Author Topic: Block Ports enumeration

Offline moelharrak
Block Ports enumeration
« on: January 03, 2018, 11:30:50 am »
Hi
Is there any method to stop responding to port scans, if someone tries to check whether the port is open, without using IDS/IPS?
Thank you

Offline KOM
Re: Block Ports enumeration
« Reply #1 on: January 03, 2018, 11:52:01 am »
This is already the default behaviour.  pfSense WAN blocks unsolicited incoming traffic instead of rejecting it.

Are you having an issue or seeing something strange?

Offline moelharrak
Re: Block Ports enumeration
« Reply #2 on: January 03, 2018, 12:16:10 pm »
Thank you for your reply.
I have some ports open (NAT to an internal server). By doing a scan using nmap I can see all the information (web version, ssh version, ...). I know that in some firewalls, even if the port is open, you don't get an answer by doing telnet on the port or scanning using tools like nmap.

Offline Derelict
Re: Block Ports enumeration
« Reply #3 on: January 03, 2018, 12:28:08 pm »
So you open ports but don't want people to connect to them. Got it.

Your only hope is probably IDS/IPS.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Online johnpoz
Re: Block Ports enumeration
« Reply #4 on: January 03, 2018, 01:03:28 pm »
Lock your open ports to only the IPs you want to use these forwards, if you're worried about someone finding them open ;)

Or use, say, something like pfBlocker to block all the "bad" country IPs that you don't want to be able to scan your ports..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE (home)

Offline moelharrak
Re: Block Ports enumeration
« Reply #5 on: January 04, 2018, 02:30:10 am »
@Derelict yes you got it. I opened some ports and I need that if someone scans or telnets to one of those ports, he gets no response. I tried both SNORT and SURICATA, but I still get the response.
@johnpoz, how do I lock the port to the IPs?

Online johnpoz
Re: Block Ports enumeration
« Reply #6 on: January 04, 2018, 07:10:41 am »
On your forward where it says source network.. Put in the network/IP you want to use this port forward. If more than one, create an alias and put in the IPs or netblocks you want to be able to use this port forward..

Offline moelharrak
Re: Block Ports enumeration
« Reply #7 on: January 04, 2018, 11:15:57 am »
It's exactly what I did, I forward the port to my internal server. But what I'm asking for is how to block port scans and not respond to any request. For example I have port 80 open and I need that if someone does telnet xx.xx.xx.xx 80 he gets nothing, or if he uses scanning software. Is that possible with pfSense? I know that most firewalls like Stonesoft, Juniper ... do that natively.

Online johnpoz
Re: Block Ports enumeration
« Reply #8 on: January 04, 2018, 12:40:26 pm »
That is pfSense out of the box!! If you scan a port with your telnet example and the port is not forwarded and allowed for the IP it's coming from, they will get back NOTHING..

If I forward port 80 only if you're coming from 1.2.3.4, and you are hitting it from 5.6.7.8, you will get back NOTHING...

"I know that most of firewall like stonesoft, juniper ... do that natively"

Not sure where you got this from?? If you scan a port that is forwarded you will get a response.. On ANY firewall.. If you do not forward anything or allow anything, out of the box you will get NOTHING back from pfSense... Go to grc.com ShieldsUP for example..

pfSense is not the one answering anything on a forward - the box you forwarded to is the one answering... So let's say you forward 80 to 192.168.1.100, you could set up something on that box to not answer 80 unless you did a port knock on it, etc.

edit: Here, maybe this will help... So you see I forward ports 32400 and 32401 for Plex access. But I have it locked down to only the source networks that are in my plexaccess alias.. So when scanned from outside, those show as "stealth" <rolleyes> Ie no answer came back from those ports when coming from an IP that is not allowed per the forward and firewall rule. Because the scanning IP was not in the allowed IP/networks.. There is no answer.

But if I come from one of those IPs - then it's open.. See how Plex shows that it's available - because I allow the netblock their check comes from and my 2 sons' specific IPs.. So you can go direct to my Plex server from the internet or you can do an indirect stream, etc..

See the alias listing of netblocks.. If you're coming from any other IP - the grc scan - then you will not get any sort of answer..

« Last Edit: January 04, 2018, 01:07:08 pm by johnpoz »
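As an added illustration of the locked-down forward johnpoz describes above (not code from the thread: pfSense generates its rules from the GUI, so this is the equivalent hand-written pf.conf for FreeBSD pf, with the interface name, alias contents and internal host all assumed):

```pf
# Added example, not from the thread. Hand-written pf equivalent of a pfSense
# port forward restricted to an alias of allowed sources. Interface name,
# internal host and alias contents are assumed (RFC 5737 documentation ranges).
ext_if   = "igb0"            # WAN interface (assumed name)
plex_srv = "192.168.1.100"   # internal host the forward points at (assumed)

# The "plexaccess" alias: only these sources may use the forward.
table <plexaccess> { 203.0.113.0/24, 198.51.100.7, 198.51.100.8 }

# Default deny on WAN with block-policy drop: unsolicited packets are silently
# discarded (no TCP RST, no ICMP unreachable), which is why a scanner whose
# address is not in the table sees the ports as "stealth"/filtered.
set block-policy drop
block drop in log on $ext_if all

# Forward plus allow for 32400 and 32401 only when the source is in the alias.
# "rdr pass" rewrites the destination and creates the matching pass rule; with
# no target port given, the original destination port is preserved.
rdr pass on $ext_if inet proto tcp from <plexaccess> to ($ext_if) \
    port { 32400, 32401 } -> $plex_srv
```

A SYN from any address outside the table matches only the block rule, so the sender gets neither SYN-ACK nor RST; from a listed address the redirect applies and the reply comes from the internal host, exactly as johnpoz's ShieldsUP result shows.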

Offline moelharrak
Re: Block Ports enumeration
« Reply #9 on: January 05, 2018, 04:05:53 am »
Hi,
Thank you very much, I appreciate your help.
Maybe as @Derelict said the only way to prevent port scans is to use IPS/IDS. In your opinion, which is the best between SNORT and SURICATA?

Online johnpoz
Re: Block Ports enumeration
« Reply #10 on: January 05, 2018, 05:06:28 am »
Yes an IPS can block a port scan if it happens fast enough, but if it's a slow scan and/or they hit the port that you have forwarded first, they are going to see it open.

How many ports do you have open?

Offline moelharrak
Re: Block Ports enumeration
« Reply #11 on: January 05, 2018, 05:41:55 am »
Not too many, at max 10 ports.