A lot of people seem to ask this question, as there are a bunch of posts about it; however I feel like none truly answer the question (that I have found).

I want to understand why Nmap decides to tell me that a specific port is "filtered" when there are technically over 60,000 "filtered" ports.

For the sake of this example...

  • My host (192.168.1.100) is listening on ports TCP 80, 443 and 3389

  • My firewall only permits TCP 80, 443, 135 and 445 (not 3389)

      192.168.1.100   80      open
      192.168.1.100   135     closed
      192.168.1.100   443     open
      192.168.1.100   445     closed
      192.168.1.100   3389    filtered
    
  • Since my host is not listening on TCP 135 and 445, it responds with a TCP RST, and thus it is "closed"

  • Since my firewall is not permitting TCP 3389, it is technically filtered

However, this is what I don't get: TCP ports 21, 22, 23, 24, 25, 26, etc are ALL filtered by the firewall (ie, not permitted), but Nmap only tells me this particular port (3389) is being filtered.

Why?! Should it not be a gigantic list like this:

    192.168.1.100   1       filtered
    192.168.1.100   2       filtered
    192.168.1.100   3       filtered
    192.168.1.100   4       filtered
    192.168.1.100   5       filtered
    ...             ...     ...
    192.168.1.100   76      filtered
    192.168.1.100   77      filtered
    192.168.1.100   78      filtered
    192.168.1.100   79      filtered
    192.168.1.100   80      open
    ...             ...     ...
    192.168.1.100   131     filtered
    192.168.1.100   132     filtered
    192.168.1.100   133     filtered
    192.168.1.100   134     filtered
    192.168.1.100   135     closed
    etc...
  • Did you read [this solution](https://unix.stackexchange.com/questions/136683/why-are-some-ports-reported-by-nmap-filtered-and-not-the-others) from the Unix & Linux portal? –  Mar 28 '18 at 20:21
  • I actually came across this posting, but did not find it valuable. While the question is essentially identical to mine, the responses do not address the question. He asks: `If it's normal to see 21,25 and 1863 as "filtered", then why aren't all the other ports appearing as "filtered" too!?` This is my question. – Ryan B Mar 28 '18 at 20:41
  • Even the official explanation on Nmap's website does not address this question: `filtered : Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port.` In my scenario, Nmap cannot determine whether ports 1, 2, 3, 4, 5, 6 etc. are open, because a packet filtering device blocks the probes, yet we do not see all these ports listed in the output as filtered. – Ryan B Mar 28 '18 at 20:45
  • Add `--reason -v` to your scan to see *why* Nmap chose each port state. `filtered` can mean "no response" but it can also mean "ICMP Admin Prohibited" and a few other ICMP codes. What is on the line that starts with "Not shown:" ? – bonsaiviking Mar 29 '18 at 03:02

1 Answer

This largely depends on the scan type used. The Nmap scan types page explains the status of the port and the reasons per scan.

Some examples:

TCP SYN Scan (-sS)

 - Sends a TCP packet with SYN flag set
 - If a SYN/ACK (or SYN) is received --> Port is Open, TCP initiation accepted
 - If a RST is received --> Port is closed
 - If no response is received --> Port is considered filtered
 - If an ICMP Unreachable is received --> Port is considered filtered

UDP Scans (-sU)

 - Nmap sends a UDP Packet to the specified ports
 - If an ICMP Port Unreachable comes back --> Port is closed
 - Other ICMP Unreachable errors --> Port is filtered
 - Server responds with UDP packet --> Port is open
 - No response after retransmission --> Port is Open|Filtered

And a counter example that could produce different results than -sS:

TCP ACK Scan (-sA)

This scan never determines OPEN or OPEN|Filtered:

 - A packet is sent with only the ACK flag
 - If a system is unfiltered, both open and closed ports return RST-flagged packets
 - Ports that don't respond, or send ICMP Errors are labeled Filtered.

Basically, your results will be influenced by the scan types and extra options you add. It is important to understand how the different Nmap scan types work at a higher level in order to perform a good and conclusive scan.

Multiple options might be required to get a proper view of your firewall rules.

Also, the --reason option might give you more insights as to why a port is being shown differently than you expect.
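The decision tables in this answer, as an added Python example that is not part of the original answer or of Nmap itself: `classify()` maps one probe response (named with Nmap's `--reason` vocabulary) to the state reported for `-sS`, `-sU` and `-sA`, and `summarize()` folds the most common state into a single "Not shown:" count, which is how Nmap keeps the question's "gigantic list" of filtered ports out of the table. The port set and responses are constructed from the question's scenario, and the report format is simplified.

```python
from collections import Counter

# Decision tables from the answer above, keyed by scan type and then by the
# on-the-wire response, spelled with Nmap's own --reason vocabulary.
# Simplifications: a bare SYN reply is counted as syn-ack, and "admin-prohibited"
# stands in for every ICMP unreachable other than port-unreachable, since the
# answer treats those alike (filtered).
RULES = {
    "-sS": {"syn-ack": "open", "reset": "closed",
            "no-response": "filtered", "admin-prohibited": "filtered"},
    "-sU": {"udp-response": "open", "port-unreach": "closed",
            "admin-prohibited": "filtered", "no-response": "open|filtered"},
    "-sA": {"reset": "unfiltered",
            "no-response": "filtered", "admin-prohibited": "filtered"},
}

def classify(scan_type, reason):
    """Return the port state Nmap reports for one probe response."""
    try:
        return RULES[scan_type][reason]
    except KeyError:
        raise ValueError(f"no rule for {scan_type} with response {reason!r}") from None

def summarize(scan_type, responses):
    """Classify every probed port, then fold the most common state into one
    'Not shown:' count the way Nmap's report does. Returns
    (hidden_count, hidden_state, shown) with shown as (port, state, reason)."""
    states = {port: classify(scan_type, reason) for port, reason in responses.items()}
    hidden_state, hidden_count = Counter(states.values()).most_common(1)[0]
    shown = [(port, states[port], responses[port])
             for port in sorted(states) if states[port] != hidden_state]
    return hidden_count, hidden_state, shown

def render(scan_type, responses):
    """Lines an Nmap-style report with --reason would print (format simplified)."""
    proto = "udp" if scan_type == "-sU" else "tcp"
    hidden_count, hidden_state, shown = summarize(scan_type, responses)
    lines = [f"Not shown: {hidden_count} {hidden_state} {proto} ports"]
    lines += [f"{port}/{proto} {state} {reason}" for port, state, reason in shown]
    return lines

def question_scenario():
    """Constructed SYN-scan responses for the question: host listens on 80, 443
    and 3389, firewall passes only 80, 443, 135 and 445; probe 1-1024 and 3389."""
    responses = {port: "no-response" for port in list(range(1, 1025)) + [3389]}
    responses.update({80: "syn-ack", 443: "syn-ack", 135: "reset", 445: "reset"})
    return responses
```

Running `render("-sS", question_scenario())` puts the 1021 filtered ports, 3389 included, on the "Not shown:" line and lists only 80, 135, 443 and 445, so a filtered port only appears as its own row when "filtered" is not the majority state.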
