Firewalls – Ports that are closed / filtered in Nmap scans


To avoid more than 65,000 lines of mostly useless output, Nmap summarizes most "uninteresting" results in a line labeled "Not shown: 65530 filtered ports". Open ports are never collapsed in this way, but closed ports (TCP RST) and filtered ports (no response, or prohibited by ICMP) are only listed individually if there are fewer than a certain number of them.

In your case, I would suggest that most ports are "filtered", but some are "closed" instead. There are many reasons why this might be the case, but the most likely ones are:

  1. Something between you and the target blocks access to these ports by spoofing RST responses. This is common in residential ISPs that block ports 137, 139 and 445, among others.
  2. The target's firewall allows these ports, but no service is running on them.

EDITED TO ADD: Based on the actual port output, I'm pretty sure this is ISP filtering (spoofing of closed-port responses). Ports 17 and 19 are commonly used as DDoS amplifiers (though UDP, not TCP). Ports 137-139 and 445 were exploited by network worms in Windows. Port 25 is intended for e-mail servers. Therefore, ISPs block them unless you buy a business class connection. I'm not sure about 111 and 136; These could legitimately be closed or blocked for some other reason. add the --Reason Option for your scan to display IP Time to Live (TTL) details in the response; Abnormally high TTL values ​​may indicate ISP locking, especially if the TTL value for open ports is a few hops lower (typically between 5 and 15 hops).