1

I have a scan of my server from outside and from inside; why are the results different?

[root@xxx ~]# nmap -sV -p 0-65535 localhost

Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-16 07:59 MSK
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000015s latency).
rDNS record for 127.0.0.1: localhost.localdomain
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.3 ((CentOS))

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.99 seconds

AND

sh-3.2# nmap -sV -p 0-65535 xxx.com

Starting Nmap 5.51 ( http://nmap.org ) at 2011-02-16 00:01 EST
Warning: Unable to open interface vmnet1 -- skipping it.
Warning: Unable to open interface vmnet8 -- skipping it.
Stats: 0:07:49 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 36.92% done; ETC: 00:22 (0:13:21 remaining)
Stats: 0:22:05 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 00:23 (0:00:02 remaining)
Nmap scan report for xxx.com (x.x.x.x)
Host is up (0.22s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  tcpwrapped
22/tcp   open  ssh         OpenSSH 4.3 (protocol 2.0)
25/tcp   open  tcpwrapped
80/tcp   open  http        Apache httpd 2.2.3 ((CentOS))
110/tcp  open  tcpwrapped
143/tcp  open  tcpwrapped
443/tcp  open  tcpwrapped
8080/tcp open  http-proxy?
aasasas

2 Answers

3

ssh and http have an INADDR_ANY listener, so you can see both on the loopback and extern iface (a netstat -naltp will show you ssh listening on 0.0.0.0:22 and http listening on 0.0.0.0:80).

tcpwrapped and http-proxy listen only on the external iface.

user237419
1

Two things:

  1. This could be due to how your firewall is configured. When you scan localhost, it bypasses firewall rules which apply to real interfaces like eth0, and finds all services which are listening.

  2. It's generally good security practice to set up network services to only listen on specific interfaces. Thus for example http-proxy on port 8080 could be configured to ignore requests on localhost.

Phil Hollenback
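As an added example (not part of either answer), the sketch below classifies LISTEN sockets from `netstat -nalt`-style output by bind address and reports which ports a scan of localhost and a scan of the external address would each reach; it also covers the loopback-only case, which neither scan on this page shows. The sample output, the address 192.0.2.10 and the function names are constructed for illustration, and firewall rules, which the second answer raises, are not modelled.

```python
import ipaddress

# Constructed `netstat -nalt`-style output (not taken from the asker's host).
# 192.0.2.10 is a documentation address standing in for the external IP.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 192.0.2.10:21     0.0.0.0:*         LISTEN
tcp        0      0 192.0.2.10:8080   0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:3306    0.0.0.0:*         LISTEN
tcp        0     52 192.0.2.10:22     198.51.100.7:5122 ESTABLISHED
"""

def parse_listeners(netstat_text):
    """Return (bind_ip, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header, non-TCP line, or an established connection
        host, _, port = fields[3].rpartition(":")  # also splits ":::22" correctly
        listeners.append((ipaddress.ip_address(host), int(port)))
    return listeners

def ports_reachable_at(listeners, target):
    """Ports a scan of `target` can reach, judged by bind address alone."""
    target = ipaddress.ip_address(target)
    ports = set()
    for bind_ip, port in listeners:
        # Dual-stack "::" listeners that also accept IPv4 are not modelled.
        if bind_ip.version != target.version:
            continue
        # A wildcard bind (INADDR_ANY) answers on every local address;
        # a specific bind answers only on that one address.
        if bind_ip.is_unspecified or bind_ip == target:
            ports.add(port)
    return sorted(ports)

def compare_views(netstat_text, external_ip, loopback="127.0.0.1"):
    """Split listening ports by which scan target can see them."""
    listeners = parse_listeners(netstat_text)
    inside = set(ports_reachable_at(listeners, loopback))
    outside = set(ports_reachable_at(listeners, external_ip))
    return {"both": sorted(inside & outside),
            "localhost_only": sorted(inside - outside),
            "external_only": sorted(outside - inside)}

if __name__ == "__main__":
    print(compare_views(SAMPLE_NETSTAT, "192.0.2.10"))
```

Ports listed under `external_only` are the ones a localhost scan misses even though the service is running, so an inventory of exposed services should be taken against each interface address rather than 127.0.0.1 alone.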