Security Audit / Scan (from outside)


I am looking for security audit / scan services to check whether I made errors with OpenWRT.

I only know heise.

What do you use/recommend? Open source preferred.

Please. Thanks.

Please. Thank you very much.

There's GRC's Shields Up, for firewall testing. If you want to do penetration testing, I think it's better to spin up e.g. Kali Linux and start testing your firewall (with Kali Linux on the outside, of course).






Not good: I wish to have all incoming ports "FILTERED".
How to do that? There is no need for an INCOMING internet connection (except Bittorrent).

I have no money

It's fine. Your firewall is doing exactly what it's supposed to be doing.


I am pretty sure that the difference between filtered and closed is simply about reject vs drop. In both cases, no traffic is allowed in.

To make an analogy - imagine knocking on someone’s door with the intention of talking to the person who answers...
Drop would be the equivalent of nobody answering the door. You’ve got nobody to talk to, even if they are home - you don’t know if they’re there or not.
Reject would be that they come to the door and immediately scream “go away.” This time you know they are home, but you still cannot talk to them.


These sorts of tests are often inaccurate and use click-bait tricks to pull money out of you.
They typically provide neither guarantee nor responsibility for the result.
I wouldn't blindly trust them, especially when it is related to security.
The best you can do is to personally scan your own WAN interface with Nmap or the like.


In addition, I surmise those "Filtered" ports are done by your ISP. I assume you're aware that the official/registered protocols for those ports are only used commonly on LANs - and rarely across WANs.

As noted, to show Filtered, change your default rules to DROP. @psherman explained why this is so.


Please review


What am I reviewing?

Everything still says "Reject"...except the general input rule. You didn't make the changes.

now better?

what I wish

  • route all traffic to wireguard, except AppleTV
  • block all incoming connections, except Torrent


I thought YOU wanted a method to "security audit/scan from outside"...How is that related?

(Perhaps, you want to make a new thread?)

  • Regarding Wireguard: How does routing relate to the firewall image?
  • Regarding the AppleTV:
    • Are you saying that you don't understand the concept of the DROP/REJECT setting on WAN?
    • The page you show doesn't show the "except Torrent" part - I assume you created a correctly configured Port Forward firewall rule?

By default, OpenWrt blocks all incoming connections on WAN.


You can use if you need an NMAP scan from outside your network.


You are correct.

As others have suggested, nmap would be good to check ports but if you have a service exposed and want to check for vulnerabilities on a specific service you can check out OWASP ZAProxy. Works like a charm.
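
The reject-versus-drop distinction discussed in this thread can be observed with a plain TCP connect check against your own WAN address, run from a host outside your network. The following is an added example, not code from any poster or from OpenWrt; the function names and the 192.0.2.1 documentation address are placeholders, and it uses full TCP connects rather than the SYN probes Nmap sends when run as root.

```python
import errno
import socket

# Errors that mean a device on the path answered with an ICMP "unreachable".
# Nmap also reports these as "filtered".
UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def state_from_error(exc):
    """Map the outcome of one TCP connect attempt to an Nmap-style port state."""
    if exc is None:
        return "open"        # handshake completed: a service is reachable
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # a TCP RST came back: REJECT, or nothing listening
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"    # no answer at all: the SYN was DROPped somewhere
    if isinstance(exc, OSError) and exc.errno in UNREACHABLE:
        return "filtered"
    raise exc                # e.g. name resolution failure: not a port state


def probe(host, port, timeout=2.0):
    """Try to connect to host:port and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return state_from_error(None)
    except OSError as exc:
        return state_from_error(exc)


def scan(host, ports, timeout=2.0):
    """Probe each port in turn; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Placeholder target: replace with your own WAN address and run from outside.
    for port, state in scan("192.0.2.1", [22, 80, 443]).items():
        print(f"{port}/tcp {state}")
```

With the WAN zone input policy set to DROP, every port without a forward or allow rule should come back as "filtered"; with REJECT, the same ports come back as "closed".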