tcp/554 and tcp/555 open, why?

n4p · Mon Nov 13, 2017 2:10 pm

Hi there,
i successfuly configurated my firewall settings at the rb2011. After that i wanna made a check with an extern connection pointed to my ip adress and used nmap.
The confiusing thing is, that nmap everytime shows port 554/tcp and port 555/tcp is open.

So i add a new rule to the firewall and row it as first:
input tcp port 555-556 -> action drop

After that i run nmap again and those ports still open? And the much more confuisung thing is that the firewall didn't show any traffic on the firewall rule adapted before.

So what i am doing wrong here?

Just for information, i am connected to the internet trough pppoe.

Thanks for answer!

Steveocee · Tue Nov 14, 2017 5:03 pm

Allow through only what you need.
Drop everything else.
-Security by obscurity.

blingblouw · Tue Nov 14, 2017 7:32 pm

Allow through only what you need.
Drop everything else.
-Security by obscurity.

?

How is that security by obscurity? In this analogy allow everything through and open every port would be security by obscurity.

Anyway, non of my mikrotik show this. Paste your firewall rules?

Steveocee · Wed Nov 15, 2017 11:05 am

?
How is that security by obscurity? In this analogy allow everything through and open every port would be security by obscurity.
Anyway, non of my mikrotik show this. Paste your firewall rules?

So the OP has a problem. 2 ports are showing as open from the web and he has created a firewall rule to try and drop them, this sounds not to have worked and as such they still show open.
As a general well intended comment, I posted allow only what you want, drop everything else. That in itself is obscuring the outside world. I held back a monger rambled version of changing port numbers as that is off the topic of this thread.

OP please do an export of your firewall rules so we can try to help.

n4p · Wed Nov 15, 2017 5:34 pm

Hi Steve,
here is the prefered output from the firewall rule-set.

/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" in-interface=vDSL-Telematika src-address-list="port scanners"
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=accept chain=input comment=IP-Sec connection-state=new in-interface=vDSL-Telematika protocol=ipsec-esp
add action=accept chain=input comment=IP-Sec connection-state=new dst-port=500,1701,4500 in-interface=vDSL-Telematika protocol=udp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related in-interface=vDSL-Telematika
add action=accept chain=forward connection-state="" in-interface=bridge
add action=accept chain=forward connection-state="" in-interface=vlan_WLAN_Manuel
add action=accept chain=forward connection-state="" in-interface=vlan_WLAN_Renate
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid in-interface=vDSL-Telematika
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local in-interface=vDSL-Telematika
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" in-interface=vDSL-Telematika src-address-type=!unicast
add action=drop chain=input comment="Alles von WAN verwerfen" in-interface=vDSL-Telematika

n4p · Thu Nov 16, 2017 4:11 pm

Hm,
nobody got an idea why those ports are open? It looks really confiusing because with the drop-rules in the firewall set, everythink else instead of ipsec and icmp should be locked out. So why open?

nickerpick · Fri Nov 17, 2017 12:21 am

Check if you have rules for dstnat. I think the NAT table is beeing read before the filter table and if you don't drop per default this Traffic ist allowed. A Client in your LAN is than answering the TCP Syn requests.

Gesendet von meinem Moto G (4) mit Tapatalk

n4p · Fri Nov 17, 2017 10:35 am

Yes,
there are only two dst-nat rules. But those have nothing to do with port 554 & port 555.
Its currently not possible to make an export from the nat rules, but there is only port 443 & and a special port 55372.

So that can't be the fault.

blingblouw · Fri Nov 17, 2017 5:36 pm

Well to be sure what you can do is to take a different interface (one not used) give it an IP and then nmap that IP . Once you see the port is not open you can start looking elsewhere

k6ccc · Fri Nov 17, 2017 6:01 pm

A couple things. In your first post you said you added specific drop rules in the INPUT chain for ports 544 and 555. Those are not shown in the filter export you posted a few posts later, so I assume you later deleted that. You were surprised that the drop rule showed no traffic when doing your NMAP scan. Try putting those rules back as the first rule in the FORWARD chain and try again. If the scan traffic is not showing up in the counters in the INPUT chain, than it should be showing up in the FORWARD chain. That should also help identify how it's getting through. Also take a look at the connections list. You could have something inside your firewall that is sending out traffic requesting it come back on those ports - therefore, traffic on those ports would be coming through the "established and related" filter.
Last suggestion. You have your different filter chains all mixed up. Makes it FAR easier to read if you have all of one chain together. For example, all INPUT chain, then all FORWARD chain, then whatever other chains you have created. The last rule in both the forward and input chains should be a drop everything:
add action=drop chain=input comment="Drop any other input packets that get this far."
add action=drop chain=forward comment="Drop any other forward packets that get this far."

n4p · Fri Nov 17, 2017 7:22 pm

Hi k6ccc,
yes up there you can see my default firewall setup.
As descripted in the frist post i made a scan with just only this rules and see port 554 & 555 as open. After that i tried to add an input rule with matches these ports and drop them, but nothing happens and the ports still open.

Between the nmap scan was running i had an opened teamviewer session to an extern host, but i can't believe that this is the issue or?

kind regards

tcp/554 and tcp/555 open, why?

tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Re: tcp/554 and tcp/555 open, why?

Who is online