Help with disabling protocols

I scanned my MikroTik with the “nmap -sO” option.
The result is:

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-12-19 05:13 Финляндия (зима)

Nmap scan report 

Host is up (0.00s latency).

Not shown: 248 closed protocols

PROTOCOL STATE         SERVICE

1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
47       open|filtered gre
103      open|filtered pim
136      open|filtered unknown
255      open|filtered unknown

I have read about the protocols igmp,gre,pim and #s 136, 255, and I think part of them should come with a routing package. But I don’t have it.

system package print 
Flags: X - disabled 
 #   NAME                     VERSION                     SCHEDULED              
 0   system                   5.0rc5                                             
 1   dhcp                     5.0rc5                                             
 2   user-manager             5.0rc5                                             
 3   routerboard              5.0rc5                                             
 4   security                 5.0rc5                                             
 5   ntp                      5.0rc5                                             
 6   advanced-tools           5.0rc5

I added a few rules in the firewall

 2   chain=input action=reject reject-with=icmp-protocol-unreachable  protocol=igmp 
 3   chain=input action=reject reject-with=icmp-protocol-unreachable protocol=gre
 4   chain=input action=reject reject-with=icmp-protocol-unreachable protocol=pim
 5   chain=input action=reject reject-with=icmp-protocol-unreachable protocol=13
 6   chain=input action=reject reject-with=icmp-protocol-unreachable protocol=25

After that the nmap list is:

PROTOCOL STATE         SERVICE

1        open          icmp
6        open          tcp
17       open          udp
47       open|filtered gre

As we can see gre is still open.

The question is: why are these protocols open in the system, and how do I disable them without a firewall?
Enable only icmp, tcp, udp.

I would be thankful for any suggestions or manuals.
Sorry for my English.

Do you have some tunnels running on your router? Doing nmap -sS on Linux does not show GRE as open on a router without tunnels.

No, I haven’t any tunnels on my router. All lists of EoIP, IP, GRE tunnels are empty.

nmap -sS <my 192...address>
Not shown: 996 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
53/tcp   open  domain
81/tcp   open  hosts2-ns     (this is my web-proxy)
8291/tcp open  unknown

But GRE is a part of the problem. Why are the igmp, pim and 136, 255 protocols open?
And they require special rules in the firewall. I don’t understand.

just RTFM

If no response is received after retransmissions, the protocol is marked open|filtered

so if router silently drops your packets - you will see “open|filtered”

An open protocol is NOT an open port - it’s a slightly different thing

Thank you, but I’ve always known that)

Just show me where I spoke about the port?

I know the difference between the port and protocol and that is why I wrote above

chain=input action=reject reject-with=icmp-protocol-unreachable  protocol=igmp

reject-with=icmp-protocol-unreachable
Does this not show that I am familiar with the difference?

In this case, tell me why these protocols, and not the 65,527 others?
Why exactly are THESE protocols open (no response), requiring special rules in the firewall?
Why don’t IPv6 | SIP | RTP or others drop packets?

Maybe no tunnels are active, but the server is enabled and listening on the port? I would suggest playing around with the reject-with message; maybe your tool is checking for a specific response but instead gets something different. It is known that if there is no response or a wrong one, the port/protocol is considered open/filtered by these tools, as maybe this resource is available from some other host.
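
The state rule quoted from the nmap manual in this thread, applied to the two scans from the first post. This is an added example, not part of the original thread. The function names and the reply encoding are hypothetical; the sample rows are constructed from the tables quoted above, and the rules for states other than open|filtered follow the nmap manual's description of -sO.

```python
import re

# Constructed sample: protocol rows from the two nmap -sO tables in the thread.
BEFORE = """\
1        open          icmp
2        open|filtered igmp
6        open          tcp
17       open          udp
47       open|filtered gre
103      open|filtered pim
136      open|filtered unknown
255      open|filtered unknown
"""
AFTER = """\
1        open          icmp
6        open          tcp
17       open          udp
47       open|filtered gre
"""
ROW = re.compile(r"^(\d+)\s+(open\|filtered|open|closed|filtered)\s+\S+\s*$")

def parse_proto_table(text):
    """Return {protocol_number: state} from the rows of an nmap -sO table."""
    return {int(m[1]): m[2] for m in map(ROW.match, text.splitlines()) if m}

def classify_reply(reply):
    """State for one protocol probe, following the nmap manual's -sO rules.
    reply (hypothetical encoding): None = nothing came back, "same-proto" =
    a packet in the probed protocol, or an (icmp_type, icmp_code) tuple."""
    if reply is None:
        return "open|filtered"   # silence: listening, or silently dropped
    if reply in ("same-proto", (3, 3)):
        return "open"            # (3, 3) is ICMP port unreachable
    if reply == (3, 2):
        return "closed"          # what reject-with=icmp-protocol-unreachable sends
    if reply[0] == 3 and reply[1] in (0, 1, 9, 10, 13):
        return "filtered"        # other ICMP unreachable errors
    raise ValueError(f"reply not handled here: {reply!r}")

def now_closed(before, after):
    """Protocols gone from the table; nmap leaves closed ones out of it."""
    return sorted(set(before) - set(after))

def still_unanswered(before, after):
    """Protocols that drew no reply in both scans."""
    return sorted(p for p, s in after.items()
                  if s == before.get(p) == "open|filtered")
```

Run on the two tables, `now_closed` returns the protocols whose reject rules produced an ICMP protocol unreachable, and `still_unanswered` returns the one protocol (47) for which the scanner still received nothing.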