I enabled the www service only from my internal IP ranges; the same goes for SSH and FTP.
I added a "drop all not from LAN" rule as the last input rule.
There are no rules that accept connections from WAN to these ports.
When I browse to port 80 from external, no webpage is displayed.
But:
I ran a portscan from two different port scan services and ports 80, 21, 22, 23 are shown as open.
If you run a portscan internally, that's expected. Try to access those services externally; you won't be able to open those ports you have mentioned, assuming your host-inbound firewall rule is correct.
If your firewall rule is misconfigured you will be able to connect to those ports from external, but it will drop later because you just allow certain IPs/subnets to connect to it; you will see a denied message in the logs.
Remember, by default when you open a service like winbox or ssh it will listen or bind to all available interfaces. When you use "limit from" it doesn't mean it will only open the ports on those IP addresses/subnets; it will just allow those subnets to connect, but anyone can still connect. Thus you need a correct firewall rule for ingress traffic externally to DROP/REJECT the connection.
I ran the portscans externally.
There were no explicit drop/reject rules in the defconf rules at the beginning, so I created a drop all rule at the end of the input chain.
But even with this, the ports appeared reachable from the outside…
Your last sentence would mean that the IP services create hidden rules that circumvent the drop all rule when the ports are not explicitly closed with a dedicated rule…
Do you mean by misconfigured that I did not explicitly close these ports with dedicated rules listing these ports?
If you use the default firewall, this will drop the connection regardless of the port. That's why you have to define your LAN subnet in the interface list, and that's why you have to define what ports you want to open prior to or before hitting this rule. The factory default firewall rule of MT is sane and very restrictive and works out of the box. If I were you I would restore it from scratch, then define properly your LAN in the interface list and open the ports you need, and you are set.
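As an added example (not from this thread and not MikroTik's own export), here is the weak setup described above beside the corrected one; the interface names, the LAN subnet and the OpenVPN port are assumptions:

```routeros
# Added example; assumes a bridge named "bridge" for LAN, "ether1" as the WAN
# uplink, LAN subnet 192.168.88.0/24 and OpenVPN on TCP 1194. Adjust to your setup.

# --- Weak: address restriction on the service only ---
# The daemon still binds to every interface, so an external scan completes the
# TCP handshake on 80/21/22/23 and reports them OPEN; only the later address
# check refuses the session. Nothing here drops the packet on ingress.
/ip service
set www address=192.168.88.0/24
set ssh address=192.168.88.0/24
set ftp address=192.168.88.0/24

# --- Corrected: keep the service restriction AND drop on the input chain ---
# The drop rule keys on the LAN interface list, so the list must be right:
# if "bridge" is missing from LAN the rule also cuts off your own LAN;
# if ether1 is wrongly in LAN, WAN traffic sails past the rule.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=bridge
add list=WAN interface=ether1

# Services you do not use should not listen at all (assumed unused here).
/ip service
disable telnet,ftp

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
# Holes for services that really must be reachable from WAN go BEFORE the drop.
add chain=input action=accept protocol=tcp dst-port=1194 in-interface-list=WAN \
    comment="example: OpenVPN from WAN (assumed port)"
# Everything else arriving on a non-LAN interface is dropped: an external scan
# now sees 80/21/22/23 as filtered instead of open.
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"

# Check: rescan from outside and watch the drop rule's counters climb.
/ip firewall filter print stats where chain=input
```

The counters on the last rule are the quickest way to tell whether an external probe is actually hitting the drop rule or being accepted earlier in the chain.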
Yes, I had that rule because I thought that too, but the portscan showed something different.
I have now explicitly closed the ports and the portscan now reports them as closed.
I know it sounds strange but test it yourself.
→ I will post a screenshot of my rules as soon as I can
That's not the case on my end; please see attached. If you will notice, before that rule I punch a hole in the firewall to explicitly open the ports I want because it was closed by default.
WWW for MikroTik GUI
Yes, I could block more internally, but that would create unnecessary complexity for my family in case of emergency.
config.txt (5.95 KB)
@anav, as rude and irrelevant tantrums as ever
I have seen your bad attitude again and again, so it is quite fun to experience you trolling my request with your rather childish behavior
For the other souls that stumble upon this thread: better block the service ports with your own rules.
If you use OpenVPN, you also have to block port 53 TCP/UDP specifically from WAN and allow it only from LAN/PPP OpenVPN.
@loloski
I have to allow other ports too to punch a hole through the firewall. That is why I was surprised that the external portscan showed 80, 21, 22, 23 as open.
Perhaps it is my firmware version, I do not know.
Fact is, when I do not explicitly block 80, 21, 22, 23 incoming from WAN, they are reachable (although they do not connect because the IP ranges defined in IP->Service do not match). Nevertheless, I can reproduce this.
Not trolling, just call it like I see it. Pushback rebuttal is directly proportional to the ego of the other.
Haven't tested lately, but ports being forwarded on a router used to show as existing on port scans but closed (not open).
If you add a source address or address list to a dstnat rule, the port is not visible on scans at all.
The only time a port shows as open is if it's an input chain rule… which is totally expected.
Perhaps nmap shows all ports on a router as open/filtered if the protocol selected is UDP??
Perhaps the ISP provider is answering for you ??
What are your results for an offending port on the scan while running the sniffer (matching on port) on the router at the same time??
I agree that even if service ports are open to the LAN, one would have to also open an input chain rule for them to leak.
It would do me no good to create extra input chain block rules because my last rule is DROP ALL ELSE anyway!
Then stop ignoring other people's advice. You have a bloated firewall configuration with a lot of unnecessary rules. Fact is, with the defconf firewall, this is simply incorrect. Either your port scan tool is bogus, or you have some other misconfiguration somewhere else (maybe your interface lists were not properly maintained). But we can't see that because you refused to provide the full config export.