Solved

SonicWall rules say deny, but nmap says open open open...

Posted on 2011-03-16
Last Modified: 2012-08-13
My WAN->LAN rules on my SonicWall TZ210 are pretty simple: open 80, 443 and 3389 to a server.
Everything else is covered by the standard "Deny" rule.
But running an NMAP intense scan, all ports, against the firewall shows a TON of open ports.

On the lan->wan rule side, it's pretty open, except I block SMTP from everything except the server.

Tried with and without stealth mode, same results.

What am I missing here?

Here are the NMAP results:
Initiating SYN Stealth Scan at 21:42
Scanning xxx.xxx.com (x,x,x,x) [65535 ports]
Discovered open port 5900/tcp on x,x,x,x
Discovered open port 80/tcp on x,x,x,x
Discovered open port 443/tcp on x,x,x,x
Discovered open port 25/tcp on x,x,x,x
Discovered open port 31370/tcp on x,x,x,x
Discovered open port 12236/tcp on x,x,x,x
Discovered open port 44034/tcp on x,x,x,x
Discovered open port 41532/tcp on x,x,x,x
Discovered open port 40786/tcp on x,x,x,x
Discovered open port 29209/tcp on x,x,x,x
Discovered open port 25427/tcp on x,x,x,x
Discovered open port 9301/tcp on x,x,x,x
Discovered open port 59360/tcp on x,x,x,x
Discovered open port 25947/tcp on x,x,x,x
Discovered open port 24887/tcp on x,x,x,x
Discovered open port 14193/tcp on x,x,x,x
Discovered open port 33510/tcp on x,x,x,x
Discovered open port 33887/tcp on x,x,x,x
Discovered open port 54280/tcp on x,x,x,x
Discovered open port 23207/tcp on x,x,x,x
Discovered open port 18619/tcp on x,x,x,x
Discovered open port 10803/tcp on x,x,x,x
Discovered open port 57102/tcp on x,x,x,x
Discovered open port 32181/tcp on x,x,x,x
Discovered open port 32527/tcp on x,x,x,x
Discovered open port 26063/tcp on x,x,x,x
Discovered open port 59561/tcp on x,x,x,x
Discovered open port 4020/tcp on x,x,x,x
Discovered open port 33324/tcp on x,x,x,x
Discovered open port 22171/tcp on x,x,x,x
Discovered open port 20612/tcp on x,x,x,x
Discovered open port 26259/tcp on x,x,x,x
Discovered open port 18797/tcp on x,x,x,x
Discovered open port 35788/tcp on x,x,x,x
Discovered open port 7592/tcp on x,x,x,x
Discovered open port 46609/tcp on x,x,x,x
Discovered open port 27383/tcp on x,x,x,x
Discovered open port 42477/tcp on x,x,x,x
Discovered open port 26023/tcp on x,x,x,x
Discovered open port 682/tcp on x,x,x,x
Discovered open port 37600/tcp on x,x,x,x
Discovered open port 38665/tcp on x,x,x,x
Discovered open port 5931/tcp on x,x,x,x
Discovered open port 64309/tcp on x,x,x,x
Discovered open port 37538/tcp on x,x,x,x
Discovered open port 18760/tcp on x,x,x,x
Discovered open port 9003/tcp on x,x,x,x
Discovered open port 25708/tcp on x,x,x,x
Discovered open port 47336/tcp on x,x,x,x
Discovered open port 31849/tcp on x,x,x,x
Increasing send delay for x,x,x,x from 0 to 5 due to 27 out of 66 dropped probes since last increase.
Discovered open port 60371/tcp on x,x,x,x
Discovered open port 20198/tcp on x,x,x,x
Discovered open port 18399/tcp on x,x,x,x
Discovered open port 33600/tcp on x,x,x,x
Discovered open port 26375/tcp on x,x,x,x
Discovered open port 23707/tcp on x,x,x,x
Discovered open port 17873/tcp on x,x,x,x
Discovered open port 50028/tcp on x,x,x,x
Discovered open port 55577/tcp on x,x,x,x
Discovered open port 38335/tcp on x,x,x,x
Discovered open port 22207/tcp on x,x,x,x
Discovered open port 19727/tcp on x,x,x,x
Discovered open port 27837/tcp on x,x,x,x
Discovered open port 60781/tcp on x,x,x,x
Discovered open port 18485/tcp on x,x,x,x
Discovered open port 32491/tcp on x,x,x,x
Discovered open port 7453/tcp on x,x,x,x
Discovered open port 30930/tcp on x,x,x,x
Discovered open port 43184/tcp on x,x,x,x
Discovered open port 33142/tcp on x,x,x,x
Discovered open port 34954/tcp on x,x,x,x
Discovered open port 58709/tcp on x,x,x,x
Discovered open port 56355/tcp on x,x,x,x
Discovered open port 49605/tcp on x,x,x,x
Discovered open port 19359/tcp on x,x,x,x
Discovered open port 2727/tcp on x,x,x,x
Discovered open port 63795/tcp on x,x,x,x
Discovered open port 34368/tcp on x,x,x,x
Discovered open port 26414/tcp on x,x,x,x
Discovered open port 46582/tcp on x,x,x,x
Discovered open port 25675/tcp on x,x,x,x
Discovered open port 60853/tcp on x,x,x,x
Discovered open port 14987/tcp on x,x,x,x
Discovered open port 51985/tcp on x,x,x,x
Discovered open port 18933/tcp on x,x,x,x
Discovered open port 39436/tcp on x,x,x,x
Discovered open port 31571/tcp on x,x,x,x
Discovered open port 55237/tcp on x,x,x,x
Discovered open port 23499/tcp on x,x,x,x
Discovered open port 43344/tcp on x,x,x,x
Discovered open port 10454/tcp on x,x,x,x
Discovered open port 41698/tcp on x,x,x,x
Discovered open port 50131/tcp on x,x,x,x
Discovered open port 13514/tcp on x,x,x,x
Discovered open port 21803/tcp on x,x,x,x
Discovered open port 61544/tcp on x,x,x,x
Discovered open port 45630/tcp on x,x,x,x
Discovered open port 40051/tcp on x,x,x,x
Discovered open port 30802/tcp on x,x,x,x
Discovered open port 5626/tcp on x,x,x,x
Discovered open port 32495/tcp on x,x,x,x
Discovered open port 50295/tcp on x,x,x,x
Discovered open port 33963/tcp on x,x,x,x
Discovered open port 44861/tcp on x,x,x,x
Discovered open port 32630/tcp on x,x,x,x
Discovered open port 10331/tcp on x,x,x,x
Discovered open port 62881/tcp on x,x,x,x
Discovered open port 61/tcp on x,x,x,x
Discovered open port 21317/tcp on x,x,x,x
Discovered open port 55209/tcp on x,x,x,x
Discovered open port 24654/tcp on x,x,x,x
Discovered open port 48617/tcp on x,x,x,x
Discovered open port 49106/tcp on x,x,x,x
Discovered open port 44440/tcp on x,x,x,x
Discovered open port 2420/tcp on x,x,x,x
Discovered open port 32874/tcp on x,x,x,x
Discovered open port 31285/tcp on x,x,x,x
Discovered open port 28225/tcp on x,x,x,x
Discovered open port 24325/tcp on x,x,x,x
Discovered open port 23298/tcp on x,x,x,x
Discovered open port 50300/tcp on x,x,x,x
Discovered open port 53073/tcp on x,x,x,x
Discovered open port 59474/tcp on x,x,x,x
Discovered open port 63906/tcp on x,x,x,x
Discovered open port 58372/tcp on x,x,x,x
Discovered open port 51552/tcp on x,x,x,x
Discovered open port 12700/tcp on x,x,x,x
Discovered open port 52793/tcp on x,x,x,x
Discovered open port 31059/tcp on x,x,x,x
Discovered open port 14535/tcp on x,x,x,x
Discovered open port 19511/tcp on x,x,x,x
Discovered open port 12819/tcp on x,x,x,x
Discovered open port 34609/tcp on x,x,x,x
Discovered open port 17850/tcp on x,x,x,x
Discovered open port 43555/tcp on x,x,x,x
Discovered open port 39545/tcp on x,x,x,x
Discovered open port 30612/tcp on x,x,x,x
Discovered open port 29080/tcp on x,x,x,x
Discovered open port 12248/tcp on x,x,x,x
Discovered open port 31218/tcp on x,x,x,x
Discovered open port 26443/tcp on x,x,x,x
Discovered open port 61245/tcp on x,x,x,x
Discovered open port 52223/tcp on x,x,x,x
Discovered open port 49449/tcp on x,x,x,x
Discovered open port 25727/tcp on x,x,x,x
Discovered open port 17688/tcp on x,x,x,x
Discovered open port 65430/tcp on x,x,x,x
Discovered open port 48060/tcp on x,x,x,x
Discovered open port 39117/tcp on x,x,x,x
Discovered open port 50522/tcp on x,x,x,x

Question by:geekzinc
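One way to check a scan like the one pasted above against what the firewall is supposed to allow, and to evaluate the "disable one rule and rescan" test that comes up later in the thread, mechanically. This is an added example, not code from the thread or from SonicWall; the nmap output embedded in it is constructed, and the host, the port values and the allow list (80, 443, 3389, taken from the question) are assumptions.

```python
import re

# WAN->LAN allow rules as described in the question (80, 443, 3389 to one server)
ALLOWED_TCP = {80, 443, 3389}

# Constructed sample in the style of nmap -v output; host and ports are made up
SAMPLE_SCAN = """\
Initiating SYN Stealth Scan at 21:42
Scanning host.example.com (192.0.2.10) [65535 ports]
Discovered open port 5900/tcp on 192.0.2.10
Discovered open port 80/tcp on 192.0.2.10
Discovered open port 443/tcp on 192.0.2.10
Discovered open port 25/tcp on 192.0.2.10
Discovered open port 31370/tcp on 192.0.2.10
Increasing send delay for 192.0.2.10 from 0 to 5 due to 27 out of 66 dropped probes since last increase.
"""

# Matches the per-port lines nmap prints in verbose mode
_OPEN_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)")


def parse_open_ports(scan_text, proto="tcp"):
    """Collect the ports that nmap's verbose output reports as open for one protocol."""
    ports = set()
    for line in scan_text.splitlines():
        m = _OPEN_RE.match(line)
        if m and m.group(2) == proto:
            ports.add(int(m.group(1)))
    return ports


def unexpected_ports(scan_text, allowed=ALLOWED_TCP):
    """Open ports that no allow rule accounts for: each one is either a rule
    mistake or, as in the thread, the device answering on ports it should drop."""
    return sorted(parse_open_ports(scan_text) - set(allowed))


def diff_scans(baseline_text, rescan_text):
    """Support the 'disable one rule and rescan' test: return the ports that
    stopped showing as open and the ports that newly appeared."""
    before = parse_open_ports(baseline_text)
    after = parse_open_ports(rescan_text)
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    print("open ports not covered by an allow rule:", unexpected_ports(SAMPLE_SCAN))
```

Feed it the saved output of a scan run from outside the firewall (`nmap -v -Pn -p- host > scan.txt`) and rerun after each rule change to see which rule the extra ports follow.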
7 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 35153759
What I think nmap is interpreting as open is the SonicWall merely responding with a reset packet. Because the SonicWall is responding, nmap thinks the port is open. Review the KB below and enable stealth mode if you have not. Then run your scan again.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3859
 
LVL 33

Expert Comment

by:digitap
ID: 35153761
It's also possible that you've got a rule incorrectly set and they ARE open. Post a screenshot of your WAN > LAN rules and we'll see if it's true.
 

Author Comment

by:geekzinc
ID: 35153798
Stealth mode didn't help.
Also ran the same tests against another client with a SonicWall and similar rules, and it came back clean.
Rules image attached.
sonicwall-rules.bmp
 
LVL 33

Expert Comment

by:digitap
ID: 35153872
Review each of those custom services that you have in the access rules list. See what services they allow.

Also, you might consider my next suggestion a waste of time, but it is something I would consider: disable each access rule and run your test. See which one is causing it. One of those rules is leaving you open.
 

Author Comment

by:geekzinc
ID: 35153995
hmmmm.

Disabling all but RDC (I am remote) and forcing NMAP with the -Pn switch: no problems.
But when I opened SMTP (or any service), these phantom ports opened.

Does the SonicWall need a hard reset?
 
LVL 33

Accepted Solution

by: digitap (earned 500 total points)
ID: 35156134
Let's take one of the firewall rules apart, unless you don't mind resetting the unit.

Go to Firewall > Services. Edit one of the service objects you created and review the port range. If it is a single port, do you just have the single port number?
 

Author Closing Comment

by:geekzinc
ID: 35186279
Turns out that a combination of resetting the rules and then the firewall solved the problem.
Thanks for the help.