11-28-2022 08:55 AM
Hello, I assume something like this is a very well-covered topic, but I am sort of having a problem resolving the issue.
Is a port scan an actual security concern? I have 3 ports open, but the port scan is showing at least 8 open. I even did a BLOCK ACL for 21, and it still comes up as an open port. Is there a way to manually BLOCK everything except the ones I want (I assumed that was already happening)?
11-29-2022 06:14 AM
Not typically. Do you have application level rules? If so, FTD must allow SOME traffic through to determine what application is actually running over that TCP port. Port scans will show these as opens.
11-29-2022 07:39 AM
Hello
The only 2 configurations I have are NAT, which is simply associating 5 LAN IPs with my 5 STATIC [WAN] IPs with no port specifics, just NAT, and then ACLs based on PORT "to and fro" from 'outside' to 'inside LAN IP designated'.
For example, my LAN IP 192.168.5.42 server ONLY has 4 ports open: 8080, 8181, 4443 and then 22. Now, access to 8080 does lead to other ports via my NGINX server, but my FPR1010 only has those 4 ports open. Also, 192.168.5.42 is NAT'd to its correct WAN IP.
What is confusing is (1) a remote port scan shows 11 ports open, and (2) I can connect to my WAN IP (going to 192.168.5.42) on port 9000 and it lets me in!!! How?! It is not even in my FPR1010 firewall.
11-29-2022 07:53 AM
No need for an ACL.
show conn <<- if there is a conn with these ports, then the port is open.
Simply, the conn makes the FW bypass any ACL you config.
11-29-2022 08:06 AM
So you are saying if a port is opened / initiated from the Inside then it becomes open in general and bypasses ACL?
11-29-2022 08:56 AM - edited 11-29-2022 08:56 AM
Yes, it bypasses the ACL on the returning traffic.
Did you check the conn in the FW?
11-29-2022 10:04 AM - edited 11-29-2022 11:30 AM
Alright, that makes more sense. Upon looking at the conn, I see 2-3 pages of incoming and outgoing. Makes sense. But I will focus on 1 port/application specifically. I run Portainer, an application that allows me to modify/install Dockers. It runs on port 9000 internally for management. On my FW I do not have port 9000 open in any way, shape or form; I find it critical and unnerving that I, or anyone really, can connect to my WAN x.x.x.x:9000 and connect to it. It is an internal program. Just sort of freaks me out. It is "listening" on port 9000 on the LAN, but to be able to connect remotely? I do not like it.
I just want to reiterate: I have WAN x.x.x.177 to LAN 192.168.5.42. No port allowance, simply WAN to LAN NAT. I then have 4 ACLs: 8181, 8080, 4443 and 22. I just do not see how ANYTHING AT ALL is getting in on port 9000, even if it is being initiated from the inside, when it is not allowed!
I EVEN BLOCKED in-to-out and out-to-in 9000 and it STILL lets me in. Something is wrong.
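A defender-side way to act on the earlier reply (inspect the conn table instead of trusting the port scan): the script below is an added example, not from the thread, that parses constructed lines modelled on the ASA/FTD `show conn` format and reports outside-initiated connections to inside ports the thread's ACLs do not allow. The line layout, the `inside` interface name and the meaning of flag `B` (initial SYN from outside) are assumptions.

```python
import re
from dataclasses import dataclass

# Ports the thread's ACLs allow into 192.168.5.42.
ALLOWED_INBOUND = {22, 8080, 8181, 4443}

# Constructed sample lines, modelled on ASA/FTD "show conn" output (assumed layout:
# "PROTO iface addr:port iface addr:port, idle ..., bytes ..., flags ...").
SAMPLE_CONN = """\
TCP outside 203.0.113.7:51234 inside 192.168.5.42:8080, idle 0:00:03, bytes 4120, flags UIOB
TCP outside 203.0.113.7:51240 inside 192.168.5.42:9000, idle 0:00:01, bytes 380, flags UIOB
TCP outside 198.51.100.9:443 inside 192.168.5.42:40122, idle 0:00:10, bytes 9021, flags UIO
UDP outside 198.51.100.53:53 inside 192.168.5.42:50011, idle 0:00:02, bytes 140, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<a1>[\d.]+):(?P<p1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<a2>[\d.]+):(?P<p2>\d+),.*?flags\s+(?P<flags>\S+)"
)

@dataclass
class Conn:
    proto: str
    inside_addr: str
    inside_port: int
    outside_addr: str
    outside_port: int
    from_outside: bool  # assumed: flag "B" = initial SYN came from outside

def parse_conn(line, inside_iface="inside"):
    """Parse one conn line; return None if it does not match the assumed layout."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    ends = [(m["if1"], m["a1"], int(m["p1"])), (m["if2"], m["a2"], int(m["p2"]))]
    inside = next((e for e in ends if e[0] == inside_iface), None)
    outside = next((e for e in ends if e[0] != inside_iface), None)
    if inside is None or outside is None:
        return None
    return Conn(m["proto"], inside[1], inside[2], outside[1], outside[2], "B" in m["flags"])

def unexpected_inbound(text, allowed=ALLOWED_INBOUND):
    """Outside-initiated conns whose inside port is not in the allowed set."""
    hits = []
    for line in text.splitlines():
        c = parse_conn(line)
        if c and c.from_outside and c.inside_port not in allowed:
            hits.append(c)
    return hits

if __name__ == "__main__":
    for c in unexpected_inbound(SAMPLE_CONN):
        print(f"UNEXPECTED {c.proto} {c.outside_addr}:{c.outside_port} -> {c.inside_addr}:{c.inside_port}")
```

Inside-initiated conns (no `B` flag) are deliberately left out of the report, since return traffic on them is what the reply above describes as bypassing the ACL.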
11-29-2022 01:08 PM
This is my NAT and ACLs:
Rule 177test:
STATIC | inside_2outside | 177-OMV-lan | ANY | ANY | ANY | 177-WAN | ANY | ANY | ANY |
NAT is MANUAL, Before Auto NAT Rules
ACLs are like I said, from outside x.x.x.177 to inside 192.168.5.42 on 22, 8181, 8080 and 4443.
But ANYTHING I connect to on that IP is letting me in.
12-12-2022 02:42 PM
Moving this to the Firewall forum...