I installed it, got a WAN IP using DHCP from my ISP.
Then I did an nmap scan to check open/vulnerable ports.
I was a bit shocked to see that three ports were open: 22, 53 and 80.
My understanding was that the WAN side should have no ports open at all.
There is a difference in the ports when connected through the WAN or LAN, but I don't want the ports to show up as open at all!
I managed to close port 22 by turning SSH off and on again (no idea what happened).
Then I disabled the web interface (/etc/init.d/uhttpd stop).
Now the last open port is port 53. I can't figure out how to close this one for incoming traffic on the WAN, or is this necessary for the DNS in some strange way?
Are you sure that you're not scanning the LAN IP rather than the WAN IP (internal vs. external)? Try a tool like this one for port scanning to the external IP: https://www.grc.com/shieldsup
@wrtfan - Exactly as @darksky said, you are probably probing the LAN, as those ports are ssh, dns, and http (ssh and http are for you to be able to log in and configure your router, dns is a more-or-less universal thing to need).
Going one step further than @darksky, try probing your network from a device that is not connected to your network (go to work/school/library/friend, etc., or you can use your mobile phone with wifi disabled so that it uses cellular data). The reason this is important is that some of the port scanning websites will use an app embedded in the page that runs locally on your machine to do the probing, and therefore if it is running on a device from within the network, it may report LAN side open ports.
OpenWrt firewall is based on a zone model.
Zone assignment relies on the network interface, which receives/sends traffic.
So when you test open ports from the LAN, it uses the LAN-zone policy, and the IP address doesn't matter.
netstat -anl or the like doesn't show what the firewall allows, only what sockets are listening. It is not surprising that an application opens a listener on all interfaces' IP addresses, or on the wildcard address. For many services, listening on all interfaces is the default configuration. In cases where the service should not be provided to a given topological domain, access to the listener can be blocked by the firewall.
Many applications allow the listeners to be specified in config. How this is done will vary by application and may not be available through LuCI, or even through the OpenWrt UCI configuration files.
If you @wrtfan want to limit the interfaces that SSH, HTTP, and NS listen to, you can fine tune it in the configuration of each service.
For SSH in /etc/config/dropbear you add the line
option Interface 'lan'
under config dropbear
For HTTP in /etc/config/uhttpd add the lines
list listen_http '192.168.1.1:80'
list listen_https '[fe80:...::1]:443'
under config uhttpd main
And for DNS in /etc/config/dhcp you add the lines
option nonwildcard '1'
list notinterface 'pppoe-wan'
or you can allow interfaces, under config dnsmasq
Interface names and IP addresses are examples, you should adjust them to yours.
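An added example, not part of any post in this thread, tying together the netstat point above (netstat shows listening sockets, not firewall policy) and the dropbear/uhttpd/dnsmasq binding changes: a small BusyBox-compatible shell audit that reads netstat -lnp style output and flags every listener bound to the wildcard address (0.0.0.0 or ::). The two netstat samples embedded in it are constructed, not captured from a real router, and the PIDs and the 192.168.1.1 LAN address are placeholders; the "after" sample shows what the listener table is expected to look like once the services are bound to the LAN side only. On an actual OpenWrt box you would pipe live output in with netstat -lnp | wildcard_listeners.

```sh
#!/bin/sh
# Added example (not from the thread): audit listening sockets on an OpenWrt
# router and flag those bound to the wildcard address. A wildcard listener
# answers on every interface the router has, which is why ssh/dns/http show
# up from the LAN no matter which router IP you probe; whether WAN traffic
# reaches it is decided separately by the firewall's zone policy.

# Constructed sample of `netstat -lnp` (BusyBox layout) BEFORE the config
# changes: dropbear, dnsmasq and uhttpd all listen on all addresses.
BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/dropbear
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1456/dnsmasq
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1789/uhttpd
tcp        0      0 :::22                   :::*                    LISTEN      1234/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1456/dnsmasq'

# Constructed sample AFTER "option Interface lan" (dropbear),
# "list listen_http 192.168.1.1:80" (uhttpd) and "option nonwildcard 1"
# (dnsmasq): each daemon now binds to the LAN address (dnsmasq also to
# loopback), so nothing is left on the wildcard.
AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      1234/dropbear
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      1456/dnsmasq
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN      1789/uhttpd
udp        0      0 192.168.1.1:53          0.0.0.0:*                           1456/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1456/dnsmasq'

# wildcard_listeners: read netstat output on stdin and print
# "<proto> <port> <program>" for each socket bound to 0.0.0.0 or ::.
# Only awk is used, so it runs under BusyBox on the router itself.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        port = addr; sub(/.*:/, "", port)            # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)        # address part before it
        if (host == "0.0.0.0" || host == "::") {
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            print $1, port, prog
        }
    }'
}

# count_wildcard: number of wildcard listeners in the input (0 when clean).
count_wildcard() {
    wildcard_listeners | awk 'END { print NR + 0 }'
}

# Run the audit over both constructed samples.
echo "Wildcard listeners before binding services to the LAN:"
printf '%s\n' "$BEFORE" | wildcard_listeners
echo "Count before: $(printf '%s\n' "$BEFORE" | count_wildcard)"
echo "Count after:  $(printf '%s\n' "$AFTER" | count_wildcard)"
```

A zero count from the audit only tells you the daemons no longer bind to every address; the WAN-side test still has to be done from outside, as the other replies say, because the firewall zone that applies depends on the interface the probe arrives on, not on the destination address.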
Even if you use the WAN address, when you test from the LAN you test the LAN interface, not the WAN interface; you need to test from an external computer.