I was fooling around trying to learn nmap and decided to scan my personal host that is running the latest IPFire on top of a Raspberry Pi 3B+. I was shocked to see the web interface port showing through on the red interface and able to be logged into. Is there some configuration somewhere that I accidentally enabled to make that possible? How can I get that blocked? Basically, the only thing I expected to be externally accessible was OpenVPN and everything else should be blocked. My nmap results are here:
```
─$ nmap -F xxx.xxx.xxx.xxx
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-31 12:58 CDT
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.12s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
81/tcp open hosts2-ns
444/tcp open snpp
Nmap done: 1 IP address (1 host up) scanned in 2.59 seconds
```
I wonder, can it be a weird security bug? What I find striking is that in both cases both ports are open, 81 and 444, and also that in the 2020 report the OP wrote that 81 would forward to 444. Can it be a bug around those two ports?
I did see that conversation and I thought it was strikingly similar. However, I didn’t ever really see a resolution and certainly the hardware involved was significantly different.
Have you done this nmap scan from a system in the red network?
If you scan from green/blue/orange or VPN, even if you target the red IP, you get false open ports because the connection came in from the internal networks and passes the firewall.
I don’t think so. I’m on my company VPN and using the external IP address. I will retry using my Verizon Mifi device to see if I get the same results, just to be sure.
If you are on VPN, what is the endpoint of your VPN connection? A device inside or outside your IPFire?
If it is in your local net (including IPFire), your nmap scan checks from the local net, see Arne’s post.
In your diagram, device1 is inside my home network and device2 is outside. While I don’t understand why that is not a valid test, the good news is that using my Mifi device on Verizon, I get a clean nmap scan. So, it appears that my concerns were not valid.
@csete
Just for clarification.
If you use your local device, which usually uses VPN to your company, it is just a routing decision. I don’t think VPN is used for IPs reachable locally, such as the red IP of IPFire.
If you use your mifi device you are in an external network, the net of your mobile provider. So the requests from nmap really come from outside.
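The comparison the thread arrives at (same target IP, scanned once from behind the firewall and once from a genuinely external network) can be made mechanical. The following is an added example, not part of any post in the thread: it parses nmap's normal output and reports which ports are open only from the internal vantage point. `INSIDE_SCAN` repeats the port rows posted above; `OUTSIDE_SCAN` is a constructed sample of a clean scan, and the function names are hypothetical.

```python
import re

# One port row of nmap's normal output, e.g. "444/tcp open snpp".
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)[ \t]+(\S+)[ \t]+(\S+)", re.MULTILINE)

def open_ports(nmap_text):
    """Return {(port, proto): service} for rows whose state is exactly 'open'."""
    return {(int(port), proto): service
            for port, proto, state, service in PORT_ROW.findall(nmap_text)
            if state == "open"}  # 'open|filtered', 'closed' etc. are ignored

def compare_vantage(inside_text, outside_text):
    """Split findings into ports reachable from outside and internal-only ports."""
    inside, outside = open_ports(inside_text), open_ports(outside_text)
    return {
        "exposed_externally": sorted(outside),
        "internal_only": sorted(set(inside) - set(outside)),
    }

# Port rows as posted in the thread (scan that entered via an internal network).
INSIDE_SCAN = """\
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.12s latency).
Not shown: 97 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
81/tcp open hosts2-ns
444/tcp open snpp
"""

# Constructed sample: a clean scan of the same address from an external network.
OUTSIDE_SCAN = """\
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.15s latency).
All 100 scanned ports on xxx.xxx.xxx.xxx are in ignored states.
Not shown: 100 filtered tcp ports (no-response)
"""

if __name__ == "__main__":
    result = compare_vantage(INSIDE_SCAN, OUTSIDE_SCAN)
    for port, proto in result["internal_only"]:
        print(f"{port}/{proto}: open only from the internal vantage point")
    for port, proto in result["exposed_externally"]:
        print(f"{port}/{proto}: reachable from outside, review firewall rules")
```

Only the `exposed_externally` list reflects what the red interface actually offers to the internet; anything in `internal_only` was seen because the probe arrived through an internal zone.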