Topic: pfsense open ports [SOLVED]

vorgusa
pfsense open ports [SOLVED]
« on: March 02, 2011, 09:18:39 am »
I have done a fairly default install and ran an nmap scan from outside my network:

Starting Nmap 5.21 ( http://nmap.org ) at 2011-03-02 10:13 EST
Nmap scan report for x.x.x.x (x.x.x.x)
Host is up (0.013s latency).
rDNS record for x.x.x.x: ME.comcast.net
Not shown: 996 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.06 seconds

I have enabled SSH and that is about it... why are all of these other ports open to the internet?! When I try to log into the web interface it does not work, thankfully, but I can SSH into it.
« Last Edit: March 04, 2011, 07:20:43 am by vorgusa »

heavy1metal
Re: pfsense open ports
« Reply #1 on: March 02, 2011, 09:31:12 am »
Did you do this from another computer, like at work or a friend's house, or from the LAN side? All those ports are open LAN side by default.

« Last Edit: March 02, 2011, 10:06:19 am by heavy1metal »

vorgusa
Re: pfsense open ports
« Reply #2 on: March 02, 2011, 09:38:14 am »
Yep, I am at work now... decided to check on it and got surprised by those results.

heavy1metal
Re: pfsense open ports
« Reply #3 on: March 02, 2011, 10:03:40 am »
Yikes, what's your WAN ruleset look like?

vorgusa
Re: pfsense open ports
« Reply #4 on: March 02, 2011, 10:09:00 am »
Pretty much. I added one for my torrents and one for OpenVPN, and everything else is default. I cannot get into it now using the web interface, but I can check at lunch, unless someone knows how to get it from SSH. I did do the Filter Logs option in the CLI and I see connections being blocked.

heavy1metal
Re: pfsense open ports
« Reply #5 on: March 02, 2011, 10:13:13 am »
Well, I allow a few ports from my work IP; however, I have a T-Mobile card on a laptop that I decided to run nmap on, and this is what I came up with as well....

Starting Nmap 5.51 ( http://nmap.org ) at 2011-03-02 10:05 Central America Standard Time
Nmap scan report for WAN IP
Host is up (0.076s latency).
rDNS record for WAN IP
Not shown: 993 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
8080/tcp open  http-proxy

heavy1metal
Re: pfsense open ports
« Reply #6 on: March 02, 2011, 10:21:45 am »
Anyone know if this is because pfSense is rejecting packets instead of dropping packets for these ports?

vorgusa
Re: pfsense open ports
« Reply #7 on: March 02, 2011, 10:23:07 am »
You might want to test to make sure you cannot proxy through your box externally, unless you have it set that way on purpose.

heavy1metal
Re: pfsense open ports
« Reply #8 on: March 02, 2011, 10:28:03 am »
No reverse proxy set up; using Linux, if I try to connect to it on any port via nmap it fails. I also see in the firewall logs where it is all being blocked.

No machines are on at my home at the moment, and I do not host any of the services listed beyond 80/443 externally.

I believe it's showing up as open because of the response nmap got, I'm just wondering what response.

heavy1metal
Re: pfsense open ports
« Reply #9 on: March 02, 2011, 10:39:18 am »
After firing up a PC @ home, ShieldsUP! (https://www.grc.com/x/ne.dll?bh0bkyd2) shows all ports as closed. I understand nmap uses a little more "thorough" method, however if it can't make a connection, then what response is causing nmap to see it as open?

I don't want to give people the false impression I have a port open and then they start hammering away.

vorgusa
Re: pfsense open ports
« Reply #10 on: March 02, 2011, 10:42:30 am »
On my end I can get to the login screen for my admin web interface, but it will not allow me to log in. I am not a huge fan of that, even if it does prevent login.

jimp (Administrator)
Re: pfsense open ports
« Reply #11 on: March 02, 2011, 10:52:58 am »
The ports would only be open if you opened them. Everything is blocked by default.

A lot depends not only on where you run the scan from but also on what kind of router you are running the scan from behind.

If you are running a scan from a system behind a proxy (ftp proxy, web proxy, etc) you may be getting lured into that proxy instead of actually hitting the box you are trying to scan.

A scan from somewhere else like GRC is likely to be more accurate than an nmap scan from a 3G dongle/tethering setup.

If you can hit the web port on pfSense, you can login. If you can't login, you are probably hitting something else -- not your firewall.

A packet capture on WAN during the scan could confirm more of this.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Cino
Re: pfsense open ports
« Reply #12 on: March 02, 2011, 11:01:12 am »
I just ran an nmap scan from work to my pfSense box at home. Just the ports I want open are:

Discovered open port 443/tcp
Discovered open port 21/tcp
Discovered open port 80/tcp
Discovered open port 3389/tcp

I'm using nmap on an XP box... Funny, because my web server is a Windows box, it's 90% sure I'm running Windows.

What I did notice is that the scan states port 15000/tcp is closed. I've seen this before and can't remember what triggers this.

heavy1metal
Re: pfsense open ports
« Reply #13 on: March 02, 2011, 11:02:22 am »
That's a little more reassuring. I cannot connect to any ports using ncat, or simply by accessing the service. I do not get the web portal like the OP.

I believe you are right; I'm sure T-Mobile uses some sort of in-between to do QoS and other fancy filtering.

I'm using Zenmap (nmap GUI), and it gives me the option of an "intensive" scan, and it did show 3 hops before it got to my actual computer. So what you are suggesting is that I ended up testing one of the nodes instead of my box at home? Sort of neat how that works out. More interesting that some (or part) of my connections are being made to the node, and possibly the node is making connections on my behalf like a MITM.

Jimp, as always you're very informative and helpful :-D

« Last Edit: March 02, 2011, 11:12:24 am by heavy1metal »

jimp (Administrator)
Re: pfsense open ports
« Reply #14 on: March 02, 2011, 11:16:22 am »
You must be hitting something else along the way that is redirecting ports into itself.

The most common example of this is pfSense's FTP proxy. If you do an nmap scan from behind a pfSense router for an external IP, it will show FTP open if you have the FTP proxy on, because the proxy is grabbing the FTP traffic.

If you really want to know for sure, PM me an IP and I'll nmap it from a known good source and tell you what is really open. :-)
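The thread's diagnosis rests on a check jimp suggests but nobody in it carries out: capture on the firewall's WAN interface while the external scan runs, then compare what the firewall actually saw and answered with what nmap reported. The script below is an added example written for this thread, not code from the thread or from the pfSense project. It parses constructed `tcpdump -n`-style lines (hand-written, using documentation addresses 203.0.113.5 for the scanner and 198.51.100.2 for the firewall WAN) and a constructed nmap port table, derives each port's state from the firewall's own replies using the same rule nmap applies to a SYN scan (SYN/ACK is open, RST is closed, silence is filtered), and then labels each port nmap called "open" as confirmed, dropped-by-firewall (so something on the path answered instead), or never-arrived (intercepted upstream). It also shows why a RST produces the "closed" state Cino saw on 15000/tcp and why a reject-versus-drop policy changes "filtered" into "closed", not into "open".

```python
"""Reconcile an external nmap report with a packet capture taken on the
firewall's WAN interface during the same scan.

Constructed sample data (added example, not from the forum thread):
203.0.113.5 is the scanning host, 198.51.100.2 is the firewall's WAN
address. The capture lines mimic `tcpdump -ni <wan> tcp` output but were
written by hand for this illustration.
"""
import re
from collections import defaultdict

# Constructed: the port table the scanner printed.
NMAP_REPORT = """\
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https
"""

FIREWALL_WAN_IP = "198.51.100.2"
SCANNER_IP = "203.0.113.5"

# Constructed: what the WAN interface actually saw while the scan ran.
# Note there is no probe for port 53 at all, and no reply for 80 or 443.
WAN_CAPTURE = """\
10:13:01.000001 IP 203.0.113.5.40001 > 198.51.100.2.22: Flags [S], seq 1, win 1024, length 0
10:13:01.000100 IP 198.51.100.2.22 > 203.0.113.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
10:13:01.000200 IP 203.0.113.5.40002 > 198.51.100.2.80: Flags [S], seq 1, win 1024, length 0
10:13:01.000300 IP 203.0.113.5.40003 > 198.51.100.2.443: Flags [S], seq 1, win 1024, length 0
10:13:01.000400 IP 203.0.113.5.40004 > 198.51.100.2.15000: Flags [S], seq 1, win 1024, length 0
10:13:01.000500 IP 198.51.100.2.15000 > 203.0.113.5.40004: Flags [R.], seq 0, ack 2, win 0, length 0
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)")
TCPDUMP_LINE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_nmap(report):
    """Return {port: state} for every TCP port line in an nmap report."""
    states = {}
    for line in report.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(2)
    return states


def wan_port_states(capture, fw_ip, scanner_ip):
    """Derive per-port state from the firewall's own replies, using the rule
    nmap applies to a SYN scan: SYN/ACK -> open, RST -> closed (a 'reject'
    policy), probe with no reply -> filtered (a 'drop' policy). Ports whose
    probe never reached the WAN interface are absent from the result."""
    probed = set()
    replies = defaultdict(set)  # port -> tcpdump flag strings the firewall sent
    for line in capture.splitlines():
        m = TCPDUMP_LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if src == scanner_ip and dst == fw_ip and flags == "S":
            probed.add(int(dport))          # bare SYN from the scanner
        elif src == fw_ip and dst == scanner_ip:
            replies[int(sport)].add(flags)  # whatever the firewall answered
    states = {}
    for port in probed:
        if any(f.startswith("S") and "." in f for f in replies[port]):
            states[port] = "open"           # SYN/ACK: a listener really answered
        elif any(f.startswith("R") for f in replies[port]):
            states[port] = "closed"         # RST: reachable, nothing listening
        else:
            states[port] = "filtered"       # silently dropped
    return states


def reconcile(nmap_states, wan_states):
    """Explain each port the scanner reported 'open' using the WAN capture."""
    verdicts = {}
    for port, state in nmap_states.items():
        if state != "open":
            continue
        seen = wan_states.get(port)
        if seen is None:
            verdicts[port] = "intercepted upstream: probe never reached the firewall"
        elif seen == "open":
            verdicts[port] = "confirmed open: firewall answered SYN/ACK"
        else:
            verdicts[port] = f"false positive: firewall state is '{seen}', a middlebox answered instead"
    return verdicts


if __name__ == "__main__":
    wan = wan_port_states(WAN_CAPTURE, FIREWALL_WAN_IP, SCANNER_IP)
    for port, verdict in sorted(reconcile(parse_nmap(NMAP_REPORT), wan).items()):
        print(f"{port}/tcp: {verdict}")
```

On the constructed data only 22/tcp is genuinely open; 80 and 443 were dropped by the firewall yet reported open because whatever sat between the scanner and the firewall completed the handshake itself, and the 53/tcp probe never reached the WAN at all, which is exactly the "lured into a proxy" situation jimp describes. The same comparison against a real capture separates a rule that actually passes traffic from a carrier or pfSense FTP-proxy artifact.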