Need help on security/firewall: Seems that all ports are open

I have an Archer C7 running 18.06.1 and my setup is 'basic': ISP Modem (FTTH ONT as bridge) -> openwrt.

I was checking if a portforward was open through canyouseeme.org and almost every port I tried was open. I checked then GRC ShieldsUP and got the following result, while the test through speedguide.net gave me 45 open ports.

[image: GRC ShieldsUP scan result]

The weird thing is that the 'dummy' ports are open, while the service ones like 53, 445 and 25 are filtered (this in speedguide).

Am I doing something wrong with my settings? This is my firewall config.


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option network 'wan wan6 modem'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'DROP'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Block-Outbound-TFTP'
	option src 'lan'
	option dest 'wan'
	option dest_port '69'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-Syslog'
	option src 'lan'
	option dest 'wan'
	option dest_port '514'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-SNMP'
	option src 'lan'
	option dest 'wan'
	option dest_port '161 162'
	option proto 'udp'
	option family 'any'
	option target 'REJECT'

config rule
	option name 'Block-Outbound-SMB'
	option src 'lan'
	option dest 'wan'
	option dest_port '135 137 138 139 445'
	option proto 'tcpudp'
	option family 'any'
	option target 'REJECT'

config rule
	option proto 'tcp'
	option dest_port '22'
	option family 'ipv4'
	option dest 'wan'
	option target 'REJECT'
	option name 'Block SSH from lan'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '21'
	option dest_ip '192.168.1.1'
	option dest_port '21'
	option name 'ftp'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.1'
	option dest_port '51413'
	option name 'transmission'

Thanks in advance!!

Try this first. For Config zone for 'wan' change the following option to Drop.

option input 'DROP'

Then retest with shields up, and see what you get.

2 Likes

I have Archer C7 V2 and I'm running 18.06.01 as well, with the default firewall config. I did a quick check on the ports now and it looks OK.

Why might this make a difference? REJECT shouldn't give a false positive, I think.

1 Like

A reject basically just tells the other end that the port isn't available vs. a drop which is used when you don't want the other end to see that port at all (No response).

When going for "stealth" drop is the way to go.

4 Likes

Understood. But it doesn't explain why he gets results that show open ports even though it's set to REJECT.

2 Likes

uci set firewall.@redirect[-1].src_dport="51413"
uci commit firewall
service firewall restart

4 Likes

Like vgaetera implies, this rule allows all incoming traffic and forwards it to the router. You have mixed src_dport and dest_port.

3 Likes
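An added example (not from the thread or from OpenWrt itself) that checks a UCI firewall file for the mistake discussed above: a DNAT redirect with no src_dport matches every inbound port on the WAN side, and a wan zone whose input is not DROP answers probes. The embedded config is a constructed excerpt modelled on the one posted in the question.

```python
import re

# Constructed excerpt of an /etc/config/firewall like the one in the question:
# the 'transmission' redirect sets dest_port but no src_dport.
SAMPLE_CONFIG = """
config zone
	option name 'wan'
	option input 'REJECT'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp'
	option src_dport '21'
	option dest_ip '192.168.1.1'
	option dest_port '21'
	option name 'ftp'
	option enabled '0'

config redirect
	option target 'DNAT'
	option src 'wan'
	option proto 'tcp udp'
	option dest_ip '192.168.1.1'
	option dest_port '51413'
	option name 'transmission'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {key: value}) pairs; list keys collect values."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if not m:
            continue
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = value
        else:
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def audit(text):
    """Return human-readable findings for enabled DNAT redirects without src_dport and a non-DROP wan input."""
    findings = []
    for stype, opts in parse_uci(text):
        # OpenWrt treats a missing 'target' on a redirect as DNAT and a missing 'enabled' as on
        if stype == "redirect" and opts.get("target", "DNAT") == "DNAT":
            if opts.get("enabled", "1") != "0" and "src_dport" not in opts:
                findings.append(f"redirect '{opts.get('name', '?')}': no src_dport, so every "
                                f"{opts.get('proto', 'tcp udp')} port is forwarded to {opts.get('dest_ip')}")
        elif stype == "zone" and opts.get("name") == "wan" and opts.get("input") != "DROP":
            findings.append(f"zone wan: input is {opts.get('input')}, probes are answered (not stealth)")
    return findings
```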

Yes, I noticed it earlier and replicated it but it didn't seem to replicate the problem. But I guess it was probably that port number 51413 that's not open on the router from the LAN side. I tried again with a destination port of 11 instead, and the problem was replicated.

I don't wish to hijack the post, but this is probably related enough: how to check what ports are open from the LAN side?

1 Like

Thanks a lot for all the answers! I’m at work so I’ll be able to test it only tonight, but nonetheless I’ve already learned that I messed up with the port forwarding...

To do port scanning yourself, you may use nmap.

In addition, there are some Android apps, with name similar to 'network tools', which can do port scanning as t.

2 Likes

BINGO!!!

Suddenly, look at what my GRC ShieldsUP result looks like :smile:

[image: GRC ShieldsUP scan result after the fix]

I also have an interest in being as stealthy as possible, so I also changed the wan input setting to DROP as davidc502 suggested and got a full green square result at the GRC test.

Many thanks to you and everyone else here who helped!

2 Likes

Doesn't blue mean they are not stealth, but rather closed?

Yup, I just edited the post and didn't see your reply. I changed the input to DROP and now it's all green.

Now I noticed that I didn't get a full pass because of the text below, and I assume it should also be something like the REJECT:

Unsolicited Packets: RECEIVED (FAILED) — Your system's personal security countermeasures unwisely attempted to probe us in response to our probes. While some users believe that "tracking down" the source of Internet probes is useful, experience indicates that there is little to gain and potentially much to lose. The wisest course of action is to simulate nonexistence — which your system has failed to do. Your counter-probes immediately reveal your system's presence and location on the Internet.
