OpenWrt Forum Archive

Topic: openwrt and port scan detection results

The content of this topic has been archived on 30 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

In short, I have been a dd-wrt user for several years now. I flashed my two wrt54gl routers immediately when I got them from the store and I was happy with dd-wrt in fact. When I did a firewall test from the GRC website it passed easily. I just disabled the ping and that was that. Also set some restrictive firewall rules after that and I felt safe.

Now, due to various circumstances, dd-wrt was no longer working for me and I flashed both of them with openwrt. So now I have loads of questions. For one, how come I cannot pass the GRC's firewall test? Even when I manage to disable the ping on the wan side with one router I still failed the firewall test, and it was very odd since no specific ports were indicated to be open but it still detected something, I guess. So that is my first question.

To pass grc test, you have to use DROP instead of reject on ping and avoid common ports, so if you use remote administration over ssh on wan, you should remap your ssh port to other-than-22, like 2222. I have one big mess in my firewall, so I won't post my full config to here, but one example for all from /etc/config/firewall:

config rule
    option name 'Allow-Ping'
    option src 'wan'
    option proto 'icmp'
    option icmp_type 'echo-request'
    option family 'ipv4'
    option target 'DROP'

How does this drop ping probes if the rule is "allow-ping"? Also there are ports showing to be open for some reason that I have not opened, so I have no idea what is going on at the moment.

You really have to run a portscan or whatever from OUTSIDE of your network.

written_direcon wrote:

You really have to run a portscan or whatever from OUTSIDE of your network.

I do not understand why the GRC Shields Up test reports all these open ports. I have not opened them, yet it detects ports 135, 137, 138, 139, 161, 445 and 593 each and every time I scan.

Allow-ping is just a rule name, it is there from the openwrt default config, I didn't bother to change that so you can find the rule more easily. Basically I just changed the ping rule to reject and then passed the grc test.

The ports you are reporting have nothing to do with openwrt. If you see them as open, you have either some ports forwarded to your windows machine, or you are behind some crazy NAT, which is done by some crazy windows machine, or the nat gateway has the ports forwarded to some windows machine. If you run ifconfig, does your wan ip address match with whatismyip.com?

(Last edited by nozombian on 1 Apr 2014, 06:50)

Many ISPs also filter well known ports like SMB or FTP, so they appear as "filtered" when port scanning from the internet, even if the traffic never hits your router.

Today I did firstboot, so I hope my firewall is fresh. I had to change all these rejects to drop to pass the stealth test:

vi /etc/config/firewall
config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          DROP
# Uncomment this line to disable ipv6 rules
        option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            DROP
        option output           ACCEPT
        option forward          DROP
        option masq             1

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           DROP

Now I pass the grc test. But if your ISP messes with incoming ports, you probably cannot stealth. I'm on cable with a dynamic public ip and the grc report is green and the stealth test passed. But at work, where I'm on fibre, I don't have a public IP and the ISP's gateway (which is doing NAT) does not pass the grc stealth test.
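The post above (and hnyman's later remark that "stealth" means dropped without a response while "closed" means a reject response) amounts to a small audit: every `input`/`forward`/`target` policy that is still `REJECT` will answer probes, and the default `Allow-Ping` rule will answer ICMP echo. The script below is an added example, not anything from the thread or from the OpenWrt project: it builds a constructed sample config in the OpenWrt-default shape, lists the REJECT policies, and writes a DROP copy to stdout so the change can be reviewed before it is applied. It assumes the default stanza layout where `option name` precedes `option target` inside a rule.

```shell
#!/bin/sh
# Audit and harden a UCI-style /etc/config/firewall for the GRC "stealth" result:
# REJECT answers a probe (GRC reports "closed"), DROP stays silent ("stealth").
# Added example; the sample config is constructed, not anyone's real config, and
# the rewrite is emitted as a copy so it can be reviewed before use on a router.

# Write a constructed sample config (OpenWrt-default style: REJECT on WAN, ping accepted) to $1.
write_sample_config() {
    cat > "$1" <<'EOF'
config defaults
        option syn_flood        1
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1

config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT
EOF
}

# List every input/forward/target policy in $1 that is REJECT: "<section> <name> <option>" per line.
list_rejects() {
    awk '
    /^config[ \t]/ { sec = $2; name = (NF >= 3) ? $3 : "-"; gsub("\047", "", name) }
    /^[ \t]*option[ \t]+name[ \t]/ { name = $3; gsub("\047", "", name) }
    /^[ \t]*option[ \t]+(input|forward|target)[ \t]/ {
        v = $3; gsub("\047", "", v)
        if (v == "REJECT") printf "%s %s %s\n", sec, name, $2
    }' "$1"
}

# Number of REJECT policies in $1 (0 means every probe is silently dropped).
count_rejects() {
    list_rejects "$1" | wc -l | tr -d ' '
}

# Target of the rule named $2 in $1 (assumes "option name" precedes "option target", as in OpenWrt defaults).
rule_target() {
    awk -v want="$2" '
    /^config[ \t]/ { name = "-" }
    /^[ \t]*option[ \t]+name[ \t]/ { name = $3; gsub("\047", "", name) }
    /^[ \t]*option[ \t]+target[ \t]/ && name == want { v = $3; gsub("\047", "", v); print v }' "$1"
}

# Emit a stealth copy of $1 on stdout: REJECT -> DROP for every input/forward/target,
# and the echo-request rule (name $2, default Allow-Ping) switched from ACCEPT to DROP.
stealth_rewrite() {
    awk -v ping="${2:-Allow-Ping}" '
    /^config[ \t]/ { name = "-" }
    /^[ \t]*option[ \t]+name[ \t]/ { name = $3; gsub("\047", "", name) }
    /^[ \t]*option[ \t]+(input|forward|target)[ \t]/ {
        v = $3; gsub("\047", "", v)
        if (v == "REJECT") sub(/REJECT/, "DROP")
        else if (v == "ACCEPT" && $2 == "target" && name == ping) sub(/ACCEPT/, "DROP")
    }
    { print }' "$1"
}

# Stand-alone demo: write the sample, audit it, and show the hardened version.
SAMPLE="${TMPDIR:-/tmp}/fw_sample.$$"
write_sample_config "$SAMPLE"
echo "REJECT policies before:"; list_rejects "$SAMPLE"
echo "Allow-Ping target before: $(rule_target "$SAMPLE" Allow-Ping)"
stealth_rewrite "$SAMPLE" > "$SAMPLE.stealth"
echo "REJECT policies after: $(count_rejects "$SAMPLE.stealth")"
echo "Allow-Ping target after: $(rule_target "$SAMPLE.stealth" Allow-Ping)"
```

On a router the same functions can be pointed at `/etc/config/firewall`, with the rewritten copy diffed against the original before it replaces it; as the thread notes, a "stealth" result also depends on the ISP not answering probes on your behalf, which no router-side change can fix.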

nozombian wrote:

The ports you are reporting have nothing to do with openwrt. If you see them as open, you have either some ports forwarded to your windows machine, or you are behind some crazy NAT, which is done by some crazy windows machine, or the nat gateway has the ports forwarded to some windows machine. If you run ifconfig, does your wan ip address match with whatismyip.com?

There are way too many assumptions here for my taste. For one, there are no ports forwarded at the moment on my router and there are no crazy windows machines on our LAN. I for one am on linux and the rest are on windows, but all protected by the comodo firewall that I set up, and I do not think that I did something crazy with any of those firewalls to do something like this. So here I really do not agree with you.

To answer your question, I did the test and the wan IP does match with whatismyip.com. Were you wondering if there was something wrong with the openwrt installation, or did you think that I was having trouble understanding these sorts of things? The problem is not on my side, believe me. I know what I am doing and I understand the basics of WAN, LAN, NAT, ...

There is no router in front of my router. There is only openwrt between me and the internet.

Then it must be as jow said. If you have comodo configured correctly, you can try to directly connect just your machine. I think even windows 7 with default firewall set as connected to the public internet does not accept any connections, but I don't know if it rejects, or drops.

If you have openwrt, unless configured otherwise, the default is this: reject everything, accept ping. So edit /etc/config/firewall and change the rules REJECT to DROP & drop pings, then you will be stealth, or your ISP messes with ports, as jow said. I heard that many cable companies block ports, even port 80.

zopico wrote:
written_direcon wrote:

You really have to run a portscan or whatever from OUTSIDE of your network.

I do not understand why the GRC Shields Up test reports all these open ports. I have not opened them, yet it detects ports 135, 137, 138, 139, 161, 445 and 593 each and every time I scan.

You understand that the openwrt firewall will open ports for outgoing connections, right? The default config does this for both udp and tcp.

Ports 137,138,139,445 are all related to microsoft windows file sharing (aka SMB). The Windows PCs on your LAN are sending connect requests to outside machines. I don't know if you consider this a problem or not, but I think it's unwise.

I recommend you google the other port numbers, and decide whether to allow them or not.

strato wrote:

You understand that the openwrt firewall will open ports for outgoing connections, right? The default config does this for both udp and tcp.

I am pretty sure that is what every router nowadays does. You have told me nothing new here.

You must be missing something. I have tried with 1043nd v2 and wr841n too and passing grc stealth fine with openwrt, yet I have plenty of services running (on uncommon ports).

http://www.pictr.com/thumbs/zjia47j8e0.png
http://www.pictr.com/thumbs/blwpmv0khh.png

Try another build, do a firstboot to erase everything, reboot and change all rejects to drop in firewall. I have done this many times already when I messed something and firewall works as expected.

(Last edited by nozombian on 4 May 2014, 15:57)

You see, the funny thing about this is that I have two wrt54gl routers. I have flashed both with the same openwrt build but neither passes the grc port scan test. Even the one that I use at the "office" with all sorts of crazy windows machines connected shows no open ports on the grc test, and even when the ping is disabled it won't pass for some reason. It is really odd to me why that would be so, but that does not bother me as much as seeing open ports being detected when I know I have not done anything to open/port forward those ports and the ISP is not the offending party either.

I really cannot reproduce those mysterious open ports either. What's reported exactly by GRC? Which port numbers are supposedly open?

wrt54gl?
Which version of OpenWRT are you running?
The forum assumes Attitude Adjustment or Trunk by default.

(Last edited by alphasparc on 7 May 2014, 16:31)

alphasparc wrote:

wrt54gl?
Which version of OpenWRT are you running?
The forum assumes Attitude Adjustment or Trunk by default.

Well I am using Backfire 10.03.1 final since that is the one to use on wrt54gl routers. The ports are mentioned already above.

Are the ports reported open or stealth or what?

I know that my ISP filters a few ports (=blocks traffic to them by dropping packets, explained in Finnish here https://www.dna.fi/tuki-laajakaista ), so those ports are reported stealth for me.

Can you show your corresponding "text summary" from grc test?

GRC Port Authority Report created on UTC: 2014-05-07 at 17:34:31

Results from scan of ports: 0-1055

    0 Ports Open
 1049 Ports Closed
    7 Ports Stealth
---------------------
 1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 25, 135, 137, 138, 139, 445, 
                                593

Other than what is listed above, all ports are CLOSED.

(Last edited by hnyman on 7 May 2014, 18:35)

GRC Port Authority Report created on UTC: 2014-05-07 at 18:33:30

Results from scan of ports: 0-1055

    0 Ports Open
1049 Ports Closed
    7 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 135, 137, 138, 139, 161, 445,
                                593

Other than what is listed above, all ports are CLOSED.

TruStealth: FAILED - NOT all tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.

I guess it must be my ISP then. It is odd because when I connect my laptop to the modem nothing like that comes up.

zopico wrote:

I do not understand why the GRC Shields Up test reports all these open ports. I have not opened them, yet it detects ports 135, 137, 138, 139, 161, 445 and 593 each and every time I scan.

zopico wrote:

GRC Port Authority Report created on UTC: 2014-05-07 at 18:33:30

Results from scan of ports: 0-1055

    0 Ports Open
1049 Ports Closed
    7 Ports Stealth
---------------------
1056 Ports Tested

NO PORTS were found to be OPEN.

Ports found to be STEALTH were: 135, 137, 138, 139, 161, 445,
                                593

Why have you been talking about ports being reported open?
No ports are reported open for you.

Stealth means dropped without response, while closed means a "reject" response.

The easiest explanation is ISP filtering, but it sounds strange if you get a different result from the same PC connected to the same modem, but without the router.

(Last edited by hnyman on 7 May 2014, 19:48)

nozombian wrote:

So edit /etc/config/firewall and change the rules REJECT to DROP & drop pings, then you will be stealth.

Also coming from the DD-WRT world I'm surprised by the need for this.

I expect that there's a good reason for using REJECT instead of DROP though or it would have been changed to DROP (not just for ping, but all) by default years ago. Does anyone know what it is?

The reason is that REJECT and answering to pings is the RFC-defined standard.

(Last edited by metai on 18 Aug 2014, 22:53)
