Why so many open ports ?

zimbodel
Posts: 20
Joined: October 1st, 2018, 10:58 pm

Why so many open ports ?

Post by zimbodel » October 2nd, 2018, 4:06 pm

I installed IPFire as I cannot continue with IPCop, which I used for years; it is now discontinued. However, after installation of IPFire, I find a LOT of open ports on the RED interface when doing a zenmap intense scan over all ports from a computer on the RED network side against the IPFire firewall.

This is a default IPFire installation from the newest IPFire I downloaded yesterday.

The open ports on the RED interface were found as follows.
Discovered open port 53/tcp on 192.168.1.5
Discovered open port 444/tcp on 192.168.1.5
Discovered open port 1013/tcp on 192.168.1.5
Discovered open port 81/tcp on 192.168.1.5

In more detail:

53/tcp open domain
81/tcp open http Apache httpd
444/tcp open ssl/http Apache httpd
1013/tcp open http Apache httpd

Clearly these seem to be for the administration webpage, but they definitely should not be accessible on the RED interface, as everyone on the web can try to access these ports.
These (except 53) should, for security's sake, only be open on the GREEN interface.

53 can be omitted if your router does the lookup reply, as it usually does, and therefore should be closed too.

Otherwise, of serious concern is that IPFire allows the hostname (I configured it as "ipfire") to be visible on the RED interface through the certificate name!
This should be something else and not just the server hostname, as it can assist telnet/ssh attacks etc. on RED once the hostname has been disclosed.

ssl-cert: Subject: commonName=ipfire
| Issuer: commonName=ipfire


Here are the details of the portscan I did on the RED interface.
---------------------------------------------------------------------------------------------------------------
Starting Nmap 7.01 ( https://nmap.org ) at 2018-10-01 18:06 EDT
NSE: Loaded 132 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
Initiating NSE at 18:06
Completed NSE at 18:06, 0.00s elapsed
Initiating Ping Scan at 18:06
Scanning 192.168.1.5 [4 ports]
Completed Ping Scan at 18:06, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:06
Completed Parallel DNS resolution of 1 host. at 18:06, 0.04s elapsed
Initiating SYN Stealth Scan at 18:06
Scanning 192.168.1.5 [65535 ports]
Discovered open port 53/tcp on 192.168.1.5
Increasing send delay for 192.168.1.5 from 0 to 5 due to 285 out of 711 dropped probes since last increase.
Increasing send delay for 192.168.1.5 from 5 to 10 due to 247 out of 616 dropped probes since last increase.
SYN Stealth Scan Timing: About 4.04% done; ETC: 18:19 (0:12:15 remaining)
SYN Stealth Scan Timing: About 6.52% done; ETC: 18:22 (0:14:35 remaining)
SYN Stealth Scan Timing: About 8.98% done; ETC: 18:23 (0:15:23 remaining)
SYN Stealth Scan Timing: About 12.49% done; ETC: 18:25 (0:16:14 remaining)
SYN Stealth Scan Timing: About 26.33% done; ETC: 18:27 (0:15:18 remaining)
Discovered open port 444/tcp on 192.168.1.5
SYN Stealth Scan Timing: About 32.71% done; ETC: 18:28 (0:14:14 remaining)
SYN Stealth Scan Timing: About 38.42% done; ETC: 18:28 (0:13:10 remaining)
SYN Stealth Scan Timing: About 43.91% done; ETC: 18:28 (0:12:05 remaining)
SYN Stealth Scan Timing: About 49.41% done; ETC: 18:28 (0:10:58 remaining)
SYN Stealth Scan Timing: About 54.68% done; ETC: 18:28 (0:09:53 remaining)
SYN Stealth Scan Timing: About 59.95% done; ETC: 18:28 (0:08:46 remaining)
SYN Stealth Scan Timing: About 65.23% done; ETC: 18:28 (0:07:38 remaining)
SYN Stealth Scan Timing: About 70.50% done; ETC: 18:28 (0:06:30 remaining)
SYN Stealth Scan Timing: About 75.55% done; ETC: 18:28 (0:05:24 remaining)
SYN Stealth Scan Timing: About 80.61% done; ETC: 18:28 (0:04:17 remaining)
SYN Stealth Scan Timing: About 85.66% done; ETC: 18:29 (0:03:10 remaining)
SYN Stealth Scan Timing: About 90.71% done; ETC: 18:29 (0:02:04 remaining)
SYN Stealth Scan Timing: About 95.77% done; ETC: 18:29 (0:00:56 remaining)
Discovered open port 1013/tcp on 192.168.1.5
Discovered open port 81/tcp on 192.168.1.5
Completed SYN Stealth Scan at 18:33, 1595.02s elapsed (65535 total ports)
Initiating Service scan at 18:33
Scanning 4 services on 192.168.1.5
Completed Service scan at 18:33, 17.09s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.1.5
Retrying OS detection (try #2) against 192.168.1.5
Retrying OS detection (try #3) against 192.168.1.5
Retrying OS detection (try #4) against 192.168.1.5
Retrying OS detection (try #5) against 192.168.1.5
Initiating Traceroute at 18:33
Completed Traceroute at 18:33, 0.01s elapsed
Initiating Parallel DNS resolution of 1 host. at 18:33
Completed Parallel DNS resolution of 1 host. at 18:33, 0.04s elapsed
NSE: Script scanning 192.168.1.5.
Initiating NSE at 18:33
Completed NSE at 18:34, 8.83s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Nmap scan report for 192.168.1.5
Host is up (0.00054s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain
81/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: 49261D719D1FBD6703FF78C03D1E516E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
|_http-title: Did not follow redirect to https://192.168.1.5:444/index.cgi
444/tcp open ssl/http Apache httpd
|_http-favicon: Unknown favicon MD5: 49261D719D1FBD6703FF78C03D1E516E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache
| http-title: 400 Bad Request
|_Requested resource was /cgi-bin/index.cgi
| ssl-cert: Subject: commonName=ipfire
| Issuer: commonName=ipfire
| Public Key type: ec
| Public Key bits: 384
| Signature Algorithm: ecdsa-with-SHA256
| Not valid before: 2018-10-01T21:55:06
| Not valid after: 4756-08-27T21:55:06
| MD5: e5a1 bd6a 7d69 194d f00e 8adf 7857 85b4
|_SHA-1: 5854 01db 9773 a33e 41ad 74dc 785a ae58 992f 9396
1013/tcp open http Apache httpd
|_http-favicon: Unknown favicon MD5: 49261D719D1FBD6703FF78C03D1E516E
|_http-server-header: Apache
|_http-title: 500 Internal Server Error
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.01%E=4%D=10/1%OT=53%CT=1%CU=43629%PV=Y%DS=1%DC=T%G=Y%TM=5BB2A0D
OS:F%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10F%TS=A)SEQ(SP=FF%GCD=1%ISR
OS:=10F%II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4
OS:ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W
OS:5=7120%W6=7120)ECN(R=Y%DF=N%T=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=N
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=
OS:G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 4.293 days (since Thu Sep 27 11:32:25 2018)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

TRACEROUTE (using port 25/tcp)
HOP RTT ADDRESS
1 0.37 ms 192.168.1.5

NSE: Script Post-scanning.
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Initiating NSE at 18:34
Completed NSE at 18:34, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1636.66 seconds
Raw packets sent: 132947 (5.859MB) | Rcvd: 130135 (5.215MB)

Deepcuts
Posts: 461
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: Why so many open ports ?

Post by Deepcuts » October 2nd, 2018, 9:50 pm

I replied to another post of yours which you seem to have deleted.

You messed up something in your WUI setup.
By default, no ports are open on red.
Start from scratch I would say.

zimbodel
Posts: 20
Joined: October 1st, 2018, 10:58 pm

Re: Why so many open ports ?

Post by zimbodel » October 2nd, 2018, 10:07 pm

I didn't delete the post; it was deleted by a moderator or such for strange reasons.
The post is still in my control panel, but someone wiped it off the forum with only a guest entry remaining with a 1969 datestamp. I can't do that.
Very curious that about half an hour after I posted this initially, the entire IPFire website was unavailable for hours.

Already repeated the installation twice.
Either my download has been tampered with or there is a real problem with IPFire.

That is why I post the open ports because I exhausted all configuration options during install.

What exactly can I mess up during the install?
No way to configure the webserver to be only available on GREEN.

Did you run nmap against all 65536 ports of your ipfire box from the RED network with an intensive scan ?
I think you might be surprised. The online scanners are not going to show what nmap/zenmap does.

It clearly looks like the web admin is intended to be visible from the RED network... not a good thing.

Deepcuts
Posts: 461
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: Why so many open ports ?

Post by Deepcuts » October 2nd, 2018, 11:04 pm

I said in WUI setup not during install.
WUI=WebUserInterface

From an external host:

nmap -v -A 188.25.43.106

Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-03 01:55 EEST
NSE: Loaded 110 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 01:55
Scanning 188.25.43.106 (188.25.43.106) [4 ports]
Completed Ping Scan at 01:55, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:55
Completed Parallel DNS resolution of 1 host. at 01:55, 0.00s elapsed
Initiating SYN Stealth Scan at 01:55
Scanning 188.25.43.106 (188.25.43.106) [1000 ports]
Completed SYN Stealth Scan at 01:55, 21.06s elapsed (1000 total ports)
Initiating Service scan at 01:55
Initiating OS detection (try #1) against 188.25.43.106 (188.25.43.106)
Retrying OS detection (try #2) against 188.25.43.106 (188.25.43.106)
Initiating Traceroute at 01:55
Completed Traceroute at 01:55, 0.02s elapsed
Initiating Parallel DNS resolution of 5 hosts. at 01:55
Completed Parallel DNS resolution of 5 hosts. at 01:55, 0.13s elapsed
NSE: Script scanning 188.25.43.106.
Initiating NSE at 01:55
Completed NSE at 01:55, 0.00s elapsed
Nmap scan report for 188.25.43.106 (188.25.43.106)
Host is up (0.0028s latency).
rDNS record for 188.25.43.106: 188-25-43-106.rdsnet.ro
All 1000 scanned ports on 188.25.43.106 (188.25.43.106) are filtered
Too many fingerprints match this host to give specific OS details
Network Distance: 5 hops

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.51 seconds
           Raw packets sent: 2056 (94.036KB) | Rcvd: 25 (2.152KB)

Also a syn scan:

nmap -sS -O 188.25.43.106

Starting Nmap 6.40 ( http://nmap.org ) at 2018-10-03 02:01 EEST
Nmap scan report for 188.25.43.106 (188.25.43.106)
Host is up (0.0025s latency).
rDNS record for 188.25.43.106: 188-25-43-106.rdsnet.ro
All 1000 scanned ports on 188.25.43.106 (188.25.43.106) are filtered
Too many fingerprints match this host to give specific OS details

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.07 seconds

As you can see, zero (0) ports open on the 1st 1000 ports.
Conclusion: you are doing something terribly wrong. What I cannot say.

zimbodel
Posts: 20
Joined: October 1st, 2018, 10:58 pm

Re: Why so many open ports ?

Post by zimbodel » October 2nd, 2018, 11:11 pm

Scanning the first 1000 ports is not really an intense scan.
I will post the nmap scan you must use.
Here it is:
nmap -p 1-65535 -T4 -A -v
AND DO IT DIRECTLY ON YOUR IPFIRE RED INTERFACE, not through your router. Your router blocks ports.

Also, the IP address you scanned is that of your ROUTER on the web and not directly the RED interface of your firewall, which will be a DHCP address from your router in the 10. or 192. domains. You scanned from the WEB!! See the whois of the IP you used; it is clearly resolving on the web!! NOT a valid scan.
You obviously used a WEB-based nmap (which explains the 1000 ports only). This will not work. Use a Linux laptop, configure it to serve DHCP and connect it straight to your IPFire RED ethernet. That way you test only the IPFire firewall. What you posted above is not a test. You basically tested the Router!

You will have to use a Linux laptop and connect it to your router by DHCP so that you can directly access the IpFire firewall on the RED interface.
Your router is blocking the ports that are open on ipfire.


$] whois 188.25.43.106
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '188.25.0.0 - 188.25.255.255'

% Abuse contact for '188.25.0.0 - 188.25.255.255' is 'abuse@rcs-rds.ro'

inetnum: 188.25.0.0 - 188.25.255.255
netname: RO-RESIDENTIAL
descr: RCS & RDS Residential
descr: City: Bucuresti
country: RO
admin-c: RDS-RIPE
tech-c: RDS-RIPE
tech-c: RDS2012-RIPE
status: ASSIGNED PA
mnt-by: AS8708-MNT
mnt-lower: AS8708-MNT
created: 2012-11-09T16:12:14Z
last-modified: 2013-10-03T10:47:27Z
source: RIPE # Filtered




Anyway,
If a user installs Ipfire from scratch without configuring with the Web interface, which ports will be open on RED ?

User avatar
Deepcuts
Posts: 461
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: Why so many open ports ?

Post by Deepcuts » October 2nd, 2018, 11:52 pm

Dear, no need for capital letters.
IPFire is my router.
I see no reason to use an extra router in front of my IPFire.

I think you should stick to using a plain old commercial router of your choosing.

zimbodel
Posts: 20
Joined: October 1st, 2018, 10:58 pm

Re: Why so many open ports ?

Post by zimbodel » October 2nd, 2018, 11:59 pm

IPFire is your router, right? Regardless, I don't think you know anything about security.
You need to test your firewall one-on-one from a laptop connected straight to your RED interface if you are serious about security, not by the 1000-port-limited online scanners.
That is really dangerous.

It is pretty clear.
Thanks for the reply anyway.

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: Why so many open ports ?

Post by ummeegge » October 3rd, 2018, 9:19 am

Hi all,
scanned from an IPFire machine to another IPFire machine from/to the red0 subnet:
Infrastructure:
IPFire nmap scanner = 192.168.223.2 ---- IPFire victim = 192.168.223.3

nmap -p0-65535 -sS -sU -T4 -v 192.168.223.3

Result for UDP and TCP and all ports, incl. aggressive/intense mode:

$ nmap -p0-65535 -sS -sU -T4 -v 192.168.223.3 
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-03 07:31 CEST
Initiating ARP Ping Scan at 07:31
Scanning 192.168.223.3 [1 port]
Completed ARP Ping Scan at 07:31, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:31
Completed Parallel DNS resolution of 1 host. at 07:31, 0.00s elapsed
Initiating SYN Stealth Scan at 07:31
Scanning 192.168.223.3 [65535 ports]
SYN Stealth Scan Timing: About 2.26% done; ETC: 07:54 (0:22:21 remaining)
SYN Stealth Scan Timing: About 5.22% done; ETC: 07:54 (0:21:11 remaining)
SYN Stealth Scan Timing: About 9.55% done; ETC: 07:53 (0:20:02 remaining)
SYN Stealth Scan Timing: About 14.34% done; ETC: 07:53 (0:18:55 remaining)
SYN Stealth Scan Timing: About 19.36% done; ETC: 07:53 (0:17:46 remaining)
SYN Stealth Scan Timing: About 24.38% done; ETC: 07:53 (0:16:39 remaining)
SYN Stealth Scan Timing: About 29.39% done; ETC: 07:53 (0:15:32 remaining)
SYN Stealth Scan Timing: About 34.41% done; ETC: 07:53 (0:14:25 remaining)
SYN Stealth Scan Timing: About 39.43% done; ETC: 07:53 (0:13:19 remaining)
SYN Stealth Scan Timing: About 44.44% done; ETC: 07:53 (0:12:13 remaining)
SYN Stealth Scan Timing: About 49.46% done; ETC: 07:53 (0:11:06 remaining)
SYN Stealth Scan Timing: About 54.48% done; ETC: 07:53 (0:10:00 remaining)
SYN Stealth Scan Timing: About 59.50% done; ETC: 07:53 (0:08:54 remaining)
SYN Stealth Scan Timing: About 64.51% done; ETC: 07:53 (0:07:48 remaining)
SYN Stealth Scan Timing: About 69.53% done; ETC: 07:53 (0:06:41 remaining)
SYN Stealth Scan Timing: About 74.77% done; ETC: 07:53 (0:05:32 remaining)
SYN Stealth Scan Timing: About 80.02% done; ETC: 07:53 (0:04:23 remaining)
SYN Stealth Scan Timing: About 85.26% done; ETC: 07:53 (0:03:14 remaining)
SYN Stealth Scan Timing: About 90.28% done; ETC: 07:53 (0:02:08 remaining)
SYN Stealth Scan Timing: About 95.29% done; ETC: 07:53 (0:01:02 remaining)
Completed SYN Stealth Scan at 07:53, 1316.81s elapsed (65535 total ports)
Initiating UDP Scan at 07:53
Scanning 192.168.223.3 [65535 ports]
UDP Scan Timing: About 2.27% done; ETC: 08:16 (0:22:16 remaining)
UDP Scan Timing: About 5.23% done; ETC: 08:16 (0:21:07 remaining)
UDP Scan Timing: About 9.80% done; ETC: 08:15 (0:19:57 remaining)
UDP Scan Timing: About 14.81% done; ETC: 08:15 (0:18:47 remaining)
UDP Scan Timing: About 19.83% done; ETC: 08:15 (0:17:39 remaining)
UDP Scan Timing: About 24.84% done; ETC: 08:15 (0:16:32 remaining)
UDP Scan Timing: About 29.86% done; ETC: 08:15 (0:15:26 remaining)
UDP Scan Timing: About 34.88% done; ETC: 08:15 (0:14:19 remaining)
UDP Scan Timing: About 39.89% done; ETC: 08:15 (0:13:12 remaining)
UDP Scan Timing: About 45.14% done; ETC: 08:15 (0:12:03 remaining)
UDP Scan Timing: About 50.15% done; ETC: 08:15 (0:10:57 remaining)
UDP Scan Timing: About 55.17% done; ETC: 08:15 (0:09:51 remaining)
UDP Scan Timing: About 60.18% done; ETC: 08:15 (0:08:45 remaining)
UDP Scan Timing: About 65.20% done; ETC: 08:15 (0:07:38 remaining)
UDP Scan Timing: About 70.44% done; ETC: 08:15 (0:06:29 remaining)
UDP Scan Timing: About 75.69% done; ETC: 08:15 (0:05:20 remaining)
UDP Scan Timing: About 80.71% done; ETC: 08:15 (0:04:14 remaining)
UDP Scan Timing: About 85.72% done; ETC: 08:15 (0:03:08 remaining)
UDP Scan Timing: About 90.73% done; ETC: 08:15 (0:02:02 remaining)
UDP Scan Timing: About 95.75% done; ETC: 08:15 (0:00:56 remaining)
Completed UDP Scan at 08:15, 1316.92s elapsed (65535 total ports)
Nmap scan report for 192.168.223.3
Host is up (0.00071s latency).
All 131070 scanned ports on 192.168.223.3 are filtered (65535) or open|filtered (65535)
MAC Address: 00:30:18:AA:50:55 (Jetway Information)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2634.56 seconds
           Raw packets sent: 262141 (9.443MB) | Rcvd: 92 (9.477KB)

Second try with a few more options:

nmap -Pn -sS -sV --version-all --reason -v -A -O --osscan-guess -p0-65535 192.168.223.3

Results:

$ nmap -Pn -sS -sV --version-all --reason -v -A -O --osscan-guess -p0-65535 192.168.223.3  
Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-03 08:33 CEST
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 08:33
Completed NSE at 08:33, 0.00s elapsed
Initiating NSE at 08:33
Completed NSE at 08:33, 0.00s elapsed
Initiating ARP Ping Scan at 08:33
Scanning 192.168.223.3 [1 port]
Completed ARP Ping Scan at 08:33, 0.22s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:33
Completed Parallel DNS resolution of 1 host. at 08:33, 0.00s elapsed
Initiating SYN Stealth Scan at 08:33
Scanning 192.168.223.3 [65536 ports]
SYN Stealth Scan Timing: About 2.23% done; ETC: 08:57 (0:22:40 remaining)
SYN Stealth Scan Timing: About 4.74% done; ETC: 08:56 (0:21:27 remaining)
SYN Stealth Scan Timing: About 8.84% done; ETC: 08:56 (0:20:17 remaining)
SYN Stealth Scan Timing: About 13.63% done; ETC: 08:56 (0:19:07 remaining)
SYN Stealth Scan Timing: About 18.64% done; ETC: 08:56 (0:17:58 remaining)
SYN Stealth Scan Timing: About 23.65% done; ETC: 08:56 (0:16:50 remaining)
SYN Stealth Scan Timing: About 28.66% done; ETC: 08:56 (0:15:43 remaining)
SYN Stealth Scan Timing: About 33.68% done; ETC: 08:56 (0:14:36 remaining)
SYN Stealth Scan Timing: About 38.70% done; ETC: 08:56 (0:13:30 remaining)
SYN Stealth Scan Timing: About 43.71% done; ETC: 08:55 (0:12:23 remaining)
SYN Stealth Scan Timing: About 48.72% done; ETC: 08:55 (0:11:17 remaining)
SYN Stealth Scan Timing: About 53.74% done; ETC: 08:55 (0:10:10 remaining)
SYN Stealth Scan Timing: About 58.75% done; ETC: 08:55 (0:09:04 remaining)
SYN Stealth Scan Timing: About 63.77% done; ETC: 08:55 (0:07:58 remaining)
SYN Stealth Scan Timing: About 68.78% done; ETC: 08:55 (0:06:52 remaining)
SYN Stealth Scan Timing: About 73.79% done; ETC: 08:55 (0:05:46 remaining)
SYN Stealth Scan Timing: About 78.80% done; ETC: 08:55 (0:04:39 remaining)
SYN Stealth Scan Timing: About 84.05% done; ETC: 08:55 (0:03:30 remaining)
SYN Stealth Scan Timing: About 89.29% done; ETC: 08:55 (0:02:21 remaining)
SYN Stealth Scan Timing: About 94.31% done; ETC: 08:55 (0:01:15 remaining)
Completed SYN Stealth Scan at 08:55, 1317.49s elapsed (65536 total ports)
Initiating Service scan at 08:55
Initiating OS detection (try #1) against 192.168.223.3
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:33282 FPU ttl=58 id=51739 iplen=60  seq=3934745727 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:33282 FPU ttl=49 id=28157 iplen=60  seq=3934745727 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:33282 FPU ttl=45 id=7801 iplen=60  seq=3934745727 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:33282 FPU ttl=37 id=51448 iplen=60  seq=3934745727 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
Retrying OS detection (try #2) against 192.168.223.3
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:39755 FPU ttl=55 id=46407 iplen=60  seq=1309874112 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:39755 FPU ttl=59 id=44108 iplen=60  seq=1309874112 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:39755 FPU ttl=37 id=46393 iplen=60  seq=1309874112 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
sendto in send_ip_packet_sd: sendto(6, packet, 60, 0, 192.168.223.3, 16) => Operation not permitted
Offending packet: TCP 192.168.223.2:33807 > 192.168.223.3:39755 FPU ttl=54 id=44580 iplen=60  seq=1309874112 win=65535 <wscale 15,nop,mss 265,timestamp 4294967295 0,sackOK>
NSE: Script scanning 192.168.223.3.
Initiating NSE at 08:56
Completed NSE at 08:56, 0.01s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Nmap scan report for 192.168.223.3
Host is up, received arp-response (0.00070s latency).
All 65536 scanned ports on 192.168.223.3 are filtered because of 65536 no-responses
MAC Address: 00:30:18:AA:50:55 (Jetway Information)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.223.3

NSE: Script Post-scanning.
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Initiating NSE at 08:56
Completed NSE at 08:56, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1325.12 seconds
           Raw packets sent: 131110 (5.773MB) | Rcvd: 59 (6.777KB)

Scanned system is a freshly installed Core 123. Some arguments in here I really do not understand; nevertheless, no open ports in here so far.

UE

P.S. Please use code tags for better reading thanks.
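An added example, not part of this thread and not IPFire's own code: a small Python script that triages the kind of nmap report traded above (the OP's full-range scan with four open and 65531 closed ports, the 1000-port scan that came back all filtered, and the combined TCP+UDP scan). It extracts the open ports, compares them with an allow-list for the scanned interface, and reports whether nmap saw "closed" ports (the target replied with TCP RST) or "filtered" ones (no reply at all), which is the difference between a stack that answers directly and a default-DROP input policy. The three sample reports are constructed here in the shape of the outputs quoted in the thread; the empty WAN allow-list and the "answering"/"silent" labels are this example's own choices, not IPFire terminology.

```python
"""Added example, not code from the IPFire project or from anyone in this thread.

Triage one host's nmap normal-output report of a firewall interface: which ports
are open, which of those are outside the interface's allow-list, and whether the
rest came back "closed" (target answered with TCP RST) or "filtered"/"open|filtered"
(no reply).  A default-DROP input policy shows as "filtered"; RSTs mean the scanned
address answers directly on that path.  Feed one host's report per call.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Port = Tuple[int, str]  # (number, "tcp" | "udp")

# nmap normal-output line shapes that carry port-state information
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\b")
_NOT_SHOWN = re.compile(r"^Not shown:\s+(\d+)\s+(closed|filtered) ports")
# "All 131070 scanned ports on X are filtered (65535) or open|filtered (65535)"
_ALL_MIXED = re.compile(r"^All (\d+) scanned ports on .+ are (\w+) \((\d+)\) or ([\w|]+) \((\d+)\)")
# "All 1000 scanned ports on X are filtered"
_ALL_ONE = re.compile(r"^All (\d+) scanned ports on .+ are (filtered|closed)")


@dataclass
class ScanSummary:
    open_ports: Set[Port] = field(default_factory=set)
    closed: int = 0         # RST received: the target answered
    filtered: int = 0       # no reply / ICMP unreachable: dropped somewhere
    open_filtered: int = 0  # unanswered UDP probe: open or dropped, nmap cannot tell

    def add_state(self, state: str, n: int = 1) -> None:
        if state == "closed":
            self.closed += n
        elif state == "filtered":
            self.filtered += n
        elif state == "open|filtered":
            self.open_filtered += n


def parse_nmap_report(text: str) -> ScanSummary:
    """Collect per-port states and the 'Not shown' / 'All N scanned ports' counters."""
    s = ScanSummary()
    for raw in text.splitlines():
        line = raw.strip()
        if m := _PORT_LINE.match(line):
            port, proto, state = int(m.group(1)), m.group(2), m.group(3)
            if state == "open":
                s.open_ports.add((port, proto))
            else:
                s.add_state(state)
        elif m := _NOT_SHOWN.match(line):
            s.add_state(m.group(2), int(m.group(1)))
        elif m := _ALL_MIXED.match(line):  # try before _ALL_ONE, which also matches this line
            s.add_state(m.group(2), int(m.group(3)))
            s.add_state(m.group(4), int(m.group(5)))
        elif m := _ALL_ONE.match(line):
            s.add_state(m.group(2), int(m.group(1)))
    return s


def assess(summary: ScanSummary, allowed: Set[Port]) -> Dict[str, object]:
    """Flag open ports outside the allow-list and classify how the target replied."""
    unexpected: List[Port] = sorted(p for p in summary.open_ports if p not in allowed)
    if summary.closed > 0:
        posture, why = "answering", (
            f"{summary.closed} ports returned RST: the scanned address answers directly; "
            "a DROP policy on this path would have shown 'filtered'.")
    elif summary.filtered or summary.open_filtered:
        posture, why = "silent", (
            f"{summary.filtered} filtered / {summary.open_filtered} open|filtered: "
            "no replies, consistent with a default-DROP input policy.")
    else:
        posture, why = "indeterminate", "no port-state summary found in the report."
    return {"open": sorted(summary.open_ports), "unexpected": unexpected,
            "posture": posture, "why": why}


# Constructed sample reports, in the shapes of the reports quoted in this thread.
SAMPLE_OPEN = """\
Nmap scan report for 192.168.1.5
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain
81/tcp open http Apache httpd
444/tcp open ssl/http Apache httpd
1013/tcp open http Apache httpd
"""
SAMPLE_FILTERED = """\
Nmap scan report for 188.25.43.106 (188.25.43.106)
All 1000 scanned ports on 188.25.43.106 (188.25.43.106) are filtered
"""
SAMPLE_MIXED = """\
Nmap scan report for 192.168.223.3
All 131070 scanned ports on 192.168.223.3 are filtered (65535) or open|filtered (65535)
"""

if __name__ == "__main__":
    wan_allowed: Set[Port] = set()  # hypothetical policy: nothing published on the WAN side
    for name, report in (("open", SAMPLE_OPEN), ("filtered", SAMPLE_FILTERED), ("mixed", SAMPLE_MIXED)):
        r = assess(parse_nmap_report(report), wan_allowed)
        print(f"{name}: posture={r['posture']} open={r['open']} unexpected={r['unexpected']}")
        print("   ", r["why"])
```

Run it against a report saved with `nmap -oN`, one host at a time. For a WAN-facing interface with nothing published, the expected result is no open ports and a "silent" posture. One caveat: a REJECT rule with a TCP reset also produces "closed", so "answering" means "something replied on this path", not "there is no firewall".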

callifo
Posts: 34
Joined: September 30th, 2013, 4:14 pm

Re: Why so many open ports ?

Post by callifo » October 3rd, 2018, 1:39 pm

Yeah, I think the OP needs to better explain what they are doing. The RED interface should definitely not be a 10., 192., 172.x address unless he is running an IPFire instance on his home network for testing (and green is now a double NAT'd subnet). IPFire would normally have the external internet-facing address assigned to its RED interface.

The open ports + the network address being scanned looks like they are scanning the GREEN interface.

zimbodel
Posts: 20
Joined: October 1st, 2018, 10:58 pm

Re: Why so many open ports ?

Post by zimbodel » October 3rd, 2018, 3:12 pm

The cable router has an internal DHCP network of 192.168 etc.
Firewall gets address from DHCP on cable router.
Nothing out of the ordinary here.

I double checked, and it is the RED interface I scanned.
If my internal network were on the RED interface I wouldn't have been able to access anything on the web, but it works normally.
Furthermore, the web interface is active on BOTH green and red after a default install.

Something isnt right with IPFire. I repeated the installation several times, same result.

Also, remember that I configured a Linux laptop as a DHCP server and connected it one-to-one to the firewall RED interface.
Same result.. open ports on RED. There is no way out of this test.

I would suggest that everyone check their firewalls like this. It is senseless to do tests from the web and is only feelgood.

zargano
Posts: 192
Joined: December 29th, 2017, 7:50 pm
Location: Nordlicht im Ländle

Re: Why so many open ports ?

Post by zargano » October 3rd, 2018, 3:33 pm

I checked my installations using an external nmap based scanner, and I could not find any open ports on the Red interface.

Regards, zargano

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Why so many open ports ?

Post by BeBiMa » October 3rd, 2018, 4:39 pm

My opinion to this thread ( and others of zimbodel ):
  • Without an exact definition of the configured network, all is just looking into a crystal ball.
  • If there are really port holes in the out-of-the-box installation, why wasn't that found before, and how can these be proved by inspection of the firewall generation code?
  • Firewall construction has undergone an intensive process of rewrite in the IPFire project. A great number (relative to the size of the devel team) of developers were involved.
  • The WUI lets one configure exceptions as mentioned in the OP. Are these possibilities used?
  • The default for the WAN interface is the ethernet interface provided by the ISP, and thus it has a public(!) IP. Any construct with two routers is an exception to the standard. Therefore it isn't easily possible to install a second device in the network of the ISP.
Sorry if this doesn't help directly. But without real proof of a possible deficiency, I haven't checked the FW code yet.
Unitymedia Cable Internet ( 32MBit )

Frank.M
Posts: 520
Joined: September 13th, 2013, 6:26 am

Re: Why so many open ports ?

Post by Frank.M » October 3rd, 2018, 4:45 pm

Router -> IPFire -> Green

My IPFire:

red0      Link encap:Ethernet  HWaddr 00:0A:CD:XX:XX:XX
          inet addr:192.168.0.164  Bcast:192.168.0.255  Mask:255.255.255.0

My notebook @ router:

root@thinkpad:/home/frank# nmap 192.168.0.164 -Pn

Starting Nmap 7.40 ( https://nmap.org ) at 2018-10-03 18:34 CEST
Nmap scan report for 192.168.0.164
Host is up (0.00035s latency).
All 1000 scanned ports on 192.168.0.164 are filtered
MAC Address: EC:A8:6B:FE:66:2E (Elitegroup Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 21.49 seconds
Nothing is open. All fine. Now scan the complete subnet:

root@thinkpad:/home/frank# nmap 192.168.0.1/24

Starting Nmap 7.40 ( https://nmap.org ) at 2018-10-03 18:35 CEST
Nmap scan report for 192.168.0.1
Host is up (0.0018s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
5000/tcp open  upnp
MAC Address: 90:5C:44:CF:39:35 (Compal Broadband Networks)

Nmap scan report for 192.168.0.164
Host is up (0.00032s latency).
All 1000 scanned ports on 192.168.0.164 are filtered
MAC Address: EC:A8:6B:XX:XX:XX (Elitegroup Computer Systems)

Nmap scan report for 192.168.0.144
Host is up (0.000014s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind

Nmap done: 256 IP addresses (3 hosts up) scanned in 201.98 seconds

So, IPFire does all right. Sorry, this thread is BS.

callifo
Posts: 34
Joined: September 30th, 2013, 4:14 pm

Re: Why so many open ports ?

Post by callifo » October 3rd, 2018, 9:45 pm

You should be bridging the cable router, otherwise you just end up with double NAT.

I've tested mine from the internet as it's using PPPoE to initiate the connection. I've tested it with a full detailed nessus scan. Nothing open but the ports I had opened (sip, openvpn, etc).

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Why so many open ports ?

Post by BeBiMa » October 3rd, 2018, 10:46 pm

Once more, I can't believe that this elementary problem exists!

The rewrite of the firewall part was tested ( and verified ) very intensively. The implementation may be not very "elegant" in all parts, but it's functioning , especially in the basics.

BTW: One goal of the redesign was to overcome the "grown structure" of the IPCop firewall source. Therefore the basic definition "allow traffic from WAN only if it is initiated from LAN (green, blue)" has been tested and verified very deeply.
