC Port Authority Report created on UTC: 2024-07-11 at 06:47:55
                          
                          Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 
                                                      119, 135, 139, 143, 389, 443, 445, 
                                                      1002, 1024-1030, 1720, 5000
                          
                              0 Ports Open
                             22 Ports Closed
                              4 Ports Stealth
                          ---------------------
                             26 Ports Tested
                          
                          NO PORTS were found to be OPEN.
                          
                          Ports found to be STEALTH were: 0, 135, 139, 445
                          
                          Other than what is listed above, all ports are CLOSED.
                          
                          TruStealth: FAILED - NOT all tested ports were STEALTH,
                                             - NO unsolicited packets were received,
                                             - NO Ping reply (ICMP Echo) was received.
                          

                          9dad8892-b15f-450b-95f9-d98e2ca42207-image.png

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0
                          • JonathanLeeJ
                            JonathanLee
                            last edited by

                            d9bc5d7b-ce7d-4e88-ac4b-f3e0cd5ce5ed-image.png

                            I show this on wan side

                            blocked everything nothing is open

                            Make sure to upvote

                            GertjanG 1 Reply Last reply Reply Quote 0
                            • JonathanLeeJ
                              JonathanLee
                              last edited by

                              But mine said failed 😞

                              Make sure to upvote

                              1 Reply Last reply Reply Quote 0
                              • GertjanG
                                Gertjan @JonathanLee
                                last edited by Gertjan

                                @JonathanLee

                                That's your "ISP device", the one with the ONT. Ports should be stealth ... dono why is activily says 'closed' which means : it was listening. For what ?
                                So 'they' can keep an eye on you ^^

                                But you don't care, your pfSense WAN is locked. Normally, only something like an OpenVPN port 1194 UDP should be open.
                                True, it's now possible to stuff a major doss app into your own local ONT device, and fully focus on your (pfSense) WAN IP without disturbing everybody else.

                                It's probably not useful to ditch this ISP, as other ISP devices don't have ports open, but apps in the device will 'call home' for their updates and other 'control'.

                                The best way out : get an Netgate router with a 'FTP' ONT slot, slide in the FTP adapter that is compatible with the Netgate device and your fiber link.

                                And if possible, open only IPv6 ports. grc.com won't see any fire neither smoke, and you feel safe now ^^

                                Mine went all green decades ago :

                                de5dfe70-648a-450f-a7bb-49c844600866-image.png

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                JonathanLeeJ 1 Reply Last reply Reply Quote 1
                                • JonathanLeeJ
                                  JonathanLee @Gertjan
                                  last edited by JonathanLee

                                  @Gertjan I know I pay for a static IP and I set OpenVPN port to a timer like a door it closes at night on a schedule. I like Consolidated never had issues beyond the one off weird bill items when transferring services but they even fixed that with my tantrum, I am sure they have the fiber modem accessible for their team, I am just confused as to why on my zen map it shows wide open and not stealth mode. Anyone that doesn’t use schedules for vpn ports should think about doing that, if your not using your vpn at 3am turn it off right?

                                  Make sure to upvote

                                  1 Reply Last reply Reply Quote 0
                                  • JonathanLeeJ
                                    JonathanLee
                                    last edited by JonathanLee

                                    It is the modem I disconnected everything and ran the test again same ports same issue. That is ISP stuff not my concern my stuff is protected. I got the 2100 it has the stp ports, again consolidated wants that modem, I am just gonna leave it how they have it.

                                    Make sure to upvote

                                    1 Reply Last reply Reply Quote 0
                                    • JonathanLeeJ
                                      JonathanLee
                                      last edited by

                                      @muswellhillbilly said in PfSense keeps Port 21 open??:

                                      If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.

                                      Reply

                                      Does shields up work with ipv6 also?

                                      Make sure to upvote

                                      GertjanG 1 Reply Last reply Reply Quote 0
                                      • GertjanG
                                        Gertjan @JonathanLee
                                        last edited by

                                        @JonathanLee said in PfSense keeps Port 21 open??:

                                        Does shields up work with ipv6 also?

                                        You've motivated me to find that video again that I ones saw, many years ago, an interview, where he said "Not needed, IPv6 won't make it to the public ...". (Gibson is special ^^)

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        johnpozJ 1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @Gertjan
                                          last edited by

                                          @Gertjan said in PfSense keeps Port 21 open??:

                                          Gibson is special ^^)

                                          hahah - yeah remember when he said the sky was falling when XP had raw sockets. it was going to crash the internet ;)

                                          He term stealth for not answering ping is just more nonsense. Not sure he is playing with all 52 cards if you know what I mean ;)

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.