Stopping Unsolicited packets

Hello,

I am not sure if this is the best forum, but I thought I would start here.
I am trying to configure my RB-3011 to be pretty much invisible to others. I have used Shields Up from https://www.grc.com and it is showing the following:

Unsolicited Packets: RECEIVED (FAILED) — Your system’s personal security countermeasures unwisely attempted to probe us in response to our probes. While some users believe that “tracking down” the source of Internet probes is useful, experience indicates that there is little to gain and potentially much to lose. The wisest course of action is to simulate nonexistence — which your system has failed to do. Your counter-probes immediately reveal your system’s presence and location on the Internet.

. I have all common ports showing as “stealth” (dropping pings).

My configuration for the firewall is:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input icmp-options=8:0-255 in-interface=ether1_WAN protocol=icmp
add action=drop chain=forward icmp-options=8:0-255 in-interface=ether1_WAN protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: drop ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add action=accept chain=input comment="Accept established connections" connection-state=established
add action=accept chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="invalid connections" connection-state=invalid
add action=accept chain=input comment=UDP protocol=udp
add action=drop chain=forward comment="invalid connections" connection-state=invalid
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1m chain=block-ddos
add action=drop chain=input comment="ping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
/ip firewall nat
add action=dst-nat chain=dstnat comment=xxxx dst-port=### protocol=tcp to-addresses=192.xxx.xxx.xxx to-ports=###
add action=dst-nat chain=dstnat comment=xxxx dst-port=### protocol=tcp src-port=### to-addresses=192.xxx.xxx.xxx to-ports=###
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

I am not certain how to get the router to stop trying to find the address of the machine sending the pings.
Any assistance would be greatly appreciated

It doesn’t sound like anything RouterOS would do. Are you sure that it’s not done by internal device(s) where you forward some ports to?

And the whole idea of being paranoid, I don’t know… What’s the point of blocking port numbers just because some worm used the same port twenty years ago? Similar with ping, the evil hacker will know that the address is alive… so what? It’s not like they won’t test interesting ports anyway.

Messy set of rules…
Why not start from scratch default and test.
Then add rules that still are applicable and check to see which one(s) is are the culprit.
I dont have any virus chains or rules in my FW and dont see that advised or recommended anywhere???

Long-term blocking of malware based on port number is futile. What will you do when the next malware that uses dynamic ports 1025-65535 hits the 'net? Block 1025-65535? It’s hard to read with your rules so randomly organized. I’m guessing you’re probably already adversely affecting some small number of sessions due to them attempting to start on ports you’ve blocked. Sure, you can compensate with related/established rules perhaps, but it’s not worth the effort. If you aren’t forwarding the ports to inside hosts, there’s nothing to protect from ancient malware anyway.

Short-term, I can see reacting to certain outbreak by blocking a specific port, but not for very long.

Thank you all for the responses. I have pared down the ‘ip firewall filter’ to:

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input icmp-options=8:0-255 in-interface=ether1_WAN protocol=icmp
add action=drop chain=forward icmp-options=8:0-255 in-interface=ether1_WAN protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: drop ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related

This has also stopped the router from sending the unsolicited packets. Just for my own piece of mind GRC now shows the router passing…

Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system wisely remained silent in every way.

I know it is not perfect but it makes my wife happy that the router is in “Stealth Mode” which of course makes it easier for me.

Thanks Again,

Kevin

You can delete these (last 4), they are duplicates as per your export:

add action=accept chain=input comment="defconf: drop ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related

I will also add these to the bottom of firewall rule list:

add action=drop chain=input comment="Default Drop Rule - Input Chain"
add action=drop chain=forward comment="Default Drop Rule - Forward Chain"