How to hide an open port from scanning from the net?

Hi all!
I blocked on the branch
raw_prerouting

iifname "eth0.2" ip protocol icmp icmp type echo-request drop

It partially helped, but I want the open port not to be visible at all.
What else should I block, maybe specifically one of the TCP packets?

I blocked the TCP-ACK packet; it did not help.

What TCP or ICMP packet does the scanner send when scanning for open ports?

The default firewall specifically allows the wan to receive (and reply to) conventional pings (ICMP Echo). Note that pings do not have a port number. If you don't want to respond to pings, remove that rule.

TCP does use a port number; however, the default firewall does not allow any TCP ports.

Use the firewall abstraction in /etc/config/firewall; don't write iptables / nftables rules yourself.

I'm interested in exactly which packet it is, and I'll block it on a specific port.
I have an open port, I scanned myself, and the port is visible from outside.

Which port is reported open? Are you intentionally offering a service? If you offer a service to the public, the port has to be open for them.

A scan for open TCP ports involves sending connect requests to each port number. They are exactly the same packets that someone legitimately trying to use the service would send.

The port should be open to a select few, not to everyone )

Then only allow that list of source IPs with an IP set and a firewall rule.

I would suggest setting up a WireGuard VPN and registering the public keys of those few into your configuration. Once they connect to the VPN they can then access the service through the tunnel. All others will be ignored.

So I thought about what packet the scanner is sending, and I want to block this packet.
Temporary solution: I blocked everyone by IP ))

As I said, the packet the scanner sends is exactly the same (other than source IP) as the one that a legitimate user would send.

It's good, I'll try to block it.
Which packet?

Change wan interface default action from reset to drop.

I changed it a year ago, but it doesn't work on an open port.
If the port is open and the program is enabled, then it is visible from outside.

And I'm just wondering which packet that the scanner sends I should block.

How? What program?

What difference does it make which program? It has nothing to do with the port scanner.
Blocking packets at random takes a long time; I thought maybe someone would know better.

How does a program open a port on its own via the firewall?
If you want to block a particular scanner you can make p0f signatures for all scan modes and block it. It does not prevent an adversary from perturbing parameters to slip through.

That's why I want to try to block a certain packet; the only question is which one.

Start here:

Methods here:
https://man.openbsd.org/pf.os

We are not a moral compass or parental whip, but for what it is worth, at least note whether it is gaming or P2P related...

This is normal and expected behavior. There are two options:

  1. As mentioned above, make an allow list of external IP addresses that are permitted to use the port-forward. This way the port will remain effectively closed to all addresses not on that list. At that point, you can drop (silent) or reject (active) probe packets from scanners and other sources.
  2. Modify the behavior of the service (that is running on a host behind your OpenWrt router) to do the above. In other words, if the source IP is in the allowlist, respond; otherwise don't answer or reject.

I also second the suggestion that @mk24 made -- use WireGuard instead of just opening a port. WireGuard is not chatty -- it doesn't respond at all unless the cryptographic keys are correct. This means that it inherently drops all traffic not allowed, so it does not appear as an open port.
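Option 1 above (an allow list of external addresses for the port-forward, plus a silent drop for everyone else) written out as an added example in /etc/config/firewall syntax for OpenWrt's fw4. This is not configuration from the thread or from OpenWrt's own files; the ipset name, the public addresses, the LAN host and the port numbers are placeholders.

```uci
# Added example, not from the thread. All names, addresses and ports
# below are placeholders.

# Before: the forward accepts connections from any source address, so a
# scanner's SYN to wan port 2222 is treated exactly like a real client's.
config redirect
	option name 'ssh-from-anywhere'
	option src 'wan'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '22'
	option proto 'tcp'
	option target 'DNAT'

# After: the same forward, matched only for sources in an ipset.
# Entries are placeholders (one static address, one /24 range).
config ipset
	option name 'ssh_allowed'
	option family 'ipv4'
	list match 'src_ip'
	list entry '203.0.113.10'
	list entry '198.51.100.0/24'

config redirect
	option name 'ssh-from-allowlist'
	option src 'wan'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option dest_port '22'
	option proto 'tcp'
	option ipset 'ssh_allowed'
	option target 'DNAT'

# Probes from any other source fall through to the wan zone's input
# policy. DROP instead of the default REJECT (the "reset to drop" change
# mentioned earlier) means the prober receives no answer at all.
config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'
```

Reload with `/etc/init.d/firewall reload` and verify from an address that is not in the set; the port should now time out rather than answer or reset.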

Oh well then, I'll launch Wireshark and see for myself what packets the scanner uses.
As always, there are a lot of questions and not a single answer.