Filtered vs Blocked Ports: Explained

G5 Cyber Security

1 month ago

TL;DR

Filtered ports mean a firewall is actively examining traffic and deciding whether to allow it based on rules. Blocked ports mean the firewall simply drops all traffic, without inspection.

Understanding Ports

Think of ports as doors on your computer. Each application (like web browsing or email) uses a specific door (port number) to communicate over the internet. Ports are numbered from 0 to 65535.

1. Blocked Ports

What they do: A blocked port is completely shut down. Any attempt to connect to that port will be ignored by your firewall. It’s like a door welded shut – no one gets through.
How it works: The firewall has a rule explicitly stating to drop all incoming and/or outgoing traffic on that port.
Detection: When you try to connect, you usually get an error message like ‘Connection refused’ or the connection times out.
Example (using iptables on Linux):
```
sudo iptables -A INPUT --dport 25 -j DROP
```
This command blocks all incoming traffic on port 25 (commonly used for SMTP email).

2. Filtered Ports

What they do: A filtered port means the firewall is actively looking at the connection request. It’s like a door with a security guard checking IDs before letting anyone in.
How it works: The firewall doesn’t immediately reject or accept traffic. It evaluates rules based on source IP address, destination IP address, protocol (TCP/UDP), and other factors. If no rule matches, the packet is often dropped silently.
Detection: When you scan a filtered port, tools like nmap will report ‘filtered’. This doesn’t mean it’s blocked; it just means the firewall is interfering with the connection attempt.
Example (using iptables on Linux):
```
sudo iptables -A INPUT --dport 80 -j REJECT
```
This command rejects incoming traffic on port 80 (commonly used for HTTP web traffic). While this *acts* like a block, the ‘REJECT’ action sends an ICMP message back to the sender. Using ‘-j DROP’ would filter more silently.

3. Key Differences Summarised

Feature	Blocked Port	Filtered Port
Firewall Action	Drops all traffic immediately.	Examines traffic based on rules; may drop or allow.
Connection Attempt Result	‘Connection refused’, timeout.	‘Filtered’ (as reported by scanning tools).
Inspection	No inspection.	Traffic is inspected.

4. Why does it matter?

cyber security: Filtering allows for more granular control, enabling you to allow legitimate traffic while blocking malicious attempts.
Troubleshooting: Knowing whether a port is blocked or filtered helps diagnose network issues. A ‘filtered’ port suggests a firewall rule is the cause, whereas a ‘blocked’ port might indicate a misconfiguration.