WAN Input traffic not rejected


I just scanned my home firewall with nmap and to my surprise I found out that incoming traffic isn't being filtered fully.

I'm on 22.03.2 r19803-9a599fee93 on an x86 machine.

This is my wan interface:

config interface "wan"
        option device "eth0"
        option proto "pppoe"
        # PPPoE config
        option ipv6 "auto"
        option username "secret"
        option password "secret"
config interface "wan6"
        option device "@wan"
        option proto "dhcpv6"
        # DHCPv6 client config
        option reqaddress "try"
        option reqprefix "48"

Those are the relevant firewall sections:

config defaults 'defaults'
        option forward 'REJECT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option drop_invalid '1'
        option input 'ACCEPT'

config zone
        option name 'WAN'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'ACCEPT'
        option log '1'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

This is an excerpt of the resulting nft ruleset:

table inet fw4 {
        chain input {
                iifname "pppoe-wan" jump input_WAN comment "!fw4: Handle WAN IPv4/IPv6 input traffic"
                jump handle_reject
        chain input_WAN {
                icmp type echo-request counter packets 21 bytes 2016 accept comment "!fw4: Allow-Ping WAN to firewall"
                meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP WAN to firewall"
                ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter packets 6 bytes 1440 accept comment "!fw4: Allow-DHCPv6 WAN"
                ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route  } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD WAN"
                meta l4proto tcp counter packets 2614 bytes 166961 accept comment "!fw4: wireguard_dn42"
                meta l4proto udp counter packets 3 bytes 559 accept comment "!fw4: wireguard_dn42"
                tcp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
                udp dport 51821 counter packets 0 bytes 0 accept comment "!fw4: rxforelle_wireguard_service"
                ip6 saddr { 2001:abc:abc::/48, 2a00:abc:cab::/48 } counter packets 0 bytes 0 accept comment "!fw4: admin_accept wan"
                ct status dnat accept comment "!fw4: Accept port redirections"
                jump reject_from_WAN

As the default rule for the zone for input is REJECT I would expect everything to be rejected, as long as there is no specific rule, that would allow.

Yet when I scan from an external machine on the internet IPv4 incoming as well as IPv6 is being accepted to my surprise.

nmap <<public IP or public IPv6>>
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-11 11:39 CET
Nmap scan report for hostname (<<ip address>>)
Host is up (0.015s latency).
Not shown: 996 closed ports
22/tcp   open  ssh
53/tcp   open  domain
443/tcp  open  https
8888/tcp open  sun-answerbook

What's going on here?

It‘s most likely your ISP accepting on your behalf. For example port 8888 is not used by default OpenWrt at all.

Maybe try connecting to https://yourextip/ to see what‘s up there. I‘d bet that it is not LuCI responding

No, that is not it. I'm running tinyproxy on 8888. It is actually the OpenWrt device accepting the traffic. I verified it by coming from another host in the internet, which can ssh into my device and open LUCI.

You appear to have a rule called „wireguard_dn42“ which is accepting all traffic on wan. Double check it‘s definition, maybe it’s missing a dest port/ip or protocol selector.

1 Like

You are right, how can I have overlooked this? Thank you so much.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.