As I have configured a firewall for my PPPoE DSL connection, I did some research on it with nmap. There were some open ports:
ssh
cisco-sccp
http
and two others which I don’t remember at the moment.
To my astonishment, the ssh and http ports seem to correlate with enabling/disabling the “IP Services”. After disabling the ssh service, the open port was also gone from the outside.
Can anybody explain this behaviour to me? Does it mean there is always an open port on the WAN side if I enable some of the IP services? There is another thing which I cannot explain: my IP services are all bound to LAN IP address ranges. Why is there an open port on the WAN? Is this port open by default and only filtered later?
At the moment I see a security problem.
Well, normally a MikroTik router does not have any filters activated in the firewall. Lately the default configuration does contain some, but I don’t like the default configuration, so I always delete it. This means it is up to you to secure your router and to decide what level of security you want to apply.
I suggest you have a look at the wiki about how to secure your router, port-knocking, dropping attack etc.: http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
You say you did configure your firewall, so I assume you know how it works and what it’s for. That also means you know what to do under these circumstances, right?
As an admin it’s always on you to secure your network. You should never assume that a device secures itself magically. You’re the priest and it’s on you to apply the voodoo.
Yes, you are right, I am responsible for the firewall. This is the reason why I want to learn about this behaviour of the IP services…
What’s the use of those settings in IP Services when the ports are visible nevertheless?! I did allow access to the IP services only from the local LAN, but nmap shows me the opposite?
How do the IP Service settings and firewalling fit together?
Well, the services are there to access the router, so yes the ports are open. They are listening for any incoming connection. If the connection is not valid they will drop it.
But if you want to close the ports, you should do that via a firewall filter. Be careful, though, not to lock yourself out of the router. For example:
The rules above would allow incoming connections on port 80 on interface ether1 from source address 2.2.2.2, and would drop all the rest on port 80. Notice the chain=input, which is used only for requests to the router, not through the router.
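The pattern described in this answer, as an added RouterOS example that is not the poster's own rules: bind the services to the LAN, then use the input chain to admit one administrative source address on the WAN and drop the rest. The interface name pppoe-out1, the LAN range 192.168.88.0/24 and the admin address 2.2.2.2 are assumptions; TCP 2000 is the port nmap labels cisco-sccp (the RouterOS bandwidth-test server listens there).

```routeros
# Added example, not from the thread. Assumed names: pppoe-out1 (PPPoE client
# interface), 192.168.88.0/24 (LAN), 2.2.2.2 (the one remote admin address).

# 1. "Available From" in IP Services. This only tells the application which
#    sources it will talk to; the socket still listens on every interface,
#    so a scan from the WAN still sees the port as open.
/ip service set www address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet
/ip service disable ftp

# 2. Input chain = traffic addressed to the router itself. Rules are evaluated
#    top to bottom and the first terminating match (accept/drop) wins, so the
#    order below matters: the narrow accept must come before the broad drop.
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="keep sessions that are already open"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=pppoe-out1 protocol=tcp \
    dst-port=80 src-address=2.2.2.2 action=accept \
    comment="web admin from one address only"
/ip firewall filter add chain=input in-interface=pppoe-out1 protocol=tcp \
    dst-port=22,80,2000 action=drop \
    comment="everything else to the service ports from the WAN"
/ip firewall filter add chain=input in-interface=pppoe-out1 action=drop \
    comment="any other traffic to the router from the WAN"

# 3. Verification: the packet counters show whether a scan from the outside
#    actually reached the drop rules or was consumed by an earlier rule.
/ip firewall filter print stats where chain=input
/ip service print
```

Two things to check if a port still shows up after adding such rules: that the drop rule's counter in `print stats` increases while scanning (if it stays at zero, an earlier rule accepted the packet, or the in-interface name does not match the real PPPoE interface), and that the scan really comes from the WAN side rather than the LAN. With action=drop nmap reports the port as filtered; a service that is merely restricted by its address setting still completes the TCP handshake and therefore shows as open.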
Meanwhile I did some more research on this topic. Even if I drop all packets in the input and forward chains on this specific PPPoE interface, the ports are still open?!
What’s wrong here?
There is a source NAT setup on this port, but that should not matter...