Hello,
Welcome to the forum! We hope you enjoy your time here, and find this to be a friendly and helpful place.
Now I'm no OpenBSD expert, but I have used it on and off over the years, so I have a passing familiarity with it, at least. Looking at your packet filter configuration, those rules essentially mean:
- Do not perform packet filtering on the loopback interface
- Block stateless traffic (i.e. traffic we were not expecting that seems to be part of a connection we are unaware of)
- Track the state of traffic
- Do not permit remote connections to the X11 server
- Do not permit outbound TCP or UDP access for the user "_pbuild" (which is used for builds of Ports - as in, third-party software packages, not network ports)
This is, I believe, pretty much the out-of-the-box default packet filter configuration, and is fine for starters. It does not explicitly prevent inbound or outbound connections to any other port, service or user beyond those specified above.
So none of these speak directly to your DHCP client, which you appear to have running. So when nmap is reporting this port as being either open or filtered, I'd lean towards it being open, since it does not appear to be filtered based on your current packet filter configuration. Of course if you have another hardware or software firewall running on the hop before the OpenBSD host itself then this port may well indeed still be getting filtered, but if the BSD packet filter is your only firewall, then this port is probably open.
As to whether or not this poses a security risk - the only definitive answer I can really give is "perhaps". If you're not actually needing to run a DHCP client on this server, and if it has a fixed IP, then the best solution is simply to disable this service. If you are running the DHCP client to get this OpenBSD box's IP at boot time, then you may wish perhaps to restrict access to this port to just the IP of your DHCP server.
Likewise for NAT traversal on port 4500 - if you're not needing to run a VPN service, then just disable the service(s) bound to this port, and that would be the best solution. If you are needing to run such a service (and if it's a service which actually depends on or requires access to this port) then again locking it down to just those IPs that need to talk to the port, if possible, would be best.
The one that has me stumped however is your UDP port 0 being in a potentially open state. I can't think what would actually be listening for connections on port 0. Perhaps this is simply a quirk of how OpenBSD reports UDP connectivity, or something, as I certainly can't replicate this on any Linux environment I have access to. Generally speaking port 0 is not a valid port for an inbound service, so this one remains a mystery.
Anyway, that's that - basically the short version would be "if you don't need a service disable it; if you do need a service and you know for sure that it will only ever need to talk to certain known IPs, then firewall it off to just those IPs".
Hope this helps!
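The "lock it down to just the IPs that need to talk to the port" advice above, written out as an added pf.conf example (not from the original post or from OpenBSD's stock configuration). The first five rules are the default rule set the post paraphrases; the rules after them are the additions. The interface name `em0`, the DHCP server address and the VPN peer addresses are assumed placeholders (RFC 5737 documentation ranges) and must be replaced with your own:

```pf
# Placeholders: replace with your own interface and addresses
ext_if      = "em0"
dhcp_server = "192.0.2.1"
vpn_peers   = "{ 198.51.100.10, 198.51.100.11 }"

# --- Stock OpenBSD rules (as described in the reply above) ---
set skip on lo                  # no filtering on loopback
block return                    # block stateless traffic
pass                            # everything else, with state tracking

# Do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto { tcp udp } user _pbuild

# --- Added restrictions ---
# pf is last-match-wins: the "block" closes the port, the "pass"
# that follows re-opens it only for the named source(s).

# DHCP client replies arrive at UDP 68; accept them only from the
# known DHCP server (sending from its server port 67).
block in log on $ext_if proto udp to port 68
pass  in     on $ext_if proto udp from $dhcp_server port 67 to port 68

# IPsec NAT traversal on UDP 4500; accept only from known VPN peers.
# Drop both of these lines if no VPN service is needed at all.
block in log on $ext_if proto udp to port 4500
pass  in     on $ext_if proto udp from $vpn_peers to port 4500
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and confirm the loaded rules with `pfctl -sr`; the `log` keyword on the block rules lets you watch rejected packets with `tcpdump -n -e -ttt -i pflog0` to verify the restriction is actually being hit.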