Thread: Portscan from WAN -> Why ports 53 and 80 open??

  1. #1

    Portscan from WAN -> Why ports 53 and 80 open??

    Hi,
    I have scanned the WAN ports of the router with http://nmap-online.com and the result was that ports 53 (DNS) and 80 (HTTP) are open in the router with oleg-firmware installed.

    My /usr/local/sbin/post-firewall is:
    #!/bin/sh
    # this opens the ssh port to internet! Be sure to have strong passwords!
    iptables -I INPUT -m tcp -p tcp --dport 24912 -j ACCEPT

    #OpenVPN access from WAN
    iptables -D INPUT -j DROP
    iptables -A INPUT -p udp --dport 1234 -j ACCEPT
    iptables -t nat -A PREROUTING -i vlan1 -p udp --dport 1234 -j DNAT --to-destination $4:1234
    iptables -A INPUT -j DROP

    iptables -D INPUT -j DROP
    # Allow TUN interface connections to OpenVPN server
    iptables -A INPUT -i tun+ -j ACCEPT
    # Allow TUN interface connections to be forwarded through other interfaces
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A INPUT -j DROP
    I have set up the router following the how-to from wengi, together with the vsftp (LAN only) and VPN how-tos.

    Please, can someone say why these two ports are open?
    I think 53 is for DNS and 80 is HTTP (web server). But do I need these ports open? I have no web server running on the WAN interface. Can I somehow close these ports?

  2. #2
    Please, does nobody have an idea why these WAN ports are open?
    Which ports on the WAN interface are open in the original firmware?

    Please, someone should know this or you can easily check on your device...
    I would appreciate every answer.

  3. #3
    If you close them, are you still able to browse the internet?
    If not, then you have your answer as to why they are open.

    I don't know if it's by design or not.

  4. #4
    Hi,

    The ports are for DNS and HTTP, as you wrote above.
    If you do NOT use a DNS or HTTP server for WAN, you should close these ports.
    This is done with iptables. Do a forum search for "iptables open/close port".

    I do not know if this is the default in Oleg's firmware (it should not be!), because I use my Asus as a client in the LAN and not as the router that connects to the internet.

    wengi
    Übersicht aller HowTos --- HowTo Overview (mostly german)
    WL-HDD mit diesem Setup. --- WL-HDD with this setup.
    Kein Support per PM - Frage im jeweiligen Thread! --- No support via pm - ask in the according thread!
    You can recognise a really good idea by the fact that its realisation seems impossible from the outset. (Albert Einstein)
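    One way to do what wengi suggests, as an added example and not code from the thread or from the firmware: a helper script that lists services bound to all addresses (and therefore reachable from the WAN unless filtered) and inserts DROP rules for TCP/UDP 53 and TCP 80 on the WAN interface. It assumes the WAN interface is vlan1 (as in the post-firewall script above) and busybox-style iptables and netstat.

```shell
#!/bin/sh
# Added example (not from the thread): close DNS/HTTP towards the WAN and show
# which local services listen on all addresses. Assumes WAN interface vlan1.
WAN_IF="${WAN_IF:-vlan1}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the iptables commands instead of running them

# Run an iptables command, or print it when dry-running.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# Insert one DROP rule for a protocol/port on the WAN interface. The rule goes to
# position 1 so it wins over any later ACCEPT, and -C skips it if already present,
# so re-running the script does not pile up duplicate rules.
drop_wan_port() {
    proto="$1"; port="$2"
    if [ "$DRY_RUN" != 1 ] && iptables -C INPUT -i "$WAN_IF" -p "$proto" --dport "$port" -j DROP 2>/dev/null; then
        return 0
    fi
    ipt -I INPUT 1 -i "$WAN_IF" -p "$proto" --dport "$port" -j DROP
}

# The three rules that close what the scan in post #1 reported as open.
close_wan_ports() {
    drop_wan_port tcp 53
    drop_wan_port udp 53
    drop_wan_port tcp 80
}

# Read "netstat -tuln" output on stdin and print "proto port" for every socket
# bound to 0.0.0.0 or :: (wildcard), i.e. not restricted to the LAN address.
wildcard_listeners() {
    awk '$1 ~ /^(tcp|udp)/ && $4 ~ /^(0\.0\.0\.0:|:::)[0-9]+$/ {
            n = split($4, a, ":"); print $1, a[n] }'
}

case "${1:-}" in
    check) netstat -tuln 2>/dev/null | wildcard_listeners ;;
    close) close_wan_ports ;;
esac
```

    Run it as `sh wanports.sh check` first to see what actually listens on 53 and 80, then `sh wanports.sh close` (or copy the three drop_wan_port lines into post-firewall) to filter them from the WAN side.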

  5. #5
    That's interesting, I ran a scan from there as well (first 5000 ports), and it also says:

    [...]
    Not shown: 4998 filtered ports
    PORT STATE SERVICE
    53/tcp open domain
    80/tcp open http
    [...]

    Which is kind of weird because
    a. I don't have those ports forwarded
    b. The GRC.com Shields Up test claims "stealth" for all the ports I scanned.

  6. #6
    Thanks for your answers.
    I have now scanned the router from the WAN with a port scanner on my laptop, which I connected to the internet from somewhere else. The result was that ports 53 and 80 are closed.

    So it looks as if the nmap online service maybe sees the two ports as open because I am accessing the nmap website at the moment they scan.
    But I am not an expert for networks and ports.
    So is my conclusion reasonable?

    Edit: Maybe I will try whether the result (ports 53 and 80 open) is the same when I use a standard router instead of the Asus.

    Edit:
    Now the quick scan with http://nmap-online.com and my DLink DI-524 Router results in:
    All 100 scanned ports on [...].kabel-badenwuerttemberg.de (....) are filtered
    Nmap done: 1 IP address (1 host up) scanned in 13.68 seconds

    So with that router, ports 53 and 80 are not open. That means my Asus with Oleg's firmware has something open to the WAN which does not have to be open, right?
    Last edited by Beowulf; 08-11-2008 at 12:56.

  7. #7
    It's getting weirder here - or at least I don't understand something correctly. Namely, I ran another two scans on a smaller sample of ports today (the one from yesterday was the default range 1-5000), both of which included 53 and 80 in the range. Both times it reported that all ports were filtered.
    Also, I ran a few scans that included ports that _are_ forwarded on my side - and it reported all ports as filtered as well.
    I'll try it again at a later time "when the traffic calms down a bit".
