This largely depends on the used scan, and the. The Nmap scan types page explains the status of the port and the reasons per scan.
Some examples:
TCP SYN Scan (-sS)
- Sends a TCP packet with SYN flag set
- If a SYN/ACK (or SYN) is received --> Port is Open, TCP initiation accepted
- If a RST is received --> Port is closed
- If no response is received --> Port is considered filtered
- If an ICMP Unreachable is received --> Port is considered filtered
UDP Scans (-sU)
- Nmap sends a UDP Packet to the specified ports
- If an ICMP Port Unreachable comes back --> Port is closed
- Other ICMP Unreachable errors --> Port is filtered
- Server responds with UDP packet --> Port is opened
- No response after retransmission --> Port is Open|Filtered
And a counter example that could produce different results than -sS:
TCP ACK Scan (-sA)
This scan never determines OPEN or OPEN|Filtered:
- A packet is sent with only the ACK flag
- If a System is unfiltered, Open and Closed ports will both return RST flagged packets
- Ports that don't respond, or send ICMP Errors, are labeled Filtered.
Basically, your results will be influenced by the scan types and extra options you add. It is important to understand how the different Nmap scan types work at a higher level in order to perform a good and conclusive scan.
Multiple options might be required to get a proper view of your firewall rules.
Also, the --reason option might give you more insights as to why a port is being shown differently than you expect.
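As an added example (not part of the original answer), the script below lines up the per-port states and --reason values from a -sS and a -sA scan of the same host and states what each combination means under the rules listed above, which is useful when checking your own firewall rules. The sample scan output is constructed, and the function names `parse` and `compare` are assumptions of this example.

```python
import re

# Constructed sample output (not from a real scan) in Nmap's normal
# output format with --reason, for one host scanned with -sS and -sA.
SYN_SCAN = """\
PORT     STATE    SERVICE REASON
22/tcp   open     ssh     syn-ack ttl 64
25/tcp   filtered smtp    no-response
80/tcp   closed   http    reset ttl 64
443/tcp  filtered https   admin-prohibited ttl 64
"""
ACK_SCAN = """\
PORT     STATE      SERVICE REASON
22/tcp   unfiltered ssh     reset ttl 64
25/tcp   unfiltered smtp    reset ttl 64
80/tcp   filtered   http    no-response
443/tcp  filtered   https   admin-prohibited ttl 64
"""

LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse(text):
    """Return {port: (state, reason)} from the port table lines."""
    ports = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # the header line and blank lines do not match
            ports[int(m.group(1))] = (m.group(3), m.group(5))
    return ports

def compare(syn_text, ack_text):
    """Combine the -sS and -sA view of each port into one reading."""
    syn, ack = parse(syn_text), parse(ack_text)
    report = {}
    for port in sorted(syn.keys() & ack.keys()):
        s, a = syn[port][0], ack[port][0]
        if s in ("open", "closed") and a == "unfiltered":
            verdict = "both probes reach the host"
        elif s == "filtered" and a == "unfiltered":
            verdict = "SYN dropped, bare ACK reaches the host"
        elif s in ("open", "closed") and a == "filtered":
            verdict = "SYN reaches the host, bare ACK dropped"
        elif s == "filtered" and a == "filtered":
            verdict = "both probes dropped or rejected"
        else:
            verdict = "unclassified"
        report[port] = (s, syn[port][1], a, ack[port][1], verdict)
    return report
```

A port where the SYN is answered but the bare ACK is dropped is what a connection-tracking firewall typically produces, while the opposite pattern points at a rule that only matches the SYN flag; both readings are interpretations, not something Nmap reports itself.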