New Member
Posts: 9
Registered: a week ago
Solutions: 1
Accepted Solution

EdgeRouterX - Block all incoming traffic - all of it

Just stood this up.  Default rules.  Ran both a port scanner and Zenmap on it.  They STILL report UDP port 21 as OPEN.  I do not want this responding to anything.  What do I have to do to drop all (any) unintended traffic as well as to NOT respond to either PING or any other port - or to have it come up on ANY scan, let alone UDP port 21?


Accepted Solutions
New Member
Posts: 9
Registered: a week ago
Solutions: 1

Re: EdgeRouterX - Block all incoming traffic - all of it

Here is the output:

 

GRC Port Authority Report created on UTC: 2018-10-13 at 06:58:05

Results from scan of ports: 0-1055

    0 Ports Open
    0 Ports Closed
 1056 Ports Stealth
---------------------
 1056 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

 



All Replies
Senior Member
Posts: 3,858
Registered: ‎05-15-2014
Kudos: 1372
Solutions: 264

Re: EdgeRouterX - Block all incoming traffic - all of it

Default rules block everything on WAN. Are you sure the scan result is not from your ISP provided modem? Do you have public IP on your ER-X WAN interface?

New Member
Posts: 9
Registered: a week ago
Solutions: 1

Re: EdgeRouterX - Block all incoming traffic - all of it

Scanned from 3 different public networks back into it (not from home) and a fourth from my Apple iPhone hotspot - same result - on both the active port scanner and Zenmap, UDP port 21 shows on both.  I am looking to have no ports show at all on any scan nor have it respond to ping - nothing external (outside-to-WAN-to-internal).  Also, updated to the latest firmware trying to make this port not show.  Added two rules ahead of the default block/drop for TCP and UDP port 21 specifically and it is still showing - help.

Emerging Member
Posts: 53
Registered: ‎04-15-2018
Kudos: 9
Solutions: 3

Re: EdgeRouterX - Block all incoming traffic - all of it

[ Edited ]

Ensure that your modem is in bridge mode and your Edgerouter is getting a public IP on the WAN interface.

Senior Member
Posts: 3,858
Registered: ‎05-15-2014
Kudos: 1372
Solutions: 264

Re: EdgeRouterX - Block all incoming traffic - all of it

@kjoines post output from show interfaces

Senior Member
Posts: 2,832
Registered: ‎08-06-2015
Kudos: 1197
Solutions: 165

Re: EdgeRouterX - Block all incoming traffic - all of it

21/udp is not any particular standard port.  21/tcp would be ftp, but you noted this was udp.

 

I strongly suspect this is something your provider has "open" before it even reaches your router.

 

Via CLI on your ER, if you do "sudo netstat -uanlp | egrep ':21'" does it show any listeners or connections to local port 21?  If not then there is nothing on your router itself that would do this.

 

That leaves either your provider or a forwarded port.  Note that 'port forward' rules and UPNP both apply before your firewall rules, so if you have either of those configured you may want to temporarily disable those to see if anything changes when you do a scan.

 

Finally, you can run 'sudo tcpdump -i eth0 udp port 21', where eth0 would be your WAN interface (change as appropriate).  Then while that is running perform another external scan.  The tcpdump on a physical interface will capture traffic before any processing such as NAT and/or firewall so you can see if the test on this port actually gets through.  If the scan indicates the port is "open" but you don't see any traffic captured by the tcpdump you've shown this is indeed something your ISP has open on their side.

New Member
Posts: 9
Registered: a week ago
Solutions: 1

Re: EdgeRouterX - Block all incoming traffic - all of it

OK, my mistake.  It IS TCP/21 that is showing up.  I am re-running the IP scanner and Zenmap to get a full picture.  If you can message me privately I can provide my WAN IP and you can see for yourself - it just doesn't seem logical.  OH!  Took the Ubiquiti EdgeRouter X out and placed another firewall in front of it, all ports blocked, and it DID come back as "dead - no ports found".  I really like the EdgeRouter X and want it to work, but for me it needs to literally block any and all ports on the WAN as it should.

Senior Member
Posts: 5,231
Registered: ‎01-04-2017
Kudos: 730
Solutions: 262

Re: EdgeRouterX - Block all incoming traffic - all of it

[ Edited ]

Let's all take a step back, you guys always overlook step #1.

Step #1 #Post your conf
"Show configuration | cat"

So we can see what you're doing wrong

New Member
Posts: 9
Registered: a week ago
Solutions: 1

Re: EdgeRouterX - Block all incoming traffic - all of it

Complete dump.  IPs masked, inside only.

ubnt@ubnt:~$ show configuration
firewall {
    all-ping disable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action drop
            description drop_ftp
            destination {
                port 21
            }
            log disable
            p2p {
                all
            }
            protocol tcp_udp
            state {
                established enable
                invalid enable
                new enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects disable
    source-validation strict
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address xxx.xxx.xxx.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet xxx.xxx.xxx.0/24 {
                default-router xxx.xxx.xxx.0.1
                dns-server xxx.xxx.xxx.1
                lease 86400
                start xxx.xxx.xxx.xxx {
                    stop xxx.xxx.xxx.xxx
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
    }
    unms {
        disable
    }
}
system {
    host-name ubnt
    login {
        user ubnt {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
    traffic-analysis {
        dpi enable
        export enable
    }
}

Senior Member
Posts: 2,832
Registered: ‎08-06-2015
Kudos: 1197
Solutions: 165

Re: EdgeRouterX - Block all incoming traffic - all of it


@smyers119 wrote:

Let's all take a step back, you guys always overlook step #1.

Step #1 #Post your conf
"Show configuration | cat"

So we can see what you're doing wrong


Didn't forget - the first step was to try to identify if it is the router or something upstream (on the provider side) that is responding.

 

I wanted to see the output from the tcpdump I requested first.  If there is no traffic to port 21 then posting a configuration is only a waste.  Still waiting to see the results of that tcpdump.  In fact the output of one packet/datagram with '-vv' option to tcpdump might be helpful.  This would also help clarify the confusion of whether or not it is tcp or udp.

 

If there is traffic to/from port 21 then indeed the next step would be to request a sanitized configuration.  There is nothing in the configuration posted to indicate there is a problem there.

 

Still didn't see any confirmation on whether or not there is anything on the router itself that is listening on port 21.  The '-u' option should be removed from the netstat if it is not known that the L4 is udp.  This would help identify if it is the router listening or if it could be traffic being forwarded.

Regular Member
Posts: 522
Registered: ‎01-06-2017
Kudos: 111
Solutions: 43

Re: EdgeRouterX - Block all incoming traffic - all of it

 

I would start by removing rule 10 on the WAN_IN firewall.  It references port 21, serves no purpose, and references p2p matching, which UBNT has reported as outdated and maybe not working properly.

Senior Member
Posts: 2,832
Registered: ‎08-06-2015
Kudos: 1197
Solutions: 165

Re: EdgeRouterX - Block all incoming traffic - all of it


@stshaw wrote:

 

I would start by removing rule 10 on the WAN_IN firewall.  It references port 21, serves no purpose, and references p2p matching, which UBNT has reported as outdated and maybe not working properly.


The OP noted this rule was only added afterward - IE: the problem was occurring without this rule already.

 

Still - the first step should be to identify whether port 21 is being responded to upstream or by the router.  A tcpdump run on the WAN interface will do this definitively.

 

Next, there seems to be confusion over whether this is UDP or TCP.  Again, the tcpdump will clarify this.

 

By default there is no ftpd running on the router so there would be no process listening on 21/tcp by default that would respond, even if there is no firewall policy in place.  21/udp is not a standard port and by default does not have any listener either.

 

From the OP, the port is identified as OPEN, not CLOSED.  That indicates there is an active listener on the port that is responding.  That in itself, even without a firewall, would be an by default.

 

A netstat as I noted earlier will definitively identify if there is anything on the router listening on port 21, and if so the output will identify the actual process involved.

 

In this case the firewall configuration is not necessarily the first place to look.

 

If there is no listener on the router on port 21 (neither tcp nor udp) and traffic is seen to/from port 21 on the router, the next step would be to confirm there are no port forwards nor NAT rules.  The configuration has ruled that out partly.  

 

The next step would be to confirm the traffic is actually being forwarded and to where the traffic is being forwarded.  Another tcpdump can help there:  'tcpdump -vv -i any port 21' will show all interfaces with such traffic.

 

Additionally the actual netfilter (iptables) rules should be verified to match the EdgeOS configuration if traffic is seen to be forwarded.  Both the nat and filter tables should be reviewed here but this is getting a little far out.

 

Really - the first two steps should be to confirm traffic is actually entering and leaving the router wan port (port 21 on the router) and verify whether the router has an unexpected listener itself.
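The two checks asked for in this post and in the earlier one (a netstat for a local listener on port 21, and a tcpdump on the physical WAN interface, which captures before NAT and the firewall) can be turned into a small triage script. This is an added example, not code from the thread, from Ubiquiti or from EdgeOS; it parses constructed samples of `sudo netstat -anlp` and `sudo tcpdump -nn -i eth0 port 21` output. The WAN address 198.51.100.7, the scanner address 203.0.113.5, and the program names in the samples (including the hypothetical `2001/ftpd`) are assumptions made for the example.

```python
"""Triage an external "port 21 is open" scan result against an EdgeOS router.

Two facts decide where the answer comes from:
  1. Does any process on the router listen on that port?     (netstat -anlp)
  2. Does the probe reach the WAN interface, and does anything go back out?
     (tcpdump on the physical WAN interface sees packets before NAT/firewall)
All sample output below is constructed; addresses are documentation ranges.
"""
import re

WAN_IP = "198.51.100.7"   # assumed router WAN address for this example
PORT = 21

# Constructed `sudo netstat -anlp` output: ssh, web GUI, dnsmasq, ntpd, no ftp.
NETSTAT_CLEAN = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1201/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1340/lighttpd
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN      1188/dnsmasq
udp        0      0 192.168.1.1:53          0.0.0.0:*                           1188/dnsmasq
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1150/ntpd
"""

# Same, plus a hypothetical ftp daemon bound to 21/tcp.
NETSTAT_WITH_FTP = NETSTAT_CLEAN + \
    "tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2001/ftpd\n"

# Constructed `sudo tcpdump -nn -i eth0 port 21` during a scan: SYNs arrive,
# nothing leaves. This is what a correctly dropping WAN_LOCAL/WAN_IN looks like.
TCPDUMP_DROPPED = """\
06:58:05.100000 IP 203.0.113.5.44321 > 198.51.100.7.21: Flags [S], seq 100, win 65535, length 0
06:58:06.100000 IP 203.0.113.5.44321 > 198.51.100.7.21: Flags [S], seq 100, win 65535, length 0
"""

# Constructed capture where the router, or a host behind a NAT forward, answers.
TCPDUMP_ANSWERED = """\
06:58:05.100000 IP 203.0.113.5.44321 > 198.51.100.7.21: Flags [S], seq 100, win 65535, length 0
06:58:05.100200 IP 198.51.100.7.21 > 203.0.113.5.44321: Flags [S.], seq 200, ack 101, win 29200, length 0
"""

PKT_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def listeners_on_port(netstat_output, port):
    """Return (proto, local address, PID/program) for every socket bound to port.

    Only LISTEN sockets count for TCP; UDP rows have no State column."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto, local = parts[0], parts[3]
        if not local.endswith(":%d" % port):
            continue
        if proto.startswith("tcp") and (len(parts) < 7 or parts[5] != "LISTEN"):
            continue
        found.append((proto, local, parts[-1]))
    return found


def classify_capture(tcpdump_output, wan_ip, port):
    """Decide from a WAN-side capture who answered the probe."""
    inbound, synacks, resets, protos = 0, 0, 0, set()
    for line in tcpdump_output.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        flags = FLAGS_RE.search(rest)
        proto = "tcp" if flags else ("udp" if rest.startswith("UDP") else "other")
        if dst == wan_ip and int(dport) == port:
            inbound += 1
            protos.add(proto)
        elif src == wan_ip and int(sport) == port and flags:
            if "S" in flags.group(1) and "." in flags.group(1):
                synacks += 1          # [S.] = SYN-ACK: something accepted the connection
            elif "R" in flags.group(1):
                resets += 1           # [R] / [R.]: closed, not stealth
    if inbound == 0:
        verdict = "upstream"   # probe never reached eth0; modem/ISP NAT answers
    elif synacks:
        verdict = "answered"   # router process or a forward completes the handshake
    elif resets:
        verdict = "closed"
    else:
        verdict = "dropped"    # firewall dropped it; "open" did not come from here
    return {"verdict": verdict, "inbound": inbound, "protocols": sorted(protos)}


def triage(netstat_output, tcpdump_output, wan_ip=WAN_IP, port=PORT):
    """Combine both checks into the next thing to look at."""
    listeners = listeners_on_port(netstat_output, port)
    result = classify_capture(tcpdump_output, wan_ip, port)
    v = result["verdict"]
    if v == "upstream":
        action = "check the modem/ISP side; the router never saw the probe"
    elif v == "answered" and listeners:
        action = "local listener answers: " + ", ".join(p for _, _, p in listeners)
    elif v == "answered":
        action = "no local listener: check port-forward/UPnP and the iptables nat+filter tables"
    elif v == "closed":
        action = "router replies with RST; use drop rather than reject for stealth"
    else:
        action = "router drops the probe; the scan result is not from this router"
    return dict(result, listeners=listeners, action=action)


if __name__ == "__main__":
    for name, cap in (("dropped", TCPDUMP_DROPPED), ("answered", TCPDUMP_ANSWERED), ("empty", "")):
        print(name, "->", triage(NETSTAT_CLEAN, cap)["action"])
```

To use it for real, run the two commands on the router while an external scan is in progress and feed the pasted output to `triage()`. The "upstream" verdict is the key one for this thread: if the capture on eth0 never shows a packet to port 21, nothing on the EdgeRouter can be responding, and the modem or the ISP's NAT is the place to look.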

Senior Member
Posts: 3,858
Registered: ‎05-15-2014
Kudos: 1372
Solutions: 264

Re: EdgeRouterX - Block all incoming traffic - all of it

Post output from show interfaces to make sure you have public IP on WAN interface.

Senior Member
Posts: 5,231
Registered: ‎01-04-2017
Kudos: 730
Solutions: 262

Re: EdgeRouterX - Block all incoming traffic - all of it

[ Edited ]

@waterside wrote:

@smyers119 wrote:

Let's all take a step back, you guys always overlook step #1.

Step #1 #Post your conf
"Show configuration | cat"

So we can see what you're doing wrong


Didn't forget - the first step was to try to identify if it is the router or something upstream (on the provider side) that is responding.

 

I wanted to see the output from the tcpdump I requested first.  If there is no traffic to port 21 then posting a configuration is only a waste.  Still waiting to see the results of that tcpdump.  In fact the output of one packet/datagram with '-vv' option to tcpdump might be helpful.  This would also help clarify the confusion of whether or not it is tcp or udp.

 

If there is traffic to/from port 21 then indeed the next step would be to request a sanitized configuration.  There is nothing in the configuration posted to indicate there is a problem there.

 

Still didn't see any confirmation on whether or not there is anything on the router itself that is listening on port 21.  The '-u' option should be removed from the netstat if it is not known that the L4 is udp.  This would help identify if it is the router listening or if it could be traffic being forwarded.

Yes, I agree that would be a good step if he actually responded to you, but for whatever reason he has been ignoring all reasonable troubleshooting requests (except mine), which shows it's not an EdgeRouter issue.

 

Without him answering anyone else, as far as I am concerned, Bye Felicia

New Member
Posts: 9
Registered: a week ago
Solutions: 1

Re: EdgeRouterX - Block all incoming traffic - all of it

Hello - I am not ignoring you.  Why this posting style/language which hints of passive-aggressive?  Not doing ANYTHING remotely negative - looking to you folks for a hand, and you have been great so far!   I am just asking for a hand and you have all been wonderful.  As I said, I have had this for 4 days - this is day 4.  Brand new to me, so please be a bit patient - just getting the commands down.  Will get the things you ask.  Will "flatten" the router and reset it just BEFORE doing the dumps.  Then redo the scans again to see where we are at.

Senior Member
Posts: 2,832
Registered: ‎08-06-2015
Kudos: 1197
Solutions: 165

Re: EdgeRouterX - Block all incoming traffic - all of it

I gave the exact commands above that you can essentially cut-and-paste - very simple.  If you are not clear about what is being requested then please ask for clarification.

 

Those are intended to help troubleshoot your existing environment and take only a few seconds to collect.

 

If you do that collection then immediately perform a factory reset then the data collected will not be helpful since you'll no longer have the same environment.  We will only ask you to re-run those if you still have the same issue.

 

If you have questions about what is being collected then please do so rather than simply posting additional followups while ignoring the requests.

 

We really can't do anything or offer any help until the requested detail is provided.

Senior Member
Posts: 3,858
Registered: ‎05-15-2014
Kudos: 1372
Solutions: 264

Re: EdgeRouterX - Block all incoming traffic - all of it

@kjoines you have still not confirmed that you have public IP on ER WAN interface. If you don't have public IP and are behind NAT then all other investigation here is moot. Let's start with your WAN IP confirmation.

Senior Member
Posts: 2,832
Registered: ‎08-06-2015
Kudos: 1197
Solutions: 165

Re: EdgeRouterX - Block all incoming traffic - all of it


@BranoB wrote:

@kjoines you have still not confirmed that you have public IP on ER WAN interface. If you don't have public IP and are behind NAT then all other investigation here is moot. Let's start with your WAN IP confirmation.


This is the reason I was looking for the tcpdump output - more generically to definitively confirm whether or not the scans are actually reaching the OP router.  There are lots of suggestions being posted but we still don't know the answer to that one fundamental question.

 

If the traffic doesn't reach the ER then it would be upstream that is responding - that upstream could be from another NAT device or something else.  In the end if the traffic is not actually reaching the ER it really doesn't matter.  If the traffic is reaching the ER then it also doesn't matter what is upstream but we know that there is more to investigate on the ER.

 

If the noted traffic is reaching the router then we continue to find why there is a response, but if traffic is not reaching the router then there is nothing else to do here.

New Member
Posts: 9
Registered: a week ago
Solutions: 1

Re: EdgeRouterX - Block all incoming traffic - all of it

Absolutely 100% confirmed.  If you want the IP to test yourself, it is:

 

72.179.5.17

 

Please do whatever you can to verify what I am seeing also externally.
