OPNsense Forum
English Forums => General Discussion => Topic started by: jojothehumanmonkey on May 08, 2021, 05:19:43 pm
-
hello and thanks,
using opnsense as a home router and working great.
i did a netscan from the internet and noticed that ports such as smtp are `filtered`, not closed.
i am sure there is a logic to that approach but would it not be better to have unused ports closed, to just drop the packets and not reply at all?
thanks much,
jojo
-
Usually, filtered means that the packet is silently dropped (no response from target).
Closed means that the server replies with RST flag set.
-
thanks,
are you sure about that?
if a door is closed, and someone knocks on it.
if i do not open the door, it is closed.
if i ask 'who is there' and ignore the knocker, then that is filtered.
so is this website wrong?
http://www.ipv6scanner.com/cgi-bin/main.py
OPEN An application is listening for connections on that port.
CLOSED No application listening on that port.
FILTERED The port is blocked by firewall or other network obstacle.
-
thanks.
just now i added a firewall rule to block telnet from wan
i have tried several online scanners and they all say the port is filtered, not closed or blocked
-
UDP or TCP scan?
-
tcp scan
for example,
https://hackertarget.com/nmap-online-port-scanner/
thanks,
-
But when you say you created a block rule (which happens always when you're not allowing stuff), then filtered is the correct answer.
Maybe you could try to switch your block rule to a drop rule.
-
thanks.
from https://www.ipfingerprints.com/portscan.php
i get `23/tcp open|filtered telnet`
as per the opnsense firewall gui, there is no `drop`,
only `pass, block, reject`, where block = `block the packet is dropped silently`.
sorry but i am confused about the terminology.
perhaps filtered is the same as blocked?
-
Reject will send a RST back.
-
so is this website wrong?
http://www.ipv6scanner.com/cgi-bin/main.py
OPEN An application is listening for connections on that port.
CLOSED No application listening on that port.
FILTERED The port is blocked by firewall or other network obstacle.
No, but there's often a common misunderstanding of the scanning results.
Basically there are lots of scanning techniques that are used for fingerprinting the target machine: https://nmap.org/book/man-port-scanning-techniques.html
They rely on the design of the TCP/IP stack of the target. In the case of online scanners, the TCP SYN scan is commonly in use. What the non-firewalled OS does upon receiving a SYN is respond with a RST to indicate that there's no service listening on the particular port.
-
This is just about terminology. 'Pass' -> 'open', 'Block' -> 'filtered', 'Reject' -> 'closed'. The 'Default deny rule' blocks anything, so you normally don't have to create 'Block' rules on the WAN.
Cheers
Maurice
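To make the terminology in this thread concrete, here is an added example (not code from the thread or from OPNsense) that models the two halves of the explanation above: what a pf-style 'pass' / 'block' / 'reject' action sends back for a TCP SYN probe, and how a scanner turns that response into nmap's 'open' / 'closed' / 'filtered' states. It also goes one step beyond the thread: for probe types that an open port ignores by design (FIN/NULL/Xmas), silence is ambiguous and nmap reports 'open|filtered', which is the only way the `23/tcp open|filtered` line from ipfingerprints can arise; the assumption that that site used such a probe is mine. The ruleset, the listening ports and the response values are all constructed for the example; nothing here touches the network.

```python
"""Model of what an internet port scanner sees behind a pf-style firewall.

Constructed example: the firewall ruleset, the listening ports and the
probe/response names are made up for illustration; no packets are sent.
"""

# Responses a scanner can observe for a single TCP probe.
SYN_ACK = "SYN/ACK"    # a service completed the handshake
RST = "RST"            # the stack (or a 'reject' rule) refused it
NO_RESPONSE = None     # packet silently dropped ('block')

# Actions as named in the OPNsense firewall GUI.
PASS, BLOCK, REJECT = "pass", "block", "reject"


def first_match(rules, port, default=BLOCK):
    """Return the action of the first rule matching `port`.

    Rules are (action, port) pairs; port None matches any port.
    GUI rules are 'quick' by default, so the first match wins, and the
    implicit default-deny rule applies when nothing matches.
    """
    for action, rule_port in rules:
        if rule_port is None or rule_port == port:
            return action
    return default


def respond(rules, listening, port, probe="SYN"):
    """What the target sends back for one probe to `port`.

    Mirrors the thread: a blocked packet gets no reply, a rejected one
    gets RST, and a passed packet reaches the OS, which answers SYN/ACK
    if something listens and RST otherwise. For FIN/NULL/Xmas probes an
    open port stays silent (RFC 793), so only closed ports answer.
    """
    action = first_match(rules, port)
    if action == BLOCK:
        return NO_RESPONSE
    if action == REJECT:
        return RST
    # action == PASS: the packet reaches the TCP stack
    if port in listening:
        return SYN_ACK if probe == "SYN" else NO_RESPONSE
    return RST


def classify(response, probe="SYN"):
    """Map one observed response to an nmap-style port state."""
    if response == SYN_ACK:
        return "open"
    if response == RST:
        return "closed"
    # Silence: unambiguous for SYN (a listener would have answered),
    # ambiguous for probes that open ports ignore by design.
    return "filtered" if probe == "SYN" else "open|filtered"


def scan(rules, listening, ports, probe="SYN"):
    """Simulate scanning `ports` and return {port: state}."""
    return {p: classify(respond(rules, listening, p, probe), probe)
            for p in ports}


def thread_scenario():
    """The home-router case from the thread, with constructed values:
    only HTTPS listens on the box; telnet (23) and smtp (25) do not."""
    listening = {443}
    ports = [23, 25, 443]
    return {
        # nothing matches -> implicit default deny -> everything 'filtered'
        "default deny": scan([], listening, ports),
        # an explicit reject for telnet turns it into 'closed'
        "reject telnet": scan([(REJECT, 23)], listening, ports),
        # no firewall: the OS itself answers, RST where nothing listens
        "pass all": scan([(PASS, None)], listening, ports),
        # a FIN probe against the same unfirewalled box
        "pass all, FIN probe": scan([(PASS, None)], listening, ports, probe="FIN"),
    }


if __name__ == "__main__":
    for name, report in thread_scenario().items():
        print(f"{name}:")
        for port, state in report.items():
            print(f"  {port}/tcp {state}")
```

Running it shows why the thread's block rule could never produce 'closed': only a RST does that, and the default-deny rule never sends one. Adding an explicit block rule on WAN therefore changes nothing, exactly as Maurice says, while switching the rule to reject flips the port to 'closed'.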