Ports open which should be closed

[Abstract]

Hi Everyone,

I've set up a PF firewall on my FreeBSD server, but I'm a bit confused. I've blocked all the traffic by default and only allowed the traffic I want. When I do a port scan on my server it shows the TCP ports 119, 995, 993, 587, 563, 465 to be open. I didn't explicitly mark those as open. Why are these still open and ports like 21 are closed as I would expect?

Below are the firewall rules I use:

## Macros 
SYN_ONLY="S/FSRA"
EXT_NIC="re0"

# Internet IP, (comments out for posting purpose)
EXT_IP="###.###.###.###" 

## TABLES 
## GLOBAL OPTIONS 
## TRAFFIC NORMALIZATION 
## QUEUEING RULES
## TRANSLATION RULES (NAT)

## FILTER RULES 

# Block everything
block all

block return-rst in log on $EXT_NIC proto TCP all
pass in log quick on $EXT_NIC proto TCP from any to any port 22 flags $SYN_ONLY keep state
pass in log quick on $EXT_NIC proto TCP from any to any port 443 flags $SYN_ONLY keep state
pass in log quick on $EXT_NIC proto TCP from any to any port 113 flags $SYN_ONLY keep state

pass in log quick on $EXT_NIC proto TCP from any to any port 110 flags $SYN_ONLY keep state
pass in log quick on $EXT_NIC proto TCP from any to any port 143 flags $SYN_ONLY keep state
pass in log quick on $EXT_NIC proto TCP from any to any port 25 flags $SYN_ONLY keep state

pass in log quick on $EXT_NIC proto TCP from any to any port 80 flags $SYN_ONLY keep state
pass in log quick on $EXT_NIC proto TCP from any to any port 2222 flags $SYN_ONLY keep state

pass in log quick on $EXT_NIC proto TCP from any to any port 53 flags $SYN_ONLY keep state
pass in log quick on $EXT_NIC proto udp from any to any port 53 flags $SYN_ONLY keep state

block out log on $EXT_NIC all
pass out log quick on $EXT_NIC from $EXT_IP to any keep state

# Allow the local interface
pass in quick on lo0 all
pass out quick on lo0 all

Thanks.

 

[SirDice]

How did you scan? Can you post that output?

 

[Abstract]

Results scan

I've scanned the server with Windows software called Angry Ip Scanner 2.1. Below you can find the details, but there isn't much additional information.

I'm pretty new to more advanced network diagnostics, maybe the results aren't that reliable? For example I notice the ports 443 and 113 are not among the results. The port 443 is open for sure, I'm connecting to that every hour.

IP                          Ping                  Hostname              Open Ports

###.###.###.###              139 ms                ##########    22,25,53,80,110,119,143,465,563,587,993,995,2222

I did change the pf.conf to allow ICMP as well by adding the following line.

pass in log on $EXT_NIC proto icmp all

 

[SirDice]

You can't scan your ports from within the same network. You need to scan from the outside.

Also learn the difference between incoming and outgoing connections. They are quite different.

http://www.tcpipguide.com/free/index.htm

 

[Abstract]

I didn't scan the ports in the same network. It's a server located in a data center and I'm doing the port scan from my home office.

I think, correct me if I'm wrong, that I understand the incoming and outgoing connections. When I do a scan from a completely different location and network I believe my scan is incoming traffic and not outgoing.

 

[SirDice]

I don't know what software you used to scan the machine but it's not very accurate. Try something like security/nmap.

 

[kpa]

Try changing those flags to the default S/SA. In fact you can leave out the flags directive out in you rules because pf defaults to S/SA. Also keep state is the default so you can leave that out as well. Have you taken a look at your firewall log? Which rule(s) get matched when you probe a port that is open when it is supposed to be closed?

 

[Abstract]

Hi everyone,

This problem has been solved now. What I did is probably a newbie mistake, it seems PF was not enabled. Below you'll find the answer of my tech support.

I did enable it in the rc.conf file and started the PF firewall with /etc/rc.d/pf start. I don't understand it if PF wasn't enabled how come the FTP port got blocked as soon as I started the PF firewall and was working again when I stopped it. Like it should happen as defined in the rules. Based on that and some other tests I would say PF did work.

Tech Support:

I took a close look at your setup this evening. PF was not enabled - rather, it wasn't running as the kernel modules were not loaded. I have setup your system to load them at boot now (and they are loaded and pf is running now).

I'll check what they mean exactly. Thank you all for the input!

 

[mharvey]

After the service is started you still have to enable the firewall I believe

pfctl -e

and

pfctl -d

to disable

 

[wblock@]

/etc/rc.d/pf does that already.

 

[SirDice]

/etc/rc.d/pf does that already.

Assuming you have

pf_enable="YES"

in /etc/rc.conf