PfSense keeps Port 21 open??
-
I recently scanned my external IP to find that port 21 was open on my firewall. The only rule I have under my firewall tab is 443 for SSL.
Any ideas why port 21 would be open? This is on latest 2.2.6-latest.
-
What extra packages if any do you have installed/running? Do you have ftp/tftp proxy enabled?
-
Another thought: Do you have a router running in front of your firewall? Could this have an open port somewhere?
-
So unless you forwarded ftp, there is no ftp service running on pfsense so it wold be impossible for that port to be open.. I would have to check if the ftp proxy package would do that, I doubt it since its for clients… I would think you would know if you installed that and set it up??
More than likely its some router in front of pfsense.
edit
I just installed the ftp/proxy package.. And it does not enable 21 on wan that is for sure..edit2
Ok if you were stupid enough to highlight your WAN interface in the ftp/proxy setup - then yeah 21 would show open on a scan from outside.. Why would anyone do that???
-
No extra packages, and no FTP. Although I'm considering snort or suricata now.
I'm not running a router in front of the firewall.
Comcast -> Modem -> Firewall -> Server (router) -> Switch -> LAN
Lol, this is really weird - running NMap off of pentest-tools.com doesn't show ftp as being open. Running NMap off of my laptop tethered to my cellphone (not on the same network) still displays 21 open.
With the mac ftp client, I can open a connection to my ip address:
ftp> o (to) xxx Connected to xxx. 421 Service not available, remote server timed out. Connection closed.With filezilla it says:
Status: Connecting to xxx:21... Status: Connection established, waiting for welcome message... Error: Connection timed out after 20 seconds of inactivity Error: Could not connect to server Status: Waiting to retry...Any ideas?
-
If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.
-
If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.
-
Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests.
There you are then!
-
Alright sir, I won't worry about it then. Thanks for the help everyone.
-
I see the same thing, I think the ONT modem has FTP open because it’s closed on the WAN on the firewall.
-
@muswellhillbilly said in PfSense keeps Port 21 open??:
www.grc.com
GRC Port Authority Report created on UTC: 2024-07-11 at 06:47:55 Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113, 119, 135, 139, 143, 389, 443, 445, 1002, 1024-1030, 1720, 5000 0 Ports Open 22 Ports Closed 4 Ports Stealth --------------------- 26 Ports Tested NO PORTS were found to be OPEN. Ports found to be STEALTH were: 0, 135, 139, 445 Other than what is listed above, all ports are CLOSED. TruStealth: FAILED - NOT all tested ports were STEALTH, - NO unsolicited packets were received, - NO Ping reply (ICMP Echo) was received.
-
I show this on wan side
blocked everything nothing is open
Make sure to upvote
-
But mine said failed
-
That's your "ISP device", the one with the ONT. Ports should be stealth ... dono why is activily says 'closed' which means : it was listening. For what ?
So 'they' can keep an eye on you ^^But you don't care, your pfSense WAN is locked. Normally, only something like an OpenVPN port 1194 UDP should be open.
True, it's now possible to stuff a major doss app into your own local ONT device, and fully focus on your (pfSense) WAN IP without disturbing everybody else.It's probably not useful to ditch this ISP, as other ISP devices don't have ports open, but apps in the device will 'call home' for their updates and other 'control'.
The best way out : get an Netgate router with a 'FTP' ONT slot, slide in the FTP adapter that is compatible with the Netgate device and your fiber link.
And if possible, open only IPv6 ports. grc.com won't see any fire neither smoke, and you feel safe now ^^
Mine went all green decades ago :
-
@Gertjan I know I pay for a static IP and I set OpenVPN port to a timer like a door it closes at night on a schedule. I like Consolidated never had issues beyond the one off weird bill items when transferring services but they even fixed that with my tantrum, I am sure they have the fiber modem accessible for their team, I am just confused as to why on my zen map it shows wide open and not stealth mode. Anyone that doesn’t use schedules for vpn ports should think about doing that, if your not using your vpn at 3am turn it off right?
-
It is the modem I disconnected everything and ran the test again same ports same issue. That is ISP stuff not my concern my stuff is protected. I got the 2100 it has the stp ports, again consolidated wants that modem, I am just gonna leave it how they have it.
-
@muswellhillbilly said in PfSense keeps Port 21 open??:
If you try the ShieldsUP site (www.grc.com), what does it tell you? This sounds like a 'herring-rouge' to me if you're getting conflicting reports from different sources.
Reply
Does shields up work with ipv6 also?
-
@JonathanLee said in PfSense keeps Port 21 open??:
Does shields up work with ipv6 also?
You've motivated me to find that video again that I ones saw, many years ago, an interview, where he said "Not needed, IPv6 won't make it to the public ...". (Gibson is special ^^)
-
@Gertjan said in PfSense keeps Port 21 open??:
Gibson is special ^^)
hahah - yeah remember when he said the sky was falling when XP had raw sockets. it was going to crash the internet ;)
He term stealth for not answering ping is just more nonsense. Not sure he is playing with all 52 cards if you know what I mean ;)
-
You know what it was I had it set to reject and not block HAHA I can't believe I didn't see that before, that is a Homer Simpson moment.
-
G Gertjan referenced this topic
