Hi
I am searching for Security Audit / Scan services to check if I made errors with OpenWRT
I only know heise.
What do you use/recommend? Open Source preferred
Please. Thanks.
There's GRC's Shields Up, for firewall testing. If you want to do penetration testing, I think it's better to spin up e.g. Kali Linux and start testing your firewall (with Kali Linux on the outside, of course).
Also:
Software:
https://www.heise.de/security/dienste/portscan/test/go.shtml?scanart=1
thanks
Not good: I wish to have all incoming ports "FILTERED".
How to do that? There is no need for an INCOMING internet connection (except BitTorrent)
I have no money
It's fine. Your firewall is doing exactly what it's supposed to be doing.
I am pretty sure that the difference between filtered and closed is simply about reject vs drop. In both cases, no traffic is allowed in.
To make an analogy - imagine knocking on someone’s door with the intention of talking to the person who answers...
Drop would be the equivalent of nobody answering the door. You’ve got nobody to talk to, even if they are home - you don’t know if they’re there or not.
Reject would be that they come to the door and immediately scream “go away.” This time you know they are home, but you still cannot talk to them.
These sorts of tests are often inaccurate and use click-bait tricks to pull money out of you.
They typically provide neither guarantee nor responsibility for the result.
I wouldn't blindly trust them especially when it is related to security.
The best you can do is to personally scan your own WAN interface with Nmap or the like.
In addition, I surmise those "Filtered" ports are done by your ISP. I assume you're aware that the official/registered protocols for those ports are only used commonly on LANs - and rarely across WANs.
As noted, to show Filtered, change your default rules to DROP. @psherman explained why this is so.
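The closed-versus-filtered distinction discussed above can be observed with a plain TCP connect probe run from a host outside your network against your own WAN address. This is an added example, not code from the thread or from OpenWrt; the names `probe` and `scan` and the 2-second timeout are assumptions.

```python
import socket
import sys


def probe(host, port, timeout=2.0):
    """Classify one TCP port as a connect scan from outside would see it.

    open     -> handshake completed, a service is reachable
    closed   -> connection refused (REJECT rule, or no listener)
    filtered -> nothing came back before the timeout (DROP rule)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        # Silence is also what packet loss or filtering further upstream
        # looks like, so repeat the probe before drawing conclusions.
        return "filtered"
    finally:
        sock.close()


def scan(host, ports, timeout=2.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 probe.py <your-wan-address> 22 80 443
    target, wanted = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port, state in sorted(scan(target, wanted).items()):
        print(f"{port}/tcp {state}")
```

With the WAN zone input policy on REJECT the ports report as closed; after switching it to DROP the same ports report as filtered, and in both cases nothing is let in.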
What am I reviewing?
Everything still says "Reject"...except the general input rule. You didn't make the changes.
now better?
what I wish
wireguard
, except AppleTV
???
I thought YOU wanted a method to "security audit/scan from outside"...How is that related?
(Perhaps, you want to make a new thread?)
By default, OpenWrt blocks all incoming connections on WAN.
You can use http://nmap.online-domain-tools.com/ if you need an NMAP scan from outside your network.
As others have suggested, nmap would be good to check ports but if you have a service exposed and want to check for vulnerabilities on a specific service you can check out OWASP ZAProxy. Works like a charm.