LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-08-2006, 01:32 PM   #1
PostPCMan
LQ Newbie
 
Registered: Jul 2004
Posts: 19

Rep: Reputation: 0
What is my firewall doing?


I'm trying to connect to an application that requires a few unusual ports (galleon / TiVo) and, for some reason, they seem to be blocked. I am running Ubuntu 6.06, desktop version, and I never intentionally configured a firewall (since I've got a netscreen between my linux box and the world).

Here's what I don't understand. The firewall seems to be passing everything through:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
but nmap shows that some ports are closed and/or filtered. When I run it while the server application is running, I get:

sudo nmap -sU -sT -p "T:1099,T:7288,U:5353,T:1527,U:2190,T:8081" localhost

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-08-08 10:37 PDT
Interesting ports on localhost (127.0.0.1):
PORT STATE SERVICE
1099/tcp open unknown
1527/tcp open tlisrv
2190/udp open|filtered unknown
5353/udp open|filtered unknown
7288/tcp closed unknown
8081/tcp closed blackice-icecap

If I run it with the server application stopped, I get:
Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-08-08 10:57 PDT
Interesting ports on aparicio (192.168.198.211):
PORT STATE SERVICE
1099/tcp closed unknown
1527/tcp closed tlisrv
2190/udp closed unknown
5353/udp closed unknown
7288/tcp closed unknown
8081/tcp closed blackice-icecap

Nmap finished: 1 IP address (1 host up) scanned in 0.188 seconds
What is happening? And what is blackice-icecap? Neither synaptic nor "man -k blackice" turns up anything. What about tlisrv?

I'm running nmap on the machine being tested, and either "localhost" or the external IP address gives the same results.

Thanks for the help.
 
Old 08-09-2006, 02:02 PM   #2
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
To see what is running that is using port 1527 you should issue this command: "netstat -pant". This will list all open connections and all ports that are opened, and what program is actually using each connection or port.

Also, when it lists "blackice-icecap" for port 8081, it is only listing that because that is what is commonly used on port 8081. It's closed anyway, so it doesn't really matter. No program is taking up 8081. Same goes for tlisrv. Use netstat to see what it really is.
 
Old 08-09-2006, 08:27 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
nmap shows that some ports are closed and/or filtered.
The reason some ports show up as open|filtered is because they are UDP ports. If a UDP port is open, then a probe packet to that port will simply be accepted and no reply will be sent (that is how UDP works). If the UDP port is closed, then an ICMP message is sent in reply, so the scanner actually gets back a reply. The difficulty is that if a system's firewall is configured to drop packets to that port, then no reply is sent back either. So the scanner has no way to distinguish between an open port and a filtered port, as they are simply judged by a lack of a response to the probe packet. See the nmap man page section on UDP scanning for more details.

Quote:
I'm running nmap on the machine being tested, and either "localhost" or the external IP address gives the same results.
Note that "scanning yourself" can give you weird results (especially with UDP scans) and can give you an incorrect picture of your firewall security. Ideally you would want to scan from a separate system inside and outside of the LAN.

Also note that your firewall is effectively off (it is set to accept everything) so everything you are seeing is the scan interacting with the applications or network stack.

Last edited by Capt_Caveman; 08-09-2006 at 08:29 PM.
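Capt_Caveman's explanation of why UDP ports come back as open|filtered, shown as an added Python example that is not part of the thread. It sends one datagram per port on loopback and classifies the result the way a UDP scanner such as nmap -sU must; the names probe_udp, bind_udp and scan_demo are mine, and it relies on Linux reporting the ICMP port-unreachable for a closed UDP port as ECONNREFUSED on a connected UDP socket.

```python
import socket
import threading

HOST = "127.0.0.1"  # loopback only, reproducing the thread's self-scan

def probe_udp(port, host=HOST, timeout=1.0):
    """Send one UDP datagram and classify the outcome the way a UDP scanner must:
    ICMP port-unreachable (ECONNREFUSED on a connected UDP socket) means closed,
    a reply means open, and silence is 'open|filtered' because an open service
    that ignores the probe and a firewall that drops it look identical."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))  # connect() so the kernel reports ICMP errors here
        s.send(b"probe")
        s.recv(64)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()

def bind_udp(reply):
    """Bind an ephemeral loopback UDP port; echo the first datagram if reply=True,
    otherwise stay silent, as the thread's UDP ports 2190 and 5353 did."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((HOST, 0))
    if reply:
        def serve():
            try:
                data, peer = s.recvfrom(64)
                s.sendto(data, peer)
            except OSError:
                pass  # caller closed the socket before a probe arrived
        threading.Thread(target=serve, daemon=True).start()
    return s

def scan_demo():
    """Probe the three situations nmap can meet: answering, silent, and closed."""
    results = {}
    echo = bind_udp(reply=True)
    results["echo"] = probe_udp(echo.getsockname()[1])
    echo.close()
    silent = bind_udp(reply=False)
    port = silent.getsockname()[1]
    results["silent"] = probe_udp(port)
    silent.close()  # nothing bound now, so the kernel answers with ICMP unreachable
    results["closed"] = probe_udp(port)
    return results
```

The silent listener and a firewall DROP rule would both produce the same "open|filtered" verdict, which is exactly why the thread's iptables output (policy ACCEPT everywhere) was needed to rule the firewall out.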
 