How to close ports in br-lan?

I check through the LanSpy utility for open ports in br-lan and I would like to close some of them, but I don’t know how.
An Internet search did not give positive results. Tell me please, does anyone know?

br-lan is your LAN side network, it's not firewalled.

Which ports would you like to close/did the tool report as open?

Did the tool scan your whole LAN, or just the router?

It also appears to be an 18-year-old tool.

I would like to close many ports, for example 137, 138, 1900 and the like. I scanned the router itself from lan. I do not want traffic to go through them in the lan network. Maybe there is a package that needs to be installed for configuration?

Then disallow all traffic to the router but the required ports for dhcp, dns and surf, and whatever else you need.

137 138 are for Windows file sharing, are you using it?
Do you have ksmbd or samba installed, and running?

And the traffic isn't going through them, unless it's intended for the router.
It means something is listening on the port, just as the router admin interface, on port 80 and 443.

In the old days you could use ebtables (today try ebtables-nft) to allow filtering on bridge devices, but for a hardware switch this requires essentially disabling the L2 switch and passing all packets to the CPU for filtering; this can become quite costly quickly and will likely have a noticeable influence on your aggregate LAN-to-LAN throughput.

Please clarify what you would really like to do - the two answers by @frollic and @moeller0 are both covering different interpretations of your questions. I'm not sure what you would like to do:

  1. Disallow traffic from your network devices to the router (on specific ports)
  2. Disallow traffic between your network devices (on specific ports)

The first case was covered by @frollic, the second case by @moeller0.


Disallow traffic from your network devices to the router (on specific ports)

Just create a traffic rule in the firewall with a source zone 'lan' and action REJECT or DROP for the ports you wish to block. These will only affect the ability for lan devices to connect to services on the router itself. It will not affect lan > wan connections, nor will it affect lan > lan connections. Be careful, though -- DHCP and DNS are often needed (although not strictly required), so blocking those ports may render your network broken.

I'm going to ask a bigger question -- If you are trying to block access to these services from the (nominally trusted) lan, why are they running in the first place? Why not turn those services off?
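The traffic rule described in the post above, written as an `/etc/config/firewall` entry. This is an added example, not part of the original thread: the rule name is made up, and the ports are the ones the original poster listed (137, 138 and 1900, all UDP services).

```uci
# /etc/config/firewall  (added example; the rule name is hypothetical)
# There is no 'dest' option, so the rule matches only traffic addressed
# to the router itself (input). lan > wan and lan > lan are not affected.
# DHCP (67/udp) and DNS (53) are deliberately left out of the port list.
config rule
	option name 'Reject-LAN-NetBIOS-SSDP'
	option src 'lan'
	option proto 'udp'
	option dest_port '137 138 1900'
	option target 'REJECT'
```

The rule takes effect after `/etc/init.d/firewall reload`.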


Closed blocking icmp and igmp.
The trusted lan zone cannot be trusted, since devices such as a phone, which do not inspire confidence, are connected to it :slight_smile:

Everybody is different, but many people probably consider their phones among the most trusted devices they own given how much of our lives reside on these devices. If you don't consider your phone to be trusted, I'm guessing you don't use it for anything 'sensitive' like email or apps for services you need including banking.

Anyway, that said, you could create a management network that has normal/full administrative access to your router... that can be tied to a specific ethernet port and/or wifi SSID such that you would need to explicitly connect a trusted device to that network when you need to actually adjust the router's settings... then all of your other devices can be on a network (lan or otherwise) that explicitly forbids access to the router itself.

You probably won’t believe it, I generally don’t connect my phone to the Internet, since it’s not under my control, but I’m trying to protect the network from other devices that I don’t control :slight_smile:

Unlike the rest of the internet, which is under your control?

Not saying anything about your mobile phone policy (your devices your decision), but I would stop treating your home network as any less hostile than the open internet...