n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

tcp/554 and tcp/555 open, why?

Mon Nov 13, 2017 2:10 pm

Hi there,
I successfully configured my firewall settings on the RB2011. After that I wanted to make a check with an external connection pointed to my IP address and used nmap.
The confusing thing is that nmap every time shows port 554/tcp and port 555/tcp as open.

So I added a new rule to the firewall and placed it first:
input tcp port 555-556 -> action drop

After that I ran nmap again and those ports are still open? And the much more confusing thing is that the firewall didn't show any traffic on the firewall rule added before.

So what am I doing wrong here?

Just for information, I am connected to the internet through PPPoE.

Thanks for answer!
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: tcp/554 and tcp/555 open, why?

Tue Nov 14, 2017 5:03 pm

Allow through only what you need.
Drop everything else.
-Security by obscurity.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
blingblouw
Member Candidate
Posts: 278
Joined: Wed Aug 25, 2010 9:43 am

Re: tcp/554 and tcp/555 open, why?

Tue Nov 14, 2017 7:32 pm

Allow through only what you need.
Drop everything else.
-Security by obscurity.
?

How is that security by obscurity? In this analogy allow everything through and open every port would be security by obscurity.

Anyway, none of my MikroTiks show this. Paste your firewall rules?
 
Steveocee
Forum Guru
Posts: 1110
Joined: Tue Jul 21, 2015 10:09 pm
Location: UK
Contact:

Re: tcp/554 and tcp/555 open, why?

Wed Nov 15, 2017 11:05 am

?
How is that security by obscurity? In this analogy allow everything through and open every port would be security by obscurity.
Anyway, non of my mikrotik show this. Paste your firewall rules?
So the OP has a problem. 2 ports are showing as open from the web and he has created a firewall rule to try and drop them; this does not seem to have worked and as such they still show open.
As a general well-intended comment, I posted allow only what you want, drop everything else. That in itself is obscuring the outside world. I held back a longer rambled version about changing port numbers as that is off the topic of this thread.

OP please do an export of your firewall rules so we can try to help.
Steve "Steveocee" Carter
PC Gamer, Airsofter, MikroTik Nerd
My Website - My MikroTik Tutorials
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: tcp/554 and tcp/555 open, why?

Wed Nov 15, 2017 5:34 pm

Hi Steve,
here is the preferred output from the firewall rule-set.
/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" in-interface=vDSL-Telematika src-address-list="port scanners"
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=accept chain=input comment=IP-Sec connection-state=new in-interface=vDSL-Telematika protocol=ipsec-esp
add action=accept chain=input comment=IP-Sec connection-state=new dst-port=500,1701,4500 in-interface=vDSL-Telematika protocol=udp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related in-interface=vDSL-Telematika
add action=accept chain=forward connection-state="" in-interface=bridge
add action=accept chain=forward connection-state="" in-interface=vlan_WLAN_Manuel
add action=accept chain=forward connection-state="" in-interface=vlan_WLAN_Renate
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid in-interface=vDSL-Telematika
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local in-interface=vDSL-Telematika
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" in-interface=vDSL-Telematika src-address-type=!unicast
add action=drop chain=input comment="Alles von WAN verwerfen" in-interface=vDSL-Telematika
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: tcp/554 and tcp/555 open, why?

Thu Nov 16, 2017 4:11 pm

Hm,
nobody got an idea why those ports are open? It looks really confusing because with the drop rules in the firewall set, everything else except IPsec and ICMP should be locked out. So why open?
 
nickerpick
just joined
Posts: 4
Joined: Fri Dec 05, 2014 3:19 pm

Re: tcp/554 and tcp/555 open, why?

Fri Nov 17, 2017 12:21 am

Check if you have rules for dstnat. I think the NAT table is being read before the filter table and if you don't drop per default this traffic is allowed. A client in your LAN is then answering the TCP SYN requests.

Sent from my Moto G (4) using Tapatalk
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: tcp/554 and tcp/555 open, why?

Fri Nov 17, 2017 10:35 am

Yes,
there are only two dst-nat rules. But those have nothing to do with port 554 & port 555.
It's currently not possible to make an export of the NAT rules, but there is only port 443 and a special port 55372.

So that can't be the fault.
 
blingblouw
Member Candidate
Posts: 278
Joined: Wed Aug 25, 2010 9:43 am

Re: tcp/554 and tcp/555 open, why?

Fri Nov 17, 2017 5:36 pm

Well, to be sure, what you can do is take a different interface (one not used), give it an IP and then nmap that IP. Once you see the port is not open you can start looking elsewhere.
 
k6ccc
Member
Posts: 481
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: tcp/554 and tcp/555 open, why?

Fri Nov 17, 2017 6:01 pm

A couple things. In your first post you said you added specific drop rules in the INPUT chain for ports 544 and 555. Those are not shown in the filter export you posted a few posts later, so I assume you later deleted them. You were surprised that the drop rule showed no traffic when doing your NMAP scan. Try putting those rules back as the first rule in the FORWARD chain and try again. If the scan traffic is not showing up in the counters in the INPUT chain, then it should be showing up in the FORWARD chain. That should also help identify how it's getting through. Also take a look at the connections list. You could have something inside your firewall that is sending out traffic requesting it come back on those ports - therefore, traffic on those ports would be coming through the "established and related" filter.
Last suggestion. You have your different filter chains all mixed up. Makes it FAR easier to read if you have all of one chain together. For example, all INPUT chain, then all FORWARD chain, then whatever other chains you have created. The last rule in both the forward and input chains should be a drop everything:
add action=drop chain=input comment="Drop any other input packets that get this far."
add action=drop chain=forward comment="Drop any other forward packets that get this far."
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
n4p
Member Candidate
Topic Author
Posts: 111
Joined: Wed Nov 25, 2015 9:54 pm

Re: tcp/554 and tcp/555 open, why?

Fri Nov 17, 2017 7:22 pm

Hi k6ccc,
yes up there you can see my default firewall setup.
As described in the first post, I made a scan with only these rules and saw ports 554 & 555 as open. After that I tried to add an input rule which matches these ports and drops them, but nothing happened and the ports are still open.

While the nmap scan was running I had an open TeamViewer session to an external host, but I can't believe that this is the issue, or?

kind regards
