OpenWrt Forum Archive

Topic: [Resolved] Filtered ports on Wan side ?

The content of this topic has been archived on 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I was doing some tests on OpenWrt from the WAN side, and I noticed a few filtered ports discovered by nmap.
How do I close these ports?

4005 pxc-pin
4899 radmin
6566 sane-port
55555 unknown

Image from nmap:
http://s29.postimg.org/yt8hc3u2f/openwrt.png

(Last edited by pedropt on 16 Jun 2015, 19:44)

None of these ports are listening by default. I'm going out on a limb and say that they
a) have been opened before by the router or by a machine from the inside and are still listening, or
b) are opened by a device that sits before the router (another router/modem? other infrastructure on the ISP's side?)

There was no other router or computer ahead on the LAN ports of the OpenWrt device.
But even if there had been some other device (which there wasn't), OpenWrt should not forward filtered ports automatically to some specific device without a firewall rule for that.
The modem that OpenWrt is connected to has some ports open, but none of them are shown; if I do the scan on the modem gateway then I get different ports.
This scan was pointed specifically at OpenWrt.

(Last edited by pedropt on 20 May 2015, 07:07)

pedropt wrote:

OpenWrt should not forward filtered ports automatically to some specific device without a firewall rule for that

I agree. And it doesn't.

I assume it's your ISP. The ports you mention have a troubled history, so your ISP may be filtering them on your behalf.

This OpenWrt device is not a modem/router; this device is just a router.
And if you think it is my ISP, then I'll give you all my IP right now so you can all scan and get rid of your doubts.
Actually I am scanning my actual IP address from another ISP provider.
My IP is 81.193.178.29.
Don't worry, because I have a dynamic IP address and I can change it when I restart the router.

I give you all authorization to scan if you want.

Note: I changed the default configuration of my ISP modem in order not to open any port to the internet and not respond to scans it i

(Last edited by pedropt on 20 May 2015, 18:49)

pedropt wrote:

This OpenWrt device is not a modem/router; this device is just a router. (...)
Note: I changed the default configuration of my ISP modem in order not to open any port to the internet and not respond to scans it i

You need to be clearer about your setup then. How is your OpenWrt router connected to the "ISP modem"? If it's connected to it through DHCP, then OpenWrt's WAN is only facing that "modem". It's your "modem" that's facing the internet, which is then actually a router itself and doing the filtering/blocking you witness.

(Edit: reworded)

(Last edited by metai on 20 May 2015, 19:11)

It's simply your ISP filtering the ports, it's quite common. OpenWrt has a reject policy on WAN, so any filtering of those ports is done at the ISP.

metai wrote:

You need to be clearer about your setup then. How is your OpenWrt router connected to the "ISP modem"? If it's connected to it through DHCP, then OpenWrt's WAN is only facing that "modem". It's your "modem" that's facing the internet, which is then actually a router itself and doing the filtering/blocking you witness.

Ok, let's get this straight.
I have my ISP modem, which provides internet to the OpenWrt router; OpenWrt has a static IP address from the ISP modem because I have DHCP disabled on my ISP modem.
Since my ISP modem has 4 LAN ports, I have the OpenWrt router connected to one port (which is my wireless network), and I also have my firewall connected to my ISP modem, which protects my internal cable network.
2 ports left, right?
My Linux box connects to one of those remaining ports and I scan the IP that OpenWrt has assigned as static from the ISP modem, which is 192.168.blá blá, so when I scan that specific IP address from LAN to LAN, my ISP modem has nothing to do with it because I am not scanning the modem itself; it is like I am doing a scan of a computer over the network.

Now, I can do another scan on the OpenWrt WAN port from the ISP modem, just to check again.
I can put the nmap command here for you to check out the routers in your network, because my nmap does not only scan ports but also injects some scripts to test specific ports for vulnerabilities.
What bothers me most is that those ports are dangerous ports, especially the remote administrator port; just because it is filtered does not mean that that port cannot be opened with the appropriate tool.

Just look at these ports:
4005 pxc-pin
4899 radmin
6566 sane-port
55555 unknown

Is this for real or what!!!!

I will check it out with another scan and I will post the results again.

Note: take out of your mind the idea that this is an ISP port opened, because I am scanning a router from the internal LAN and not a modem from outside on the net.

This is even more confusing then.

A first thing to clear up: Your "ISP modem" is a router, whether it does DHCP or not. It serves an internal private network (192.168.x.x) to its LAN ports and does NAT between that internal network and your WAN address (81.193.x.x).

A second thing to clear up:

actually i am scanning my actual ip address from other isp provider

In this case you are really scanning your "ISP modem"/router. OpenWrt has no part in this; none of the scans will even reach the OpenWrt device.

That being said, "filtered" ports are not "open" ports. And a "filtered" port certainly does not mean it can be opened. If you set your firewall to DROP packets instead of actively REJECTing them (which would be the OpenWrt standard IIRC), they show up as "filtered" in nmap -- simply because nmap doesn't get a response and can only assume that something is "filtering" there (a closed port would actually reply "I'm closed", a "filtered" port just doesn't reply). This is perfectly normal and in no way an indication of a security flaw.

It would be really interesting if, when you repeat the scan from inside your network (ideally directly connecting your scanning machine to the OpenWrt WAN port), those are the only ports that show up "filtered". Or if there's a thousand more ports that are "filtered" and your first scan just looked at selected obvious target ports.

(Last edited by metai on 21 May 2015, 03:30)
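The check metai suggests above (a full-range scan from a machine plugged straight into the WAN port, then looking at whether only a handful of ports are silent or all of them are) is much easier to read off when nmap is run with `--reason` and XML output. The script below is an added example, not code from OpenWrt or from anyone in this thread: it parses nmap's XML with the standard-library `xml.etree` module, classifies every non-closed port by nmap's own reason string, and gives a verdict on where the filtering most likely sits. The embedded XML is constructed to resemble the first scan in the thread (four filtered ports, everything else closed); the `admin-prohibited` reason and TTL on port 6566 are invented purely to exercise that branch, and the target address 192.168.1.1 is a placeholder.

```python
"""Triage an nmap XML report: tell "filtered" apart from "closed" and show
where the filtering most likely sits.

Added example for the thread above; not code from OpenWrt or any poster.
It assumes the scan was run with --reason and XML output, e.g.
    nmap -sS -Pn -p- --reason -oX scan.xml <address-of-the-wan-interface>
SAMPLE_XML is CONSTRUCTED (four filtered ports, 65531 closed); the
admin-prohibited reason/TTL on 6566 is invented, 192.168.1.1 is a placeholder.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -Pn -p- --reason -oX - 192.168.1.1">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.1.1" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="65531"><extrareasons reason="resets" count="65531"/></extraports>
<port protocol="tcp" portid="4005"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="pxc-pin" method="table" conf="3"/></port>
<port protocol="tcp" portid="4899"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="radmin" method="table" conf="3"/></port>
<port protocol="tcp" portid="6566"><state state="filtered" reason="admin-prohibited" reason_ttl="62"/><service name="sane-port" method="table" conf="3"/></port>
<port protocol="tcp" portid="55555"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
</ports></host>
</nmaprun>
"""

# nmap's own reason strings for a SYN scan; the reading of each is ours.
REASON_MEANING = {
    "syn-ack": "SYN/ACK came back: a service is listening",
    "reset": "TCP RST came back: closed, or REJECTed with tcp-reset "
             "(what OpenWrt's default wan input policy sends for TCP)",
    "no-response": "nothing came back: DROPped on the target or silently "
                   "discarded somewhere on the path",
    "admin-prohibited": "ICMP admin-prohibited came back: a router or firewall "
                        "actively refused the probe; compare its TTL with the "
                        "RSTs to see whether it is the same hop",
    "port-unreach": "ICMP port-unreachable came back: REJECTed without tcp-reset",
}

VERDICT_TEXT = {
    "open-ports": "something is listening; review the zone's input rules",
    "selective-filtering": "the target answers RST for almost everything, so it is "
                           "reachable and rejecting; the few silent ports are filtered "
                           "by something else on the path (ISP or upstream router) or "
                           "by a DROP rule aimed at just those ports",
    "all-dropped": "no port ever answers: a DROP policy on the target, or a device "
                   "on the path blackholing every probe (you may not reach it at all)",
    "all-rejected": "every port answers closed: consistent with OpenWrt's default "
                    "REJECT policy on the wan zone and nothing listening",
}


def parse_nmap_xml(xml_text):
    """Return (per-port records, extraports counts) for the first host."""
    host = ET.fromstring(xml_text).find("host")
    if host is None:
        raise ValueError("no <host> element in nmap XML")
    records = []
    for port in host.iter("port"):
        state = port.find("state")
        service = port.find("service")
        records.append({
            "port": int(port.get("portid")),
            "proto": port.get("protocol"),
            "state": state.get("state"),
            "reason": state.get("reason"),
            "ttl": int(state.get("reason_ttl", "0")),
            "service": service.get("name") if service is not None else "unknown",
        })
    # Ports nmap folds into "Not shown: N closed ports" live in <extraports>.
    extra = {e.get("state"): int(e.get("count")) for e in host.iter("extraports")}
    return records, extra


def triage(xml_text):
    """Summarise the scan and say where the filtering most likely happens."""
    records, extra = parse_nmap_xml(xml_text)

    def ports_in(state):
        return sorted(r["port"] for r in records if r["state"] == state)

    open_ports, filtered = ports_in("open"), ports_in("filtered")
    closed = extra.get("closed", 0) + len(ports_in("closed"))
    notes = []
    for r in records:
        if r["state"] == "closed":
            continue
        line = "%d/%s (%s) %s: %s" % (r["port"], r["proto"], r["service"], r["state"],
                                      REASON_MEANING.get(r["reason"], r["reason"]))
        if r["ttl"]:
            line += " [response TTL %d]" % r["ttl"]
        notes.append(line)
    if open_ports:
        verdict = "open-ports"
    elif filtered and closed:
        verdict = "selective-filtering"   # RSTs for the rest: the target is answering
    elif filtered:
        verdict = "all-dropped"
    else:
        verdict = "all-rejected"
    return {"open": open_ports, "filtered": filtered, "closed": closed,
            "verdict": verdict, "explanation": VERDICT_TEXT[verdict], "notes": notes}


if __name__ == "__main__":
    result = triage(SAMPLE_XML)
    print("verdict: %s (%s)" % (result["verdict"], result["explanation"]))
    for note in result["notes"]:
        print(" ", note)
```

Run the real scan as `nmap -sS -Pn -p- --reason -oX scan.xml <address>` from the WAN side (`-Pn` so the scan still runs if the router does not answer pings) and pass the file's contents to `triage()`. Against OpenWrt's default wan zone (`input REJECT`, which fw3 implements as `REJECT --reject-with tcp-reset` for TCP), every probed port answers with an RST, so a clean box comes out as `all-rejected`, which is what the later 65535-closed scans in this thread show. A handful of `no-response` ports among tens of thousands of RSTs is the `selective-filtering` case: the device under test is plainly answering, so the silent ports are being discarded by something else on the path or by a DROP rule written specifically for them.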

"It would be really interesting if, when you repeat the scan from inside your network (ideally directly connecting your scanning machine to the OpenWrt WAN port), those are the only ports that show up "filtered". Or if there's a thousand more ports that are "filtered" and your first scan just looked at selected obvious target ports."

I will do that when I get home.

"In this case you are really scanning your "ISP modem"/router. OpenWrt has no part of this, none of the scans will even reach the OpenWrt device."

I did that just to test if my modem had some open/closed or filtered ports to the web, and that may have caused the confusion around here.
But it has none; basically from outside my modem is not detectable as an active device on the web by a remote port scan.

Note: I still have the same IP on my modem; I did not restart my router yet to change it, in case anyone wants to check it, and actually it would be very much appreciated if someone somehow got some results on my ISP modem and posted them here.

Well, I had some issues here configuring my Linux box to start a DHCP server on the eth0 port in order for OpenWrt to get an IP address on the WAN side, and then to make the port scan with my laptop.
Also the "gang" here needed wifi working, and I was unable to reconfigure everything again on OpenWrt like I did before; OpenWrt was unable to communicate with my modem on the WAN port, and I lost my patience on this issue today.
I flashed other firmware to the router and after everything was configured I did a port scan exactly the same way I did before with OpenWrt.
The result from this scan with a different firmware was 65535 ports closed on the WAN side.
Here is the screen capture from the nmap scan.
http://s15.postimg.org/phy010bmz/Zenmap_051.png

On the weekend I have more time to deal with OpenWrt again, and I will re-flash the firmware again and I will do the scan.
However, the process I used in this new firmware for port scanning was exactly the same process I used with the OpenWrt firmware, and as you all may see I have everything closed on the WAN side.

Note: I already changed my internet address.

(Last edited by pedropt on 21 May 2015, 23:00)

I had a problem this weekend with my previous firmware (not OpenWrt), so I updated my router with OpenWrt again.
This time I was checking every configuration and firewall rule to see if everything stays right like I want.
Finally I made a port scan like I did in previous posts with nmap, and the result was 65535 ports closed from the WAN side (like I wanted).

Here is the result:
http://s21.postimg.org/ezs3qhbuv/Zenmap_069.png

pedropt wrote:

This time I was checking every configuration and firewall rule to see if everything stays right like I want.

"everything stays" of course meaning you didn't change things you don't understand. And suddenly, by sheer coincidence/luck/magic/magnetism, it does what it is supposed to do.

(Last edited by metai on 14 Jun 2015, 17:16)

Let's understand one thing here.
By default, any router doesn't leave open ports on the WAN side, except if the user wants remote access to it.
telnet, ssh or even http can be opened on the WAN side if the user decides to do it, but by default it should not be opened.
What made me worried in this case were the specific ports that I found, which were:
4005 pxc-pin
4899 radmin
6566 sane-port
55555 unknown

These ports are not well known, and I don't know any router model that by default has any of these ports opened on the WAN side.
Only ISP modems can have 1 or 2 of these ports opened for ISP maintenance.
The configuration I made on OpenWrt this time that I did not do last time was just:
Removing IPv6
Establishing rules in the firewall for DoS attacks
And configuring the WAN side not to reply to pings.

So, as you can see, the configuration was nothing out of this world.

Anyway, everything is working perfectly as I wanted, and that is all that matters.

pedropt wrote:

By default, any router doesn't leave open ports on the WAN side, except if the user wants remote access to it.
telnet, ssh or even http can be opened on the WAN side if the user decides to do it, but by default it should not be opened.

That's exactly how OpenWrt's firewall comes in its default configuration.

What made me worried in this case were the specific ports that I found, which were:

Yeah, so you keep repeating -- always with the slight accusation that OpenWrt is to blame.

The configuration I made on OpenWrt this time that I did not do last time was just:
Removing IPv6

IPv6 does not open the ports you mention.

Establishing rules in the firewall for DoS attacks

Whatever that means.

And configuring the WAN side not to reply to pings.

Congratulations, you now pointlessly violate RFC 1122.

To summarize: You use a fresh installation of OpenWrt and did nothing to close the ports you previously saw open, and yet they are closed. What does that tell you?

Anyway, everything is working perfectly as I wanted, and that is all that matters.

Well then, good luck with your future forays into network security.

(Last edited by metai on 15 Jun 2015, 23:52)

OP is ignoring the correct answer, which of course is that his ISP is doing the filtering and those ports are _not_ "opened" in any way by default in OpenWrt. If you don't care to learn, what is the point of starting threads here?

Whatever, if it will make you all happy.
Note: by default I never use the original firmware on my network devices; I always use (when available) an open source firmware.
OpenWrt is not my first experience; I just did an nmap scan and I found the fact of those ports strange, and that is why I posted here in the forum for answers.
If somebody here had told me that by default OpenWrt had those ports opened then I probably never would have installed the firmware again.
I didn't come here to blame anything or anyone; I came here to point out a fact that was happening with one of my network devices with OpenWrt.
I was still not able to find out why that nmap result happened that time, and some of you keep insisting that it is the ISP port filtering.
Well, this OpenWrt device is not a modem; this device is installed on my subnet, so doing a WAN scan on it will not reveal any ISP ports filtered on my external IP address.

You are plain wrong, that is a fact.

Ok .
Topic closed
