Subject: Re: ports in use
To: Erik Huizing <huizing@cpsc.ucalgary.ca>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 12/22/2000 12:28:26

On Thu, Dec 21, 2000 at 11:16:58PM -0700, Erik Huizing wrote:
> I've nmap'd my machine from an external source, and come up with some odd
> results I didn't expect:
> 1080/tcp filtered socks
> 31337/tcp filtered Elite
>
> I ran the same test on another machine I run at a different location, and
> these didn't come up. The ports aren't open when I run # nmap localhost
> however.
>
> I've also tried blocking 31337 in my ipf, but to no avail:
> block in log quick proto tcp from any to any port = 31337
>
> when I run ipmon and ipfstat, no hits show up to 31337, but it's still
> reported as being open from the outside.
'filtered' doesn't mean the port is open, it means there's a partial
firewall in front of your host. Are you on a cablemodem or DSL?
31337 is for 'Back Orifice', so it makes sense your ISP might choose
to filter it. (Separate discussion about whether you have a 'real'
Internet connection if your ISP filters things without asking....)
1080 is socks, a proxy service, so your ISP is trying to prevent
mis-configured socks servers being relayed through.
From the nmap man page:

    The state is either 'open', 'filtered', or 'unfiltered'. Open
    means that the target machine will accept() connections on that
    port. Filtered means that a firewall, filter, or other network
    obstacle is covering the port and preventing nmap from
    determining whether the port is open. Unfiltered means that the
    port is known by nmap to be closed and no firewall/filter seems
    to be interfering with nmap's attempts to determine this.
    Unfiltered ports are the common case and are only shown when
    most of the scanned ports are in the filtered state.

--
David Maxwell, david@vex.net|david@maxwell.net -->
All this stuff in twice the space would only look half as bad!
- me
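
An added example, not part of the original message and not nmap's code: a plain TCP connect() check that maps each outcome to the three state names in the man page text quoted above, useful for confirming from a second vantage point whether a port on your own host is filtered upstream or actually listening. It assumes an ordinary connect() probe rather than nmap's raw-packet scans; `classify` and `probe` are hypothetical names.

```python
import errno
import socket

def classify(err):
    """Map a connect() outcome to the man page's state names.

    err is None when the handshake completed, otherwise the OSError raised.
    """
    if err is None:
        return "open"          # something accept()ed the connection
    if isinstance(err, ConnectionRefusedError):
        return "unfiltered"    # RST came back: port is reachable but closed
    if isinstance(err, socket.timeout) or err.errno in (
            errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"      # silence or ICMP unreachable: dropped in the path
    return "unknown"           # local error, e.g. permission denied

def probe(host, port, timeout=2.0):
    """Attempt one TCP connection and return the classified state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

if __name__ == "__main__":
    # Constructed demo on loopback only: one listening port, then the same
    # port after the listener is closed.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    print(port, probe("127.0.0.1", port))   # listener present
    srv.close()
    print(port, probe("127.0.0.1", port))   # nothing listening, no filter
```

A port that reports "filtered" from outside but "unfiltered" when probed on the host itself matches the situation in the thread: the drop happens in front of the host, so the host's own ipf log never sees the packets.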