Nmap Development mailing list archives

nmap scans on FreeBSD showing incorrect results


From: Vincent Stemen <vince.nmap () hightek org>
Date: Tue, 19 Sep 2017 20:11:59 -0500

Hi.

On FreeBSD 11.1 release I am getting inconsistent results from nmap version
7.40.  It is randomly showing some ports as filtered even though they are not.
I am wondering if this could be a bug in nmap when running on FreeBSD.

For comparison, I ran nmap version 7.40 on Linux Debian 4.9.30 and I do not 
have the problem.  It consistently correctly shows all unfiltered ports.

The host being scanned is running a packet filter firewall on FreeBSD 11.1.

I also ran a few of the same tests from a FreeBSD 10.3-RELEASE-p11 machine,
running nmap-7.12 and got similar inconsistent results.

On these tests, there are 5 unfiltered ports.
If it has been at least a minute or so since the last scan, it seems to output
the correct results.

# nmap  -p 1000-1040  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:21 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.026s latency).
Not shown: 36 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1001/tcp open   webpush
1002/tcp closed windows-icfw
1003/tcp closed unknown
1004/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 4.89 seconds

-------------------------------------

But if I run the scan again, I get random wrong results.

# nmap  -p 1000-1040  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:21 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.024s latency).
Not shown: 39 filtered ports
PORT     STATE  SERVICE
1000/tcp open   cadlock
1004/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 1.79 seconds

????
This is outright wrong.
Why does it only show 2 unfiltered ports?
????

-------------------------------------

It is not consistent about which ports it shows as being unfiltered.

# nmap  -p 1000-1030  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:29 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.024s latency).
Not shown: 29 filtered ports
PORT     STATE  SERVICE
1001/tcp open   webpush
1002/tcp closed windows-icfw

Nmap done: 1 IP address (1 host up) scanned in 1.77 seconds

-------------------------------------

If I scan *no more* than 10 ports, it seems to always be correct.
From 15 on up it appears to get more and more inconsistent.

# nmap  -p 1000-1010  pt02

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-19 18:32 CDT
Nmap scan report for pt02 (xx.xx.xx.xx)
Host is up (0.025s latency).
PORT     STATE    SERVICE
1000/tcp open     cadlock
1001/tcp open     webpush
1002/tcp closed   windows-icfw
1003/tcp closed   unknown
1004/tcp closed   unknown
1005/tcp filtered unknown
1006/tcp filtered unknown
1007/tcp filtered unknown
1008/tcp filtered ufsd
1009/tcp filtered unknown
1010/tcp filtered surf

Nmap done: 1 IP address (1 host up) scanned in 3.99 seconds

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
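The back-to-back rescans described in the message above, turned into a repeatable check. This is an added example, not code from the original post or from the Nmap project: a POSIX shell script that parses Nmap's grepable output (`-oG -`), counts the ports each run reports in a state other than filtered, and diffs the port states of every later run against the first so ports that drop out of the results (i.e. fall into the run's "Ignored State") are listed explicitly. It assumes `nmap` is in PATH for live runs and that `awk`, `sort` and `mktemp` are available; the target name `pt02`, the 192.0.2.2 address and the two sample grepable outputs are constructed for illustration and mirror the first two scans in the post.

```sh
#!/bin/sh
# Added example (not from the original post): compare port states across
# repeated nmap scans of the same target so "filtered" results that come and
# go between runs show up as explicit differences instead of being eyeballed.
# Assumptions: POSIX sh with awk/sort/mktemp; nmap in PATH for live runs;
# grepable output (-oG -) is parsed. Host names, addresses and the sample
# output below are constructed for illustration.
export LC_ALL=C

# Read nmap grepable output on stdin and print one "port/state" line per
# reported port, sorted numerically. Ports in the run's "Ignored State" are
# not listed by nmap at all, so they simply do not appear here.
nmap_port_states() {
    awk -F '\t' '/^Host:/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Ports: /) {
                sub(/^Ports: /, "", $i)
                n = split($i, ents, /, */)
                for (j = 1; j <= n; j++) {
                    split(ents[j], f, "/")   # port/state/proto/owner/service/...
                    print f[1] "/" f[2]
                }
            }
        }
    }' | sort -n
}

# Count the ports a port/state listing (stdin) reports as anything but filtered.
nmap_unfiltered_count() {
    awk -F / '$2 != "filtered" { n++ } END { print n + 0 }'
}

# Print ports whose state differs between two port/state listings (files).
# A port present in one listing and missing from the other is reported as
# "absent", which for these scans means it fell into the ignored state.
nmap_state_diff() {
    awk -F / '
        FNR == NR && FILENAME == ARGV[1] { a[$1] = $2; next }
        { b[$1] = $2 }
        END {
            for (p in a) if (!(p in b)) print p ": " a[p] " -> absent"
            for (p in b) if (!(p in a)) print p ": absent -> " b[p]
            for (p in a) if (p in b && a[p] != b[p]) print p ": " a[p] " -> " b[p]
        }' "$1" "$2" | sort -n
}

# Live check: scan the target several times back to back and report every
# port whose state changed relative to the first run. Needs nmap; the
# offline sample at the bottom does not use it.
nmap_consistency_check() {
    target=$1; ports=$2; runs=${3:-5}
    dir=$(mktemp -d)
    i=1
    while [ "$i" -le "$runs" ]; do
        nmap -p "$ports" -oG - "$target" | nmap_port_states > "$dir/run$i"
        printf 'run %s: %s unfiltered port(s)\n' "$i" "$(nmap_unfiltered_count < "$dir/run$i")"
        i=$((i + 1))
    done
    i=2
    while [ "$i" -le "$runs" ]; do
        nmap_state_diff "$dir/run1" "$dir/run$i" | sed "s/^/run1 vs run$i: /"
        i=$((i + 1))
    done
    rm -rf "$dir"
}

# Constructed grepable output modelled on the first two runs in the post
# (192.0.2.2 is a documentation address, not a real host).
sample_run1() {
    printf '%s\n' '# Nmap 7.40 scan initiated as: nmap -p 1000-1040 -oG - pt02'
    printf 'Host: 192.0.2.2 (pt02)\tPorts: 1000/open/tcp//cadlock///, 1001/open/tcp//webpush///, 1002/closed/tcp//windows-icfw///, 1003/closed/tcp/////, 1004/closed/tcp/////\tIgnored State: filtered (36)\n'
}
sample_run2() {
    printf 'Host: 192.0.2.2 (pt02)\tPorts: 1000/open/tcp//cadlock///, 1004/closed/tcp/////\tIgnored State: filtered (39)\n'
}

# Usage: sh nmap-consistency.sh <target> <port-spec> [runs]
# With no arguments, diff the two constructed samples instead.
if [ "$#" -ge 2 ]; then
    nmap_consistency_check "$@"
else
    d=$(mktemp -d)
    sample_run1 | nmap_port_states > "$d/a"
    sample_run2 | nmap_port_states > "$d/b"
    nmap_state_diff "$d/a" "$d/b"
    rm -rf "$d"
fi
```

Run without arguments it diffs the two constructed samples and reports 1001, 1002 and 1003 as present in the first run and absent from the second; run as `sh nmap-consistency.sh pt02 1000-1040 8` it performs eight consecutive live scans and prints, per run, the unfiltered-port count and every port whose state moved relative to run 1. Diffing against a baseline rather than counting alone matters because, as the post shows, a later run can report the same number of unfiltered ports while listing a different set of them.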

