Why Nmap Reports Some Ports as Filtered and Not Others

Nmap is a popular open-source tool used by security experts to discover hosts and services on a computer network. It can identify open ports, services, and operating systems on a network, among other things. However, when running a scan, some ports may be reported as “filtered” rather than “open” or “closed.” 

This article will explore why this happens and what it means for your network security.

  • What are Open, Closed, and Filtered Ports?
  • Why are Some Ports Reported as Filtered?
  • Why are Some Ports not Reported as Filtered?
  • How to Determine the Cause of a Filtered Port?

What are Open, Closed, and Filtered Ports?

A network port is a communication endpoint that identifies a specific process or service running on a computer. Ports are numbered from 0 to 65535, and some well-known ports are reserved for specific services, such as port 80 for HTTP.

  • Open Port: An “open” port means that a service actively listens on that port and can receive incoming connections. 
  • Closed Port: A “closed” port means no service is listening on that port, and incoming connections are rejected. 
  • Filtered Port: A “filtered” port means that there is a firewall or some other network device blocking access to that port, making it unavailable for incoming connections.

Why are Some Ports Reported as Filtered?

When Nmap scans a network, it sends packets to various ports and analyzes the response. If it receives a response, it can determine if the port is open or closed. However, if it does not receive a response, it cannot determine the status of the port. This is where the “filtered” status comes in.

A port is reported as “filtered” by Nmap when it sends packets to the port but does not receive any response. This can happen for various reasons, but the most common cause is that there is a firewall or some other network device blocking access to the port. The device could be blocking the traffic entirely or just ignoring it, making it appear as if the port is not responding.

Why are Some Ports not Reported as Filtered?

By default, Nmap only sends packets to a limited set of well-known ports, such as port 80 for HTTP or port 22 for SSH.

If a firewall is blocking a non-well-known port, Nmap will not send any packets to that port, and therefore, it will not be reported as filtered. However, if you specify a range of ports to scan, including the blocked port, Nmap will send packets to that port and report it as filtered if it does not receive a response.

How to Determine the Cause of a Filtered Port?

When Nmap reports a port as filtered, it can be challenging to determine the exact cause of the blockage. The following steps help narrow it down.

  • Check the Firewall Logs: If you have access to the firewall logs, you can see if the traffic to the port is being blocked.
  • Use a Different Scanning Tool: Sometimes, other scanning tools can detect blocked ports that Nmap cannot. You can use tools like hping or tcpdump to see if they can detect the blocked port.
  • Check the Port Status from the Destination: If you have access to the computer hosting the service, you can check if the port is open or closed from there. If it is closed on the host side, then it might not be the firewall blocking the port.
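The firewall-log check and the destination-host check can be combined into one pass over the ports Nmap reported as filtered. The script below is an added example, not part of the original article: the addresses, ports, log lines, `ss -ltn` output and the "FW-DROP: " log prefix are all constructed, and the verdicts are hints for where to look next, not proof.

```python
import re

# Constructed sample data (not from the original article).
FILTERED_PORTS = [3306, 8080, 9200]   # ports Nmap reported as filtered
TARGET_IP = "198.51.100.5"            # scanned host (documentation address)
# Trimmed iptables LOG-style lines; "FW-DROP: " is a hypothetical log prefix.
FIREWALL_LOG = """\
Mar  3 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 PROTO=TCP SPT=40112 DPT=3306 SYN
Mar  3 10:15:01 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=44 PROTO=TCP SPT=40112 DPT=8080 SYN
Mar  3 10:15:02 gw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.77 LEN=44 PROTO=TCP SPT=40112 DPT=9200 SYN
"""
# `ss -ltn` output captured on the destination host.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       511     [::]:9200           [::]:*
"""
DROP_RE = re.compile(r"FW-DROP: .*?\bDST=(\S+) .*?\bPROTO=TCP\b.*?\bDPT=(\d+)")

def dropped_ports(log_text, target_ip):
    """TCP destination ports the firewall logged as dropped for target_ip."""
    return {int(m.group(2)) for m in DROP_RE.finditer(log_text)
            if m.group(1) == target_ip}

def listening_ports(ss_text):
    """Ports in LISTEN state, read from the Local Address:Port column."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))  # handles [::]:9200 too
    return ports

def explain(filtered, dropped, listening):
    """Map each filtered port to a hint keyed on (logged drop, listener)."""
    verdicts = {
        (True, True): "firewall is blocking a running service",
        (True, False): "firewall drops it, and nothing listens on the host",
        (False, True): "service is up but no drop was logged: check other devices or unlogged rules",
        (False, False): "no logged drop and no listener: look elsewhere on the path",
    }
    return {p: verdicts[(p in dropped, p in listening)] for p in filtered}

if __name__ == "__main__":
    result = explain(FILTERED_PORTS, dropped_ports(FIREWALL_LOG, TARGET_IP),
                     listening_ports(SS_OUTPUT))
    for port, verdict in sorted(result.items()):
        print(f"{port}/tcp filtered: {verdict}")
```

Port 9200 shows why the destination address matters: the only logged drop for it belongs to a different host, so the log does not explain the filtered result for the scanned one.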

Conclusion

Nmap is a powerful tool for discovering hosts and services on a network, but filtered ports can complicate the process of identifying vulnerabilities and potential attack vectors. Understanding why some ports are reported as filtered and not others can help network administrators and security professionals make better decisions when it comes to securing their networks.