
what ports are exposed on wan side

Posted: Sat Mar 21, 2020 5:06 pm
by coits
Hi guys,

Just want to confirm with you guys, are these ports normally exposed on the wan side (external ip) of your router?

Just want to ask, what ports are exposed on your router?

PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https

Thanks

Re: what ports are exposed on wan side

Posted: Sat Mar 21, 2020 5:30 pm
by RomanHK
By default, no port is open from the WAN (only the PING (ICMP) port is allowed) - other settings in the firewall do not allow this.

Information from the WAN side can be confused because by default it responds to all ports by the "REJECT" command following the RFC standard.

The big guess is about setting up REJECT or DROP - the OpenWrt community (Gargoyle) strictly adheres to RFC standards, and REJECT is therefore selected by default in the firewall.

Re: what ports are exposed on wan side

Posted: Sat Mar 21, 2020 9:17 pm
by coits
I have tried to add this rule on my firewall and restart it.

But when I run nmap <wan ip>, it is still showing port 22 as open.

Can someone please advise what I am missing here?

config rule
	option name 'block ssh wan port'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'DROP'

-------------------------------
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
-------------------------------

Thanks

Re: what ports are exposed on wan side

Posted: Sat Mar 21, 2020 10:49 pm
by RomanHK
It seems to me that nmap is a program and you run it from the LAN. If you run a program to test the WAN IP address, the result will always be biased because NAT Loopback is performed. The test must always be performed from the outside.

Try it through these pages (sorry, they are only in Czech): http://test.bezpecnosti.cz/

The result must be yellow or best green. But if the result is red, something is wrong.

Or something similar here (already English): https://www.yougetsignal.com/tools/open-ports/ or https://www.ipfingerprints.com/portscan.php
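
The REJECT versus DROP behaviour and the advice to test from outside, as an added example (not code from this thread or from the Gargoyle project): a small TCP connect check to run from a host outside the LAN against your own router's WAN address. It assumes a REJECT rule answers TCP with a reset, which the client sees as a refused connection, while DROP shows up as a timeout; the function names and the script name are hypothetical.

```python
import socket
import sys

# Ports taken from the nmap output posted in this thread.
THREAD_PORTS = (22, 53, 80, 443)

def probe(host, port, timeout=3.0):
    """Classify one TCP port by how the connection attempt ends."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"         # handshake completed: a service is reachable
    except ConnectionRefusedError:
        return "rejected"     # reset received: closed port or REJECT rule (assumed tcp-reset)
    except socket.timeout:
        return "dropped"      # no reply before the timeout: DROP rule or packet loss
    except OSError:
        return "unreachable"  # routing or ICMP error, e.g. no route to host
    finally:
        sock.close()

def scan(host, ports=THREAD_PORTS, timeout=3.0):
    """Probe each port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}

def exposed(results):
    """Only ports in state 'open' are actually exposed."""
    return sorted(p for p, state in results.items() if state == "open")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wancheck.py <your-wan-ip>")
    results = scan(sys.argv[1])
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
    # Non-zero exit status when anything is open, so the check can be scripted.
    sys.exit(1 if exposed(results) else 0)
```

Run from inside the LAN against the WAN address, the same probe reaches the router's own services, which is the biased result described above.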

Re: what ports are exposed on wan side

Posted: Sat Mar 21, 2020 11:15 pm
by coits
Hi RomanHK,

I used this link below and all ports are closed based on the results.

https://www.yougetsignal.com/tools/open-ports/

Thanks for the link and the quick response.

Re: what ports are exposed on wan side

Posted: Sun Mar 22, 2020 12:35 am
by Lantis
By default, they are all closed.
I've tested a fresh install of Gargoyle and confirm this is the case.

If they're open, you likely have services or settings opening them.