rlucas.net: The Next Generation

February 28th, 2011:

Why is Port 21 apparently open on my firewall?

Scenario: You set up a server somewhere on the public Internet.  You lock down its ports to the minimal subset you need using firewall(s).  Yet, somehow and for some strange reason, nmap reports that port 21 (FTP) is open on your server!  Sure enough, you do a “telnet myhost.cxm 21” and it connects!  Shit-damn, what’s going on??

Don’t bang your head against your iptables or pf or PIX or ASA config.  First, check to make sure that the environment you’re checking from behaves right.  Do a “telnet google.com 21” and see if it connects.

Some NAT setups in offices apparently try to do stateful inspection of outbound active FTP in order to rewrite the addresses/ports involved. These can intercept outbound connections on port 21, making it seem as though every host is accepting connections on that port.

Try nmap’ing or telnet’ing from an outside host directly connected to the public Internet.  And make sure that your subsequent security scans/checks come from such a host.
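The sanity check above can be scripted so that a port-21 finding is only trusted when control hosts refuse the same connection. This is an added example, not code from the original post; the function names and the `myhost.example` placeholder are hypothetical, and it assumes the control host (google.com, as in the post) does not serve FTP.

```python
import socket
import sys


def tcp_connects(host, port, timeout=3.0):
    """Return True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable, or name did not resolve.
        return False


def assess_vantage(target, controls, port=21, timeout=3.0, probe=tcp_connects):
    """Classify a port finding against control hosts expected to refuse it.

    Returns:
      "closed"          - the target does not accept connections on the port
      "suspect-vantage" - a control host also appears to accept, so something
                          on the path from this network is answering instead
      "open"            - the target accepts and every control refuses
    """
    if not probe(target, port, timeout):
        return "closed"
    answering = [c for c in controls if probe(c, port, timeout)]
    if answering:
        return "suspect-vantage"
    return "open"


if __name__ == "__main__":
    # Placeholder target; pass your own server as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "myhost.example"
    controls = ["google.com"]  # assumed not to run FTP
    print(target, "port 21:", assess_vantage(target, controls))
```

A "suspect-vantage" result means the scan should be repeated from a host outside the NAT before touching the firewall configuration.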