Exposed ports on WAN - why?

robmash

Hi all,

I am running an RT-AC68U on 386.13 (latest available release). Recently I ran an external scan of the WAN interface and I found a number of ports publicly exposed.

Port 3394 - u2ec (USB printing?)
Port 5473 - u2ec
Port 7788 - cfg_server
Port 18017 - Asus wanduck (from what I have read, this is the service that gives you an error page when the WAN link is down)

I can see all these services when I run netstat -a -p on the router, but when I look in iptables there are no rules to allow these ports from the WAN. Furthermore, I have turned off any services which may open ports - UPnP is disabled, and I have also confirmed that port forwarding, port triggers and DMZ are also disabled as well. I am running an OpenVPN server which exposes a port, and while that works it interestingly does not report as an open port in my scan.

There have been a few other posts over the years talking about something similar but nothing recently, and nothing definitive as to why this occurs. This looks like some sort of bug to me, but my first question is - can anyone else on the same version replicate this behaviour on the same firmware? My second question is - what is the potential risk from having these services exposed?
 
These ports are not exposed to the internet. You're only seeing that result because you're testing from inside your LAN. This has been discussed many times.
 
Hi Colin,

Thanks for your reply. These ports are definitely exposed to the WAN interface. The scan was run from my mobile phone with Wi-Fi turned off. When I run netstat -a after my port scan I can see the port in a CLOSE_WAIT state showing my phone's public IP address (which is in a completely different range to my home internet provider). When I run the scan from inside the LAN I see a whole lot more open ports - the router web interface, DNS & a whole lot more. I have also confirmed that these ports are open using ShieldsUp - a public port scanner.

So in other words, these ports are 100% exposed on the WAN interface.
 
That makes no sense unless you have turned off the router's firewall. As you said yourself, there are no iptables rules that allow access to those ports from the internet.
 
Thanks Colin. That was it - the firewall had somehow been turned off. After turning it back on they no longer show as open. It is interesting that the other services I can see on the inside interface were also not exposed. Perhaps the ISP is blocking common ports to prevent people making stupid mistakes like me :)
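
The point this thread turned on, shown as an added example (not part of any post above, and not Asus firmware code): a service bound to all interfaces is reachable from the WAN whenever the INPUT chain ends in ACCEPT, even if no rule names its port. The interface name `eth0`, the LAN address and both rule sets are constructed assumptions, and only the `-i`, `-p`, `--dport` and state matches are modelled.

```python
WAN_IF = "eth0"  # assumption: name of the WAN interface

# Constructed `netstat -tln` lines: the four ports from the scan, plus a LAN-only listener.
NETSTAT = """\
tcp   0   0 0.0.0.0:3394      0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:5473      0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:7788      0.0.0.0:*   LISTEN
tcp   0   0 0.0.0.0:18017     0.0.0.0:*   LISTEN
tcp   0   0 192.168.1.1:80    0.0.0.0:*   LISTEN
"""
# Constructed `iptables -S INPUT` output: nothing drops, so the ACCEPT policy decides.
RULES_FIREWALL_OFF = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
"""
# Constructed: same chain with a catch-all DROP after the LAN and VPN accepts.
RULES_FIREWALL_ON = RULES_FIREWALL_OFF + """\
-A INPUT -i br0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -j DROP
"""

def listeners(netstat_text):
    """TCP ports listening on a wildcard address, i.e. on every interface."""
    ports = set()
    for f in map(str.split, netstat_text.splitlines()):
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            if addr in ("0.0.0.0", "::"):
                ports.add(int(port))
    return sorted(ports)

def verdict(rules_text, port, iface=WAN_IF):
    """First-match result for a NEW TCP packet to `port` arriving on `iface`."""
    policy = "ACCEPT"
    for tok in map(str.split, rules_text.splitlines()):
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        if tok[:2] != ["-A", "INPUT"]:
            continue
        opts = dict(zip(tok[2::2], tok[3::2]))  # option/value pairs; "!" negation not modelled
        lo, _, hi = opts.get("--dport", str(port)).partition(":")
        state = opts.get("--state") or opts.get("--ctstate") or "NEW"
        if (opts.get("-i", iface) == iface and opts.get("-p", "tcp") in ("tcp", "all")
                and int(lo) <= port <= int(hi or lo) and "NEW" in state.split(",")
                and opts.get("-j") in ("ACCEPT", "DROP", "REJECT")):
            return opts["-j"]
    return policy  # no rule matched: the chain policy applies

def exposed(netstat_text, rules_text):
    """Wildcard listeners that the INPUT chain would accept from the WAN."""
    return [p for p in listeners(netstat_text) if verdict(rules_text, p) == "ACCEPT"]
```

To check a real router, replace the constructed strings with saved output of `netstat -tln` and `iptables -S INPUT`.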
 