According to the manual, the default Inbound rule is Block All; however, when I ran NMap TCP Connect Scan against the WAN IP, I was shocked to see some ports open. Does this mean that PCs in the same subnet can connect to my router?
Here's the result of the scan on WAN IP:
PORT STATE SERVICE
23/tcp open telnet 80/tcp open http 81/tcp open hosts2-ns 443/tcp open https
Now here's the result of the scan on the router's private IP that I assigned:
PORT STATE SERVICE
23/tcp open telnet 80/tcp open http 81/tcp open hosts2-ns 140/tcp filtered unknown 443/tcp open https
Then, I created a new Inbound rule to block access to Port 23 and the scan on WAN IP result is as follows:
PORT STATE SERVICE
23/tcp filtered telnet 80/tcp open http 81/tcp open hosts2-ns 443/tcp open https
Where was the machine running the scan PHYSICALLY connected? If you scan the WAN ip address whilst physically connected to the LAN side of the firewall, you will get erroneous results.
I ran another isolated test (not from the LAN side) and the result is the same. Standard port scanning will show no ports are open, but hen TCP connect scan was performed, ports 23, 443, 80 showed as open.
The worst part was I can telnet and access the Wewb administration page from the WAN side which makes it vulnerable for exploit.
Here's the same issue with another Netgear product:
