[NMAP] - Showing some ports as open (running scan on external network)

[sergiy0]

Million dollar question: a floating allowing rule does open a port? If YES, then the rest of the post is useless ^^

Description of Issue
nmap scan to check possible opened ports:

Discovered open port 22/tcp on ###### (WAN IP)
Discovered open port 80/tcp on ###### (WAN IP)
Discovered open port 53/tcp on ###### (WAN IP)
Discovered open port 443/tcp on ###### (WAN IP)
Discovered open port 5353/tcp on ###### (WAN IP)

Note: enabling my GEOIP rules show the same ports as 'filtered' but disabling them ports are 'open' instead of 'close'. WHY?

• Firewall > NAT > Port Forward > IS EMPTY
• Firewall > NAT > Outbound > some rules created for Tailscale as follows:

Steps to Reproduce the Issue

Code: [Select]

nmap -p - -T4 -A -v -Pn WAN-IP
Expected Outcomes

• When disabling my custom FW rules (to let nmap scan all ports) all ports should be 'closed' instead of showing some 'open'.

[Patrick M. Hausen]

Are you scanning your WAN address from inside your network or from the Internet over a different uplink?

Scanning from inside will not work, respectively not give the correct and desired results. If e.g. SSH is allowed on LAN, scanning port 22 from LAN will result in "open", even if the target is "WAN address".

[sergiy0]

Are you scanning your WAN address from inside your network or from the Internet over a different uplink?

Scanning from inside will not work, respectively not give the correct and desired results. If e.g. SSH is allowed on LAN, scanning port 22 from LAN will result in "open", even if the target is "WAN address".

Hey Patrick,

As told in the title, tests are being performed over an external network with tailscale agent disconnected.

[Patrick M. Hausen]

Please show the rules at

Firewall > Rules > WAN
Firewall > NAT > Port forwarding

[sergiy0]

Please show the rules at

Firewall > Rules > WAN
Firewall > NAT > Port forwarding

[sergiy0]

I think I figured out what's happening.

As the default in OPNsense is to block aka 'filter' is why when doing an nmap I see the ports as 'filtered' and not as 'closed'.



Now if setting a test rule for nmap scan with 'reject' I finally see the port as 'closed'






The thing I don't understand is why if I create a rule allowing traffic to 80 TCP then the port seems to be automatically opened without touching port forwarding at all...

[Patrick M. Hausen]

There's the OPNsense UI listening on 80, so with an allow rule in place a connect can happen.

[sergiy0]

There's the OPNsense UI listening on 80, so with an allow rule in place a connect can happen.

OK. Make sense all the ports from first post are opened because opnsense using 22 for ssh, 80/443 for web ui, 53/5353 for DNS.

I thought it was mandatory to add those ports in NAT > Port forwarding to keep them Open. Didn't know a FW rule is enough to open a port through WAN...