Issues with "open" ports, how to secure my OpenWrt device?

Hey friends.
I got my system running flawlessly now: one OpenWrt device running as a VM (master), and the other one as a backup device on an RPi4.
Unfortunately I have received some letters from my ISPs saying I have some open ports or services exposed to the internet.
Unfortunately I don't know how to troubleshoot that, because I don't see any related port forwardings or traffic rules on my OpenWrt devices.

Does someone have any suggestion?
This is the nmap scan I did from an external device, outside of my network.

Thanks in advance!

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-29 17:40 CEST
Nmap scan report for [omitted] ( [omitted])
Host is up (0.22s latency).
rDNS record for [omitted]:  [omitted]
Not shown: 993 closed ports
PORT    STATE    SERVICE
9/tcp   filtered discard
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
179/tcp filtered bgp
443/tcp open     https
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 140.97 seconds

Nmap can be tricky and give false readings.

Can you share your firewall config?

Do you have any services exposed to the internet? Any DDoS bot as a free guest in some system you have?
It would be nice if the ISP could be more specific with clear facts about the actual port, times, actual activity and so on. These warnings usually don't come from the ISP to begin with, since they never really care. The ISP usually forwards these messages to you from some government agency in charge of cyber crime or cyber security (like a CERT if you are in the EU).

1 Like

By default, all ports should be closed - you'd have to explicitly change the firewall configuration to open them to the outside.

Reading about RPi4, one-armed routing via VLANs and a managed switch might easily lead to configuration errors.

2 Likes

Thanks a lot. These are my firewall rules, from uci show firewall:

firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.lan.device='tun+'
firewall.lan.network='VMs' 'Storage' 'Management' 'CCTV' 'trusted_main' 'trusted' 'OSPF' 'Hub' 'bond0'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.output='ACCEPT'
firewall.wan.forward='REJECT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.network='wan' 'wan6' 'wanb' 'wanb6'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].name='Allow-IPSec-ESP'
firewall.@rule[7].src='wan'
firewall.@rule[7].dest='lan'
firewall.@rule[7].proto='esp'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[8]=rule
firewall.@rule[8].name='Allow-ISAKMP'
firewall.@rule[8].src='wan'
firewall.@rule[8].dest='lan'
firewall.@rule[8].dest_port='500'
firewall.@rule[8].proto='udp'
firewall.@rule[8].target='ACCEPT'
firewall.@rule[9]=rule
firewall.@rule[9].name='Support-UDP-Traceroute'
firewall.@rule[9].src='wan'
firewall.@rule[9].dest_port='33434:33689'
firewall.@rule[9].proto='udp'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].target='REJECT'
firewall.@rule[9].enabled='0'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.input='REJECT'
firewall.guest.output='ACCEPT'
firewall.guest.forward='REJECT'
firewall.guest.network='guest' 'Guest' 'Hub'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.guest_dns=rule
firewall.guest_dns.name='Allow-DNS-Guest'
firewall.guest_dns.src='guest'
firewall.guest_dns.dest_port='53'
firewall.guest_dns.proto='tcp udp'
firewall.guest_dns.target='ACCEPT'
firewall.guest_dhcp=rule
firewall.guest_dhcp.name='Allow-DHCP-Guest'
firewall.guest_dhcp.src='guest'
firewall.guest_dhcp.dest_port='67'
firewall.guest_dhcp.family='ipv4'
firewall.guest_dhcp.proto='udp'
firewall.guest_dhcp.target='ACCEPT'
firewall.lab=zone
firewall.lab.name='lab'
firewall.lab.input='REJECT'
firewall.lab.output='ACCEPT'
firewall.lab.forward='REJECT'
firewall.lab.network='lab' 'Lab'
firewall.lab_wan=forwarding
firewall.lab_wan.src='lab'
firewall.lab_wan.dest='wan'
firewall.lab_dns=rule
firewall.lab_dns.name='Allow-DNS-lab'
firewall.lab_dns.src='lab'
firewall.lab_dns.dest_port='53'
firewall.lab_dns.proto='tcp udp'
firewall.lab_dns.target='ACCEPT'
firewall.lab_dhcp=rule
firewall.lab_dhcp.name='Allow-DHCP-lab'
firewall.lab_dhcp.src='lab'
firewall.lab_dhcp.dest_port='67'
firewall.lab_dhcp.family='ipv4'
firewall.lab_dhcp.proto='udp'
firewall.lab_dhcp.target='ACCEPT'
firewall.cctv=zone
firewall.cctv.name='cctv'
firewall.cctv.input='REJECT'
firewall.cctv.output='ACCEPT'
firewall.cctv.forward='REJECT'
firewall.cctv.network='cctv'
firewall.cctv_wan=forwarding
firewall.cctv_wan.src='cctv'
firewall.cctv_wan.dest='wan'
firewall.cctv_dns=rule
firewall.cctv_dns.name='Allow-DNS-cctv'
firewall.cctv_dns.src='cctv'
firewall.cctv_dns.dest_port='53'
firewall.cctv_dns.proto='tcp udp'
firewall.cctv_dns.target='ACCEPT'
firewall.cctv_dhcp=rule
firewall.cctv_dhcp.name='Allow-DHCP-cctv'
firewall.cctv_dhcp.src='cctv'
firewall.cctv_dhcp.dest_port='67'
firewall.cctv_dhcp.family='ipv4'
firewall.cctv_dhcp.proto='udp'
firewall.cctv_dhcp.target='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].name='Teamspeak (Default)'
firewall.@redirect[0].proto='udp'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].src_dport='9987'
firewall.@redirect[0].dest_port='9987'
firewall.@redirect[0].dest_ip='192.168.200.31'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].name='Teamspeak (Filetransfer)'
firewall.@redirect[1].proto='tcp'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].src_dport='30033'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].dest_port='30033'
firewall.@redirect[1].dest_ip='192.168.200.31'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].name='Teamspeak (Serverquery)'
firewall.@redirect[2].proto='tcp'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].src_dport='10011'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].dest_port='10011'
firewall.@redirect[2].dest_ip='192.168.200.31'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].name='Teamspeak (DNS)'
firewall.@redirect[3].proto='tcp'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].src_dport='41144'
firewall.@redirect[3].dest='lan'
firewall.@redirect[3].dest_port='41144'
firewall.@redirect[3].dest_ip='192.168.200.31'
firewall.@redirect[4]=redirect
firewall.@redirect[4].target='DNAT'
firewall.@redirect[4].name='FreeNAS'
firewall.@redirect[4].proto='tcp'
firewall.@redirect[4].src='wan'
firewall.@redirect[4].src_dport='2343'
firewall.@redirect[4].dest='lan'
firewall.@redirect[4].dest_port='2343'
firewall.@redirect[4].dest_ip='192.168.200.79'
firewall.@redirect[4].enabled='0'
firewall.@redirect[5]=redirect
firewall.@redirect[5].target='DNAT'
firewall.@redirect[5].name='HTTP'
firewall.@redirect[5].proto='tcp'
firewall.@redirect[5].src='wan'
firewall.@redirect[5].src_dport='80'
firewall.@redirect[5].dest='lan'
firewall.@redirect[5].dest_port='80'
firewall.@redirect[5].dest_ip='192.168.200.113'
firewall.@redirect[6]=redirect
firewall.@redirect[6].target='DNAT'
firewall.@redirect[6].name='HTTPS'
firewall.@redirect[6].proto='tcp'
firewall.@redirect[6].src='wan'
firewall.@redirect[6].src_dport='443'
firewall.@redirect[6].dest='lan'
firewall.@redirect[6].dest_port='443'
firewall.@redirect[6].dest_ip='192.168.200.113'
firewall.@redirect[7]=redirect
firewall.@redirect[7].target='DNAT'
firewall.@redirect[7].name='Minecraft'
firewall.@redirect[7].proto='tcp'
firewall.@redirect[7].src='wan'
firewall.@redirect[7].src_dport='25565'
firewall.@redirect[7].dest='lan'
firewall.@redirect[7].dest_port='25565'
firewall.@redirect[7].dest_ip='192.168.200.136'
firewall.@redirect[8]=redirect
firewall.@redirect[8].target='DNAT'
firewall.@redirect[8].name='OpenVPN'
firewall.@redirect[8].proto='udp'
firewall.@redirect[8].src='wan'
firewall.@redirect[8].src_dport='1194'
firewall.@redirect[8].dest='lan'
firewall.@redirect[8].dest_port='1194'
firewall.@redirect[8].dest_ip='192.168.200.147'
firewall.@redirect[8].enabled='0'
firewall.@redirect[9]=redirect
firewall.@redirect[9].target='DNAT'
firewall.@redirect[9].name='Minecraft (Lyxx)'
firewall.@redirect[9].proto='tcp'
firewall.@redirect[9].src='wan'
firewall.@redirect[9].src_dport='25566'
firewall.@redirect[9].dest='lan'
firewall.@redirect[9].dest_port='25566'
firewall.@redirect[9].dest_ip='192.168.200.136'
firewall.@redirect[10]=redirect
firewall.@redirect[10].target='DNAT'
firewall.@redirect[10].name='Minecraft'
firewall.@redirect[10].proto='tcp'
firewall.@redirect[10].src='wan'
firewall.@redirect[10].src_dport='25566'
firewall.@redirect[10].dest='lan'
firewall.@redirect[10].dest_port='25566'
firewall.@redirect[10].dest_ip='192.168.200.60'
firewall.@redirect[11]=redirect
firewall.@redirect[11].target='DNAT'
firewall.@redirect[11].name='MTA Serverport'
firewall.@redirect[11].proto='udp'
firewall.@redirect[11].src='wan'
firewall.@redirect[11].src_dport='22003'
firewall.@redirect[11].dest='lan'
firewall.@redirect[11].dest_ip='192.168.3.54'
firewall.@redirect[11].dest_port='22003'
firewall.@redirect[12]=redirect
firewall.@redirect[12].target='DNAT'
firewall.@redirect[12].name='MTA HTTP'
firewall.@redirect[12].proto='tcp'
firewall.@redirect[12].src='wan'
firewall.@redirect[12].src_dport='22005'
firewall.@redirect[12].dest='lan'
firewall.@redirect[12].dest_ip='192.168.3.54'
firewall.@redirect[12].dest_port='22005'
firewall.@redirect[13]=redirect
firewall.@redirect[13].target='DNAT'
firewall.@redirect[13].name='MTA Serverlist'
firewall.@redirect[13].proto='udp'
firewall.@redirect[13].src='wan'
firewall.@redirect[13].src_dport='22126'
firewall.@redirect[13].dest='lan'
firewall.@redirect[13].dest_ip='192.168.3.54'
firewall.@redirect[13].dest_port='22126'
firewall.@redirect[14]=redirect
firewall.@redirect[14].target='DNAT'
firewall.@redirect[14].name='SA-MP (Server Test)'
firewall.@redirect[14].src='wan'
firewall.@redirect[14].src_dport='7780'
firewall.@redirect[14].dest='lan'
firewall.@redirect[14].dest_ip='192.168.3.84'
firewall.@redirect[14].dest_port='7780'
firewall.@redirect[15]=redirect
firewall.@redirect[15].target='DNAT'
firewall.@redirect[15].name='Olympia (SSH)'
firewall.@redirect[15].proto='tcp'
firewall.@redirect[15].src='wan'
firewall.@redirect[15].src_dport='31006'
firewall.@redirect[15].dest='lan'
firewall.@redirect[15].dest_ip='192.168.200.56'
firewall.@redirect[15].dest_port='31006'
firewall.@redirect[15].enabled='0'
firewall.@redirect[16]=redirect
firewall.@redirect[16].target='DNAT'
firewall.@redirect[16].name='Olympia (Minecraft)'
firewall.@redirect[16].proto='tcp'
firewall.@redirect[16].src='wan'
firewall.@redirect[16].src_dport='31007'
firewall.@redirect[16].dest='lan'
firewall.@redirect[16].dest_port='31007'
firewall.@redirect[16].dest_ip='172.20.64.135'
firewall.@redirect[17]=redirect
firewall.@redirect[17].target='DNAT'
firewall.@redirect[17].name='Olympia (Varo)'
firewall.@redirect[17].proto='tcp'
firewall.@redirect[17].src='wan'
firewall.@redirect[17].src_dport='31008'
firewall.@redirect[17].dest='lan'
firewall.@redirect[17].dest_port='31008'
firewall.@redirect[17].dest_ip='172.20.64.135'
firewall.@redirect[18]=redirect
firewall.@redirect[18].target='DNAT'
firewall.@redirect[18].name='Minecraft ATM3 (Olympia)'
firewall.@redirect[18].proto='tcp'
firewall.@redirect[18].src='wan'
firewall.@redirect[18].src_dport='25568'
firewall.@redirect[18].dest='lan'
firewall.@redirect[18].dest_port='25568'
firewall.@redirect[18].dest_ip='192.168.200.136'
firewall.nat6=include
firewall.nat6.path='/etc/firewall.nat6'
firewall.nat6.reload='1'
firewall.@redirect[19]=redirect
firewall.@redirect[19].target='DNAT'
firewall.@redirect[19].proto='tcp'
firewall.@redirect[19].src='wan'
firewall.@redirect[19].src_dport='25569'
firewall.@redirect[19].dest='lan'
firewall.@redirect[19].dest_port='25569'
firewall.@redirect[19].name='Minecraft (ATM6)'
firewall.@redirect[19].dest_ip='192.168.200.32'
firewall.@rule[16]=rule
firewall.@rule[16].name='Hurricane Electric'
firewall.@rule[16].family='ipv4'
firewall.@rule[16].src='wan'
firewall.@rule[16].target='ACCEPT'
firewall.@rule[16].src_ip='216.66.80.30'
firewall.@rule[17]=rule
firewall.@rule[17].name='Allow-protocol-59'
firewall.@rule[17].src='wan'
firewall.@rule[17].proto='59'
firewall.@rule[17].target='ACCEPT'
firewall.@rule[17].extra='-m length --length 40'
firewall.@rule[18]=rule
firewall.@rule[18].name='Allow-protocol-41'
firewall.@rule[18].src='wan'
firewall.@rule[18].proto='41'
firewall.@rule[18].target='ACCEPT'
firewall.@redirect[20]=redirect
firewall.@redirect[20].target='DNAT'
firewall.@redirect[20].name='Minecraft (Modded)'
firewall.@redirect[20].proto='tcp'
firewall.@redirect[20].src='wan'
firewall.@redirect[20].src_dport='25570'
firewall.@redirect[20].dest='lan'
firewall.@redirect[20].dest_port='25570'
firewall.@redirect[20].dest_ip='192.168.200.136'
firewall.@redirect[21]=redirect
firewall.@redirect[21].target='DNAT'
firewall.@redirect[21].name='Wireguard'
firewall.@redirect[21].proto='udp'
firewall.@redirect[21].src='wan'
firewall.@redirect[21].src_dport='51820'
firewall.@redirect[21].dest='lan'
firewall.@redirect[21].dest_ip='192.168.252.58'
firewall.@redirect[21].dest_port='51820'
firewall.@redirect[21].enabled='0'
firewall.@redirect[22]=redirect
firewall.@redirect[22].target='DNAT'
firewall.@redirect[22].name='GTA Online'
firewall.@redirect[22].proto='udp'
firewall.@redirect[22].src='wan'
firewall.@redirect[22].src_dport='6672'
firewall.@redirect[22].dest='lan'
firewall.@redirect[22].dest_ip='192.168.3.166'
firewall.@redirect[22].dest_port='6672'
firewall.@redirect[22].enabled='0'
firewall.@redirect[23]=redirect
firewall.@redirect[23].target='DNAT'
firewall.@redirect[23].name='GTA Online'
firewall.@redirect[23].proto='udp'
firewall.@redirect[23].src='wan'
firewall.@redirect[23].dest='lan'
firewall.@redirect[23].dest_ip='192.168.3.166'
firewall.@redirect[23].src_dport='61455-61458'
firewall.@redirect[23].dest_port='61455-61458'
firewall.@redirect[23].enabled='0'
firewall.@redirect[24]=redirect
firewall.@redirect[24].target='DNAT'
firewall.@redirect[24].name='Jerrez (ARK)'
firewall.@redirect[24].src='wan'
firewall.@redirect[24].src_dport='61009'
firewall.@redirect[24].dest='lan'
firewall.@redirect[24].dest_port='61009'
firewall.@redirect[24].dest_ip='192.168.200.30'
firewall.@redirect[25]=redirect
firewall.@redirect[25].target='DNAT'
firewall.@redirect[25].name='Ark'
firewall.@redirect[25].proto='tcp'
firewall.@redirect[25].src='wan'
firewall.@redirect[25].src_dport='25147'
firewall.@redirect[25].dest='lan'
firewall.@redirect[25].dest_port='25147'
firewall.@redirect[25].dest_ip='192.168.200.30'
firewall.@redirect[26]=redirect
firewall.@redirect[26].target='DNAT'
firewall.@redirect[26].name='Ark'
firewall.@redirect[26].proto='tcp'
firewall.@redirect[26].src='wan'
firewall.@redirect[26].src_dport='27015-27030'
firewall.@redirect[26].dest='lan'
firewall.@redirect[26].dest_port='27015-27030'
firewall.@redirect[26].dest_ip='192.168.200.30'
firewall.@redirect[27]=redirect
firewall.@redirect[27].target='DNAT'
firewall.@redirect[27].name='Ark'
firewall.@redirect[27].proto='tcp'
firewall.@redirect[27].src='wan'
firewall.@redirect[27].src_dport='27036-27037'
firewall.@redirect[27].dest='lan'
firewall.@redirect[27].dest_port='27036-27037'
firewall.@redirect[27].dest_ip='192.168.200.30'
firewall.@redirect[28]=redirect
firewall.@redirect[28].target='DNAT'
firewall.@redirect[28].name='Ark'
firewall.@redirect[28].proto='udp'
firewall.@redirect[28].src='wan'
firewall.@redirect[28].src_dport='4380'
firewall.@redirect[28].dest='lan'
firewall.@redirect[28].dest_port='4380'
firewall.@redirect[28].dest_ip='192.168.200.30'
firewall.@redirect[29]=redirect
firewall.@redirect[29].target='DNAT'
firewall.@redirect[29].name='Ark'
firewall.@redirect[29].proto='udp'
firewall.@redirect[29].src='wan'
firewall.@redirect[29].src_dport='7777-7778'
firewall.@redirect[29].dest='lan'
firewall.@redirect[29].dest_port='7777-7778'
firewall.@redirect[29].dest_ip='192.168.200.30'
firewall.@redirect[30]=redirect
firewall.@redirect[30].target='DNAT'
firewall.@redirect[30].name='Ark'
firewall.@redirect[30].proto='udp'
firewall.@redirect[30].src='wan'
firewall.@redirect[30].src_dport='25147'
firewall.@redirect[30].dest='lan'
firewall.@redirect[30].dest_port='25147'
firewall.@redirect[30].dest_ip='192.168.200.30'
firewall.@redirect[31]=redirect
firewall.@redirect[31].target='DNAT'
firewall.@redirect[31].name='Ark'
firewall.@redirect[31].proto='udp'
firewall.@redirect[31].src='wan'
firewall.@redirect[31].src_dport='27000-27031'
firewall.@redirect[31].dest='lan'
firewall.@redirect[31].dest_port='27000-27031'
firewall.@redirect[31].dest_ip='192.168.200.30'
firewall.@redirect[32]=redirect
firewall.@redirect[32].target='DNAT'
firewall.@redirect[32].name='Ark'
firewall.@redirect[32].proto='udp'
firewall.@redirect[32].src='wan'
firewall.@redirect[32].src_dport='27036'
firewall.@redirect[32].dest='lan'
firewall.@redirect[32].dest_port='27036'
firewall.@redirect[32].dest_ip='192.168.200.30'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.@redirect[33]=redirect
firewall.@redirect[33].target='DNAT'
firewall.@redirect[33].name='Jerrez (Cockpit)'
firewall.@redirect[33].proto='tcp'
firewall.@redirect[33].src='wan'
firewall.@redirect[33].src_dport='61010'
firewall.@redirect[33].dest='lan'
firewall.@redirect[33].dest_port='9090'
firewall.@redirect[33].dest_ip='192.168.200.30'
firewall.@redirect[34]=redirect
firewall.@redirect[34].target='DNAT'
firewall.@redirect[34].name='Ark (RCON)'
firewall.@redirect[34].src='wan'
firewall.@redirect[34].src_dport='32330'
firewall.@redirect[34].dest='lan'
firewall.@redirect[34].dest_port='32330'
firewall.@redirect[34].dest_ip='192.168.200.30'
firewall.miniupnpd=include
firewall.miniupnpd.type='script'
firewall.miniupnpd.path='/usr/share/miniupnpd/firewall.include'
firewall.miniupnpd.family='any'
firewall.miniupnpd.reload='1'
firewall.@redirect[35]=redirect
firewall.@redirect[35].target='DNAT'
firewall.@redirect[35].name='Minecraft (Debian)'
firewall.@redirect[35].proto='tcp'
firewall.@redirect[35].src='wan'
firewall.@redirect[35].src_dport='25571'
firewall.@redirect[35].dest='lan'
firewall.@redirect[35].dest_ip='192.168.3.166'
firewall.@redirect[35].dest_port='25571'
firewall.@redirect[36]=redirect
firewall.@redirect[36].target='DNAT'
firewall.@redirect[36].name='Minecraft-Alt'
firewall.@redirect[36].proto='tcp'
firewall.@redirect[36].src='wan'
firewall.@redirect[36].src_dport='31010'
firewall.@redirect[36].dest='lan'
firewall.@redirect[36].dest_ip='192.168.200.32'
firewall.@redirect[36].dest_port='22'
firewall.@redirect[37]=redirect
firewall.@redirect[37].target='DNAT'
firewall.@redirect[37].name='Minecraft-Alt (Apache2)'
firewall.@redirect[37].proto='tcp'
firewall.@redirect[37].src='wan'
firewall.@redirect[37].src_dport='31011'
firewall.@redirect[37].dest='lan'
firewall.@redirect[37].dest_ip='192.168.200.32'
firewall.@redirect[37].dest_port='80'
firewall.ovpn=rule
firewall.ovpn.name='Allow-OpenVPN'
firewall.ovpn.src='wan'
firewall.ovpn.dest_port='1194'
firewall.ovpn.proto='udp'
firewall.ovpn.target='ACCEPT'
firewall.@rule[21]=rule
firewall.@rule[21].name='Allow-OpenVPN-Alt'
firewall.@rule[21].proto='udp'
firewall.@rule[21].src='wan'
firewall.@rule[21].dest_port='1195'
firewall.@rule[21].target='ACCEPT'

????
Below is the part regarding 80 and 443 which are "open". You have forwarded them to a web server.

3 Likes

You have a gigantic amount of open ports in your firewall with all these redirects.

I would almost say it is so bad that you don't have an active working firewall at all any longer.

3 Likes

Thanks, that's right, I have 443 and 80 forwarded to a web server.
The ports I am wondering about are:

135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Yes, CERT was the reporting authority; according to them I have an "Open DNS Resolver" and a "Portmapper" service running.

Is there a proper way to check for open ports? Any suggestions on how to structure the firewall port forwardings?

EDIT:
One more report is relating to a NetBIOS service, exposed to the internet.

I got the notices appended below.

Dear Customer,

There is a suspected security breach on your Internet connection, and without your knowledge your connection could be misused to harm other Internet users.

We urge you to seek the advice of an expert and to take appropriate protective measures.

Please note that if your connection is misused in an actual attack, we are unfortunately forced to temporarily block your connection to protect other Internet users.

For experts, we have compiled background information here:

Recently, attacks from the Internet have steadily increased. To improve security, various organizations are therefore monitoring network areas on the Internet.

Anomalies that affect our network are then made available to us. We have received information concerning your connection: a so-called open "NetBIOS interface" has been reported on your line.

NetBIOS is a programming interface for communication between programs over a local network. NetBIOS over TCP/IP is a network protocol that allows programs based on the NetBIOS programming interface to communicate over the TCP/IP network protocol.

In recent months, systems that respond to NetBIOS name service requests from the Internet have been increasingly misused to carry out DDoS reflection/amplification attacks.

Such an attack is known as "DDoS" - "distributed denial of service".

Since your connection can be used for such an attack, your configuration poses an acute danger to other Internet users.

Important for you: Please take the necessary protective measures in your own interest. Should your connection come to light in an attack reported to us, we would be forced to block your account first. If you repeatedly ignore this information about the aforementioned security vulnerability, your account will be blocked automatically. The security of your connection, our infrastructure and other Internet users is paramount.

Translated with www.DeepL.com/Translator (free version)

Dear Customer,

There is a suspected security vulnerability on your Internet connection: your connection could be misused to harm other Internet users.

We urge you to seek the advice of an expert and to take appropriate protective measures.

Please note that if your connection is misused in an actual attack, we will unfortunately be forced to temporarily block your connection to protect other Internet users.

For experts, we have compiled background information here:

Recently, attacks from the Internet have steadily increased. To improve security, various organizations are therefore monitoring network areas on the Internet.

Anomalies that affect our network are then made available to us. We have received information concerning your connection: a so-called open "DNS resolver" has been reported on your connection.

In this case, a (relatively small) query to your DNS server can result in a quite large response, which is then sent back to the (supposed) requesting client.

Since the origin of the request is not checked (UDP), it is possible, by sending requests to many DNS servers, to direct the responses of all requested servers to a common "victim". This flood of data usually leads to an overload of the data line and/or the affected computer.

Such an attack is known as "DDoS" - "distributed denial of service", more precisely: "reflection attack".

Since your connection can be used for such an attack, your configuration poses an acute danger to other Internet users.

Important for you: Please take the necessary protective measures in your own interest. We therefore urge you to secure your configuration in such a way that unauthorized persons cannot use your DNS resolver service.

Should your connection come to light in an attack reported to us, we would be forced to block your account first. If you repeatedly ignore this information about the aforementioned security vulnerability, your account will be blocked automatically. The security of your connection, our infrastructure and other Internet users is paramount.

Translated with www.DeepL.com/Translator (free version)

But you also have some general grammar faults in the config in a couple of places.
Rules, for example, must always have the '@' and the ID number. Without this '@' and ID number the rule will be ignored as illegal; I doubt you even see the first rule in this example in LuCI.
Have you written some of these config parts manually, or is everything done through LuCI or a script?

Because of the huge number of redirects and other things happening in your firewall (among other things potentially strangely configured), I'd argue the safest bet is as follows:

  1. backup your router.
  2. reset your router to defaults.
  3. configure your router with the settings you need -- obviously wifi and basic network configuration is first.
  4. Test to see what ports are reported as open by an external port scan.
  5. Configure your firewall rules (port forwarding, open ports on the router itself) one port (or port group) at a time -- don't add anything that you don't have specific reasons to add (this is a good time to re-evaluate each rule).
5 Likes
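A way to do the re-evaluation in step 5 on paper before touching the router, as an added example that is not part of this post or of OpenWrt's own tooling: the script below parses the `uci show firewall` output posted earlier, lists every enabled DNAT from wan, flags the same WAN port forwarded twice (25566 appears in two redirects in that dump), treats redirects that omit `proto` as matching both tcp and udp (fw3's default when the option is absent), and lists the rules that accept wan traffic to the router itself, marking those with neither a destination port nor a source-address restriction. The embedded SAMPLE is a constructed subset of the posted dump; the function names are the example's own.

```python
"""Audit an OpenWrt `uci show firewall` dump for WAN-facing exposure.
Added example, not OpenWrt tooling: `python3 fwaudit.py firewall.txt`,
or with no argument to audit the constructed SAMPLE below."""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the dump posted in the thread, with options
# not needed for the audit dropped.
SAMPLE = """\
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.input='REJECT'
firewall.wan.forward='REJECT'
firewall.@redirect[8]=redirect
firewall.@redirect[8].name='OpenVPN'
firewall.@redirect[8].proto='udp'
firewall.@redirect[8].src='wan'
firewall.@redirect[8].src_dport='1194'
firewall.@redirect[8].dest_ip='192.168.200.147'
firewall.@redirect[8].enabled='0'
firewall.@redirect[9]=redirect
firewall.@redirect[9].name='Minecraft (Lyxx)'
firewall.@redirect[9].proto='tcp'
firewall.@redirect[9].src='wan'
firewall.@redirect[9].src_dport='25566'
firewall.@redirect[9].dest_ip='192.168.200.136'
firewall.@redirect[10]=redirect
firewall.@redirect[10].name='Minecraft'
firewall.@redirect[10].proto='tcp'
firewall.@redirect[10].src='wan'
firewall.@redirect[10].src_dport='25566'
firewall.@redirect[10].dest_ip='192.168.200.60'
firewall.@redirect[34]=redirect
firewall.@redirect[34].name='Ark (RCON)'
firewall.@redirect[34].src='wan'
firewall.@redirect[34].src_dport='32330'
firewall.@redirect[34].dest_ip='192.168.200.30'
firewall.wg=rule
firewall.wg.name='Allow-WireGuard'
firewall.wg.src='wan'
firewall.wg.dest_port='51820'
firewall.wg.proto='udp'
firewall.wg.target='ACCEPT'
firewall.@rule[18]=rule
firewall.@rule[18].name='Allow-protocol-41'
firewall.@rule[18].src='wan'
firewall.@rule[18].proto='41'
firewall.@rule[18].target='ACCEPT'
"""

LINE_RE = re.compile(r"^firewall\.([^.=]+)(?:\.([^=]+))?=(.*)$")


def parse_uci(dump):
    """Sections in file order: {_name, _type, option: [values...]}."""
    sections, order = {}, []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, option, value = m.groups()
        if option is None:                      # header line, e.g. firewall.wan=zone
            sections[name] = {"_name": name, "_type": value}
            order.append(name)
        else:                                   # quoted value(s); lists are space-separated
            sections.setdefault(name, {"_name": name, "_type": "?"})[option] = (
                re.findall(r"'([^']*)'", value) or [value])
    return [sections[n] for n in order]


def opt(section, key, default=None):
    """First value of an option, or the default when the option is unset."""
    return section[key][0] if key in section else default


def audit(dump):
    """Zone policies, enabled DNATs from wan, port conflicts, router-input openings."""
    report = {"zones": {}, "dnat": [], "duplicates": [], "router_input": [], "unrestricted": []}
    by_port = defaultdict(list)
    for s in parse_uci(dump):
        if opt(s, "enabled", "1") == "0" or (s["_type"] != "zone" and opt(s, "src") != "wan"):
            continue
        name = opt(s, "name", s["_name"])
        if s["_type"] == "zone":
            report["zones"][name] = (opt(s, "input"), opt(s, "forward"))
        elif s["_type"] == "redirect" and opt(s, "target", "DNAT") == "DNAT":
            proto = opt(s, "proto", "tcp udp")      # fw3 matches both when proto is omitted
            wan_port = opt(s, "src_dport")
            dest = f"{opt(s, 'dest_ip')}:{opt(s, 'dest_port', wan_port)}"  # port unchanged if unset
            report["dnat"].append({"name": name, "proto": proto, "wan_port": wan_port, "to": dest})
            for p in proto.split():
                by_port[(p, wan_port)].append(name)
        elif s["_type"] == "rule" and opt(s, "target") == "ACCEPT" and "dest" not in s:
            # No dest: the rule opens a port on the router itself rather than forwarding.
            report["router_input"].append((name, opt(s, "proto", "tcp udp"), opt(s, "dest_port", "any")))
            if "dest_port" not in s and "src_ip" not in s:   # a src_ip pin (e.g. a tunnel peer) would exempt it
                report["unrestricted"].append(name)
    report["duplicates"] = [(k, v) for k, v in by_port.items() if len(v) > 1]
    return report


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, rows in audit(text).items():
        print(f"== {key}")
        for row in (rows.items() if isinstance(rows, dict) else rows):
            print("  ", row)
```

Running it on the full dump posted above gives a one-screen list of what the WAN side actually accepts, which is the list to walk through one entry at a time in step 5; anything whose purpose cannot be named is a candidate for removal, and a duplicate src_dport means only one of the two hosts is reachable on that port anyway.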

You are infected with one or more DDoS bots and port scanners. And your network is now a global threat.

They either live in your router, or they live in some computers inside your network.

You have two alternatives.

  1. Burn it out with Wireshark and kill the devices infected.
  2. Turn every single device off forever and disconnect every cable. And reinstall every software and OS in every single device one at a time. But do not connect a “not reinstalled” device to the network because then you will have to start from scratch.

But there is no point actually with all these redirects all over the place. The bots will just sit and wait online for you to finish and come back again once you start up the network again with all the redirects.

Thanks @flygarn12, yes, everything was done through LuCI only. I don't know how to deal with the firewall through the CLI.

Also thanks to @psherman. I think a factory reset will be a huge difficulty, due to a lot of different settings regarding high-availability, BGP and IS-IS routing as well as mwan3 stuff. Is there maybe some default config for that?

Due to the huge complexity of my router setup, I have been using the same config for the past 3 stable releases. Do you think this issue is only firewall related?

@flygarn12, running Wireshark is no issue, but have you got some information on what to look for? Most of the OSes I use are Linux. There are only 2 Windows hosts in the network. Do you suspect some of them?

https://thehackernews.com/
The thing is that it doesn't matter; CERT has spotted the threat from you and everything in the network is a suspect. Linux or Windows doesn't matter with these bots and malware.

But I think the fault lies in the devices that play all the games in your redirects.
But it can also be a CCTV camera, a thermostat, your fridge etc…

The best thing is if they have a mac address from the device they have found.

If it is a DDoS bot it is really hard, because every bot only sends a couple of packets, but 1000000billion devices sending only 10 packets each kills even Google.

I recommended a backup so that you will have a reference. If you have a complex setup, you're going to have a very hard time finding where things are misconfigured -- you'll probably spend more time troubleshooting than you will rebuilding. And if there is an issue such as malware or some other vulnerability running on the router itself (I'm not saying that is the case, but it is plausible), you will be very hard pressed to eradicate that without a reset. So you will find yourself in one of these three positions:

  1. spend a ton of time troubleshooting a complex and potentially compromised router configuration.
  2. give up troubleshooting and live with the potential security issues
  3. reset and rebuild so that you can actually have confidence in how the device is configured.

Nope, no such thing as a default config for the stuff you're talking about. That stuff is never one-size-fits-all, and always requires setting things manually.

This is not always a good idea, and may explain some of your issues. Syntax and other elements change from release to release. Most of the time they are compatible or migratable, but it is not perfect. This alone is a good enough reason to rebuild -- you can ensure that everything is setup properly and has the syntax and methods appropriate for the current version.

No idea. If you were running a simple home network type config (1 WAN, 1 LAN or maybe even VLANs) we could probably make some reasonable assumptions that it is just a firewall issue. But if you're using HA, BGP, and other non-standard routing, you could have issues lurking in multiple places. And, as noted earlier, it is plausible that something has compromised the router itself (again, not saying that it happened, but just that it could).

I would actually contact your country's CERT and ask for help and more information about what they have found. I really think they will help you; at least the CERT in the country I live in is helpful if you ask.

Thanks a lot. Even though I will still consider the full reset,
I was able to isolate the issue; it seems to be some setting on my Fritz! ISP router.
This is the nmap of the WAN interface of the OpenWrt devices:

Nmap scan report for 192.168.178.4
Host is up (0.0027s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
179/tcp open  bgp
443/tcp open  https


And the Fritz! router, scanned via the public IP:

9/tcp   filtered discard
80/tcp  open     http
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
179/tcp filtered bgp
443/tcp open     https
445/tcp filtered microsoft-ds

Somehow I can use my domain to resolve DNS requests.

nslookup google.de secret.org
Address:	secret#53

Non-authoritative answer:
Name:	google.de
Address: 142.250.185.163
Name:	google.de
Address: 2a00:1450:4001:811::2003

Now, things start to make sense.
So these ports exposed by the Fritz! router are related to the NetBIOS issue. Also, the DNS resolver issue seems to be related to the open port 53 on my OpenWrt device.
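The nslookup above is the same test the CERT scanners run: a recursive query for a name the server is not authoritative for, sent from outside the network. As an added example (not from this thread or from OpenWrt), here is that check written out so the deciding DNS header flag is visible: it builds a recursive A query, sends it to the address given on the command line and reports whether the reply carries the RA (recursion available) flag together with answer records, which is what makes a resolver "open". A correctly restricted resolver either answers REFUSED or does not reply at all to outside clients. With no argument it classifies two constructed replies so the parsing can be checked offline; the name `example.com` and all function names are the example's own choices. Run it only from a host outside your own network against your own public address.

```python
"""Classify a DNS server's reply to a recursive query from an outside host.
Added example for this thread; not OpenWrt or dnsmasq code."""
import random
import socket
import struct
import sys


def build_query(name, qtype=1, rd=True):
    """Build a single-question DNS query (qtype 1 = A). Returns (txid, packet)."""
    txid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000            # RD bit set: ask for recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # 1 question, no other records
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return txid, header + question


def parse_header(packet):
    """The header fields that matter for the open-resolver decision."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),             # 1 = this is a response
        "ra": bool(flags & 0x0080),             # recursion available
        "rcode": flags & 0x000F,                # 0 = NOERROR, 5 = REFUSED
        "answers": an,
    }


def classify(hdr):
    """An open resolver says recursion is available and returns answers to us."""
    if not hdr["qr"]:
        return "not a response"
    if hdr["rcode"] == 5:
        return "refused: recursion not offered to this client (good)"
    if hdr["ra"] and hdr["answers"] > 0:
        return "OPEN RESOLVER: recursive answer served to an outside client"
    if hdr["ra"]:
        return "recursion offered (RA set) but no answer records"
    return "no recursion available (RA clear)"


def probe(server, name="example.com", timeout=3.0):
    """Send the query over UDP/53 and classify the reply; None if nothing comes back."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None                          # ignored or filtered: also a non-open result
    hdr = parse_header(data)
    if hdr["txid"] != txid:
        return "reply with mismatched transaction id ignored"
    return classify(hdr)


# Constructed replies for offline checking (header only; the body is not needed).
SAMPLE_OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD, RCODE 5, no answers

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]) or "no reply (timeout): server ignores this client or port is filtered")
    else:
        print(classify(parse_header(SAMPLE_OPEN_REPLY)))
        print(classify(parse_header(SAMPLE_REFUSED_REPLY)))
```

The OP's nslookup output (a non-authoritative answer for google.de with RA implied) corresponds to the first classification; after the resolver is restricted to the LAN interfaces, the same probe from outside should come back REFUSED or time out.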

I think I am not getting something...

You have opened lots of ports, consciously. Your ISP is warning you about those open ports, and now you need help to secure your router.

Well, you either close all those ports you opened, or you leave them open.