Quite a while here ... BUT ... I ran into the same curiosity ...
Despite having a fw-rule which blocks all ports in the INPUT chain on the gateway interface, nmap shows open ports which have NEVER been opened, used, forwarded, etc.
nmap -sT -sU -T4 -v -v -F -Pn [my host's wan ip from ISP]
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-09 17:27 CET
Initiating Parallel DNS resolution of 1 host. at 17:27
Completed Parallel DNS resolution of 1 host. at 17:27, 0.00s elapsed
Initiating UDP Scan at 17:27
Scanning home.[myDomainName].at (178.xxx.xx.xxx) [100 ports]
Completed UDP Scan at 17:27, 11.13s elapsed (100 total ports)
Initiating Connect Scan at 17:27
Scanning home.[myDomainName].at (178.xxx.xx.xxx) [100 ports]
Discovered open port 995/tcp on 178.xxx.xx.xxx
Discovered open port 993/tcp on 178.xxx.xx.xxx
Discovered open port 443/tcp on 178.xxx.xx.xxx
Discovered open port 80/tcp on 178.xxx.xx.xxx
Discovered open port 110/tcp on 178.xxx.xx.xxx
Discovered open port 143/tcp on 178.xxx.xx.xxx
Discovered open port 22/tcp on 178.xxx.xx.xxx
Completed Connect Scan at 17:27, 2.36s elapsed (100 total ports)
Nmap scan report for home.[myDomainName].at (178.xxx.xx.xxx)
Host is up, received user-set (0.022s latency).
rDNS record for 178.xxx.xx.xxx: 178.xxx.xx.xxx.wireless.dyn.drei.com
Scanned at 2016-02-09 17:27:03 CET for 13s
Not shown: 100 open|filtered ports, 93 filtered ports
Reason: 193 no-responses
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
110/tcp open pop3 syn-ack
143/tcp open imap syn-ack
443/tcp open https syn-ack
993/tcp open imaps syn-ack
995/tcp open pop3s syn-ack
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 14.33 seconds
Raw packets sent: 200 (7.156KB) | Rcvd: 36 (5.102KB)
And here is my firewall setup:
Address Lists (some permanently blocked "china-nets" are not pasted)
[spippan@Cerberus] /ip firewall address-list> print where !dynamic
Flags: X - disabled, D - dynamic
# LIST ADDRESS TIMEOUT
13 ;;; LAN sp-private
whitelist 192.168.1.0/24
14 ;;; VPN net Cerberus
whitelist 10.20.30.0/24
17 ;;; daniLAN
whitelist 192.168.3.0/24
18 X whitelist 62.218.xxx.xxx/31
21 ;;; VPN net sp-private
whitelist 10.20.31.0/24
Filter rules (sensitive data has been altered)
[spippan@Cerberus] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 chain=input action=drop protocol=tcp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
2 chain=input action=drop protocol=udp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
3 chain=forward action=drop protocol=udp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
4 chain=forward action=drop protocol=tcp in-interface=ether1-gateway dst-port=53 log=no log-prefix=""
5 ;;; ADMIN Blocked via ACL "admin_block"
chain=forward action=drop src-address-list=admin_block log=no log-prefix=""
6 ;;; ADMIN Blocked via ACL "admin_block"
chain=input action=drop src-address-list=admin_block log=yes log-prefix=""
7 ;;; accept WHITELIST ACL input
chain=input action=accept src-address-list=whitelist log=no log-prefix=""
8 ;;; ***allow OpenVPN port
chain=input action=accept connection-state=new protocol=tcp dst-port=1194 log=no log-prefix=""
9 ;;; ***allow WINBOX
chain=input action=accept protocol=tcp src-address-list=whitelist dst-port=8291 log=no log-prefix="WINBOX_IN"
10 ;;; ***allow WINBOX
chain=input action=accept protocol=tcp src-address=62.218.xxx.xxx/27 dst-port=8291 log=no log-prefix="WINBOX_IN"
11 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=5d dst-port=22 log=no log-prefix=""
12 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no log-prefix=""
13 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no log-prefix=""
14 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix=""
15 ;;; ***allow SSH Port
chain=input action=accept protocol=tcp src-address-list=!ssh_blacklist dst-port=22 log=yes log-prefix="SSH_IN"
16 ;;; EST./REL.
chain=input action=accept connection-state=established,related log=no log-prefix=""
17 chain=forward action=fasttrack-connection connection-state=established,related src-address=10.20.30.0/24 log=no log-prefix=""
18 chain=forward action=accept src-address=10.20.30.0/24 log=no log-prefix=""
19 chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
20 chain=forward action=accept connection-state=established,related log=no log-prefix=""
21 chain=forward action=accept in-interface=LAN-bridge log=no log-prefix=""
22 chain=forward action=drop connection-state=!established,related log=no log-prefix=""
23 chain=input action=accept protocol=icmp limit=1,5:packet log=no log-prefix=""
24 ;;; DRP invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
25 ;;; DRP if not allowed above
chain=input action=drop log=no log-prefix=""
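Added example, not from the post above and not MikroTik code: a small Python simulation of how RouterOS walks the input-chain rules quoted in that post, so a defender can see which rule terminates a given connection attempt from a given vantage point. The rule set is a transcription of the post's input-chain rules with only the match fields needed here; rule 10 is omitted because its source prefix is redacted in the post, and limit=, log= and address-list timeouts are not modelled. The source addresses 192.168.1.10, 203.0.113.5 and 198.51.100.7 are constructed test values, and the "ssh_blacklist"/"admin_block" lists are assumed empty at the start since the post does not show their contents.

```python
"""Constructed simulator for INPUT-chain evaluation of the quoted filter rules.

Not RouterOS code and not the poster's: it transcribes the input-chain rules
with only the match fields needed here. Addresses used in the demo are
constructed test values.
"""
import copy
import ipaddress

# Static address-list entries from the post (the disabled 62.218.xxx.xxx/31
# entry and the unpasted "china-nets" lists are omitted).
BASE_LISTS = {
    "whitelist": ["192.168.1.0/24", "10.20.30.0/24", "192.168.3.0/24", "10.20.31.0/24"],
    "admin_block": [],    # contents not shown in the post; assumed empty
    "ssh_blacklist": [],  # dynamic lists start empty in the simulation
    "ssh_stage1": [], "ssh_stage2": [], "ssh_stage3": [],
}

# Input-chain rules in RouterOS evaluation order (n = rule number as printed).
# Rule 10 (WINBOX from a redacted 62.218.xxx.xxx/27) is omitted.
INPUT_RULES = [
    dict(n=1, action="drop", protocol="tcp", in_interface="ether1-gateway", dst_port=53),
    dict(n=2, action="drop", protocol="udp", in_interface="ether1-gateway", dst_port=53),
    dict(n=6, action="drop", src_address_list="admin_block"),
    dict(n=7, action="accept", src_address_list="whitelist"),
    dict(n=8, action="accept", connection_state="new", protocol="tcp", dst_port=1194),
    dict(n=9, action="accept", protocol="tcp", src_address_list="whitelist", dst_port=8291),
    dict(n=11, action="add-src-to-address-list", connection_state="new", protocol="tcp",
         src_address_list="ssh_stage3", address_list="ssh_blacklist", dst_port=22),
    dict(n=12, action="add-src-to-address-list", connection_state="new", protocol="tcp",
         src_address_list="ssh_stage2", address_list="ssh_stage3", dst_port=22),
    dict(n=13, action="add-src-to-address-list", connection_state="new", protocol="tcp",
         src_address_list="ssh_stage1", address_list="ssh_stage2", dst_port=22),
    dict(n=14, action="add-src-to-address-list", connection_state="new", protocol="tcp",
         address_list="ssh_stage1", dst_port=22),
    dict(n=15, action="accept", protocol="tcp", src_address_list="!ssh_blacklist", dst_port=22),
    dict(n=16, action="accept", connection_state="established,related"),
    dict(n=23, action="accept", protocol="icmp"),  # limit=1,5:packet not modelled
    dict(n=24, action="drop", connection_state="invalid"),
    dict(n=25, action="drop"),
]


def in_list(ip, name, lists):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in lists[name])


def matches(rule, pkt, lists):
    """True if every match field present in the rule agrees with the packet."""
    for key in ("protocol", "in_interface", "dst_port"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "connection_state" in rule and pkt["connection_state"] not in rule["connection_state"].split(","):
        return False
    if "src_address_list" in rule:
        name = rule["src_address_list"]
        negated = name.startswith("!")
        # a "!list" match succeeds exactly when the address is NOT in the list
        if in_list(pkt["src"], name.lstrip("!"), lists) == negated:
            return False
    return True


def evaluate(pkt, lists):
    """Return (rule number, verdict) of the terminating rule.

    add-src-to-address-list is a passthrough action: it updates the list
    (here: in `lists`) and evaluation continues with the next rule.
    """
    for rule in INPUT_RULES:
        if not matches(rule, pkt, lists):
            continue
        if rule["action"] == "add-src-to-address-list":
            lists[rule["address_list"]].append(pkt["src"] + "/32")
            continue
        return rule["n"], rule["action"]
    return None, "accept"  # RouterOS default when no rule terminates the chain


def syn(src, dst_port, in_interface):
    """A new TCP connection attempt to the router itself, as a connect scan sends it."""
    return dict(src=src, protocol="tcp", dst_port=dst_port,
                in_interface=in_interface, connection_state="new")


def scan_verdicts(src, in_interface, ports=(22, 80, 110, 143, 443, 993, 995)):
    """Map each scanned port to (rule, verdict) for one source/interface vantage point."""
    lists = copy.deepcopy(BASE_LISTS)
    return {p: evaluate(syn(src, p, in_interface), lists) for p in ports}


def ssh_attempts(src, count):
    """Verdicts for `count` consecutive new SSH connections from one source,
    all inside the 1m stage timeouts (which the simulation never expires)."""
    lists = copy.deepcopy(BASE_LISTS)
    return [evaluate(syn(src, 22, "ether1-gateway"), lists)[1] for _ in range(count)]


if __name__ == "__main__":
    # Constructed vantage points: a whitelisted LAN host vs. an arbitrary Internet host.
    for src, iface in (("192.168.1.10", "LAN-bridge"), ("203.0.113.5", "ether1-gateway")):
        print(src, iface, scan_verdicts(src, iface))
    print("ssh from 198.51.100.7:", ssh_attempts("198.51.100.7", 5))
```

What the run shows: a source inside any whitelisted network is accepted by rule 7 on every port before any port-specific rule is reached, so a scan of the WAN address from the LAN reports whatever services the router itself listens on. From the ether1-gateway vantage point the transcribed rules accept new connections only to 22 (rule 15) and 1194 (rule 8); 80, 110, 143, 443, 993 and 995 all fall through to rule 25 and are dropped, so a SYN-ACK observed from the Internet on those ports cannot have come from an accept rule in this chain. Confirming from which network the scan was actually run, and capturing on ether1-gateway while repeating it, is the check that separates the two cases. The staged ssh_stage1..3 rules also behave as intended: the fourth new SSH connection from one source within the timeout lands it in ssh_blacklist, after which rule 15 no longer matches and rule 25 drops it.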