I have the following pf rules:
Code:
####Interfaces
ext_if="igb0"
bhyve_if_jenkins="bridge0"
####IP Assignment
IP_PUB="123.123.123.123"
IP_BHYVE_JENKINS="172.16.0.15"
###Jail Network
NET_BHYVE_JENKINS="172.16.0.0/24"
###PORT
PORT_JENKINS="{80,443,4242,8080,3389}"
PORT_HOST = "{22,5901}"
# PORT_DNS is referenced by the block/pass rules below but was missing from the
# posted ruleset; pfctl rejects a file with an undefined macro. 53 is assumed here.
PORT_DNS = "53"
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"
################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
### Timeout Options
# set optimization normal
# set timeout { tcp.closing 60, tcp.established 7200}
################ Queueing ####################################################
################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ext_if all reassemble tcp fragment reassemble
# nat all jail traffic
#nat pass on $ext_if from $NET_JAIL_WWW to any -> $IP_PUB
# nat all bhyve traffic
nat pass on $ext_if from $NET_BHYVE_JENKINS to any -> ($ext_if)
# redirect bhyve jenkins port traffic
rdr pass on $ext_if proto tcp from any to ($ext_if) port $PORT_JENKINS -> $IP_BHYVE_JENKINS
## Antispoof
antispoof for ($ext_if) inet
## Block NMAP
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP
#Block ALL
block log on $ext_if
#Block port DNS
block drop in log quick on $ext_if proto tcp from { !($ext_if), !($bhyve_if_jenkins)} to port $PORT_DNS
block drop in log quick on $ext_if proto udp from { !($ext_if), !($bhyve_if_jenkins)} to port $PORT_DNS
## allow icmp request types specified by $icmp_types
pass in inet proto icmp all icmp-type $icmp_types
#Allow SSH
pass in quick on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port $PORT_HOST
pass out quick on $ext_if inet proto tcp from ($ext_if) to !($ext_if) port $PORT_HOST
#DNS
pass out quick on $ext_if inet proto tcp from ($ext_if) to !($ext_if) port $PORT_DNS
pass out quick on $ext_if inet proto udp from ($ext_if) to !($ext_if) port $PORT_DNS
And I have scanned with the nmap command nmap -sU -p 53 -Pn 123.123.123.123 from a different location than the server. The result is really strange, because it detected port 53 UDP as open|filtered:
Code:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-08 03:56 SE Asia Standard Time
Nmap scan report for 123.123.123.123 (123.123.123.123)
Host is up.
PORT   STATE         SERVICE
53/udp open|filtered domain
Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds
sockstat -4l doesn't show any daemon listening on port 53:
Code:
# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    31884 4  udp4   *:67                  *:*
root     sendmail   38914 3  tcp4   127.0.0.1:25          *:*
root     sshd       31007 4  tcp4   *:22                  *:*
root     syslogd    82203 7  udp4   *:514                 *:*
ifconfig output:
Code:
# ifconfig
ix0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:e2:a5:dc
hwaddr a0:36:9f:e2:a5:dc
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
ix1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether a0:36:9f:e2:a5:de
hwaddr a0:36:9f:e2:a5:de
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether 18:66:da:8e:52:9d
hwaddr 18:66:da:8e:52:9d
inet 123.123.123.123 netmask 0xffffff00 broadcast 163.172.253.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether 18:66:da:8e:52:9e
hwaddr 18:66:da:8e:52:9e
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
pfsync0: flags=0<> metric 0 mtu 1500
groups: pfsync
syncpeer: 0.0.0.0 maxupd: 128 defer: off
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
groups: pflog
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: vm-public
ether 02:5a:71:50:7c:00
inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
nd6 options=1<PERFORMNUD>
groups: bridge
id 00:00:00:00:00:00 priority 0 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
ifmaxaddr 0 port 9 priority 128 path cost 2000000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
description: vmnet-jenkins-0-public
options=80000<LINKSTATE>
ether 00:bd:ab:22:04:00
hwaddr 00:bd:ab:22:04:00
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: active
groups: tap
Opened by PID 65353
Nor is the bhyve Windows guest listening on port 53.
The only possible daemon is dnsmasq, which is set to port 0, i.e. not listening on any port.
dnsmasq config:
Code:
port=0
#domain-needed
#no-resolv
except-interface=lo0
except-interface=igb0
bind-interfaces
local-service
#dhcp-authoritative
interface=bridge0
dhcp-range=172.16.0.10,172.16.0.254
The question is: how do I properly close port 53 from WAN access?
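Two checks are worth running before changing anything. First, nmap reports a UDP port as open|filtered whenever it gets no reply at all; it only reports closed when it receives an ICMP port unreachable. With set block-policy drop, pf discards the probe silently, so open|filtered is exactly what a blocked UDP port looks like from outside and is not evidence that anything answers on 53. Second, the posted rules reference $PORT_DNS but never define it; pfctl refuses to load a ruleset that uses an undefined macro and keeps whatever ruleset was loaded before, so the file should be validated with pfctl -nf /etc/pf.conf. The script below is an added example, not part of the original post or of pf itself: a small pf.conf macro checker that reports macros referenced but never defined and macros defined but never used. The sample ruleset embedded in it is a trimmed copy of the rules posted above (the jail and timeout lines are omitted, which is assumed not to remove any macro definitions).

```python
# Added example (not from the original post): a checker for pf.conf macro
# references. pfctl rejects the WHOLE file when a rule uses an undefined
# macro, so a missing or misspelled definition means the old rules stay active.
import re

# name="value" or name = "value" on a line of its own (pf macro definition)
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(".*"|\S+)\s*$')
# $name anywhere, including inside ($name), !($name) and { ... } lists
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def strip_comment(line):
    """Drop a trailing '#' comment, ignoring a '#' inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == '#' and not in_quote:
            return line[:i]
    return line


def check_macros(conf_text):
    """Return (undefined, unused).

    undefined: macro name -> list of line numbers that reference it without
               any definition in the file
    unused:    sorted names that are defined but never referenced
    """
    defined = {}
    referenced = {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = MACRO_DEF.match(line)
        if m:
            defined.setdefault(m.group(1), lineno)
            refs = MACRO_REF.findall(m.group(2))  # a value may use earlier macros
        else:
            refs = MACRO_REF.findall(line)
        for name in refs:
            referenced.setdefault(name, []).append(lineno)
    undefined = {n: ls for n, ls in referenced.items() if n not in defined}
    unused = sorted(n for n in defined if n not in referenced)
    return undefined, unused


def report(conf_text):
    """Human-readable findings, one string per problem."""
    undefined, unused = check_macros(conf_text)
    out = [f"undefined macro ${n} used on line(s) {ls}" for n, ls in undefined.items()]
    out += [f"macro ${n} defined but never used" for n in unused]
    return out


# Constructed sample: trimmed copy of the ruleset posted above.
SAMPLE_CONF = r'''
ext_if="igb0"
bhyve_if_jenkins="bridge0"
IP_PUB="123.123.123.123"
IP_BHYVE_JENKINS="172.16.0.15"
NET_BHYVE_JENKINS="172.16.0.0/24"
PORT_JENKINS="{80,443,4242,8080,3389}"
PORT_HOST = "{22,5901}"
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"
set block-policy drop
#nat pass on $ext_if from $NET_JAIL_WWW to any -> $IP_PUB
nat pass on $ext_if from $NET_BHYVE_JENKINS to any -> ($ext_if)
rdr pass on $ext_if proto tcp from any to ($ext_if) port $PORT_JENKINS -> $IP_BHYVE_JENKINS
block log on $ext_if
block drop in log quick on $ext_if proto tcp from { !($ext_if), !($bhyve_if_jenkins)} to port $PORT_DNS
block drop in log quick on $ext_if proto udp from { !($ext_if), !($bhyve_if_jenkins)} to port $PORT_DNS
pass in inet proto icmp all icmp-type $icmp_types
pass in quick on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port $PORT_HOST
pass out quick on $ext_if inet proto udp from ($ext_if) to !($ext_if) port $PORT_DNS
'''

if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
```

Running it against the sample flags $PORT_DNS as undefined on the three lines that use it and $IP_PUB as defined but only used in a commented-out rule; prepending a definition such as PORT_DNS="53" clears the first finding. The checker does not replace pfctl -nf, which also catches syntax errors, but it gives line numbers for the one class of mistake that silently leaves the old ruleset in force.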