[NMAP] - Showing some ports as open (running scan on external network)

Started by sergiy0, September 03, 2024, 04:02:18 PM

Million-dollar question: does a floating allow rule open a port? If YES, then the rest of the post is useless ^^

Description of Issue
nmap scan to check for possibly open ports:

Discovered open port 22/tcp on ###### (WAN IP)
Discovered open port 80/tcp on ###### (WAN IP)
Discovered open port 53/tcp on ###### (WAN IP)
Discovered open port 443/tcp on ###### (WAN IP)
Discovered open port 5353/tcp on ###### (WAN IP)

Note: enabling my GEOIP rules shows the same ports as 'filtered', but with them disabled the ports are 'open' instead of 'closed'. WHY?


  • Firewall > NAT > Port Forward > IS EMPTY
  • Firewall > NAT > Outbound > some rules created for Tailscale as follows:


Steps to Reproduce the Issue
nmap -p - -T4 -A -v -Pn WAN-IP

Expected Outcomes

  • When disabling my custom FW rules (to let nmap scan all ports), all ports should be 'closed' instead of some showing as 'open'.

Are you scanning your WAN address from inside your network or from the Internet over a different uplink?

Scanning from inside will not work, or rather will not give the correct and desired results. If e.g. SSH is allowed on LAN, scanning port 22 from LAN will result in "open", even if the target is the "WAN address".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 03, 2024, 04:39:40 PM
Are you scanning your WAN address from inside your network or from the Internet over a different uplink?

Scanning from inside will not work, or rather will not give the correct and desired results. If e.g. SSH is allowed on LAN, scanning port 22 from LAN will result in "open", even if the target is the "WAN address".

Hey Patrick,

As stated in the title, the tests are being performed from an external network with the Tailscale agent disconnected.

Please show the rules at

Firewall > Rules > WAN
Firewall > NAT > Port forwarding


I think I figured out what's happening.

As the default in OPNsense is to block, aka 'filter', that is why when doing an nmap scan I see the ports as 'filtered' and not as 'closed'.

Now, if I set a test rule for the nmap scan with 'reject', I finally see the port as 'closed'.

The thing I don't understand is why, if I create a rule allowing traffic to 80 TCP, the port seems to be opened automatically without touching port forwarding at all...

There's the OPNsense UI listening on 80, so with an allow rule in place a connect can happen.

Quote from: Patrick M. Hausen on September 03, 2024, 10:11:04 PM
There's the OPNsense UI listening on 80, so with an allow rule in place a connect can happen.

OK. Makes sense: all the ports from the first post are open because OPNsense is using 22 for SSH, 80/443 for the web UI, and 53/5353 for DNS.

I thought it was mandatory to add those ports in NAT > Port forwarding to keep them open. I didn't know a FW rule is enough to open a port on WAN...
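The three nmap verdicts discussed in this thread come straight from how the target answers a TCP handshake, which is what a firewall rule action controls. The following is an added example (it is not code from the thread, from OPNsense or from nmap): a minimal TCP connect scan, the same probe as `nmap -sT`, run against a local listener on 127.0.0.1 so it works offline, together with an assumed mapping from each verdict to the pf rule action on an OPNsense WAN that produces it. The listener stands in for a daemon on the firewall itself (web UI, sshd, Unbound); the hostnames, ports and the `PF_ACTION_FOR_STATE` table are assumptions for illustration.

```python
# Added example, not code from the thread, OPNsense or nmap: a TCP connect
# scan (what `nmap -sT` does) classifying ports as nmap would, plus the
# pf rule action on an OPNsense WAN assumed to produce each state.
import socket
import threading

# Assumed mapping of an inbound SYN on WAN to the nmap verdict:
#   pass          -> kernel completes the handshake if a daemon listens -> "open"
#   block drop    -> SYN silently discarded, scanner times out          -> "filtered"
#   block return  -> pf answers with RST                                 -> "closed"
# Note that "open" needs no port forward: a pass rule plus a local listener is enough.
PF_ACTION_FOR_STATE = {
    "open": "pass in on WAN (a daemon on the firewall answers; no port forward involved)",
    "filtered": "block drop (the OPNsense default block)",
    "closed": "block return (a 'reject' rule)",
}


def probe(host, port, timeout=1.0):
    """Classify one TCP port from the outcome of a full connect()."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"        # SYN/ACK came back: something is listening
    except ConnectionRefusedError:
        return "closed"      # RST came back: host reachable, nothing listening
    except socket.timeout:
        return "filtered"    # no answer at all: dropped somewhere on the path
    except OSError:
        return "filtered"    # ICMP unreachable and friends; nmap reports those as filtered too
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Probe every port in `ports` and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


class Listener:
    """Tiny accept loop standing in for a daemon such as the firewall's web UI."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))  # port 0: let the kernel pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
                conn.close()
            except OSError:
                break  # listening socket was shut down

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wake the blocked accept()
        except OSError:
            pass
        self.sock.close()


def free_port(host="127.0.0.1"):
    """Reserve and immediately release a port so that nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one listening and one unused loopback port; return both verdicts."""
    listener = Listener()          # constructed stand-in for a service on the firewall
    unused = free_port()
    try:
        results = scan("127.0.0.1", [listener.port, unused])
    finally:
        listener.close()
    return {"listening": results[listener.port], "unused": results[unused]}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state} -> {PF_ACTION_FOR_STATE[state]}")
```

Run it with `python3` and it reports the listening port as open and the unused one as closed, the two states an nmap run against a WAN sees once a pass rule or a reject rule matches; the filtered branch only triggers when the probe times out, which is exactly what the default block does to a scanner from the Internet. To reproduce the thread's observation, point `scan()` at the WAN address from an outside uplink and compare the result with and without the pass rule for port 80.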