[SOLVED] HE.net: Same IPv6, different nmap query, different results

ffries · August 20, 2020, 3:07pm

Dear all,

I am connecting to IPv6 using an HE.,net tunnel in OpenWRT.
I did various IPv6 test on Internet, everything is OK.

One thing is curious:

If I connect from an Internet server and run:
nmap -6 myIPv6

Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-20 17:01 CEST
Not shown: 985 closed ports
PORT      STATE    SERVICE
25/tcp    filtered smtp
311/tcp   filtered asip-webadmin
898/tcp   filtered sun-manageconsole
1047/tcp  filtered neod1
1300/tcp  filtered h323hostcallsc
5825/tcp  filtered unknown
6156/tcp  filtered unknown
6666/tcp  filtered irc
6667/tcp  filtered irc
6668/tcp  filtered irc
6669/tcp  filtered irc
7000/tcp  filtered afs3-fileserver
9999/tcp  filtered abyss
32783/tcp filtered unknown
44501/tcp filtered unknown

Now if I run the same nmap test locally, it results in:

nmap -6 myIPv6

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 17:06 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds

What the hell is that?
Am I running a botnet?

ffries · August 20, 2020, 3:21pm

Now if I try the same with the OpenWRT router IPv6 address:

From the local network only LuCi tcp port is open:
nmap -6 router

Host is up (0.0011s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
443/tcp open  https

From the Internet:
nmap -6 router

Host is up (0.019s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
7000/tcp filtered afs3-fileserver
9999/tcp filtered abyss

Could be a feature of HE.net; please confirm.

krazeh · August 20, 2020, 3:23pm

Is it actually causing an issue?

ffries · August 20, 2020, 3:25pm

Not at all, I am only concerned that I cannot see the same ports, which is what happens when you are hacked. On local network, only LuCi port is open. I should see nothing from the Internet.

Can someone with HE.net confirm you have the same ports visible from the Internet.

krazeh · August 20, 2020, 3:28pm

HE.net block SMTP and IRC by default. Which is what the nmap result is showing you. Even if they didn't the result you've got is not an issue. Having blocked ports visible from the internet just demonstrates a firewall somewhere is doing it's job.

ffries · August 20, 2020, 3:30pm

Thanks. Could you modify the title to indicate Solved, I've reached the max number of edits.

system · August 30, 2020, 3:30pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.