I've got public IP from ISP and currently it's assigned on my openwrt on wanb (lan1) interface, so I started wondering if firewall is set up correctly and it seems like it's not. The only open port should be 1194/udp for openvpn server - that works from internet as I tested it, but nmap does not show it open, instead it shows these port as open, why?
53/tcp
80/tcp
443/tcp
53/udp
Here's my /etc/config/firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wanb'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Block-Public-DNS'
option src 'lan'
option dest 'wan'
option target 'REJECT'
list proto 'tcp'
list proto 'udp'
option dest_port '53'
option family 'ipv4'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option dest_port '53'
option name 'Force DNS'
option src_dport '53'
option target 'DNAT'
option src 'lan'
option dest 'lan'
option dest_ip '10.0.0.1'
config redirect
option target 'DNAT'
option name 'vpn_nas'
list proto 'udp'
option src 'wan'
option src_dport '1194'
option dest 'lan'
option dest_ip '10.0.0.100'
option dest_port '1194'
Yeah, you got a point, I ran it from LAN, but my outgoing connection goes via wan, not wanb (public ip), so I thought it's okay, but it wasn't. I connected my laptop via mobile internet to do a scan again and output is different, but still doesn't look as expected. Nothing except 1194/udp should be opened, why does it not show as open and other ports are? I used "nmap -sS -sU -T4 -A -v publicipadress"
Not shown: 998 closed tcp ports (reset), 984 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
1720/tcp open h323q931?
67/udp open|filtered dhcps
767/udp open|filtered phonebook
1031/udp open|filtered iad2
1719/udp open|filtered h323gatestat
2222/udp open|filtered msantipiracy
3052/udp open|filtered apc-3052
6050/udp open|filtered x11
17207/udp open|filtered unknown
17888/udp open|filtered unknown
18980/udp open|filtered unknown
19096/udp open|filtered unknown
34125/udp open|filtered unknown
41702/udp open|filtered unknown
42313/udp open|filtered unknown
48078/udp open|filtered unknown
49194/udp open|filtered unknown
Nmap has its own big manual and a known weakness/feature according to their own manual that makes it sniffing 360° on every device it goes trough and report false results all the way to the target.
This is mostly because the actual hardware from everywhere responds to the actual sniffing since sniffing isn’t IP controlled but broadcast all over the data line.
The only way to minimize this is to connect the sniffing computer directly to the port of the device you want to sniff.
It would also make sense to check that your network configuration is correct.
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Well, it might be related as the second wan is actually a copy of mobile sim in a router. My friend tried to do the same scan from his house and result was that NONE of the ports were open, neither openvpn port..
I thought nmap is one of the best scanners out there. So there's no way to scan using nmap to see if 1194 port is opened? I know it's opened, because I connected via vpn from different house/isp. Is there any better software/service to use or a specific nmap option in order to show it opened?
Well nmap is actually little of a hype when you read the actual manual and many expect more and nicer looking result than it actually deliver.
It does ping and check what comes back, but it doesn’t know from where the answer came since the answer has no ID mark. It is only yes, no, maybe little or maybe more. Little like thunder alongside mountains, one lightning gives a lot of different booms from different mountains that reflects the first boom sound wave.
As like all other measuring systems it has its pros and cons but the technician measuring is responsible to know everything about measuring what he/she want to measure before measuring or else the measurement isn’t scientific.
Then it is just a value of some sort.
1194 is a port you have opened highly probable for OpenVPN, does it work or not?
If you want to know if it is closed you can turn on firewall logging on wan because then the scan robots looking for companies with OpenVPN to DoS with filtered registered port 1194 will be trapped.
And if you have the server running and port open you will sooner or later get errors from attempts to log in to the tunnel in the OpenVPN log.
I recommend right now to use another random choosed port other than 1194 that isn’t already used by the online scan robots. They know of all registered communications port already so choose a not registered port number.
I would say the wan firewall log is better than nmap because then you see how much shit is trying to come inside. What to look out for is bots trying high port numbers because cheap firewalls doesn’t necessarily block high port numbers. But OpenWRT does that.
What exactly are you trying to find out? You want a scanner to tell you if a port (which you already know is open because it's being used) is open? Why?
To know if the network is secure. I know 1194 is opened, but i can’t verify that using nmap, so I am not 100% sure it works in each case as intended. This weird behaviour might be limited to udp scanning only:
“Table 5.3, “How Nmap interprets responses to a UDP probe” shows that the open|filtered state occurs when Nmap fails to receive any responses from its UDP probes to a particular port. Yet it also shows that, on rare occasions, the UDP service listening on a port will respond in kind, proving that the port is open. The reason these services don't respond often is that the empty packets Nmap sends are considered invalid.”
Is there any reason you suspect it wouldn't be? Have you disabled any of the default firewall rules or added traffic rules/port forwards that you don't need?
