
Ports 135 and 445 visible to outside - Shibby 1.09

Discussion in 'Tomato Firmware' started by gawd0wns, Jun 2, 2013.

  1. gawd0wns

    gawd0wns LI Guru Member

    Ports 135 and 445 are showing as 'closed' when running a simple portscan using GRC ShieldsUP! on myself. Which services are running on Tomato which would be running on these ports? I don't have CIFS enabled, nor do I have any port forwarding rules/UPNP enabled.

    In the past, these ports have shown up as "invisible" to the port scan - they have not responded to external requests. I don't know which version of Tomato this started happening on, since I haven't run a WAN side port scan in a very long time. I would prefer to keep these ports "invisible". Strangely, I can't see anything running on these ports (see below). What should I enable/change in the configuration?

    Thanks,

    Output from ps:

    PID USER VSZ STAT COMMAND
    1 root 1256 S /sbin/init noinitrd
    2 root 0 SW< [kthreadd]
    3 root 0 SW< [ksoftirqd/0]
    4 root 0 SW< [events/0]
    5 root 0 SW< [khelper]
    18 root 0 SW< [kblockd/0]
    44 root 0 SW [pdflush]
    45 root 0 SW [pdflush]
    46 root 0 SW< [kswapd0]
    47 root 0 SW< [aio/0]
    89 root 0 SW< [mtdblockd]
    281 root 612 S hotplug2 --persistent --no-coldplug
    321 root 1240 S buttons
    322 root 1208 S console
    323 root 1560 S /bin/sh
    325 root 1552 S syslogd -L -s 50 -b 1
    327 root 1552 S klogd
    338 root 0 SW< [khubd]
    488 root 1056 S dropbear -p 22 -a
    491 root 944 S eapd
    494 root 1048 S nas
    531 root 1564 S crond -l 9
    537 root 888 S rstats
    548 nobody 996 S dnsmasq -c 1500 --log-async
    561 root 1200 S dnscrypt-proxy -d -P 40
    909 root 2776 S httpd
    934 root 1568 S udhcpc -i vlan2 -b -s dhcpc-event -H unknown -m
    1327 root 1120 R dropbear -p 22 -a
    1328 root 1564 S -sh
    1506 root 2840 S httpd
    1507 root 2840 S httpd
    1508 root 1556 R ps

    netstat -nl:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 127.0.0.1:40 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 0 192.168.7.3:443 0.0.0.0:* LISTEN
    tcp 0 0 :::53 :::* LISTEN
    tcp 0 0 :::22 :::* LISTEN
    udp 0 0 127.0.0.1:38032 0.0.0.0:*
    udp 0 0 127.0.0.1:40 0.0.0.0:*
    udp 0 0 0.0.0.0:52271 0.0.0.0:*
    udp 0 0 0.0.0.0:53 0.0.0.0:*
    udp 0 0 0.0.0.0:67 0.0.0.0:*
    udp 0 0 0.0.0.0:38000 0.0.0.0:*
    udp 0 0 :::53 :::*
    raw 0 0 0.0.0.0:255 0.0.0.0:* 255
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags Type State I-Node Path
     
  2. gawd0wns

    gawd0wns LI Guru Member

    Forgot to mention, I'm using the K26RT-N VPN version for ASUS RT-N16.
     
  3. xorglub

    xorglub Addicted to LI Member

    Doesn't show up on mine (109 AIO). These ports are used by Samba (smbd / nmbd) which is not running on your router anyway.
    iptables output?
     
  4. gawd0wns

    gawd0wns LI Guru Member

    Here is the complete output:

    root@router:/tmp/home/root# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp dpt:webcache
    DROP all -- anywhere anywhere state INVALID
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    shlimit tcp -- anywhere anywhere tcp dpt:ssh state NEW
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    DROP all -- anywhere anywhere state INVALID
    TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    wanin all -- anywhere anywhere
    wanout all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain shlimit (1 references)
    target prot opt source destination
    all -- anywhere anywhere recent: SET name: shlimit side: source
    DROP all -- anywhere anywhere recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source

    Chain wanin (1 references) --My custom port forwarding rules--
    target prot opt source destination
    ACCEPT udp -- anywhere klaw udp dpt:20000
    ACCEPT tcp -- anywhere klaw tcp dpt:500
    ACCEPT udp -- anywhere klaw udp dpt:500
    ACCEPT tcp -- anywhere klaw tcp dpt:4500
    ACCEPT udp -- anywhere klaw udp dpt:4500

    Chain wanout (1 references)
    target prot opt source destination
     
  5. koitsu

    koitsu Network Guru Member

    There isn't an issue -- you're worried over something (probably your ISP's routers -- meaning you never actually get the packet) returning ICMP port-unreach as a response, rather than just dropping the packet.

    Your router's INPUT chain clearly shows the default policy as DROP. So, ICMP port-unreachable is not coming from your router, it's coming from your ISP.

    If you really absolutely want to make sure, install Entware, opkg install tcpdump, tcpdump -p -i vlan2 -l -n "port 135 or port 445", then initiate the scan using Snake Oil Gibson's site, then look to see if tcpdump saw any matched packets (I can assure you it won't). The router cannot respond to packets it never receives.

    I look forward to hearing how your conversation with your ISP goes over this. "I'm really scared that your routers return ICMP responses for filtered ports. It concerns me greatly." Just because something was one way "in the past" doesn't mean that it's that way today. (Yeah, I'm being a bit of a dick here, but step back for a moment and think about the situation from a more neutral standpoint and you'll see you're worried about something that you have no control over.)
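
The tcpdump check described in the post above, as an added example that is not part of the original thread: a shell function that reads saved text output of that tcpdump command and reports, per port, whether the scan's SYNs reached the WAN interface and whether the router itself sent a reset. The WAN address 203.0.113.10, the scanner address 198.51.100.7, the function names and the capture lines are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies text output of:
#   tcpdump -p -i vlan2 -l -n "port 135 or port 445"
# Usage: classify_capture WAN_IP < capture.txt

classify_capture() {
    awk -v wan="$1" '
    function port(ep,  n, a) { n = split(ep, a, "."); return a[n] }
    function host(ep,  h)    { h = ep; sub(/\.[0-9]+$/, "", h); return h }
    $2 == "IP" && $4 == ">" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        # Inbound probe: bare SYN addressed to the WAN IP.
        if (host(dst) == wan && $6 == "Flags" && $7 == "[S],")
            probes[port(dst)]++
        # Reply generated by the router itself: RST sourced from the WAN IP.
        if (host(src) == wan && $6 == "Flags" && $7 ~ /R/)
            replies[port(src)]++
    }
    END {
        n = split("135 445", want, " ")
        for (i = 1; i <= n; i++) {
            p = want[i]
            # never-arrived:   filtered or answered upstream of the router
            # router-dropped:  probe arrived and the router stayed silent
            # router-answered: the router itself sent the reset
            if (probes[p] == 0)      v = "never-arrived"
            else if (replies[p] > 0) v = "router-answered"
            else                     v = "router-dropped"
            printf "%s probes=%d replies=%d %s\n", p, probes[p], replies[p], v
        }
    }'
}

# Constructed sample capture: nothing for port 135 reaches the WAN
# interface; two SYNs for port 445 arrive and get no reply.
sample_capture() {
    cat <<'EOF'
12:00:01.000000 IP 198.51.100.7.51000 > 203.0.113.10.445: Flags [S], seq 100, win 1024, length 0
12:00:04.000000 IP 198.51.100.7.51000 > 203.0.113.10.445: Flags [S], seq 100, win 1024, length 0
EOF
}

sample_capture | classify_capture 203.0.113.10
```

A `never-arrived` verdict for a port the scanner reports as closed means the response was produced upstream of the router; `router-answered` would mean the router's own rules or stack sent the reset.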
     
  6. Toastman

    Toastman Super Moderator Staff Member Member

    You made my day :D

    Welcome back!
     
