Is an open port 53 a problem?

My Internet provider notified me (while solving another problem) that I have port 53 (DNS) open … It is very easy to use you for a DDoS attack.

Is this my problem, that is, caused by my own hands, or is it a default firewall error?

Did they ask you to open port 53 on your router? Or do you have port 53 open to the web?

No, they asked for nothing. The router has port 53 open to the Internet.
My IP is 93.91.50.207, you can check it.

Is this the standard firewall setup?

You have more than port 53 open towards the net…

Scanning buchtik.inet4.cz (93.91.50.207) [1024 ports]
Discovered open port 22/tcp on 93.91.50.207
Discovered open port 80/tcp on 93.91.50.207
Discovered open port 443/tcp on 93.91.50.207
Discovered open port 53/tcp on 93.91.50.207
Increasing send delay for 93.91.50.207 from 0 to 5 due to 53 out of 132 dropped probes since last increase.
Completed SYN Stealth Scan at 15:58, 33.46s elapsed (1024 total ports)
Initiating Service scan at 15:58
Scanning 4 services on buchtik.inet4.cz (93.91.50.207)
Completed Service scan at 15:58, 6.65s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against buchtik.inet4.cz (93.91.50.207)
Retrying OS detection (try #2) against buchtik.inet4.cz (93.91.50.207)
Initiating Traceroute at 15:58
Completed Traceroute at 15:58, 2.05s elapsed
NSE: Script scanning 93.91.50.207.
Initiating NSE at 15:58
Completed NSE at 15:58, 1.64s elapsed

[+] Nmap scan report for buchtik.inet4.cz (93.91.50.207)
Host is up (0.078s latency).
Not shown: 846 closed ports, 174 filtered ports

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4+deb7u4 (protocol 2.0)
53/tcp open tcpwrapped
80/tcp open http lighttpd 1.4.42
443/tcp open http nginx

Your whole Omnia settings page and SSH are open towards the net = a very, very bad idea in my opinion!
If this is not deliberate, something has gone wrong with the firewall rules.

I also have 53 open since I specified the port in the LuCI settings, but I think it's not accepting requests from outside of the network (at least I think so :smiley: )

Port 22 is knowingly open and forwarded to another port, to the honeypot.

See https://www.turris.cz/doc/cs/howto/ssh_honeypot

My problem is port 53 … Why is it open in the standard firewall rules?

And do you really see it in your firewall rules? Because it's not the default configuration, I guess.

Could it be that you have also configured a honeypot for port 53?

I certainly wouldn't change port 53. That is why I am asking this question.

Certainly not.

===============================

Please read the question at the top and answer only that question!

Then you already have an answer. Please see pgotze's post.

Port 53 is DNS and it is open. Port 22 is forwarded to another port, to the honeypot. My question is not solved.

The answer is that it is not the default. First check that your Internet cable is connected to the WAN port. After that, check that you have not changed port or bridging settings. Then check the firewall settings and finally check that the firewall rules are applied.

Here are the default firewall settings:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fe80::/10'
	option src_port '547'
	option dest_ip 'fe80::/10'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include
	option path '/usr/share/firewall/turris'
	option reload '1'

config include
	option path '/etc/firewall.d/with_reload/firewall.include.sh'
	option reload '1'

config include
	option path '/etc/firewall.d/without_reload/firewall.include.sh'
	option reload '0'

config rule
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

You should compare them to what you have in the /etc/config/firewall file.

You can check that the firewall rules are applied by giving the command “iptables -v -L”. It will print out the kernel's active firewall rules. There should be a lot of lines.
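The `iptables -v -L` listing is long, and the interesting part is the `zone_wan_input` chain: every `accept` line there that is not one of the named default rules (`Allow-DHCP-Renew`, `Allow-Ping`, …) is something the router accepts from the Internet. A line such as `accept tcp ... /* @rule[9] */` with no `dpt:` match accepts every TCP port from WAN, which is exactly what would expose 22, 53, 80 and 443 at once. The script below is an added example, not code from the thread or from Turris; it runs `awk` over a constructed copy of a chain modelled on the one posted later in this thread and prints the accept rules that are neither a fw3 default nor limited to a destination port.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Turris project): flag
# ACCEPT rules in the zone_wan_input chain of `iptables -v -L` output that
# are not one of fw3's named default rules. A rule that accepts tcp or udp
# from wan with no "dpt:" restriction exposes every listening service.
#
# On a real router replace the constructed sample with:
#   suspicious_wan_input "$(iptables -v -L)"

# Constructed sample, modelled on the zone_wan_input chain from the thread.
SAMPLE_IPTABLES='Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   66  4027 input_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
    0     0 accept     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
    1   128 accept     icmp --  any    any     anywhere             anywhere             icmp echo-request /* Allow-Ping */
    6   168 accept     igmp --  any    any     anywhere             anywhere             /* Allow-IGMP */
   48  2096 accept     tcp  --  any    any     anywhere             anywhere             /* @rule[9] */
   11  1635 accept     udp  --  any    any     anywhere             anywhere             /* @rule[9] */
    0     0 accept     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
    0     0 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2195  179K output_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */'

# Print one line per suspicious accept rule: "<proto> <comment> <ports>",
# where <ports> is "any" when the rule carries no dpt: match at all.
suspicious_wan_input() {
    printf '%s\n' "$1" | awk '
        # Track which chain we are in; only zone_wan_input matters here.
        /^Chain / { inchain = ($2 == "zone_wan_input"); next }
        !inchain { next }
        # Column 3 is the target, column 4 the protocol.
        $3 != "accept" { next }
        {
            # The rule name is the text between /* and */.
            comment = ""
            if (match($0, /\/\*.*\*\//))
                comment = substr($0, RSTART + 3, RLENGTH - 6)
            # Names that fw3 installs from the default /etc/config/firewall.
            if (comment ~ /^(Allow-DHCP-Renew|Allow-Ping|Allow-IGMP|Allow-DHCPv6|Allow-MLD|Allow-ICMPv6-Input|Allow-ICMPv6-Forward|Accept port redirections)$/)
                next
            ports = "any"
            if (match($0, /dpt:[^ ]+/))
                ports = substr($0, RSTART + 4, RLENGTH - 4)
            print $4, comment, ports
        }'
}

suspicious_wan_input "$SAMPLE_IPTABLES"
```

On the sample this prints `tcp @rule[9] any` and `udp @rule[9] any`: the two entries accept all TCP and all UDP from the WAN interface, and `@rule[9]` is the index to look up in `/etc/config/firewall` (the tenth `config rule` section).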

Thanks for the command :slight_smile:
# iptables -v -L

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8693 1040K delegate_input  all  --  any    any     anywhere             anywhere            

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2903  889K delegate_forward  all  --  any    any     anywhere             anywhere            

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8862 1147K delegate_output  all  --  any    any     anywhere             anywhere            

Chain MINIUPNPD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain accept (14 references)
 pkts bytes target     prot opt in     out     source               destination         
 2308  186K turris     all  --  any    any     anywhere             anywhere            
 2315  186K ACCEPT     all  --  any    any     anywhere             anywhere            

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2903  889K forwarding_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
 2865  887K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   34  2052 zone_lan_forward  all  --  br-lan any     anywhere             anywhere            
    4   192 zone_wan_forward  all  --  eth1   any     anywhere             anywhere            
    0     0 reject     all  --  any    any     anywhere             anywhere            

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6213  716K ACCEPT     all  --  lo     any     anywhere             anywhere            
 2480  324K input_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
 2392  318K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   58  2616 syn_flood  tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
   85  5572 ucollect_fake_accept  all  --  any    any     anywhere             anywhere            
   22  1689 zone_lan_input  all  --  br-lan any     anywhere             anywhere            
   66  4027 zone_wan_input  all  --  eth1   any     anywhere             anywhere            
    0     0 accept     all  --  any    any     anywhere             anywhere            

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6213  716K ACCEPT     all  --  any    lo      anywhere             anywhere            
 2649  430K output_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
  454  252K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 zone_lan_output  all  --  any    br-lan  anywhere             anywhere            
 2195  179K zone_wan_output  all  --  any    eth1    anywhere             anywhere            
    0     0 accept     all  --  any    any     anywhere             anywhere            

Chain drop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 turris-log-incoming  all  --  eth1   any     anywhere             anywhere            
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
3362K 2089M turris-nflog  all  --  any    any     anywhere             anywhere            

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
1438K  124M turris-nflog  all  --  any    any     anywhere             anywhere            

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         
2129K  154M turris-nflog  all  --  any    any     anywhere             anywhere            

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain reject (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 turris-log-incoming  all  --  eth1   any     anywhere             anywhere            
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain syn_flood (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   58  2616 RETURN     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
    0     0 DROP       all  --  any    any     anywhere             anywhere            

Chain turris (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00005E11_l_a_4_X dst LOG level debug prefix "turris-00005E11: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00005E11_l_a_4_X src LOG level debug prefix "turris-00005E11: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00415B11_l_a_4_X dst LOG level debug prefix "turris-00415B11: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00415B11_l_a_4_X src LOG level debug prefix "turris-00415B11: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00557B71_l_ap_4_X dst,dst LOG level debug prefix "turris-00557B71: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00557B71_l_ap_4_X src,src LOG level debug prefix "turris-00557B71: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_007E0511_l_a_4_X dst LOG level debug prefix "turris-007E0511: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_007E0511_l_a_4_X src LOG level debug prefix "turris-007E0511: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_009A7E41_l_a_4_X dst LOG level debug prefix "turris-009A7E41: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_009A7E41_l_a_4_X src LOG level debug prefix "turris-009A7E41: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00A704A1_l_a_4_X dst LOG level debug prefix "turris-00A704A1: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00A704A1_l_a_4_X src LOG level debug prefix "turris-00A704A1: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00CE6701_l_a_4_X dst LOG level debug prefix "turris-00CE6701: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00CE6701_l_a_4_X src LOG level debug prefix "turris-00CE6701: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00D05711_l_a_4_X dst LOG level debug prefix "turris-00D05711: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00D05711_l_a_4_X src LOG level debug prefix "turris-00D05711: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00DEAD51_l_a_4_X dst LOG level debug prefix "turris-00DEAD51: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00DEAD51_l_a_4_X src LOG level debug prefix "turris-00DEAD51: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00DEB060_lb_a_4_X dst LOG level debug prefix "turris-00DEB060: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00DEB060_lb_a_4_X src LOG level debug prefix "turris-00DEB060: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00FE0D01_l_a_4_X dst LOG level debug prefix "turris-00FE0D01: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00FE0D01_l_a_4_X src LOG level debug prefix "turris-00FE0D01: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_047C0DE1_l_a_4_X dst LOG level debug prefix "turris-047C0DE1: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_047C0DE1_l_a_4_X src LOG level debug prefix "turris-047C0DE1: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_06E7E701_l_a_4_X dst LOG level debug prefix "turris-06E7E701: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_06E7E701_l_a_4_X src LOG level debug prefix "turris-06E7E701: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_07E7E411_l_a_4_X dst LOG level debug prefix "turris-07E7E411: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_07E7E411_l_a_4_X src LOG level debug prefix "turris-07E7E411: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_0A566041_l_ap_4_X dst,dst LOG level debug prefix "turris-0A566041: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_0A566041_l_ap_4_X src,src LOG level debug prefix "turris-0A566041: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_0A7D7011_l_a_4_X dst LOG level debug prefix "turris-0A7D7011: "
    0     0 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_0A7D7011_l_a_4_X src LOG level debug prefix "turris-0A7D7011: "
    0     0 LOG        all  --  any    eth1    anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_100FA4E0_lb_a_4_X dst LOG level debug prefix "turris-100FA4E0: "
    6   340 LOG        all  --  eth1   any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_100FA4E0_lb_a_4_X src LOG level debug prefix "turris-100FA4E0: "
    0     0 DROP       all  --  any    eth1    anywhere             anywhere             match-set turris_00DEB060_lb_a_4_X dst
    0     0 DROP       all  --  eth1   any     anywhere             anywhere             match-set turris_00DEB060_lb_a_4_X src
    0     0 DROP       all  --  any    eth1    anywhere             anywhere             match-set turris_100FA4E0_lb_a_4_X dst
    6   340 DROP       all  --  eth1   any     anywhere             anywhere             match-set turris_100FA4E0_lb_a_4_X src

Chain turris-log-incoming (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00005E11_l_a_4_X src LOG level debug prefix "turris-00005E11: "
    0     0 ucollect_fake  all  --  any    any     anywhere             anywhere            
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00415B11_l_a_4_X src LOG level debug prefix "turris-00415B11: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00557B71_l_ap_4_X src,src LOG level debug prefix "turris-00557B71: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_007E0511_l_a_4_X src LOG level debug prefix "turris-007E0511: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_009A7E41_l_a_4_X src LOG level debug prefix "turris-009A7E41: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00A704A1_l_a_4_X src LOG level debug prefix "turris-00A704A1: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00CE6701_l_a_4_X src LOG level debug prefix "turris-00CE6701: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00D05711_l_a_4_X src LOG level debug prefix "turris-00D05711: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00DEAD51_l_a_4_X src LOG level debug prefix "turris-00DEAD51: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00DEB060_lb_a_4_X src LOG level debug prefix "turris-00DEB060: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_00FE0D01_l_a_4_X src LOG level debug prefix "turris-00FE0D01: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_047C0DE1_l_a_4_X src LOG level debug prefix "turris-047C0DE1: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_06E7E701_l_a_4_X src LOG level debug prefix "turris-06E7E701: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_07E7E411_l_a_4_X src LOG level debug prefix "turris-07E7E411: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_0A566041_l_ap_4_X src,src LOG level debug prefix "turris-0A566041: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_0A7D7011_l_a_4_X src LOG level debug prefix "turris-0A7D7011: "
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 5 match-set turris_100FA4E0_lb_a_4_X src LOG level debug prefix "turris-100FA4E0: "
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00005E11_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00415B11_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00557B71_l_ap_4_X src,src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_007E0511_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_009A7E41_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00A704A1_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00CE6701_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00D05711_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00DEAD51_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00DEB060_lb_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_00FE0D01_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_047C0DE1_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_06E7E701_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_07E7E411_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_0A566041_l_ap_4_X src,src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_0A7D7011_l_a_4_X src
    0     0 RETURN     all  --  any    any     anywhere             anywhere             match-set turris_100FA4E0_lb_a_4_X src
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 1/sec burst 500 LOG level debug prefix "turris-00000000: "

Chain turris-nflog (3 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ucollect_fake (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  any    any     anywhere             anywhere             mark match 0x80000/0xc0000 limit: avg 100/sec burst 200 LOG level debug prefix "ucollect-fake-open-inet: "
    0     0 DROP       all  --  any    any     anywhere             anywhere             mark match 0x80000/0xc0000

Chain ucollect_fake_accept (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:3692 mark match 0xc0000/0xc0000
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:1392 mark match 0xc0000/0xc0000
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:1449 mark match 0xc0000/0xc0000

Chain zone_lan_dest_accept (4 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 accept     all  --  any    br-lan  anywhere             anywhere            

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   34  2052 forwarding_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
   14   728 zone_wan_dest_accept  tcp  --  any    any     anywhere             anywhere             /* @rule[10] */
   20  1324 zone_wan_dest_accept  udp  --  any    any     anywhere             anywhere             /* @rule[10] */
    0     0 zone_wan_dest_accept  all  --  any    any     anywhere             anywhere             /* forwarding lan -> wan */
    0     0 accept     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_accept  all  --  any    any     anywhere             anywhere            

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  1689 input_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
    0     0 accept     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
   22  1689 zone_lan_src_accept  all  --  any    any     anywhere             anywhere            

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 output_lan_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
    0     0 zone_lan_dest_accept  all  --  any    any     anywhere             anywhere            

Chain zone_lan_src_accept (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   22  1689 accept     all  --  br-lan any     anywhere             anywhere            

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  any    eth1    anywhere             anywhere            

Chain zone_wan_dest_accept (4 references)
 pkts bytes target     prot opt in     out     source               destination         
 2229  181K accept     all  --  any    eth1    anywhere             anywhere            

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    4   192 MINIUPNPD  all  --  any    any     anywhere             anywhere            
    4   192 forwarding_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for forwarding */
    0     0 zone_lan_dest_accept  esp  --  any    any     anywhere             anywhere             /* @rule[7] */
    0     0 zone_lan_dest_accept  udp  --  any    any     anywhere             anywhere             udp dpt:isakmp /* @rule[8] */
    4   192 accept     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   66  4027 input_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for input */
    0     0 accept     udp  --  any    any     anywhere             anywhere             udp dpt:bootpc /* Allow-DHCP-Renew */
    1   128 accept     icmp --  any    any     anywhere             anywhere             icmp echo-request /* Allow-Ping */
    6   168 accept     igmp --  any    any     anywhere             anywhere             /* Allow-IGMP */
   48  2096 accept     tcp  --  any    any     anywhere             anywhere             /* @rule[9] */
   11  1635 accept     udp  --  any    any     anywhere             anywhere             /* @rule[9] */
    0     0 accept     all  --  any    any     anywhere             anywhere             ctstate DNAT /* Accept port redirections */
    0     0 zone_wan_src_REJECT  all  --  any    any     anywhere             anywhere            

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2195  179K output_wan_rule  all  --  any    any     anywhere             anywhere             /* user chain for output */
 2195  179K zone_wan_dest_accept  all  --  any    any     anywhere             anywhere            

Chain zone_wan_src_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 reject     all  --  eth1   any     anywhere             anywhere

I am not so skilled with the command line. I can't open a text editor to edit the configuration files.

===

There should not be those two rules in the chain zone_wan_input.

I don't understand this text; I can't find it. Do you mean these lines?

===

I did it, but ports 22, 80, 53 and 443 are open; port 53 is not closed.
Is the DNS port 53 supposed to be open by default?

AHA, it's down to the next rule!

Port 22 open, port 80 stealth, port 443 open

Is it ready? Can I disable all three lines? What is the ESP protocol for? Are the first two lines for VPN?

ESP and IKE are for IPsec, which is one way of implementing a VPN.

And you should be able to check what rule 9 is by giving the command “uci show 'firewall.@rule[9]'” via SSH.
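`uci show 'firewall.@rule[9]'` prints one rule, and you still have to decide by hand whether it belongs there. The script below is an added example, not code from the thread or from Turris, that does the same audit for the whole file: it walks the `config rule` sections of an OpenWrt `/etc/config/firewall` in file order (which is how `@rule[N]` is numbered), lists every rule that accepts traffic from the `wan` zone into the router itself (`src 'wan'` with no `dest`, so input rather than forwarding), and prints the `uci` commands that disable the unnamed ones. It assumes fw3's `enabled` option on rule sections and runs offline over a constructed sample built from the defaults posted earlier plus one unnamed catch-all rule; on a router you would feed it `$(cat /etc/config/firewall)` and review the printed commands before running them.

```shell
#!/bin/sh
# Added example (not from the forum thread or the Turris project): audit
# the "config rule" sections of an OpenWrt /etc/config/firewall for rules
# that ACCEPT traffic from the wan zone into the router (src 'wan', no
# dest), and emit the uci commands that disable the unnamed ones.
# Indices follow uci numbering: @rule[N] is the N-th "config rule" section
# in file order, the same label fw3 puts in the iptables comments.
#
# On a real router: wan_input_accepts "$(cat /etc/config/firewall)"

# Constructed sample: two named defaults, the two IPsec forwards from the
# posted config, and an unnamed rule accepting every tcp/udp port from wan.
SAMPLE_FW=$(cat <<'EOF'
config defaults
    option input 'ACCEPT'
    option forward 'REJECT'

config rule
    option name 'Allow-DHCP-Renew'
    option src 'wan'
    option proto 'udp'
    option dest_port '68'
    option target 'ACCEPT'

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option proto 'esp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option dest 'lan'
    option dest_port '500'
    option proto 'udp'
    option target 'ACCEPT'

config rule
    option src 'wan'
    option proto 'tcp udp'
    option target 'ACCEPT'
EOF
)

# Print "index name proto dest_port" for every rule that accepts traffic
# from wan addressed to the router (no dest zone). Unnamed rules are shown
# as "(unnamed)"; a missing dest_port is shown as "any".
wan_input_accepts() {
    printf '%s\n' "$1" | awk -v q="'" '
        BEGIN { idx = 0 }
        # Report the section just finished, then advance the rule index.
        function flush() {
            if (type == "rule") {
                if (src == "wan" && dest == "" && target == "ACCEPT")
                    print idx, (name == "" ? "(unnamed)" : name), proto, (dport == "" ? "any" : dport)
                idx++
            }
        }
        /^config / { flush(); type = $2; name = src = dest = proto = target = dport = ""; next }
        /^[ \t]*option / {
            key = $2
            # Value is whatever sits between the first pair of single quotes
            # (values such as "tcp udp" contain spaces, so do not use $3).
            val = substr($0, index($0, q) + 1)
            val = substr(val, 1, index(val, q) - 1)
            if (key == "name") name = val
            else if (key == "src") src = val
            else if (key == "dest") dest = val
            else if (key == "proto") proto = val
            else if (key == "target") target = val
            else if (key == "dest_port") dport = val
        }
        END { flush() }'
}

# Emit (do not run) the uci commands that disable unnamed wan-input ACCEPT
# rules. fw3 honours "option enabled '0'" on a rule section.
disable_unnamed_wan_input() {
    wan_input_accepts "$1" | awk -v q="'" '
        $2 == "(unnamed)" { printf "uci set firewall.@rule[%d].enabled=%s0%s\n", $1, q, q; found = 1 }
        END { if (found) { print "uci commit firewall"; print "/etc/init.d/firewall reload" } }'
}

wan_input_accepts "$SAMPLE_FW"
disable_unnamed_wan_input "$SAMPLE_FW"
```

On the sample the audit lists `0 Allow-DHCP-Renew udp 68`, `1 Allow-Ping icmp any` and `4 (unnamed) tcp udp any`; the ESP and UDP/500 rules are skipped because they have `dest 'lan'` and are forwards, not input. Only rule 4 is unnamed, so the generated commands are `uci set firewall.@rule[4].enabled='0'`, `uci commit firewall` and `/etc/init.d/firewall reload`. Disabling rather than deleting keeps the indices of the remaining rules stable, so any `@rule[N]` you have already written down still points at the same section.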

Is it sufficient to simply disable just the last rule of the three in the picture, yes?