Mikrotik Service ports open/filtered nmap

Just a quick question.

So my router has the following setup

/ip service
set telnet address=192.168.168.0/30
set ssh address=10.8.0.0/22,Y.Y.Y.Y/32,192.168.168.0/30,192.168.170.0/30,172.16.0.0/12,X.X.X/32

Some public IPs are in there to allow me to SSH in.

But when I do an nmap scan of the box it's not showing filtered; it's showing open.

nmap -T4 -Pn Z.Z.Z.Z
Starting Nmap 7.80 ( https://nmap.org ) at 2024-10-01 15:04 UTC
Nmap scan report for Z.Z.Z.Z
Host is up (0.048s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet

Should they be showing up as filtered vs open?
But the question is: why are these open in nmap vs filtered?

And the correct path forward would be a firewall ACL, I assume.

My guess: when you have a list of allowed source IP addresses set in the service definition, then access from any other IP address will be rejected at the service level. Which means that some alien, trying to connect to ssh (TCP port 22), will perform the initial 3-way TCP handshake … and after that the SSH service on ROS will reject the user.

But that's not the way some port scanners work. Typically they don't do the 3-way TCP handshake; they are happy to receive the initial response from "the victim" (telling them that the TCP port is available for connection). Or they receive some ICMP reply telling them that the port is not available (I guess this translates to "closed") … or time out if the packet is simply dropped (and I guess this translates to "filtered"). Nmap largely relies on ICMP responses when classifying UDP port statuses.

So my strategy is always to use the firewall (filter) to control access to the router's services (chain=input rules), and I don't bother doing it in service definitions.

https://nmap.org/book/scan-methods-udp-scan.html
https://nmap.org/book/man-port-scanning-basics.html
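As an added example (not part of either post above), here is what the "firewall instead of /ip service" approach looks like in RouterOS for the address ranges from the question. The address-list name mgmt-allowed, the comments, and the X.X.X.X / Y.Y.Y.Y placeholders for the admin public IPs are assumptions; everything else mirrors the original /ip service restrictions, with the drop moved into chain=input so an unlisted source never completes the TCP handshake.

```routeros
# Added example, not the poster's configuration. Management access is enforced
# in the input chain; unlisted sources are dropped before the SYN is answered,
# so a SYN scan from them times out and nmap reports "filtered" rather than "open".
# Address ranges are the ones from the question; "mgmt-allowed" and the
# X.X.X.X / Y.Y.Y.Y placeholders are assumptions.

/ip firewall address-list
add list=mgmt-allowed address=10.8.0.0/22 comment="VPN clients (assumed purpose)"
add list=mgmt-allowed address=192.168.168.0/30
add list=mgmt-allowed address=192.168.170.0/30
add list=mgmt-allowed address=172.16.0.0/12
add list=mgmt-allowed address=X.X.X.X/32 comment="admin public IP (placeholder)"
add list=mgmt-allowed address=Y.Y.Y.Y/32 comment="admin public IP (placeholder)"

/ip firewall filter
# Keep existing sessions working (including the SSH session used to apply this)
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Telnet only from the one /30 the original /ip service line allowed
add chain=input protocol=tcp dst-port=23 src-address=192.168.168.0/30 action=accept
# SSH only from the management address list
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt-allowed action=accept
# Default deny for traffic to the router itself. "drop" (not "reject") is what
# makes unlisted scanners see the ports as filtered.
add chain=input action=drop comment="default deny on input"
```

Rule order matters: add the accept rules before the final drop, and apply the change from an address that is in mgmt-allowed, otherwise the drop rule will cut off your own session. The final drop also covers anything else that targets the router (ICMP, DNS or DHCP if the router serves them to the LAN, Winbox, the VPN endpoint itself), so those need their own accept rules above it. With this in place, the same `nmap -T4 -Pn Z.Z.Z.Z` from an unlisted source should show 22/tcp and 23/tcp as `filtered`; if you used `action=reject reject-with=tcp-reset` instead of `drop`, nmap would show them as `closed`, which still confirms the services are not reachable. The existing /ip service address restriction can stay as a second layer; it just should not be the only one.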