NMAP Port Scanning States

NMAP Security

NMAP (Network Mapper) is a great tool for scanning your network to identify active hosts and the open/available services they expose. NMAP provides quite a granular output for port states, six in fact, rather than just open and closed.

I’ll give a brief overview of the three main ones you’ll come across: open, closed and filtered. The other three (unfiltered, open|filtered and closed|filtered) I’ve not covered here, but you can find out more at: https://wiki.onap.org/display/DW/Nmap

Main Three States

So let’s start with the three main states you might see when port scanning.

Open – An application/service on the host is actively accepting TCP or UDP connections on this port and responding to the clients that connect to it.

Closed – A closed port, unlike its name would suggest, actually receives and responds to NMAP’s probes; however, unlike the “open” state, there is no application listening on it. What it really tells you is that there is no firewall blocking this particular port between the host performing the scan and the host being scanned.

Filtered – The filtered state means that NMAP can’t tell whether the port on the scanned host is open or closed, because some sort of filtering (i.e. a firewall) is preventing the probes from reaching the host’s ports.

Although it might seem odd, having a host respond with only “open” or “filtered” is actually a better state of affairs than “open” and “closed”. The latter implies that the host is wholly reachable from the host scanning it and it is only that no application is listening to answer; “filtered”, on the other hand, means there is something in the way of the connection, i.e. a firewall.

With respect to the “filtered” state, the firewall might be a perimeter firewall, a host-local firewall, or both; it could even be your own firewall on the scanning side that is causing the “filtered” state.
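To make the three states concrete, here is an added example (my own code, not part of the original post) that classifies a TCP port the way a plain connect probe sees it: a completed handshake is “open”, a refused connection (the host answers with a RST) is “closed”, and no answer before the timeout is “filtered”. This mirrors what NMAP’s TCP connect scan observes; the demo function sets up one listening and one free port on 127.0.0.1 so it runs offline, and those ports are constructed for the demo rather than taken from the post.

```python
import errno
import socket
from contextlib import closing

# Added example, not the post's code. Classifies a TCP port into the three main
# NMAP states using a plain connect() probe:
#   handshake completes          -> "open"     (something is listening)
#   host answers with a RST      -> "closed"   (host reachable, nothing listening)
#   no answer before the timeout -> "filtered" (a firewall dropped the probe)


def classify_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' or 'filtered' for host:port (TCP connect probe)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except socket.timeout:
            # The SYN went out and nothing came back: a filter sits between
            # the scanner and the host (or the host itself drops the probe).
            return "filtered"
        except ConnectionRefusedError:
            # The host replied with a RST: reachable, but no listener here.
            return "closed"
        except OSError as exc:
            # No route / host unreachable: the probe never got an answer
            # either, which NMAP also reports as filtered.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise
        return "open"


def demo_on_loopback() -> tuple:
    """Constructed demo: returns (state of a listening port, state of a free port)
    on 127.0.0.1. Expected result is ("open", "closed")."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # the OS picks a free port for us
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Grab and release a second free port so that connecting to it is refused.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        return (
            classify_tcp_port("127.0.0.1", open_port),
            classify_tcp_port("127.0.0.1", closed_port),
        )
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_on_loopback())  # ("open", "closed")
```

The loopback demo cannot produce “filtered”, because nothing on 127.0.0.1 silently drops packets; you would see that branch when probing a port that a host or perimeter firewall drops, which is exactly the “Not shown: 98 filtered ports” line in the scan later in this post.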

Example

Let’s have a look at a quick example. This NMAP command runs a fast scan (-F) of the most common ports on www.bbc.co.uk; as you can see, two ports are “open”, which is expected for a web server. You can also see 98 filtered ports, i.e. firewalled ports that NMAP also checked as part of its common-ports scan.

$ nmap -F www.bbc.co.uk
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-21 17:44 BST
Nmap scan report for www.bbc.co.uk (212.58.237.253)
Host is up (0.0075s latency).
Other addresses for www.bbc.co.uk (not scanned): 212.58.233.253
Not shown: 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds

Conclusion

If you are designing controls to block unneeded traffic, then ensuring you have “defence in depth” is key. For example, if you have a web server with TCP/80 (HTTP) and TCP/443 (HTTPS) open, then you should have a host-local firewall that blocks all other inbound (to the host) traffic apart from these two ports. Then, in front of that, a perimeter firewall between that host and the Internet with again only those two ports open; that way you ensure multiple layers of defence between the untrusted network(s) and your trusted host. If an administrator were to enable a service, e.g. SSH, on the web server, it would be blocked by both the host-local firewall and the perimeter firewall unless you explicitly allowed it.
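One way to turn this into a repeatable check is to parse NMAP’s normal output and compare it against the allow-list you designed (here TCP/80 and TCP/443). The example below is added here and is not part of the original post: it takes the scan output shown above as sample input, flags any open port outside the allow-list, and also flags “closed” ports, since a closed port means the scanner is reaching the host with nothing dropping probes in between. The second sample, with SSH open and ports reported closed, is constructed to show what a missing firewall layer looks like.

```python
import re

# Added example, not the post's code. Sample input is the scan output from the
# post; WEAK_SAMPLE is a constructed "what a missing firewall layer looks like"
# case, not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2022-09-21 17:44 BST
Nmap scan report for www.bbc.co.uk (212.58.237.253)
Host is up (0.0075s latency).
Other addresses for www.bbc.co.uk (not scanned): 212.58.233.253
Not shown: 98 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 3.30 seconds
"""

WEAK_SAMPLE = """\
Nmap scan report for web.example.invalid (192.0.2.10)
Not shown: 97 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (.*)$")


def parse_nmap_output(text: str):
    """Return (ports, not_shown): ports is a list of (port, proto, state, service)
    tuples for every explicitly listed port; not_shown maps a state name to the
    number of ports NMAP summarised under 'Not shown:'."""
    ports, not_shown = [], {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = NOT_SHOWN.match(line)
        if m:
            # NMAP may summarise more than one state, e.g. "996 closed ports, 2 filtered ports".
            for count, state in re.findall(r"(\d+) (\w+) ports?", m.group(1)):
                not_shown[state] = int(count)
    return ports, not_shown


def exposure_findings(text: str, allowed: set) -> list:
    """Compare a scan against the allow-list of (port, proto) pairs that should be
    reachable. Anything open outside the list is a finding; so is any 'closed'
    port, because closed means nothing is filtering traffic to that host."""
    ports, not_shown = parse_nmap_output(text)
    findings = []
    for port, proto, state, service in ports:
        if state == "open" and (port, proto) not in allowed:
            findings.append(f"unexpected open port {port}/{proto} ({service})")
        elif state == "closed":
            findings.append(f"{port}/{proto} is closed, not filtered: no firewall in front of it")
    if "closed" in not_shown:
        findings.append(
            f"{not_shown['closed']} ports reported closed rather than filtered: "
            "the scanner reaches the host directly, no layer is dropping probes"
        )
    return findings


if __name__ == "__main__":
    allow = {(80, "tcp"), (443, "tcp")}
    print("bbc sample:", exposure_findings(SAMPLE_NMAP_OUTPUT, allow))   # []
    print("weak sample:", exposure_findings(WEAK_SAMPLE, allow))
```

Run this against a scan from outside the perimeter and again from inside it (between the perimeter firewall and the host): both should come back clean, which is the practical test that each layer blocks the unneeded traffic on its own.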
