OPNsense Forum

English Forums => General Discussion => Topic started by: sergiy0 on September 03, 2024, 04:02:18 PM

Title: [NMAP] - Showing some ports as open (running scan on external network)
Post by: sergiy0 on September 03, 2024, 04:02:18 PM
Million dollar question: does a floating allow rule open a port? If YES, then the rest of the post is useless ^^

Description of Issue
nmap scan to check possible opened ports:

Discovered open port 22/tcp on ###### (WAN IP)
Discovered open port 80/tcp on ###### (WAN IP)
Discovered open port 53/tcp on ###### (WAN IP)
Discovered open port 443/tcp on ###### (WAN IP)
Discovered open port 5353/tcp on ###### (WAN IP)

Note: enabling my GeoIP rules shows the same ports as 'filtered', but with them disabled the ports are 'open' instead of 'closed'. WHY?

(https://i.imgur.com/GC1kayc.png)

Steps to Reproduce the Issue
nmap -p - -T4 -A -v -Pn WAN-IP

Expected Outcomes
Title: Re: [NMAP] - Showing some ports as open (running scan on external network)
Post by: Patrick M. Hausen on September 03, 2024, 04:39:40 PM
Are you scanning your WAN address from inside your network or from the Internet over a different uplink?

Scanning from inside will not work, or rather will not give the correct and desired results. If e.g. SSH is allowed on LAN, scanning port 22 from LAN will result in "open", even if the target is "WAN address".
Title: Re: [NMAP] - Showing some ports as open (running scan on external network)
Post by: sergiy0 on September 03, 2024, 05:05:28 PM
Quote from: Patrick M. Hausen on September 03, 2024, 04:39:40 PM
Are you scanning your WAN address from inside your network or from the Internet over a different uplink?

Scanning from inside will not work, or rather will not give the correct and desired results. If e.g. SSH is allowed on LAN, scanning port 22 from LAN will result in "open", even if the target is "WAN address".

Hey Patrick,

As stated in the title, the tests are being performed over an external network with the Tailscale agent disconnected.
Title: Re: [NMAP] - Showing some ports as open (running scan on external network)
Post by: Patrick M. Hausen on September 03, 2024, 05:10:38 PM
Please show the rules at

Firewall > Rules > WAN
Firewall > NAT > Port forwarding
Title: Re: [NMAP] - Showing some ports as open (running scan on external network)
Post by: sergiy0 on September 03, 2024, 05:23:29 PM
Quote from: Patrick M. Hausen on September 03, 2024, 05:10:38 PM
Please show the rules at

Firewall > Rules > WAN
Firewall > NAT > Port forwarding

(https://i.imgur.com/WwgxmnR.png)
(https://i.imgur.com/8MVo4To.png)
Title: Re: [NMAP] - Showing some ports as open (running scan on external network)
Post by: sergiy0 on September 03, 2024, 10:05:45 PM
I think I figured out what's happening.

As the default in OPNsense is to block, aka 'filter', that is why when doing an nmap scan I see the ports as 'filtered' and not as 'closed'.

(https://i.imgur.com/Mimtc3A.png)

Now, when setting a test rule for the nmap scan with 'reject', I finally see the port as 'closed'.

(https://i.imgur.com/xMoCZOj.png)

(https://i.imgur.com/kizR8Th.png)

The thing I don't understand is why, if I create a rule allowing traffic to TCP 80, the port seems to be opened automatically without touching port forwarding at all...
Title: Re: [NMAP] - Showing some ports as open (running scan on external network)
Post by: Patrick M. Hausen on September 03, 2024, 10:11:04 PM
There's the OPNsense UI listening on 80, so with an allow rule in place a connect can happen.
Title: Re: [NMAP] - Showing some ports as open (running scan on external network)
Post by: sergiy0 on September 03, 2024, 11:39:00 PM
Quote from: Patrick M. Hausen on September 03, 2024, 10:11:04 PM
There's the OPNsense UI listening on 80, so with an allow rule in place a connect can happen.

OK. Makes sense: all the ports from the first post are open because OPNsense is using 22 for SSH, 80/443 for the web UI, and 53/5353 for DNS.

I thought it was mandatory to add those ports in NAT > Port forwarding to keep them open. Didn't know a FW rule is enough to open a port on WAN...
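To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread or from OPNsense) that models how a WAN rule's action, combined with whether the firewall host itself listens on the port, determines the state nmap reports: block drops silently and shows 'filtered', reject answers and shows 'closed', and a pass rule shows 'open' only when a local service is listening, with no port forward involved. The `Rule`, `Firewall` and `OPNSENSE` names, the rule set and the listening ports are constructed assumptions, and the model ignores floating rules, state tracking and UDP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Added example (not from the thread or OPNsense): a constructed model of how
# a WAN rule's action plus a local listener determines the state nmap reports.

@dataclass
class Rule:
    action: str              # "pass", "block" (silent drop) or "reject" (RST back)
    port: Optional[int]      # None matches any destination port
    quick: bool = True       # OPNsense interface rules are "quick" by default

@dataclass
class Firewall:
    rules: List[Rule]        # WAN rules, evaluated top to bottom
    listening: Set[int]      # TCP ports the firewall host itself listens on

def matching_rule(rules: List[Rule], port: int) -> Optional[Rule]:
    """pf semantics: a matching 'quick' rule wins immediately, else the last match wins."""
    last = None
    for rule in rules:
        if rule.port is None or rule.port == port:
            if rule.quick:
                return rule
            last = rule
    return last

def nmap_state(fw: Firewall, port: int) -> str:
    """State a SYN probe from the WAN side would see for one TCP port."""
    rule = matching_rule(fw.rules, port)
    action = rule.action if rule else "block"   # default policy: block
    if action == "block":
        return "filtered"       # SYN dropped silently, nmap gets no answer
    if action == "reject":
        return "closed"         # the firewall itself answers with RST
    # "pass": the SYN reaches the local TCP stack; only a listener answers SYN/ACK,
    # so a service running on the firewall needs no port forward to be reachable.
    return "open" if port in fw.listening else "closed"

def scan(fw: Firewall, ports: List[int]) -> Dict[int, str]:
    return {p: nmap_state(fw, p) for p in ports}

# Constructed setup resembling the thread: GUI on 80/443, SSH on 22, DNS on 53,
# pass rules for 22/80/443/53, a pass rule on 9000 with nothing listening,
# a 'reject' test rule on 8080, and the default block everywhere else.
OPNSENSE = Firewall(
    rules=[Rule("pass", 22), Rule("pass", 80), Rule("pass", 443),
           Rule("pass", 53), Rule("pass", 9000), Rule("reject", 8080)],
    listening={22, 53, 80, 443},
)
```

Running `scan(OPNSENSE, [80, 9000, 8080, 25])` gives open, closed, closed and filtered respectively, which is the pattern the screenshots in this thread show.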