mt99
newbie
Topic Author
Posts: 44
Joined: Wed Jan 03, 2018 6:07 pm

Stopping connections to TCP port 1720

Mon Sep 17, 2018 12:59 am

I decided to nmap my external IP today to see how my firewall is doing. I was surprised to see that TCP 1720 is wide open to the Internet, and I confirmed that I was able to telnet to the port and stay connected as long as I want. I have firewall rules that specifically drop new inbound connections from the Internet as well as a default deny rule, so this doesn't make sense to me. Just in case my firewall rules are broken, I created this additional rule and put it at the top of the order:

/ip firewall filter add action=drop chain=input comment="testing inbound drops" connection-state="" dst-port=1720 log=yes log-prefix=drop_input_test protocol=tcp

After testing again, I see the rule fired four times like so:

message: drop_input_test input: in:ether1 out:(unknown 0), src-mac redacted, proto TCP (SYN), external_ip2:2590->my_external_ip:1720, len 64

But the router allowed the connection to be established anyway and never dropped it, so the rule did nothing. I tried various other firewall rules (on the output chain, raw prerouting rules, etc.) with the same results. This router did have the ppp package installed, so even though no servers were configured I tried disabling and then uninstalling with reboots in between, but the port is still open. I also tried to close the port by disabling all the service ports in /ip firewall service-ports just in case it was an H.323 thing, but no change. I also noticed that the port is properly filtered on the router's internal IPs. None of my other devices are doing this. Has anyone else seen this behavior? This is an RB450Gx4 on 6.42.7.
 
mkx
Forum Guru
Posts: 11627
Joined: Thu Mar 03, 2016 10:23 pm

Re: Stopping connections to TCP port 1720

Mon Sep 17, 2018 9:02 am

Did you check if socks are enabled? Use command /ip socks print to verify.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Stopping connections to TCP port 1720

Mon Sep 17, 2018 2:55 pm

Same counts for UPnP.
 
mt99
newbie
Topic Author
Posts: 44
Joined: Wed Jan 03, 2018 6:07 pm

Re: Stopping connections to TCP port 1720

Mon Sep 17, 2018 2:56 pm

No, luckily socks is still disabled and no UPnP either. I don't have any reason to believe that the router is compromised; everything looks the way I set it. But I'm concerned that there's no way to stop a compromise if someone can figure out a way to exploit that open port. I can't close it, or drop traffic to it either. Curious whether this is just me, or if this is known behavior somehow.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Stopping connections to TCP port 1720

Mon Sep 17, 2018 9:14 pm

What kind of connection do you have? Certain modems apparently open UPnP to WAN, so you're actually connecting to the modem, not the router.
 
mt99
newbie
Topic Author
Posts: 44
Joined: Wed Jan 03, 2018 6:07 pm

Re: Stopping connections to TCP port 1720

Mon Sep 17, 2018 11:01 pm

R1CH, I think you're exactly right. I own my own cable modem, and I just unplugged it from the router and was still able to access TCP port 1720 externally. I feel stupid/relieved. Thanks.
 
43north
Member Candidate
Posts: 208
Joined: Fri Nov 14, 2014 7:06 am

Re: Stopping connections to TCP port 1720

Tue Sep 18, 2018 7:11 am

@mt99 I am glad you created this topic, I was doing the same thing a couple of weeks ago!!!! This makes sense now for me too, cable modem that can do phone as well. Ugh too funny
