I am running a CODA4680 in bridge mode connected to my pfsense 1100 (and yes it is getting a true public ip). I set it up the standard way, didn't touch the rules.

I performed an NMAP scan from my laptop tethered to my LTE hotspot from my phone and I see

Port/protocol Status Service
21/tcp open ftp
80/tcp open http
135/tcp closed msrpc
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
646/tcp closed ldp
711/tcp closed cisco-tdp

I'm thinking there's maybe something with the LTE? Some device in my phone carrier's setup? Could the router in bridge mode have ports open? That would seem strange to me.

My firewall is not Cisco, I don't understand why there would be ANY Microsoft stuff on it, so it's just weird.

Even weirder is when I go on another (non-LTE) network and run the same command with the same target IP i get:

Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn 
Nmap done: 1 IP address (0 hosts up)

So it's something on the LTE network that's doing something strange?

(Also yes, I made sure I'm running the scan on the same IP, it's not a DNS issue)

2
  • Did you try what nmap actually suggested and run the scanner using the -Pn flag?
    – zyked
    Commented Mar 31, 2023 at 23:23
  • Yessir! Still I got nothing from that scan.
    – Philimel
    Commented Apr 1, 2023 at 5:32

1 Answer

1

So it's something on the LTE network that's doing something strange?? What. The. Heck?

It is a practice that ISPs, including mobile ISPs, might block certain ports in order to protect customers or in order to limit the impact of compromised customer machines. For example, from AT&T's network practices:

... For example, as described in more detail below, we block certain ports that transfer malicious or disruptive traffic (such as Ports 25, 135, 139, 445, and 1900).

And it describes some ports in detail, like

Port 135/TCP: NetBIOS is a network file sharing protocol and is also known as Common Internet File System or LanManager. Blocking protects customers from exposing files unintentionally, worms, and viruses.

Also interesting is a report from the Broadband Internet Technical Advisory Group where they describe in detail why one should or should not block certain ports.

But why are certain ports showing open like 21 and 80?

As for open port 21: it could be some transparent FTP helper which is needed to pass FTP traffic through NAT/CG-NAT networks, and mobile ISPs usually do CG-NAT. And for open port 80: maybe the ISP uses a transparent caching proxy there and/or they do HTTP header enrichment.

3
  • Thank you for the answer! But why are certain ports showing open like 21 and 80?
    – Philimel
    Commented Apr 1, 2023 at 5:34
  • Also I should add that I scanned another network I own with a regular old router and I found similar results. nmap from LTE (same phone and laptop): ports 21 and 80 were open, with 50001 open. nmap from other network (non-LTE):
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up)
    Then I used -Pn and found that port 50001 was open but not 80 and 21 (aka the ones that showed up open on my first network). Anyway this all is making me think that somehow the LTE network is showing that 21 and 80 are open when they aren't really.
    – Philimel
    Commented Apr 1, 2023 at 5:54
  • @Philimel: I've interpreted your question in that you focused on the ports unexpectedly shown as closed. As for open port 21: it could be some transparent FTP helper which is needed to pass FTP traffic through NAT networks. And for port 80 - maybe they have a transparent caching proxy there. Commented Apr 1, 2023 at 7:23
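As an added illustration (not code from the question or the answer), the following Python script applies the answer's reasoning mechanically: it parses two nmap results for the same public IP, one taken from the carrier network and one from elsewhere, and labels every port whose state differs. The two scan outputs are constructed from the ports reported above, and the sets CARRIER_FILTERED (the AT&T list quoted in the answer) and MIDDLEBOX_PORTS (FTP helper, transparent HTTP proxy) are assumptions taken from the answer, not data nmap produces.

```python
import re

# Constructed sample output, modelled on the nmap results reported in the
# question and its follow-up comment: the LTE vantage point versus a non-LTE
# network scanning the same public IP (the latter run with -Pn).
SCAN_FROM_LTE = """\
PORT      STATE  SERVICE
21/tcp    open   ftp
80/tcp    open   http
135/tcp   closed msrpc
139/tcp   closed netbios-ssn
445/tcp   closed microsoft-ds
646/tcp   closed ldp
711/tcp   closed cisco-tdp
50001/tcp open   unknown
"""
SCAN_FROM_WIRED = """\
PORT      STATE SERVICE
50001/tcp open  unknown
"""

# Ports the AT&T excerpt quoted in the answer names as blocked by the carrier.
CARRIER_FILTERED = {25, 135, 139, 445, 1900}
# Ports where a CG-NAT helper or transparent proxy may answer on the ISP's behalf.
MIDDLEBOX_PORTS = {21: "FTP helper/ALG", 80: "transparent HTTP proxy"}

PORT_LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(open|closed|filtered)\b", re.M)


def parse_nmap(text):
    """Map port number -> state; ports nmap does not list are treated as filtered."""
    return {int(port): state for port, state in PORT_LINE.findall(text)}


def compare_vantage_points(carrier_scan, other_scan):
    """Explain every port whose state differs between the two vantage points."""
    a, b = parse_nmap(carrier_scan), parse_nmap(other_scan)
    verdicts = {}
    for port in sorted(set(a) | set(b)):
        sa, sb = a.get(port, "filtered"), b.get(port, "filtered")
        if sa == sb:
            continue  # both vantage points agree: nothing to explain
        if sa == "open" and port in MIDDLEBOX_PORTS:
            verdicts[port] = f"probably the carrier's {MIDDLEBOX_PORTS[port]}, not your host"
        elif sa == "closed" and port in CARRIER_FILTERED:
            verdicts[port] = "closed only from the carrier side: matches ISP port blocking"
        elif sb == "open":
            verdicts[port] = "real service reachable only outside the carrier network"
        else:
            verdicts[port] = f"inconsistent ({sa} on carrier vs {sb} elsewhere); verify with a banner grab"
    return verdicts
```

Running compare_vantage_points(SCAN_FROM_LTE, SCAN_FROM_WIRED) attributes 21 and 80 to the carrier's middleboxes, 135/139/445 to carrier port blocking, and leaves 646 and 711 flagged for manual confirmation; 50001 agrees on both sides and is not reported.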
