11

When I scanned a host for open ports I came across the following result:

PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
3306/tcp open     mysql

What does filtered mean?

Rumesh Madhusanka

2 Answers

9

Filtered is described in the NMAP Reference Guide, Chapter 15:

Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically.

Long story short - Filtered means you cannot access the port from your scanning location, but this doesn't mean the port is closed on the system itself. Closed, on the other hand, would mean you can reach the port, but it is actually closed.

Demento
  • a closed port could also indicate a firewall blocking connections. compare basic firehol and ufw rules and corresponding nmap scans ;) – kaiya Mar 09 '21 at 10:31
3

Filtered is also a common response when scanning for UDP.

Scanning for UDP presents a number of challenges and the nmap documentation has a detailed discussion on UDP and the filtered status.

Reminder: by default, nmap scans only for TCP against the 1000 most 'popular' ports.

In the past I have used Unicornscan for this specific purpose because nmap has limitations, but there may be other tools that will perform adequately. I would suggest that you try again with a UDP scan and see what you get. Perhaps add some flags like -sV to get nmap to dig further.

Ports 139 and 445 normally use tcp while ports 137, 138 use udp.

# iptables -A INPUT -d 10.1.1.1 -p udp --dport 137 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p udp --dport 138 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p tcp --dport 139 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p tcp --dport 445 -j DROP

Source: Firewalling Samba

Kate
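
The open / closed / filtered distinction from the answers above, as an added example that is not part of either answer or of Nmap: a plain TCP connect probe that classifies a port by how the connection attempt ends, useful for checking from a given vantage point what your own firewall rules look like. The function names, the errno mapping (Linux assumed) and the loopback demo are assumptions of this example; Nmap's own SYN scan works with raw packets rather than `connect()`.

```python
import errno
import socket

# ICMP "unreachable" replies reach connect() as these errnos (Linux mapping assumed).
FILTERED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH, errno.ETIMEDOUT}


def classify(err):
    """Map a connect() outcome (0, an errno, or None for a timeout) to a port state."""
    if err == 0:
        return "open"       # handshake completed: a service is listening
    if err == errno.ECONNREFUSED:
        return "closed"     # RST received: no listener, or a firewall answering with a reset
    if err is None or err in FILTERED_ERRNOS:
        return "filtered"   # probe dropped silently, or ICMP unreachable returned
    return "unknown"


def probe(host, port, timeout=1.0, retries=2):
    """TCP connect probe; silence is retried because the loss may be congestion."""
    for _ in range(retries + 1):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                err = 0
            except socket.timeout:
                err = None
            except OSError as exc:
                err = exc.errno
        state = classify(err)
        if state != "filtered":
            return state
    return "filtered"


def demo():
    """Loopback check: probe a listening port, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
```

A port behind a DROP rule like the ones above never answers, so `probe` runs out its retries and reports it as filtered.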