GSecur
Sep 19 2003, 05:42 AM
From a security standpoint is there that much of a difference? Both port states obviously do not allow traffic on the specified port to pass.
Filtered simply sends back a reject response, while a closed port must wait for a timeout.
So, besides a filtered port being a dead giveaway that a firewall is present, does one provide any other significant benefit over the other?
OneNight
Sep 19 2003, 04:03 PM
Yeah, I wondered about it as well. I found some of the replies to be enlightening here: http://www.dslreports.com/forum/remark,7610828
GSecur
Sep 19 2003, 11:56 PM
Thanks bud
SLiM577
Dec 6 2003, 07:24 PM
Interesting dude, I've always wondered about this.
northernsky
Dec 30 2003, 08:51 PM
In my opinion, I never filter, I just close. That way, even if somebody did hack me, it would give the thought that I could be not connected at the moment. If it's refused, then you know the person is alive, then you could try getting back in through your original (or any other) hole.
Maffuster
Jan 12 2004, 07:31 PM
I agree with northernsky. I use the analogy of the cops coming to your place and looking for you. Having a filtered port is like them knocking on the door, and you saying "I'm not here". Having a closed port is like them knocking on the door, and no one answering. With a filtered port, you know there is an active system behind that port.
jubbly
Jan 13 2004, 06:56 PM
Nice analogy, Maffuster.
I prefer port closing, as I think with filtering it just says "come on, try another method", and for true hackers the machine presents more of a challenge to them.
MrK
Oct 26 2004, 11:49 PM
QUOTE(GSecur @ Sep 19 2003, 06:42 AM) Filtered simply sends back a reject response, while a closed port must wait for a timeout.
I am smoking, but surely if a port is closed then a RST will get sent back, rather than a filtered port that will just time out?
SyN/AcK
Oct 27 2004, 01:10 AM
Well, I don't think the question was about the difference in what's sent back, the question was is there a difference from a security standpoint and I think yes there is.
Here is the actual difference:
Closed Port: If you send a SYN to a closed port, it will respond back with a RST.
Open Port: If you send a SYN to an open port, you should receive a SYN/ACK.
Filtered Port: The packet is simply dropped and you receive no response (not even a RST).
As far as from a security standpoint, to most hackers, when they see closed they don't think of a firewall, they think the service is just not running. When I see filtered, and it's a port I want to get to, I instantly think, oh, ok, is there some backdoor I can punch thru the firewall? Can I DOS the firewall? Can I remotely administer the firewall?
Showing a closed doesn't really alert an attacker to anything, however, there is the advantage that by filtering, you just totally ignore the traffic, whereas in a closed port, you actually have to go thru sending out a RST... I would imagine that this could be leveraged in a DOS attack.
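The three outcomes listed in the post above can be observed from the client side with an ordinary TCP connect against a host you administer. This is an added example, not code from the thread; the names `classify`, `probe` and `loopback_demo` and the 2-second timeout are assumptions, and the loopback check is constructed so it runs offline.

```python
import errno
import socket

def classify(exc):
    """Map the result of connect() (None on success, else the exception) to a state."""
    if exc is None:
        return "open"        # SYN answered with SYN/ACK
    if isinstance(exc, ConnectionRefusedError):
        return "closed"      # SYN answered with RST
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"    # SYN dropped, no reply at all
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"    # ICMP unreachable returned by a filtering device
    return "unknown"

def probe(host, port, timeout=2.0):
    """Attempt one TCP connect to a host you administer and classify the outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as exc:
            return classify(exc)
    return classify(None)

def loopback_demo():
    """Constructed check on 127.0.0.1: a listening port, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe("127.0.0.1", port)
    listener.close()
    after_close = probe("127.0.0.1", port)
    return while_open, after_close

if __name__ == "__main__":
    print(loopback_demo())
```

A "filtered" result costs the full timeout per port, while "closed" returns as soon as the RST arrives, which is the timing difference the thread is arguing about.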
MrK
Oct 27 2004, 10:57 AM
QUOTE(SyN/AcK @ Oct 27 2004, 02:10 AM) Well, I don't think the question was about the difference in what's sent back, the question was is there a difference from a security standpoint and I think yes there is.
(I agree with you 100%, was just concerned that the definitions being the wrong way round might confuse n00bs. If it times out, it's filtered, not closed.)
Personally I'd go for filtered every time. If a box doesn't have any public services on it then the lack of any response to an unknown address means a potential attacker doesn't even know the target is there for certain (assuming ICMP is filtered, too). And if someone decides to port scan the range anyway, it's going to take a long time.
I take your point that filtered can indicate that there is a firewall, especially if a mix of closed and filtered comes back, but the network architecture doesn't always lend itself to discovering that a firewall exists in this way. Port unreachables and the like can be too useful for an attacker, I'd encourage ppl to run p0f (v2) and try the 'fingerprint whatever told me to go away' mode if they don't believe me.
tolf
Dec 14 2004, 12:30 AM
Filtered generally means that an ACL is applied, i.e. as people previously mentioned a firewall, or in the case of a Cisco router an ACL has been applied to its VTY for management purposes.
A good point to note is that commonly you will see an open port that has no service running behind it (after testing) if behind a firewall. Use this port (i.e. install a listener on this port) as it has been a misconfiguration by the FW admin.
Digital_Spirit
Dec 18 2004, 06:14 AM
I enjoy making security clones. For instance, I will code a little prog in C that looks just like a DOS shell. After which, I will use nc -l -e myprogram.exe -p 31337. Keep in mind that this is just a few printf statements so no harm can come of it. What the user on the other end doesn't realize is that their IP along with every last string they type is being stored in a database. After the user disconnects, the program will block their IP from connecting again. Open ports can be just as good as closed or filtered.
tolf
Dec 24 2004, 12:42 AM
QUOTE(Digital_Spirit @ Dec 18 2004, 06:14 AM) I enjoy making security clones. For instance, I will code a little prog in C that looks just like a DOS shell. After which, I will use nc -l -e myprogram.exe -p 31337. Keep in mind that this is just a few printf statements so no harm can come of it. What the user on the other end doesn't realize is that their IP along with every last string they type is being stored in a database. After the user disconnects, the program will block their IP from connecting again. Open ports can be just as good as closed or filtered.
You wanna post the code? Interesting philosophy.
Terminal
Dec 24 2004, 05:55 AM
I read about a tool on securiteam or somewhere, I don't remember. It replies to port scans on all ports and so the scanners show all ports open and sometimes even the scanner crashes as it gets so many replies from all ports (they showed screenshots).
Didn't remember the name, lemme search.
Terminal
Dec 24 2004, 05:58 AM
QUOTE(vicky @ Dec 24 2004, 11:25 AM) I read about a tool on securiteam or somewhere, I don't remember. It replies to port scans on all ports and so the scanners show all ports open and sometimes even the scanner crashes as it gets so many replies from all ports (they showed screenshots). Didn't remember the name, lemme search.
Here it is: http://www.securiteam.com/tools/5HP0K0KD6E.html