PF Nmap detecting 'bogus' port?

I have the following pf rules:
Code:
####Interfaces
ext_if="igb0"
bhyve_if_jenkins="bridge0"

####IP Assignment
IP_PUB="123.123.123.123"
IP_BHYVE_JENKINS="172.16.0.15"

###Jail Network
NET_BHYVE_JENKINS="172.16.0.0/24"

###PORT
PORT_JENKINS="{80,443,4242,8080,3389}"

PORT_HOST = "{22,5901}"

# $PORT_DNS is referenced by the DNS rules below but was not defined in the
# posted ruleset; pfctl refuses to load a ruleset with an undefined macro.
# Assumed value (the thread is about port 53):
PORT_DNS="53"

icmp_types = "{ 0, 3, 4, 8, 11, 12 }"

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
# set optimization normal
# set timeout { tcp.closing 60, tcp.established 7200}


################ Queueing ####################################################


################ Normalization ###############################################
# set-tos 0x1c is Maximize-Reliability + Minimize-Delay + Maximize-Throughput
scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub     log on $ext_if all reassemble tcp fragment reassemble

# nat all jail traffic
#nat pass on $ext_if from $NET_JAIL_WWW to any -> $IP_PUB

# nat all bhyve traffic
nat pass on $ext_if from $NET_BHYVE_JENKINS to any -> ($ext_if)

# redirect bhyve jenkins port traffic
rdr pass on $ext_if proto tcp from any to ($ext_if) port $PORT_JENKINS -> $IP_BHYVE_JENKINS

## Antispoof
antispoof for ($ext_if) inet

## Block NMAP
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick on $ext_if proto tcp from any to any flags FUP/FUP


#Block ALL
block log on $ext_if

#Block port DNS
block drop in log quick on $ext_if proto tcp from { !($ext_if), !($bhyve_if_jenkins)} to port $PORT_DNS
block drop in log quick on $ext_if proto udp from { !($ext_if), !($bhyve_if_jenkins)} to port $PORT_DNS

## allow icmp request types specified by $icmp_types
pass in inet proto icmp all icmp-type $icmp_types
#Allow SSH
pass in quick on $ext_if inet proto tcp from !($ext_if) to ($ext_if) port $PORT_HOST
pass out quick on $ext_if inet proto tcp from ($ext_if) to !($ext_if) port $PORT_HOST
#DNS
pass out quick on $ext_if inet proto tcp from ($ext_if) to !($ext_if) port $PORT_DNS
pass out quick on $ext_if inet proto udp from ($ext_if) to !($ext_if) port $PORT_DNS

And I have scanned with the nmap command nmap -sU -p 53 -Pn 123.123.123.123 from a different location than the server. The result is really strange because it detected port 53 UDP as open|filtered:
Code:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-08 03:56 SE Asia Standard Time
Nmap scan report for 123.123.123.123 (123.123.123.123)
Host is up.

PORT   STATE         SERVICE
53/udp open|filtered domain

Nmap done: 1 IP address (1 host up) scanned in 9.65 seconds

sockstat -4l doesn't show any daemon listening on port 53:
Code:
# sockstat -4l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    31884 4  udp4   *:67                  *:*
root     sendmail   38914 3  tcp4   127.0.0.1:25          *:*
root     sshd       31007 4  tcp4   *:22                  *:*
root     syslogd    82203 7  udp4   *:514                 *:*

ifconfig
Code:
# ifconfig
ix0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether a0:36:9f:e2:a5:dc
        hwaddr a0:36:9f:e2:a5:dc
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
ix1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=e407bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether a0:36:9f:e2:a5:de
        hwaddr a0:36:9f:e2:a5:de
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 18:66:da:8e:52:9d
        hwaddr 18:66:da:8e:52:9d
        inet 123.123.123.123 netmask 0xffffff00 broadcast 163.172.253.255 
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
igb1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 18:66:da:8e:52:9e
        hwaddr 18:66:da:8e:52:9e
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5 
        inet 127.0.0.1 netmask 0xff000000 
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        groups: lo 
pfsync0: flags=0<> metric 0 mtu 1500
        groups: pfsync 
        syncpeer: 0.0.0.0 maxupd: 128 defer: off
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
        groups: pflog 
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vm-public
        ether 02:5a:71:50:7c:00
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255 
        nd6 options=1<PERFORMNUD>
        groups: bridge 
        id 00:00:00:00:00:00 priority 0 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 9 priority 128 path cost 2000000
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: vmnet-jenkins-0-public
        options=80000<LINKSTATE>
        ether 00:bd:ab:22:04:00
        hwaddr 00:bd:ab:22:04:00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect
        status: active
        groups: tap 
        Opened by PID 65353

Nor is the bhyve Windows guest listening on port 53.

The only possible daemon is dnsmasq, which is listening on port 0, or rather not listening on any port at all.

dnsmasq config:
Code:
port=0
#domain-needed
#no-resolv
except-interface=lo0
except-interface=igb0
bind-interfaces
local-service
#dhcp-authoritative

interface=bridge0
dhcp-range=172.16.0.10,172.16.0.254

The question is: how do I properly close port 53 to WAN access?
 
From nmap(1):
Code:
If an ICMP port unreachable error (type 3, code 3)
is returned, the port is closed. Other ICMP unreachable errors
(type 3, codes 0, 1, 2, 9, 10, or 13) mark the port as filtered.
Occasionally, a service will respond with a UDP packet, proving
that it is open. If no response is received after retransmissions,
the port is classified as open|filtered. This means that the port
could be open, or perhaps packet filters are blocking the
communication.
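As an added illustration (not code from this thread, from nmap or from pf), here is a small Python model of the nmap(1) classification rules quoted above, combined with an assumed model of what a pf host answers under "set block-policy drop" versus "return" and with net.inet.udp.blackhole set; the scenario names and the silence-for-listening-sockets simplification are assumptions.

```python
"""Model of nmap's UDP port-state decision, per the nmap(1) text quoted
above, plus an assumed model of what a FreeBSD host behind pf sends back."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Response:
    kind: str                       # "udp", "icmp" or "none"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

NO_RESPONSE = Response("none")
PORT_UNREACHABLE = Response("icmp", 3, 3)

def nmap_udp_state(resp: Response) -> str:
    """Port state exactly as nmap(1) describes it for -sU."""
    if resp.kind == "udp":
        return "open"
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code == 3:
            return "closed"
        if resp.icmp_code in (0, 1, 2, 9, 10, 13):
            return "filtered"
    return "open|filtered"          # silence: open, or a dropping filter

def target_response(blocked_by_pf: bool, block_policy: str = "drop",
                    listening: bool = False, udp_blackhole: int = 0) -> Response:
    """Assumed model of what a UDP probe gets back from the host:
    pf block + 'set block-policy return' -> ICMP port unreachable (pf.conf(5));
    pf block + 'drop' -> nothing; passed to a closed port -> ICMP port
    unreachable unless net.inet.udp.blackhole=1 silences it; passed to a
    listening socket -> modelled as silence (a bare probe rarely gets a reply)."""
    if blocked_by_pf:
        return PORT_UNREACHABLE if block_policy == "return" else NO_RESPONSE
    if not listening:
        return NO_RESPONSE if udp_blackhole else PORT_UNREACHABLE
    return NO_RESPONSE

def scan_state(**scenario) -> str:
    """State nmap would report for a host/firewall scenario."""
    return nmap_udp_state(target_response(**scenario))

if __name__ == "__main__":
    # Scenarios around the posted ruleset (block-policy drop, udp.blackhole=1).
    for label, kw in [("pf block, policy drop", dict(blocked_by_pf=True)),
                      ("pf block, policy return", dict(blocked_by_pf=True, block_policy="return")),
                      ("closed port, blackhole=1", dict(blocked_by_pf=False, udp_blackhole=1)),
                      ("closed port, blackhole=0", dict(blocked_by_pf=False))]:
        print(f"{label:26s} -> {scan_state(**kw)}")
```

The model shows why a silently dropping filter and a blackholed closed port look identical to the scanner: both yield no response, which nmap can only report as open|filtered.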
 
Thank you, it makes sense that other bogus ports are detected as filtered. The strange thing is that when doing slow comprehensive scans with "nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)"", when it reaches the service scan, if it's filtered, why is only port 53 detected as filtered and not port 80?

Could it be my sysctl settings:
Code:
net.inet.tcp.blackhole=2 
net.inet.tcp.drop_synfin=1 
net.inet.udp.blackhole=1
 