Filtered vs Closed Port in Nmap: What's the Difference

Nmap port "filtered" vs "closed": what each state means (RST, dropped packets, or ICMP unreachable), checked in 4 steps.

Problem

A port scan reports filtered instead of the open or closed you expected, and it is not obvious whether the service is down, blocked, or simply unreachable.

Symptoms

  • A port check lists filtered (or open|filtered) rather than a definite state.
  • The scan is slow and stalls on certain ports while others answer instantly.
  • A service you know is running shows up as filtered from the outside.
  • Results differ depending on where you scan from.

The Difference

The states come from how the host responds, not from whether a service exists:

  1. closed - The host is reachable and its TCP stack actively refuses. A SYN gets a RST (reset) back, as RFC 9293 (formerly RFC 793) requires for unexpected connections. Reachable, just nothing listening.
  2. filtered - Something between you and the host drops the probe. Nmap gets no reply after several retransmissions, or an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13). A firewall or ACL is silently eating packets, so Nmap cannot tell open from closed.
  3. open - A SYN gets a SYN/ACK. A service is listening and completing the handshake.

The short version: closed is a clear “no” from the host. Filtered is “no answer,” courtesy of a packet filter in the middle.
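
The same three-way distinction can be reproduced with an ordinary TCP connect() instead of Nmap's raw SYN probe. This is an added example, not code from the original guide or from Nmap; the names `classify` and `probe`, the timeout and the retry count are assumptions. It sees only the errno the operating system reports, not the raw ICMP code that Nmap inspects.

```python
import errno
import socket

# errno values the OS typically raises when an ICMP unreachable answers our SYN
# (assumption: Linux-style mapping; the raw ICMP type/code is not visible here).
UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify(err):
    """Map one connect() outcome (None, "timeout" or an errno) to a port state."""
    if err is None:
        return "open"        # handshake completed: SYN answered with SYN/ACK
    if err == errno.ECONNREFUSED:
        return "closed"      # host reachable, its TCP stack sent a RST
    if err == "timeout" or err in UNREACHABLE:
        return "filtered"    # probe dropped, or an ICMP unreachable came back
    return "unknown"         # some other local error, not a statement about the port


def probe(host, port, timeout=2.0, retries=2):
    """Try a TCP connect; only repeated silence is reported as filtered."""
    for _ in range(retries + 1):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                err = None
        except socket.timeout:
            err = "timeout"  # nothing came back within the timeout
        except OSError as exc:
            err = exc.errno
        if err != "timeout":
            return classify(err)  # definite answer, no retry needed
    return classify("timeout")


if __name__ == "__main__":
    # Constructed demo: a loopback listener, probed while up and after it closes.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, probe("127.0.0.1", port))  # open
    srv.close()
    print(port, probe("127.0.0.1", port))  # closed
```

A filtered result takes roughly `timeout * (retries + 1)` seconds to return, which is the same stall the Symptoms section describes for slow ports.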

Diagnose with DechoNet

  • Port Check to see whether the port answers, refuses, or goes silent from an external vantage point.
  • IP Lookup to confirm you are scanning the IP you think you are, not a CDN edge or load balancer in front of the origin.
  • DNS Lookup to verify the hostname resolves to the host you intend to reach before reading anything into a port state.

Resolution Checklist

  • Confirm the target IP first. A filtered result against a CDN or proxy IP tells you nothing about the origin behind it.
  • If filtered: assume a firewall or security group is dropping traffic, and check inbound rules for that port and source.
  • If closed: the path is fine and nothing is listening - start or bind the service, then re-scan.
  • Scan from a second network. Filtered from one source but open from another points to source-based firewall rules.
  • Re-run the port check after each change and watch whether the state flips from filtered to open or closed.

When to Escalate

  • Escalate to the network or cloud team if filtered persists and you cannot see the firewall, security group, or ACL doing the dropping.
  • Escalate if scanning a host you do not own or have no authorization to test - port scanning without permission can violate policy or law.
