I decided to nmap my external IP today to see how my firewall is doing. I was surprised to see that TCP 1720 is wide open to the Internet, and I confirmed I was able to telnet to the port and stay connected as long as I want. I have firewall rules that specifically drop new inbound connections from the Internet as well as a default deny rule, so this doesn't make sense to me. Just in case my firewall rules are broken, I created this additional rule and put it at the top of the order:
/ip firewall filter add action=drop chain=input comment="testing inbound drops" connection-state="" dst-port=1720 log=yes log-prefix=drop_input_test protocol=tcp
After testing again, I see the rule fired four times like so:
message: drop_input_test input: in:ether1 out:(unknown 0), src-mac redacted, proto TCP (SYN), external_ip2:2590->my_external_ip:1720, len 64
But the router allowed the connection to be established anyway and never dropped it, so the rule did nothing. I tried various other firewall rules (on the output chain, raw prerouting rules, etc.) with the same results. This router did have the ppp package installed, so even though no servers were configured I tried disabling and then uninstalling it, with reboots in between, but the port is still open. I also tried to close the port by disabling all the service ports in /ip firewall service-ports just in case it was an H.323 thing, but no change. I also noticed that the port is properly filtered on the router's internal IPs. None of my other devices are doing this. Has anyone else seen this behavior? This is an RB450Gx4 on 6.42.7.
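When a logging drop rule fires but the connection still completes, the first thing worth checking is exactly which packets of the flow the rule saw. The following Python parser is an added example, not code from the post or from MikroTik: it parses RouterOS firewall log lines in the `log=yes log-prefix=...` format shown above into structured records, counts logged packets to a port by TCP flags, and lists flows for which only SYN packets were logged (no later packet of the same flow reached the rule). The sample log is constructed with documentation IP ranges; the prefix name `drop_input_test` and the line layout come from the post, and the parser assumes IPv4-style `addr:port` tokens.

```python
"""Parse RouterOS firewall log lines and summarise what a logging rule saw.

Added example, not part of the original post. Sample lines below are
constructed (documentation IP ranges); the log layout and the prefix
'drop_input_test' follow the line quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Layout of one RouterOS firewall log line, e.g.:
# drop_input_test input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55,
#   proto TCP (SYN), 203.0.113.5:2590->198.51.100.7:1720, len 64
# Assumption: addresses are IPv4 (or hostname-like tokens) without colons.
LOG_RE = re.compile(
    r"^(?P<prefix>\S+)\s+(?P<chain>\w+):\s+"
    r"in:(?P<in_if>\S+)\s+out:(?P<out_if>\([^)]*\)|\S+),\s+"
    r"(?:src-mac\s+(?P<src_mac>\S+),\s+)?"
    r"proto\s+(?P<proto>\w+)(?:\s+\((?P<flags>[^)]*)\))?,\s+"
    r"(?P<src>[^\s:>]+):(?P<sport>\d+)->(?P<dst>[^\s:>]+):(?P<dport>\d+),\s+"
    r"len\s+(?P<length>\d+)\s*$"
)


@dataclass(frozen=True)
class LogRecord:
    prefix: str
    chain: str
    in_if: str
    out_if: str
    src_mac: Optional[str]
    proto: str
    flags: Tuple[str, ...]   # TCP flags as logged, e.g. ("SYN",) or ("ACK", "PSH")
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord for a firewall log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    raw_flags = m.group("flags") or ""
    flags = tuple(f.strip() for f in raw_flags.split(",") if f.strip())
    return LogRecord(
        prefix=m.group("prefix"), chain=m.group("chain"),
        in_if=m.group("in_if"), out_if=m.group("out_if"),
        src_mac=m.group("src_mac"), proto=m.group("proto").upper(), flags=flags,
        src=m.group("src"), sport=int(m.group("sport")),
        dst=m.group("dst"), dport=int(m.group("dport")),
        length=int(m.group("length")),
    )


def parse_log(text: str) -> List[LogRecord]:
    """Parse every matching line; non-firewall lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def count_by_flags(records: List[LogRecord], dport: int, proto: str = "TCP") -> Dict[str, int]:
    """Count logged packets to dport, keyed by '<prefix> <flags>' (flags joined with '|')."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.dport != dport or r.proto != proto:
            continue
        key = f"{r.prefix} {'|'.join(r.flags) or '-'}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def syn_only_flows(records: List[LogRecord], dport: int) -> Set[Tuple[str, int]]:
    """Flows (src, sport) to dport for which the rule logged only SYN packets.

    If such a flow nevertheless becomes an established connection, the packets
    after the SYN did not traverse the logging rule, which narrows down where
    in the packet flow to look next.
    """
    seen_syn: Set[Tuple[str, int]] = set()
    seen_other: Set[Tuple[str, int]] = set()
    for r in records:
        if r.dport != dport or r.proto != "TCP":
            continue
        flow = (r.src, r.sport)
        (seen_syn if r.flags == ("SYN",) else seen_other).add(flow)
    return seen_syn - seen_other


# Constructed sample log: one flow with four SYNs plus a data packet, one
# flow with a lone SYN, one unrelated UDP line, and one non-firewall line.
SAMPLE_LOG = """\
drop_input_test input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:2590->198.51.100.7:1720, len 64
drop_input_test input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:2590->198.51.100.7:1720, len 64
drop_input_test input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:2590->198.51.100.7:1720, len 64
drop_input_test input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:2590->198.51.100.7:1720, len 64
drop_input_test input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (ACK,PSH), 203.0.113.5:2590->198.51.100.7:1720, len 80
drop_input_test input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.8:40001->198.51.100.7:1720, len 64
other_rule input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.9:5060->198.51.100.7:5060, len 120
system,info router rebooted
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(count_by_flags(recs, 1720))
    print(syn_only_flows(recs, 1720))
```

Feed it the output of `/log print` filtered on your log prefix; a flow that shows up in `syn_only_flows` while `/ip firewall connection print` lists it as established is the case the post describes, and the counts by flags tell you whether the rule ever saw anything but the handshake.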