[Solved] Why can I check ports (with telnet)?

Usually I check for open ports using telnet <IP> <port>. Now in my DMZ I installed PF and want to block everything but some ports.

The weird thing I found was that I can telnet <IP> <ANY PORT> and it returns:

Code:
Trying .....
Connected to .....
Escape character is '^]'.

I mean it looks like any port is open, not only those I defined in my pf rules.
 
What type of machine are you telnetting from? Any special network configuration or security software (ZScaler?)

For TCP to connect, not only does the port need to be open, but something (typically an application) needs to be listening on it. Something strange is going on here if it does that for any port.
 
I'm telnetting from a VPS. And yes, I asked here because this is very strange (to me); apparently something is responding even if no port is open. Maybe the one that is responding is the router (provided by my ISP).
 
I'd suggest a dumb modem that is still compatible with the ISP, and a router that you can flash with DD-WRT or OpenWRT. That generally makes troubleshooting and monitoring easier.

If the ISP is the one providing the router, the firewall's default settings may not be the most sensible ones.
 
Yes, I'll probably ask the ISP to bridge the modem instead of using a DMZ. What I'm trying to do with PF is to control all the router's actions (instead of using DD-WRT or Mikrotik); it should work the same way.
 
I enabled pflog and found the packets I test with telnet are indeed blocked, but I still wonder why I get the response "Connected..." instead of rejected or something different.
 
That's why I recommend the dumb modem/own router setup. If you want to find out more detail on what's happening with your packets, there are usually ways to do that, just not on rented equipment. If you own a router, you can install anything on it, even snort or other packet generators/sniffers. On ISP-owned equipment, you have to ask them to do stuff, and be mentally prepared to hear 'no'.
 
I tend to use nc(1) for this. The communication is a bit less processed.

That said, some firewall setups are done to not send anything back, not even low level packets relating to rejection. In that case I guess telnet just assumes the connection is established (though note that nc(1) can as well on some setups).
 
I’d blame the ISP’s modem. It may accept everything initially and then actually try to create the connection on the “inside network” to whatever host it’s been configured to use as the DMZ host. It’s the opposite approach to dropping connection attempts to blocked ports; if every port appears open, you don’t learn anything from port scanning.
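The two points made in this thread, that a completed TCP handshake only proves that *something* answered the SYN (a listener, or a middlebox accepting on a host's behalf), and that a firewall may either drop silently or send a rejection, can be made visible with a small probe. The script below is an added example written for this page, not code posted by anyone in the thread. It classifies a connect attempt by what the peer does: a RST during the handshake is what you get from a closed port or a pf `block return` rule, a timeout is what a pf `block drop` rule (the default) looks like, and after a successful connect it watches the socket for a moment, because a device that accepted the SYN but cannot actually deliver the connection to the DMZ host tends to close it almost immediately. The loopback servers it spins up are constructed for the demonstration (the `demo_server` helper imitates each behaviour locally); the hostnames, ports and helper names are assumptions, not anything from the thread.

```python
"""Classify what a TCP connect attempt actually tells you.

Added example (not from the forum thread). connect() succeeding only proves
that *something* completed the three-way handshake: a real listener, or a
middlebox such as an ISP modem/router that accepts first and forwards later.
To tell these apart, the probe also watches the socket right after connect.
"""
import errno
import socket
import threading

CONNECT_TIMEOUT = 3.0    # seconds to wait for the handshake
POST_CONNECT_WAIT = 1.0  # seconds to watch the socket after connect


def probe(host, port, connect_timeout=CONNECT_TIMEOUT, post_wait=POST_CONNECT_WAIT):
    """Return one of:
      'closed'       - RST during handshake (nothing listening, or pf 'block return')
      'filtered'     - no answer at all (pf 'block drop', the default, or a black hole)
      'unreachable'  - no route / ICMP unreachable: the host is not reachable from here
      'open'         - handshake completed and the peer kept the connection open
      'open-banner'  - handshake completed and the peer sent data straight away
      'accept-close' - handshake completed but the peer closed almost at once, the
                       pattern of a middlebox accepting for a host it cannot reach
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(connect_timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return 'filtered'
    except ConnectionRefusedError:
        s.close()
        return 'closed'
    except OSError as e:
        s.close()
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return 'unreachable'
        raise
    # Connected: "Connected to ..." is all telnet would tell you. Now see what the peer does.
    s.settimeout(post_wait)
    try:
        data = s.recv(1)
    except socket.timeout:
        return 'open'          # silence: a real listener waiting for the client to talk
    except ConnectionResetError:
        return 'accept-close'  # RST right after accept
    finally:
        s.close()
    return 'open-banner' if data else 'accept-close'  # b'' means the peer sent FIN


def demo_server(behaviour):
    """Constructed loopback server for the demonstration; returns its port.
    behaviour: 'listen' - accept and hold the connection open
               'banner' - accept and send a greeting immediately
               'close'  - accept and close at once (imitates a middlebox that
                          accepted a SYN it could not forward)
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if behaviour == 'banner':
            conn.sendall(b'220 hello\r\n')
        if behaviour != 'close':
            try:
                conn.recv(1)  # blocks until the probing client closes
            except OSError:
                pass
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def unused_port():
    """Reserve and release a loopback port so that nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('127.0.0.1', 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == '__main__':
    cases = [('real listener', demo_server('listen')),
             ('banner service', demo_server('banner')),
             ('accept-then-close', demo_server('close')),
             ('nothing listening', unused_port())]
    for label, port in cases:
        print(f'{label:20s} -> {probe("127.0.0.1", port)}')
```

Run it against the host in question with `probe('<IP>', <port>)` once per port: a pf `block drop` shows up as `filtered`, a `block return` as `closed`, and a modem that says yes to every SYN shows up as `accept-close` on ports where nothing is actually listening, which is exactly the "every port looks open" symptom described above and is invisible to telnet alone.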
 