Security Basics mailing list archives

Re: Filtered v. Closed v. Open


From: alias () securityfocus com
Date: Mon, 22 Sep 2003 14:39:18 +0300

On Friday 19 September 2003 21:46, Jonathan Sanders wrote:

> What is the difference between a filtered port and an open port?

I assume you use Nmap. In this context, a port is registered as closed when 
there is no process running that listens for connections to that port. 
Normally you receive a RST as a response. On the other hand, you have a port 
reported as filtered when a firewall blocks packets and (typically) drops 
them ( -j DROP). Then no response comes back. Note that with a filtered port, 
it is unknown to you whether it is open or closed.

> When doing a port scan using nmap, I had several come back
> saying 25/tcp was an open port, but after checking, the supposed host
> did NOT have SMTP service running.

How did you check? It is possible for a process other than a mail server to 
run at port 25/tcp. Did you try -sV at the command line? It works miracles 
from Nmap 3.40 onwards.

> So 25 being open just means the firewall is allowing that traffic right even 
> though there's no service running on that port?

No. A port is open when it will accept() connections, therefore a process must 
be running and listening on that port. And yes, to see a port as open, the 
firewall must allow access to it.

> Guess my question is still what is the difference
> between filtered, closed and open ports.

A post to nmap-hackers () insecure org or nmap-dev () insecure org would be more 
illuminating (and presumably correct).

> Thanks...
> Jonathan

Anytime
CG
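
The three states described in the reply, as an added example that is not part of the original post and is not Nmap's code: a full connect() is classified as open, closed (RST) or filtered (no response), and the first bytes from an open port are read to show that a listener on a port need not be a mail server. The function names and the loopback test listener are constructed for illustration, and treating an ICMP unreachable error as filtered goes one step beyond the DROP case in the text.

```python
import errno
import socket
import threading

def classify_port(host, port, timeout=1.0):
    """Classify a TCP port by attempting a full connect()."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return "open"          # handshake completed: a process is listening
    except ConnectionRefusedError:
        return "closed"        # RST came back: reachable, nothing listening
    except socket.timeout:
        return "filtered"      # packets dropped, no response at all
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # ICMP unreachable, typically sent by a filter
        raise

def first_banner_line(host, port, timeout=1.0):
    """Return what the listener sends first; an SMTP server greets with '220 ...'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""

def demo():
    """Constructed loopback listener that is not a mail server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port chosen by the OS
    srv.listen(5)
    port = srv.getsockname()[1]
    def serve():                         # answer exactly one connection
        conn, _addr = srv.accept()
        conn.sendall(b"hello, not a mail server\r\n")
        conn.close()
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    banner = first_banner_line("127.0.0.1", port)
    t.join()
    while_listening = classify_port("127.0.0.1", port)
    srv.close()                          # the listening process goes away
    after_close = classify_port("127.0.0.1", port)
    return while_listening, banner, after_close

if __name__ == "__main__":
    print(demo())
```

A "filtered" result only appears when something between you and the target drops the packets, so it does not show up in the loopback demo.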
