Skip to content

On a firewall, would you rather a port be filtered or closed?

Short answer

Filtered. A filtered port silently drops the packet, so the scanner gets no response and must wait for a timeout — it learns nothing about whether the host even exists, and scanning is slowed dramatically. A closed port sends back a TCP RST, which confirms the host is alive and responding, handing the attacker reconnaissance value for free.

The instinct that "closed sounds safer than filtered" is the trap. Both block the connection, so candidates assume they are equivalent — but they leak very different amounts of information.

What each state tells an attacker

  • Closed: the host received the SYN and replied with a TCP RST. The service is not listening, but the host is provably alive and reachable. The scanner gets an instant, definitive answer.
  • Filtered: a firewall silently drops the packet. The scanner gets nothing back and must wait out a timeout before retrying, then still cannot tell whether the port is closed, the host is down, or a rule is blocking it. That ambiguity is exactly what you want to impose on an attacker.

Why filtered wins

Two reasons. First, information starvation: a drop denies the attacker confirmation that anything is even there, so they cannot cleanly map your attack surface. Second, scan cost: RSTs make scans fast and reliable, whereas drops force the scanner into slow retransmit/timeout cycles, dragging out reconnaissance and making it noisier and easier to detect. This is why a default-drop firewall policy is the standard hardening recommendation.

The honest trade-off

Silent dropping can complicate legitimate troubleshooting and slow your own diagnostics, since failures look identical to a dead host. That is a price worth paying at the perimeter.

What interviewers look for

The choice of filtered plus the reasoning: RST = confirmation and speed for the attacker, drop = no information and slow, costly scanning. Knowing Nmap's open/closed/filtered taxonomy seals it.

Likely follow-ups

  • How does Nmap distinguish open, closed, and filtered ports?
  • What is the downside of a default-drop policy for legitimate troubleshooting?
  • Why does silent dropping slow down a port scan so much?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.