Hello,
We've noticed since upgrading to 6.42.6 and newer, NMAP is responding with ports being filtered (see output below).
There are no rules in NAT or filter that would permit this. Even expressly blocking them under /ip filter does not stop it from responding as filtered.
Anyone seen this before?
```
nmap -sV xxx.xxx.xxx.xxx
Starting Nmap 6.40 ( http://nmap.org ) at 2018-09-26 22:37 EDT
Nmap scan report for
Host is up (0.018s latency).
Not shown: 991 closed ports
PORT     STATE    SERVICE      VERSION
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1080/tcp filtered socks
1433/tcp filtered ms-sql-s
1434/tcp filtered ms-sql-m
1723/tcp open     pptp         MikroTik (Firmware: 1)
8291/tcp filtered unknown
```
```
ip firewall filter export
# sep/26/2018 01:47:58 by RouterOS 6.42.6
# software id = V4K8-KD7D
# model = 2011UiAS-2HnD
# serial number = 80DF07DBD8D8
/ip firewall filter
add action=drop chain=forward comment="Public Wifi cannnot access Private IPv4" dst-address-list="Private IPv4" in-interface="Public Wifi VLAN"
add action=drop chain=input comment="Drop DNS requests from Public IP" dst-port=53 protocol=udp src-address-list="!Private IPv4"
add action=drop chain=forward comment="drop ssh brute forcers" src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list="!Private IPv4"
add action=drop chain=input comment="Winbox Management for BSI" dst-port=8291 protocol=tcp src-address-list="!BSI Management"
```
```
ip firewall nat export
# sep/26/2018 01:49:06 by RouterOS 6.42.6
# software id = V4K8-KD7D
# model = 2011UiAS-2HnD
# serial number = 80DF07DBD8D8
/ip firewall nat
add action=accept chain=srcnat comment="Exclude phones from NAT" dst-address=10.250.254.0/24 src-address=10.200.0.0/16
add action=masquerade chain=srcnat comment="NAT for Outbound Traffic" out-interface=pppoe-out1
```
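One way to check which of the "filtered" ports can be accounted for by the router's own input-chain drop rules, as an added example (not the poster's code and not a RouterOS tool): it parses the nmap port lines and the `/ip firewall filter` export above and matches every filtered port against drop rules that name that port and protocol; a port with no matching rule is not being filtered by anything in this export. Sample inputs are constructed from the post, the export parser assumes one rule per `add` line (wrapped lines rejoined), and it deliberately ignores source-address conditions, so a hit is a candidate rather than proof.

```python
import re
# Constructed sample: the port lines from the nmap output in the post
NMAP_OUTPUT = """\
25/tcp filtered smtp
445/tcp filtered microsoft-ds
1723/tcp open pptp MikroTik (Firmware: 1)
8291/tcp filtered unknown
"""
# Constructed sample: the input-chain drop rules from the post's filter export
FILTER_EXPORT = """\
add action=drop chain=input comment="Drop DNS requests from Public IP" dst-port=53 protocol=udp src-address-list="!Private IPv4"
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Winbox Management for BSI" dst-port=8291 protocol=tcp src-address-list="!BSI Management"
"""
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_nmap(text):
    """Return {(port, proto): state} for every port line in nmap output."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports

def parse_rules(text):
    """Return one dict of properties per 'add ...' line of a RouterOS export."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            for line in text.splitlines() if line.startswith("add ")]

def ports_in(spec):
    """Expand a RouterOS port value such as '22', '22,8291' or '1000-1010'."""
    return {p for part in filter(None, spec.split(","))
            for lo, _, hi in [part.partition("-")]
            for p in range(int(lo), int(hi or lo) + 1)}

def explain_filtered(nmap_text, export_text):
    """Map each filtered port to the comment of an input-chain drop rule naming its port
    and protocol, or None. Source-address conditions are ignored, so a hit is a candidate."""
    rules = parse_rules(export_text)
    result = {}
    for (port, proto), state in parse_nmap(nmap_text).items():
        if state == "filtered":
            hits = [r for r in rules if r.get("chain") == "input" and r.get("action") == "drop"
                    and r.get("protocol") == proto and port in ports_in(r.get("dst-port", ""))]
            result[(port, proto)] = hits[0].get("comment", "(no comment)") if hits else None
    return result
```

Calling `explain_filtered(NMAP_OUTPUT, FILTER_EXPORT)` pairs 8291/tcp with the "Winbox Management for BSI" rule and leaves 25/tcp and 445/tcp unexplained, which is the first thing to establish before looking beyond the router for where those ports are being dropped.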