I just did a port scan of my router running LEDE 17.01.4:
nmap -sS -O
...
Not shown: 997 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
Device type: WAP
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3.18 cpe:/o:linux:linux_kernel:4.1
OS details: OpenWrt Chaos Calmer 15.05 (Linux 3.18) or Designated Driver (Linux 4.1)
This seems like too much. I don't need 80 and 443 open because I won't be running a web server. Port 53 is probably necessary for DynamicDNS, but I don't know why I would want to advertise any of my OS details.
So now I want to close 80 and 443 and hide these OS details. Truth be told, I want to have a minimal presence:
Unless one has specifically specified rules in either /etc/config/firewall or /etc/firewall.user, all WAN ports are closed by default. The default /etc/config/firewall does come with some default rules, although most can safely remove them, as they're not required for most use cases.
53, 80, 443 are showing open because they are open... on the LAN side, not the WAN side. The default behavior of fw3 is to reject all inbound and forwarded WAN traffic, allowing only outbound WAN requests from LAN.
Closing 80 & 443 LAN side will prevent access to LuCI
Closing 53 LAN side will prevent internet access, since all domain name requests to the internet will be blocked.
Yes, that makes sense. I was running nmap against my Dynamic DNS hostname from within my own LAN. So it was, well, you get the idea.
Now I'm running the same nmap command through my cellphone's hotspot and again I get surprising results:
25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1080/tcp filtered socks
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 2.6.18-8.el5 (Red Hat Enterprise Linux 5) (92%), Linux 2.6.20 (92%), Linux 2.6.20 (Ubuntu, x86_64) (92%), Linux 2.6.22 (92%), Linux 2.6.22 (Ubuntu, x86) (92%), Linux 2.6.27 (Ubuntu 8.10) (92%), Peplink Balance 380 router (91%), Buffalo TeraStation Pro II NAS device (89%), Linux 2.4.35 (89%), Linux 2.6.18 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops
"Filtered ports do not respond to a portscan at all, they don't appear to exist. This is the best security level for your ports, as it provides no information about your system or its existence (a.k.a. black hole)."
You're not "advertising" any OS details, nmap is guessing the OS through a technique called TCP/IP stack fingerprinting. I suppose you could hide it by changing the default input policy of your wan to DROP instead of REJECT.
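The two replies above (WAN input is REJECT by default, and switching it to DROP is what turns "closed" into "filtered") in concrete form, as an added example that is not code from this thread or from the LEDE/OpenWrt project. The config text is constructed and only modelled on the default /etc/config/firewall layout; the helper names zone_policy and set_zone_policy are mine, and the uci commands in the comment assume the wan zone is the second zone stanza, which is worth confirming on the router before running them.

```shell
#!/bin/sh
# Added example (not from the thread or the LEDE/OpenWrt project): audit and
# change a zone policy in an OpenWrt/LEDE style /etc/config/firewall file.
# Assumptions: "option name" appears before input/output/forward inside each
# "config zone" stanza (the default layout), and the values we care about are
# single tokens, optionally quoted with ' or ".

# Print the policy (ACCEPT/REJECT/DROP) of <dir> for the zone named <zone>.
# Exit status 1 if that zone or option is not present.
zone_policy() {  # usage: zone_policy <config-file> <zone> <input|output|forward>
  awk -v zone="$2" -v dir="$3" -v q="'" -v dq="\"" '
    # Evaluate the stanza that was just read, then reset for the next one.
    function flush() {
      if (type == "zone" && opt["name"] == zone && (dir in opt)) { print opt[dir]; found = 1 }
      split("", opt); type = ""
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" { v = $3; gsub(q, "", v); gsub(dq, "", v); opt[$2] = v }
    END { flush(); exit (found ? 0 : 1) }
  ' "$1"
}

# Rewrite <dir> of zone <zone> to <value>; the edited file is written to stdout.
set_zone_policy() {  # usage: set_zone_policy <config-file> <zone> <dir> <value>
  awk -v zone="$2" -v dir="$3" -v val="$4" -v q="'" -v dq="\"" '
    $1 == "config" { inzone = 0; type = $2 }
    type == "zone" && $1 == "option" && $2 == "name" {
      v = $3; gsub(q, "", v); gsub(dq, "", v); inzone = (v == zone)
    }
    inzone && $1 == "option" && $2 == dir {
      match($0, /^[ \t]*/)                         # keep the original indentation
      $0 = substr($0, 1, RLENGTH) "option " dir " " val
    }
    { print }
  ' "$1"
}

# Constructed sample config: lan and wan zones in the shape of the default
# file, trimmed to the options that matter here (not a verbatim copy).
sample_config() {
  cat <<'EOF'
config defaults
    option syn_flood    1
    option input        ACCEPT
    option output       ACCEPT
    option forward      REJECT

config zone
    option name         lan
    list   network      'lan'
    option input        ACCEPT
    option output       ACCEPT
    option forward      ACCEPT

config zone
    option name         wan
    list   network      'wan'
    list   network      'wan6'
    option input        REJECT
    option output       ACCEPT
    option forward      REJECT
    option masq         1
    option mtu_fix      1

config forwarding
    option src          lan
    option dest         wan
EOF
}

main() {
  cfg=$(mktemp) || exit 1
  sample_config > "$cfg"
  # REJECT: closed WAN ports answer with a TCP RST / ICMP unreachable, so a scan sees "closed"
  echo "wan input before: $(zone_policy "$cfg" wan input)"     # REJECT
  set_zone_policy "$cfg" wan input DROP > "$cfg.new"
  # DROP: no answer at all, so the same scan sees "filtered"
  echo "wan input after:  $(zone_policy "$cfg.new" wan input)" # DROP
  # The lan zone is untouched, so LuCI (80/443) and DNS (53) stay reachable from inside
  echo "lan input after:  $(zone_policy "$cfg.new" lan input)" # ACCEPT
  rm -f "$cfg" "$cfg.new"
  # On the router the live equivalent is done with uci. This assumes the wan
  # zone is the second zone stanza (@zone[1]); confirm the index first with
  #   uci show firewall | grep "name='wan'"
  # then:
  #   uci set firewall.@zone[1].input='DROP'
  #   uci commit firewall
  #   /etc/init.d/firewall reload
}

main "$@"
```

With wan input set to DROP, a scan from outside reports the previously "closed" ports as "filtered", which is the black-hole behaviour quoted above. It does not by itself stop OS fingerprinting if any WAN port is genuinely open, because nmap derives its guesses from whatever responses it does get; the warning in the scan above ("could not find at least 1 open and 1 closed port") is the sign that it had too little to work with.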
Seems I too was running a port scan on my public IP from my own LAN, and ports 80 and 443 appeared open.
When I used an external network to scan my public IP, all ports were closed.