How to block ports effectively?

Hi everyone,
By running Nmap on my Lubuntu distro in a VM and targeting my Windows desktop PC, it seems that a few ports are open. They seem to be related to Windows services mostly, and some crappy things I haven’t identified yet. I’d now like to block them.
Would a rule like this work for example?

ip firewall filter add chain=forward in-interface=bridge out-interface-list=WAN protocol=tcp dst-port=445 action=drop

Thanks

Even destination ports are visible but CLOSED when doing port scans from the internet.
Why ports are showing as OPEN is very weird, perhaps if you allow ICMP??

I did a port scan from my LAN (Lubuntu is on a VM in my own LAN, although in “Host mode” in VMware Workstation Pro)

I allow ICMP in input chain

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

Thanks

Try grc.com and their ShieldsUP tool to see what is visible from the internet.

Ok, but I would like to drop requests from my LAN to the Internet too, and understand if my rule above would be ok.
Thanks

How can I make that determination without seeing your config…

I’d like to know whether my rule above is correct to just give it a try.
Thanks

The fact that you allow ICMP (1) in the input chain has nothing to do with the ports that appear as open…
Also, the rule in your first post blocks what comes from inside your LAN and tries to go out to the internet with destination port TCP 445… So, it does not protect you from reaching that device through the internet… you have to reverse the rule…

ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=445 action=drop

No, it wouldn’t work. The bridge interface is typically the originating interface for traffic generated by the router itself, which contradicts chain=forward. But then, if you’re filtering using out-interface-list (the right thing to do), then most of the time that’s enough (no need to use in-interface). The rest of the rule seems OK to me.

Ok, I won’t make any change to it.

> Also, the rule in your first post blocks what comes from inside your LAN and tries to go out to the internet with destination port TCP 445… So, it does not protect you from reaching that device through the internet… you have to reverse the rule…
>
> ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=445 action=drop

Blocking what tries to go out to internet would be my goal too.
To make a long story short, I don't want that service to communicate with outside, maybe a microsoft server.
I don't want it to reach my pc either. So, do I need to set two rules for that? Yours and mine?
Thanks

So, should I delete “in-interface=bridge”?
Thanks

I would use these two rules…

ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=445 action=drop
ip firewall filter add chain=forward out-interface-list=WAN protocol=tcp dst-port=445 action=drop

or you can simply not specify interface, so with one rule it will be dropped either coming from the Internet or going to the Internet…

good, thanks!

Without a full config, it’s hard to say.

ok


/ip firewall filter
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward dst-address-list=WAN src-address-list=LAN
add action=accept chain=input comment="defconf: accept established,related" connection-state=\
    established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=accept chain=input comment="permetti OpenVPN" dst-port=1194 protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related" connection-state=\
    established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop all else" disabled=yes

Thanks

@mur do you know that the firewall rules (and not only) are checked sequentially?
Please place the rules in a correct order, the wiki and some search will help you on that…
Or you can just reset to default and let the firewall as is and only add carefully…
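The rule-order point made above, shown with a small first-match simulator. This is an added illustration, not code from the thread or from RouterOS; the rule set is a constructed, reduced copy of the posted forward chain, with matcher names mirroring the export, and an unmatched packet is accepted as in a default RouterOS filter chain.

```python
# Minimal first-match evaluator for RouterOS-style filter rules (added example).
# A rule is a dict of matchers plus "action"; a "!" prefix negates a matcher and
# comma-separated values (e.g. "established,related") match any listed value.

def matches(rule, pkt):
    """True when every matcher in the rule matches the packet; disabled rules never match."""
    if rule.get("disabled"):
        return False
    for key, want in rule.items():
        if key in ("action", "disabled", "comment"):
            continue
        negate = want.startswith("!")
        allowed = set(want.lstrip("!").split(","))
        hit = pkt.get(key) in allowed
        if hit == negate:          # wanted a match but missed, or wanted a miss but hit
            return False
    return True

def first_match(rules, pkt):
    """Return (action, comment) of the first matching rule, or the implicit accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "implicit default (no rule matched)"

# Constructed subset of the poster's forward chain, in the order it was posted.
FORWARD = [
    {"chain": "forward", "action": "drop", "comment": "drop invalid", "connection-state": "invalid"},
    {"chain": "forward", "action": "accept", "comment": "accept LAN->WAN",
     "src-address-list": "LAN", "dst-address-list": "WAN"},
    {"chain": "forward", "action": "accept", "comment": "accept established,related",
     "connection-state": "established,related"},
    {"chain": "forward", "action": "drop", "comment": "drop from WAN not DSTNATed",
     "connection-nat-state": "!dstnat", "connection-state": "new", "in-interface-list": "WAN"},
]
BLOCK_445 = {"chain": "forward", "action": "drop", "comment": "block TCP 445",
             "protocol": "tcp", "dst-port": "445"}

# Constructed packet: a new SMB connection from a LAN host towards the Internet.
SMB_OUT = {"chain": "forward", "protocol": "tcp", "dst-port": "445",
           "src-address-list": "LAN", "dst-address-list": "WAN",
           "in-interface-list": "LAN", "out-interface-list": "WAN",
           "connection-state": "new", "connection-nat-state": ""}

def demo():
    """Verdicts for the same packet with the 445 drop appended vs. placed above the broad accept."""
    appended = FORWARD + [BLOCK_445]    # never reached: the LAN->WAN accept matches first
    prepended = [BLOCK_445] + FORWARD   # evaluated before the accept, so it takes effect
    return first_match(appended, SMB_OUT)[0], first_match(prepended, SMB_OUT)[0]

if __name__ == "__main__":
    print(demo())   # ('accept', 'drop')
```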

I changed them. Are they ok now?
thanks