NMAP: All ports open?

Hello

NMAP launched against TOS 5.1.8 shows only these ports as filtered: 25, 139, 445, 465, 587, 3306, 5432.
All other ports are shown as open.
How is this possible?

Are you testing “from outside”, i.e. from a device in the internet and outside your LAN?

Of course, from the outside (from the internet).
I didn’t change anything in the firewall, factory default.

Okay, can you share your /etc/config/firewall and /etc/config/network… maybe somebody will figure out something… But this definitely isn’t a standard behavior.

This is weird :frowning:
The scan run from the computer gives the results as I wrote in the first post.
But scans run from online scanners (for example https://hackertarget.com/nmap-online-port-scanner/ or https://www.itexperst.at/online-portscanner-nmap or https://nmap.online) show ports closed or filtered (which is correct).
WTF?

VPN? Forgotten Wifi? DMZ?

This looks like a false positive.

Log in to your Turris Omnia via the CLI, and enter ss -tulpn | grep -i "listen". The output shows all listening services. Lines with 127.0.0.1 or [::1] are local services without an open port. All services with 0.0.0.0 or * should have open ports.

On my Turris, there are 22/tcp (SSH), 53/tcp (kresd DNS), 80/tcp (Lighttpd Webmanagement HTTP) and 443/tcp (Lighttpd Webmanagement via HTTPS).
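
The check described in the post above, written as a script. This is an added example, not part of any poster's message: it sorts `ss -tuln` listeners by bind address, and the function names and the sample table are constructed for illustration. A wildcard listener is only a candidate for WAN exposure, because the firewall decides whether the port is reachable from outside.

```shell
#!/bin/sh
# Added example, not from the thread: sort listening sockets by bind scope.

# Constructed sample in the usual `ss -tuln` column layout (not from a real router).
sample_ss_output() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.1:53       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8953     0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.1:53     0.0.0.0:*
tcp   LISTEN 0      128    [::1]:53           [::]:*
tcp   LISTEN 0      128    [::]:80            [::]:*
tcp   LISTEN 0      128    *:443              *:*
EOF
}

# Reads `ss -tuln` output on stdin, prints "proto/port scope address" per listener.
classify_listeners() {
    awk '
    $1 != "tcp" && $1 != "udp" { next }   # skip header and other socket types
    match($5, /:[^:]*$/) {                # the port follows the last colon
        addr = substr($5, 1, RSTART - 1)
        port = substr($5, RSTART + 1)
        sub(/%.*$/, "", addr)             # drop an interface suffix such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback-only"
        else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") scope = "all-interfaces"
        else scope = "specific-address"
        print $1 "/" port, scope, addr
    }'
}

# Wildcard listeners are bound on every interface, WAN included; whether a scan
# from outside reaches them is decided by the firewall, not by the listener.
wan_candidates() {
    classify_listeners | awk '$2 == "all-interfaces" { print $1 }' | LC_ALL=C sort -u
}

sample_ss_output | classify_listeners
# On the router itself: ss -tuln | wan_candidates
```

Ports listed by `wan_candidates` are the ones worth comparing against the WAN zone rules in /etc/config/firewall.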

One thing is having a running service listening on an open port, and the other is blocking access to the port from WAN. These are two separate things and I think what this thread is about is the latter…

are you sure the others are open, not closed?

Nmap scan report for xxx (yyy)
Host is up (0.24s latency).
Not shown: 987 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   open     http
179/tcp  filtered bgp
443/tcp  open     https
587/tcp  open     submission
646/tcp  filtered ldp
711/tcp  filtered cisco-tdp
2525/tcp open     ms-v-worlds

On my TO, this command gives the answer: Cannot open netlink socket: Protocol not supported

Yes - open.

But I noticed a strange behavior of nmap, or I don’t understand how it works:

Command: nmap -p 23 -Pn myIP or nmap -sT -p 23 -Pn myIP
PORT   STATE SERVICE
23/tcp open  telnet

Command: nmap -sA -p 23 -Pn myIP
PORT   STATE      SERVICE
23/tcp unfiltered telnet

Command: nmap -sF -p 23 -Pn myIP
PORT   STATE         SERVICE
23/tcp open|filtered telnet

Is there anyone here who understands nmap well?

You can use this site, it is usually not too bad
https://www.grc.com/intro.htm
The results of nmap are sometimes weird for home networks because operators use plenty of gateways.
You can give us your public IP; that way we can compare our results …

tcp/23 is apparently open because of sentinel honeypots, thus, port 23 is not valid for checking.

From the nmap manual page:

For example, a SYN scan considers no-response to indicate a filtered port, while a FIN scan treats the same as open|filtered.

I don’t have Sentinel running.
(because it wasn’t behaving steadily: dynfw_client didn’t start randomly).

This is not a good idea :wink:

In a private message, of course :smile:
And I will give you mine; that way you can follow the logs.
But I fully understand if you are not comfortable with that …

it’s a turris, it should be safe.

what do you see when telnetting to port 23 from outside?

If you have a doubt, unplug your WAN access, plug a laptop into it and restart your scan. And if you have an open port, try to use it. You can also plug a small hub into your WAN port; that way you can scan your internet access in real time. Beware: everything plugged into this hub will not be protected by the firewall. And by the way, what is the result of ShieldsUP! at https://www.grc.com ?

You give the IP to all “sites” you visit. I can’t see a significant risk, though you perhaps don’t want to post it publicly.

Well, if you’re in the middle of an investigation whether all your ports aren’t mistakenly open to the world, I think giving out the IP address is really not the best idea =)
