How to close port

that's not your IPv4 IP.

you're scanning something further upstream.

1 Like
root@OpenWrt:~# cat /etc/config/firewall 
config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

Try scanning the IPv6 address. You're behind a specific type of CGNAT for IPv4, so when you're doing a port scan you're actually scanning one of the upstream routers. So most likely it's the upstream that has opened port 1024 (which it shouldn't according to RFC 6335 but wouldn't be the first time ISPs didn't adhere to RFCs).

How do i even scan this? if i try searching for 2001:9e8:6022:758b:157c:40c5:2344:697f/64 on shodan.io it cant even find anything

That's expected since OpenWrt doesn't open any port by default except the ones absolutely necessary to connect to the Internet. Are you saying that Shodan can't even find the router?

Try pinging that address from the Internet, and then try using this port scanner from that same site. Do not add the /64 suffix, just paste the IP address part before the slash.

Also I don't see anything out of the ordinary with the /etc/config/firewall contents you've posted. So I'm confident in saying your OpenWrt device hasn't opened port 1024 and what you scanned is actually your ISP's upstream router instead.

1 Like

Yeah shodan couldnt even find anything under that ipv6..

but i could using https://search.censys.io/hosts/2001:9e8:6022:758b:157c:40c5:2344:697f

Using my mobile carrier right? or could i also just do it from behind my router? I did using my mobile data and ping worked and port 1024 timed-out

This method is correct, and you got the result I would expect from a default OpenWrt install. IMO, based on this result and the contents of your firewall configuration, nothing's wrong with your OpenWrt device as far as the port situation is concerned.

1 Like

all sites that do it for you, you can initiate from within your LAN, tools you execute on your own clients have to go via the mobile carrier.

1 Like

ah yeah, that makes sense. when using a website they check on their end outside from my lan but when using a tool i check for myself so i have to use it outside of my lan.

correct, to make the starting point (the internet side of your WAN port) the same for both scans.

Should i contact my ISP and ask them to close port 1024😀?

It could also benefit my security if my ISP is more secured right?

I dont want my ISP to get hacked..

no idea how often Shodan make the scan on each IP, but technically, it is closed since three weeks.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.