Pi hole uses ports it should not?

Another day, another problem...

Today I created firewall rules for my network, so I had to specifically leave a port open if something needs it.
I left the ports 53, 80 and 443 open, so the Pi should be fine.

First of all, the Pi is working!
It does what it should do as far as I see. But my firewall makes me crazy because the Pi tries to use any port between 81 and 442, which are forbidden. I get alerts over and over from my firewall...

So did I miss a port the Pi uses, or is this behaviour false? How can I stop the Pi from using forbidden ports?

And yes, I'm sure that the Pi is 192.168.11.3!

[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:15:32
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:15:22
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:15:11
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:15:01
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:14:51
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:14:41
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:14:30
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:14:20
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:14:10
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:14:00

Did you read the below section when creating this thread?

#### Please follow the below template, it will help us to help you!

### *If you are Experiencing issues with a Pi-hole install that has non-standard elements (e.g you are using `nginx` instead of `lighttpd`, or there is some other aspect of your install that is customised) - please use the [Community Help](https://discourse.pi-hole.net/c/bugs-problems-issues/community-help/36) category.*

## Expected Behaviour:
_[Replace this text with what you think should be happening. Please include as much detail as possible including, but not limited to:
- operating system
- hardware]_

## Actual Behaviour:
_[replace this text with what is actually happening]_

## Debug Token:
_[Replace this text with the debug token provided from running `pihole -d` (or running the debug script through the web interface)]_
1 Like

Are you referring to managing firewall rules on the Pi-hole machine itself or on a different machine, e.g your router or a dedicated firewall device?

For Pi-hole to work correctly, it is mandatory that the firewall on the Pi-hole machine allows for the ports as listed in Pi-hole's prerequisites.

It is commonly not necessary at all to adopt firewall rules on your router for Pi-hole.
In particular, you should not open port 53 for outside traffic, as that would mean you'd expose your network to public access and run the risk to operate Pi-hole as an open resolver.

A standard Pi-hole will only ever send requests to its upstream DNS servers via port 53 and HTTP/HTTPS requests for updates; it will receive port 80 HTTP requests for its web UI, and you may see DHCP traffic on associated ports (68 and 547) if Pi-hole's DHCP server was enabled.
Ports 4711+ for pihole-FTL's API are only used locally.

Your firewall reports are for the Pi-hole machine.

But Pi-hole is not the only software on your Pi-hole machine that's making network requests, e.g. OS may reach out to NTP time servers.
Any additional software on your Pi-hole machine may add to this.

1 Like

Thanks for your reply! Yes, I thought the same… maybe it is something else than Pi-hole… but what can it be? I use a Pi Zero with an Ethernet sideboard; WiFi is not in use.

As host system I took:

“Raspberry Pi OS (32-bit) Lite

Minimal image based on Debian Buster”

This Debian Buster should use port 80 and port 443 as well… so am I maybe infected with something? I have a spare SD card; maybe I throw the thing on the second card for testing.

I'll let you know what I find. So if reinstalling solves it I'm fine; if not, I would like some help with that Debian… see what ports are opened… I'm really not a Unix man… under Windows I would use something like netstat -o

Sent from Mail for Windows 10


OK, figured it out! During the new install it could not update and showed weird times. That got me in the right direction. It is the NTP server, which uses port 123/UDP and 123/TCP.

So maybe not Pi-hole itself, but the host system Pi OS needs port 123 TCP/UDP to update.

To sum it up:
Ports needed for Pi-hole on a Debian-based Pi Zero:

pihole-FTL 53 (DNS) TCP/UDP
pihole-FTL 67 (DHCP) IPv4 UDP
lighttpd 80 (HTTP) TCP
debian ntp 123 (NTP) TCP/UDP
pihole-FTL 547 (DHCPv6) IPv6 UDP
pihole-FTL 4711-4720 TCP

Cheers, Morris

That was the solution :wink: thanks a lot! <3

Next time I will stick to the script, I promise!

> debian ntp 123 (NTP) TCP/UDP

This is an OS-level port, not a port used by Pi-hole.

Just allow all ports outbound from the Raspberry Pi, you don't need to block outbound traffic.

Usually I would agree, but my network got infiltrated recently; that's why I'm a bit hyperfocused on controlling every aspect of it. For example, there is an IP address that is haunting me... it is a usual port scanner like many out there, but this thing is way too persistent and follows me no matter what I do. It looks like a rootkit control unit is looking for its client... all that is none of your concern... but maybe you understand now why I try to control every single port in use or reachable. And I think you know more than me about cross-tracking and stuff like this. Only when I exactly know what device is doing this or that can I find out the device that is giving my IP information away.

Funny side note... after my last posts here (different topic), where I mentioned that I could give one of you access to my Pi-hole to investigate yourself... I got a significantly high amount of blocked connection attempts over port 22 in my router log. Usually it is 5 attempts per week and yesterday it was more than 300 attempts. After a good old reboot and a new IP it stopped and fell back to the usual background noise.

If you are making any kind of insinuation that the handful of people that can see your IP are involved then you need to find another place to be, this isn't it.

Definitely not! I think you got me wrong there! I would never assume that you or other developers are not trustworthy! Would I think that way, I would never offer to let you directly access my Pi. It was more to support my point about the cross-tracking, spoofing and countless other attack methods out there. I got hacked not long ago, and to prevent that from happening again I needed to change my security behaviour from "just allow all ports outbound" to knowing and observing what is happening... for example, one of my motherboards was pinging a specific IP address during boot (BIOS) and later another IP tried to access from outside on the same port because it was triggered and under Windows vulnerable. Once I flashed all my mainboards these attacks stopped... so even outbound traffic is harmful sometimes because it can tell the wrong person under what IP I'm surfing right now.

It's pretty clear to me, a lot is still very new for you.
Things you write are hard to understand, like is it inbound or outbound traffic, DST or SRC ports, etc.
I think the below Einstein quotes apply here:

If you can't explain it simply, you don't understand it well enough.

We cannot solve our problems with the same thinking we used when we created them.

It's not that I'm so smart, it's just that I stay with problems longer.

It will come when you persist and read more about the subjects.
And never ever give someone you don't know your SSH login!

Below are the services that break when blocking destination ports 80 to 443 (notice NTP is UDP only):

```
pi@ph5:~ $ cat /etc/services
[..]
http            80/tcp          www             # WorldWideWeb HTTP
link            87/tcp          ttylink
kerberos        88/tcp          kerberos5 krb5 kerberos-sec     # Kerberos v5
kerberos        88/udp          kerberos5 krb5 kerberos-sec     # Kerberos v5
iso-tsap        102/tcp         tsap            # part of ISODE
acr-nema        104/tcp         dicom           # Digital Imag. & Comm. 300
pop3            110/tcp         pop-3           # POP version 3
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper
sunrpc          111/udp         portmapper
auth            113/tcp         authentication tap ident
sftp            115/tcp
nntp            119/tcp         readnews untp   # USENET News Transfer Protocol
ntp             123/udp                         # Network Time Protocol
epmap           135/tcp         loc-srv         # DCE endpoint resolution
epmap           135/udp         loc-srv
netbios-ns      137/tcp                         # NETBIOS Name Service
netbios-ns      137/udp
netbios-dgm     138/tcp                         # NETBIOS Datagram Service
netbios-dgm     138/udp
netbios-ssn     139/tcp                         # NETBIOS session service
netbios-ssn     139/udp
imap2           143/tcp         imap            # Interim Mail Access P 2 and 4
snmp            161/tcp                         # Simple Net Mgmt Protocol
snmp            161/udp
snmp-trap       162/tcp         snmptrap        # Traps for SNMP
snmp-trap       162/udp         snmptrap
cmip-man        163/tcp                         # ISO mgmt over IP (CMOT)
cmip-man        163/udp
cmip-agent      164/tcp
cmip-agent      164/udp
mailq           174/tcp                 # Mailer transport queue for Zmailer
mailq           174/udp
xdmcp           177/tcp                         # X Display Mgr. Control Proto
xdmcp           177/udp
nextstep        178/tcp         NeXTStep NextStep       # NeXTStep window
nextstep        178/udp         NeXTStep NextStep       #  server
bgp             179/tcp                         # Border Gateway Protocol
irc             194/tcp                         # Internet Relay Chat
irc             194/udp
smux            199/tcp                         # SNMP Unix Multiplexer
smux            199/udp
at-rtmp         201/tcp                         # AppleTalk routing
at-rtmp         201/udp
at-nbp          202/tcp                         # AppleTalk name binding
at-nbp          202/udp
at-echo         204/tcp                         # AppleTalk echo
at-echo         204/udp
at-zis          206/tcp                         # AppleTalk zone information
at-zis          206/udp
qmtp            209/tcp                         # Quick Mail Transfer Protocol
qmtp            209/udp
z3950           210/tcp         wais            # NISO Z39.50 database
z3950           210/udp         wais
ipx             213/tcp                         # IPX
ipx             213/udp
ptp-event       319/udp
ptp-general     320/udp
pawserv         345/tcp                         # Perf Analysis Workbench
pawserv         345/udp
zserv           346/tcp                         # Zebra server
zserv           346/udp
fatserv         347/tcp                         # Fatmen Server
fatserv         347/udp
rpc2portmap     369/tcp
rpc2portmap     369/udp                         # Coda portmapper
codaauth2       370/tcp
codaauth2       370/udp                         # Coda authentication server
clearcase       371/tcp         Clearcase
clearcase       371/udp         Clearcase
ulistserv       372/tcp                         # UNIX Listserv
ulistserv       372/udp
ldap            389/tcp                 # Lightweight Directory Access Protocol
ldap            389/udp
imsp            406/tcp                 # Interactive Mail Support Protocol
imsp            406/udp
svrloc          427/tcp                         # Server Location
svrloc          427/udp
https           443/tcp                         # http protocol over TLS/SSL
[..]
```
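The manual cross-check done above (router alerts on one side, `/etc/services` on the other) can be scripted. The following is an added example, not code from the thread or from Pi-hole: it parses alert lines in the router's format quoted in the opening post, groups them by source and blocked range, and lists the `/etc/services` entries inside that range so the candidate service (here NTP on 123/udp) stands out. The alert and services text are constructed excerpts, not the full files.

```python
# Added example (not Pi-hole's or the thread's own code): triage router alerts in the
# format quoted in this thread and list which /etc/services entries fall in the range.
import re
from datetime import datetime

# Constructed sample alerts in the router's format ("bis" is German for "to").
ALERTS = """\
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:15:32
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:15:22
[service blocked: 80 bis 443] from source 192.168.11.3, Thursday, August 20, 2020 12:15:11
"""

# Constructed excerpt in /etc/services format (not the full Debian file).
SERVICES = """\
# Network services, Internet style
domain          53/udp
http            80/tcp          www             # WorldWideWeb HTTP
kerberos        88/tcp          kerberos5 krb5 kerberos-sec     # Kerberos v5
ntp             123/udp                         # Network Time Protocol
ldap            389/tcp                 # Lightweight Directory Access Protocol
https           443/tcp                         # http protocol over TLS/SSL
"""

ALERT_RE = re.compile(
    r"\[service blocked: (\d+) bis (\d+)\] from source ([0-9.]+), \w+, (.+)$")

def parse_alerts(text):
    """Group alert timestamps by (source, low_port, high_port)."""
    groups = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not an alert line
        low, high, src, when = m.groups()
        ts = datetime.strptime(when, "%B %d, %Y %H:%M:%S")
        groups.setdefault((src, int(low), int(high)), []).append(ts)
    return groups

def services_in_range(services_text, low, high, proto=None):
    """Return (name, port, proto) entries whose port lies within [low, high]."""
    hits = []
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, prot = fields[1].split("/", 1)
        if low <= int(port) <= high and (proto is None or prot == proto):
            hits.append((fields[0], int(port), prot))
    return hits
```

Run `services_in_range(SERVICES, 81, 442, proto="udp")` against the real `/etc/services` text to reproduce the "NTP is UDP only" observation from the listing above.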

It comes down to: You cannot (easily (enough)).

You may block outbound access to some (maybe most) ports. However, you leave open some ports like 53, 80, etc. Sufficiently sophisticated software can send whatever it wants over whatever port it likes. It is simple to test which ports work, and nothing prevents the malicious server on the other side from listening on all ports for incoming traffic.

This is not to scare you; it is more about raising awareness of how complex such a setup may be. If you really want to have control, you don't limit ports but destinations: allow transmitting data only to servers you trust, regardless of which ports traffic is sent/received over.

2 Likes

@Morris_Daddel Make sure to check out my recent additions/changes to the ports documentation:

Especially the parts about the firewall and the randomness of UDP ports.

1 Like

3 posts were split to a new topic: Documentation improvement suggestion

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.