Firewall Identification

Someone mentioned that any random person on the internet who knows my IP address, can tell what kind of firewall software I’m using.

Is this true? If so, how does this work?

From just your IP, if you don’t have any services running or ports open, etc., then no. But if you do have something running, such as a VPN server, then you might be leaking information to anyone that just comes up and says hello. PPTP for example will tell anyone who asks not only the vendor but also the hostname! A good resource for this is shodan.io, they use a large number of servers to scan through the whole internet and they have a lot of protocol-specific scanners. Just put in your IP and see what they’ve already found out about you.


Generally speaking, no.

If you forward ports to any servers or services behind the firewall, you can’t either. But these services can be found of course.

If you are running services on the firewall itself that are reachable from the outside, like a VPN or a reverse proxy, it depends on the respective service what exactly it “announces” to the outside. Depending on the implementation, it might be possible to draw at least conclusions on what platform / firewall software it is running.

PPTP has been considered an obsolete protocol for the past 10 years. It has many security issues and should definitely no longer be used in 2022.

And yet if you search PPTP on Shodan….

This is useful information, thanks so much.
So from what you’re saying, if a residential IP is not running any servers, and is only connecting as a client to an external VPN server. Obviously the VPN company can get a lot of information and the ISP can clearly see what VPN you have and see a random MAC address.

But the ISP can’t tell what model of firewall router or what kind of firewall software is being used from what you are telling me. Since everything is being blocked except that VPN’s port.

Well, the ISP will know your WAN port MAC address, which, unless you’ve changed it (depending on capability), will at least tell them the manufacturer of the NIC. My preferred site to look up OUIs (first six digits of the MAC) is http://search.deepmac.org/. But anyone other than your ISP, which is what I assumed you were asking about originally, won’t be able to see your WAN port physical MAC.

I am confused. Why do I have to use a MAC associated with the same manufacturer as the real firewall? Can’t random numbers be entered? Or use an old router’s MAC, so it’s tricking the ISP into thinking it’s the old router?

I said “unless you’ve changed it”. By default, as required by the IEEE, the MAC address of the firewall will be from a range assigned to the manufacturer, which is the main method by which we make sure there will never be duplicate MAC addresses. The MAC is burned into ROM inside or connected to the NIC at the factory. But you can change it as needed, on most firewall/router products. So if you wanted to make it random, or clone an old router, sure go ahead.

Gotcha, thanks for the info. So I changed the MAC in the pfSense Wizard setup. But now it’s not showing up in the web GUI. I am not sure if it is spoofed or not. I think I have to assign it to the parent interface or something? Do you know where I can find how to do this?

I have not tried to change the WAN interface MAC on pfSense and have no suggestions for you other than to ask on their forums.

Have you actually tried to google your MAC address or search for it on a site like https://macvendors.com/ or http://search.deepmac.org/, before you turned up your paranoia to 11 and started this most likely unnecessary hassle of changing the MAC address? :wink: In most cases there is no direct correlation between the MAC address and the software you are running on a device.

If you are using a pfSense box from Netgate, I guess it depends on the exact model, but most likely the MAC address will only get you the manufacturer of the NIC. If you have pfSense installed on a white box, e.g. a desktop PC, it will get you the manufacturer of the computer or the mainboard, and if you are using PCI add-on cards it gives you the manufacturer of the card. In none of these cases, except maybe for some of the genuine Netgate boxes, would there be a way to know what software you are running based on the MAC address.

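The posts above describe checking what your own WAN MAC reveals: the first three octets (the OUI) map to a NIC or board vendor, while a changed or randomized address normally sets the "locally administered" bit and maps to no registered vendor at all. The script below is an added example, not code from the thread or from pfSense; it normalizes the common MAC notations, extracts the OUI, reads the U/L and I/G bits, and looks the OUI up in a small constructed table standing in for the IEEE registry or a site like macvendors.com.

```python
import re

# Constructed OUI table for the demo only (the prefixes and vendor names are
# made up); a real lookup queries the IEEE registry or an OUI lookup site.
OUI_TABLE = {
    "A8:BB:CC": "Example NIC Vendor (constructed entry)",
    "A8:BB:CD": "Example Mainboard Vendor (constructed entry)",
}

def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or
    aabbccddeeff and return the canonical upper-case colon form."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw):
        raise ValueError("not a MAC address: %r" % raw)
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(digits) != 12:
        raise ValueError("MAC must contain exactly 12 hex digits: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def is_valid_mac(raw):
    try:
        normalize_mac(raw)
        return True
    except ValueError:
        return False

def classify_mac(raw):
    """Return what an outside party (e.g. the ISP) can read from the address."""
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    # Bit 0x02 of the first octet is the U/L bit: 1 means locally administered,
    # i.e. changed, cloned or randomized; 0 means a factory-assigned OUI.
    local = bool(first_octet & 0x02)
    # Bit 0x01 is the I/G bit: 1 marks a multicast/group address, which can
    # never be an interface's own MAC.
    multicast = bool(first_octet & 0x01)
    oui = mac[:8]
    # The IEEE only registers OUIs with the U/L bit clear, so a locally
    # administered address has no vendor to look up.
    vendor = None if local else OUI_TABLE.get(oui)
    return {
        "mac": mac,
        "oui": oui,
        "locally_administered": local,
        "multicast": multicast,
        "vendor": vendor,
    }
```

Note that cloning a real router's factory MAC keeps the U/L bit clear, so the ISP would simply see that router's vendor; only addresses with the bit set stand out as locally set.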

What you are saying is very reasonable but I can’t google my MAC until I can find it. So how do I even view my own MAC address through the pfSense interface? Because when I go to the Interface → WAN page, there is nothing. I entered a MAC during the setup wizard, but I don’t see it anywhere.

You can find the MAC address of each network port under Interfaces → Assignments → Interface Assignments.

Not for a PPPoE WAN connection; it only pops up for DHCP. I need to use a “parent” interface and do it. But I find this confusing.

What exactly is a parent interface? The concept of an interface is confusing because you’d think it’s the physical ports but then a VPN covering the entire thing is an interface?

Under Interfaces → Assignments → Interface Assignments you can see all the physical interfaces and their respective MAC addresses in the pull-down menus, regardless of whether they are assigned to something or not. Or you could use the CLI: https://www.cyberciti.biz/faq/how-do-i-find-out-the-mac-address-of-my-linux-or-freebsd-system/

If you are in doubt which interface is assigned to what or if it’s actually a physical interface, check them all. I highly doubt that you will find anything that allows conclusions to be drawn, whether you are using pfSense or not.

An interface is anything that can be assigned an IP address, whether physical or virtual. Or to put it another way, it is anything that exists on Layers 1 and 2 of the OSI model and can be used for Layer 3. For virtual interfaces, their Layer 1 might actually be Layer 2 or Layer 3 of another interface. For example, a VLAN interface’s Layer 2 is just handling the VLAN tag, and then its Layer 1 is Layer 2 of a physical interface which adds the rest of the Ethernet frame.

PPPoE means to create a virtual interface for running PPP, and then send the PPP traffic “over Ethernet” using a parent physical interface (Layer 3 is PPP instead of IP, Layer 2 is a bit of framing for PPPoE, Layer 1 is Layer 2 of the parent interface). Regular PPP is used on either T1/E1 or DSL interfaces (Layer 3 is PPP, Layer 2 is the T1/E1 or DSL framing, Layer 1 is a T1/E1 or DSL modem).

OK, so does this mean each “parent” interface is one layer above the virtual one?

bb77,
Are you sure these MACs are right under Interface → Assignments → Interface Assignments? Because I thought I spoofed this alternate one, and it isn’t showing my spoof here. But if I click on it, it has the spoof MAC in the text box for me to edit.

Yes that’s correct. It always shows the physical MAC address in this particular menu, not the one you added (spoofed) in the interface settings.

The point that @bb77 is making is: before worrying about spoofing your MAC to something else, take a look at what it is from the factory. Even if you are using a Netgate device, the MAC vendor might show up as Intel, or the factory that Netgate contracted to make the system, which would also make other similar router products. The risk around someone knowing your firewall from your MAC really applies when you’re using a more heavily integrated product, like Cisco / Juniper / Sonicwall / Watchguard, or any regular router (Netgear / TPLink / Asus) when you are using the stock firmware.
