Can TC ports be stealthed to ShieldsUP?

UPDATE: Somehow, "Disks .. Share disks over WAN" had been checked.

Yeah.. that is the one. Good work.. and I should have twigged by AFP being open.

It is why we always recommend people do a factory reset when they change setup to make sure everything goes back to defaults.. in any new situation.

So, my remaining questions are, why does Network Utility show some as "open," and can I get TC to stealth them?

You don't need to worry about the other ports open.. they are open from LAN side not WAN side.. so you are now fully shut off to outside world. At least AFAIK for IPv4. You cannot check directly to WAN from Network Utility.

Is your TC in bridge or router mode?

Or

asking the question another way, is your cable modem a pure modem.. ie it has only one ethernet port, or you asked and confirmed the ISP has bridged a modem router.

Or

another way to ask is what IP do you have on the WAN port of the TC? Is it a private IP like 10.x.x.x or 192.168.x.x

This is important so we know it is really the TC issue and not the main router.

I am guessing you have a pure modem and the TC is your main router and has the public IP on the WAN.

The next question is IPv6. Are you using it, as it might affect the way ports are showing.

I am surprised 548 is open to WAN.. by default that is not the case. Nor should the other two ports but in PC world they are hard to hide.

Is there an error showing on the airport utility summary page of your TC? Perhaps you can post that screenshot.. if you have a public IP just cover the last few digits. I have mine in double NAT.. but it should not have any ports open to internet.

Setup over WAN is a bad one.. and should be off.

Let me check this from network utilities. No ports are open in standard NAT mode.