Subject: Re: nmap results
To: Philip Brodd <pbrodd@blue.weeg.uiowa.edu>
From: Laine Stump <lainestump@rcn.com>
List: netbsd-help
Date: 04/18/2000 16:17:47

If you're running nmap from another machine somewhere out on the Internet
(as opposed to another machine on the same subnet as the machine under
test) it's possible that your Internet connection is being filtered by your
provider. I've heard of several cable modem and DSL providers filtering
netbios-* to protect the unwashed Windows masses from sharing their
hard disk out to the world (I also know of a university that blocks *all*
incoming traffic to the ethernets in its dorm rooms).

If this is the case, you'll get the same response when you run nmap again,
even if you add more rules to ipfilter, since the filtering is happening
before it ever gets to you.

At 02:50 PM 4/18/00 -0500, Philip Brodd wrote:
>I ran an nmap scan on my mac68k 1.4.2 machine and got these strange
>results (the actual command was nmap -v -O):
>
>---
>Interesting ports on kenny:
>Port    State       Protocol  Service
>22      open        tcp        ssh
>137     filtered    tcp        netbios-ns
>138     filtered    tcp        netbios-dgm
>139     filtered    tcp        netbios-ssn
>1080    filtered    tcp        socks
>
>TCP Sequence Prediction: Class=random positive increments
>                         Difficulty=8440526 (Good luck!)
>
>Sequence numbers: 2AD9680C 2BDC5435 2C6F6484 2D501BA2 2F60EE5A 309434CA
>Remote operating system guess: NetBSD 1.3I (after 19990119) or 1.3.4
>---
>
>I say strange because I'm not running Samba (which I assume uses those
>netbios-* services), and I'm not altogether sure what socks is.  Port 22
>is the only one I expected to see in the results; netstat -an shows
>nothing on ports 137-9 and 1080.
>
>Is this just a quirk of nmap?  If not, how do I close off these ports?
>
>Thanks.
>
>Phil Brodd
>
>
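Added example, not part of the original thread: a small Python check that cross-references the quoted nmap port table with the host's own listening sockets, so that "filtered" ports with nothing bound to them are reported as dropped on the path rather than as local services. The `netstat -an` sample is constructed to match what the original poster describes, and the function names are hypothetical.

```python
import re

# Port table copied from the quoted nmap report.
NMAP_REPORT = """\
Port    State       Protocol  Service
22      open        tcp        ssh
137     filtered    tcp        netbios-ns
138     filtered    tcp        netbios-dgm
139     filtered    tcp        netbios-ssn
1080    filtered    tcp        socks
"""
# Constructed `netstat -an` sample for the scanned host (not from the thread).
NETSTAT_AN = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0      0  *.22                   *.*                    LISTEN
udp        0      0  *.514                  *.*
"""

def parse_nmap(report):
    """Return {port: state} from the nmap port table."""
    rows = re.findall(r"^(\d+)[ \t]+(\S+)[ \t]+(?:tcp|udp)[ \t]+\S+", report, re.M)
    return {int(port): state for port, state in rows}

def tcp_listeners(netstat):
    """Return the set of TCP ports in LISTEN state (BSD 'addr.port' format)."""
    listening = set()
    for line in netstat.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            listening.add(int(f[3].rsplit(".", 1)[1]))
    return listening

def classify(report, netstat):
    listening = tcp_listeners(netstat)
    out = {}
    for port, state in parse_nmap(report).items():
        if state == "filtered" and port not in listening:
            # Nothing is bound here: a packet filter on the path dropped the probe.
            out[port] = "filtered on path, no local service"
        elif state == "open" and port in listening:
            out[port] = "local service reachable"
        else:
            out[port] = "scan and netstat disagree"
    return out

if __name__ == "__main__":
    print(classify(NMAP_REPORT, NETSTAT_AN))
```

This comparison cannot say which filter dropped the probes. Repeating the scan from a machine on the same subnet as the host under test separates a local ipfilter rule from filtering done by the provider.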