Recently I was trying to figure out what the various port states reported by Nmap really mean. This is what's actually going on:
- If a packet is intercepted by a router's access-list, the router sends back an ICMP administratively prohibited packet (ICMP type 3, code 13). This is reported as a filtered port by Nmap (and probably as a stealth port by some other scanners).
- If you do a TCP SYN scan of a router and the scanned port is not active, the router sends back a TCP RST packet. This is reported as a closed port.
- If you perform a UDP scan of a router, the router sends back an ICMP port unreachable message if the UDP application is not active. This is reported by Nmap as a filtered port (even though in most cases it should be equivalent to a closed TCP port).
- In some cases, the router simply doesn't reply to UDP scans (for example, if you scan the discard service). This is reported as open|filtered (as the scanner cannot reliably determine whether the probe was dropped by a filter or simply not replied to).
Note: In any case, UDP scans are far more unreliable than TCP scans due to the connectionless nature of UDP.
Below you'll find the debugging outputs for the most common conditions:
Successful TCP scan

Debugged with debug ip tcp packet:

```
tcp0: I LISTEN 172.16.10.34:49620 172.16.0.1:80 seq 2116160324
    OPTS 4 SYN WIN 1024
tcp0: O SYNRCVD 172.16.10.34:49620 172.16.0.1:80 seq 3992162774
    OPTS 4 ACK 2116160325 SYN WIN 4128
tcp0: I SYNRCVD 172.16.10.34:49620 172.16.0.1:80 seq 2116160325
    RST WIN 0
```

TCP scan of a closed port

Debugged with debug ip tcp packet:

```
tcp0: I LISTEN 172.16.10.34:50434 172.16.0.1:80 seq 1431055709
    OPTS 4 SYN WIN 1024
TCP: sent RST to 172.16.10.34:50434 from 172.16.0.1:80
```

TCP scan blocked by an access-list

Debugged with debug ip icmp:

```
ICMP: dst (172.16.0.1) administratively prohibited unreachable sent to 172.16.10.34
```

UDP scan of an unreachable port

Debugged with debug ip udp and debug ip icmp:

```
UDP: rcvd src=172.16.10.34(37312), dst=172.16.0.1(8), length=8
ICMP: dst (172.16.0.1) port unreachable sent to 172.16.10.34
```
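As an added example (not part of the original post), here is a small Python parser that reads IOS debug excerpts like the ones above, joins the unprefixed TCP flag lines to the packet line they belong to, and reports what the router answered plus the Nmap state the post maps that answer to. The regular expressions are built from the sample lines on this page and the NMAP_STATE table follows the post's own descriptions; the embedded input is the successful-scan excerpt, copied here as a constructed sample.

```python
import re
# Patterns built from the IOS debug excerpts above. TCP flag lines
# ("OPTS 4 SYN WIN 1024") carry no prefix and are joined to the tcpN: line.
PREFIX = re.compile(r"^(tcp\d+:|TCP:|ICMP:|UDP:)")
TCP_PKT = re.compile(r"^tcp\d+: (?P<dir>[IO]) \w+ .*?seq \d+ (?P<flags>.*)$")
# Router response -> Nmap port state, as the post above describes it.
NMAP_STATE = {
    "tcp-synack": "open",
    "tcp-rst": "closed",
    "icmp-admin-prohibited": "filtered",
    "icmp-port-unreachable": "filtered",
    "no-response": "open|filtered",
}

def join_continuations(lines):
    """Glue unprefixed continuation lines onto the preceding debug line."""
    joined = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if PREFIX.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    return joined

def router_response(lines):
    """Classify what the router answered, from a debug excerpt for one probe."""
    for line in join_continuations(lines):
        if line.startswith("TCP: sent RST"):
            return "tcp-rst"
        if "administratively prohibited" in line:
            return "icmp-admin-prohibited"
        if "port unreachable" in line:
            return "icmp-port-unreachable"
        m = TCP_PKT.match(line)
        # Outbound packet carrying both SYN and ACK: the half-open probe found a listener.
        if m and m.group("dir") == "O" and {"SYN", "ACK"} <= set(m.group("flags").split()):
            return "tcp-synack"
    return "no-response"

def nmap_state(lines):
    return NMAP_STATE[router_response(lines)]
# Constructed sample input: the "successful TCP scan" excerpt from above.
OPEN_PORT = """tcp0: I LISTEN 172.16.10.34:49620 172.16.0.1:80 seq 2116160324
OPTS 4 SYN WIN 1024
tcp0: O SYNRCVD 172.16.10.34:49620 172.16.0.1:80 seq 3992162774
OPTS 4 ACK 2116160325 SYN WIN 4128
tcp0: I SYNRCVD 172.16.10.34:49620 172.16.0.1:80 seq 2116160325
RST WIN 0""".splitlines()
```

Feed it the other excerpts to confirm that a RST reply (closed) tells a scanner the host is alive, while an access-list that answers with administratively prohibited only yields filtered.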