Windows AdvFirewall and nmap scans

Question

I come from a Unix background but got the task of configuring a Windows firewall on a public facing server.

I find awkward that any nmap scan I perform against the public IP reports all TCP ports from 1 to 65389 as open regardless of the Windows default rule of not allowing Inbound connections that do not match a rule.

I even got locked out of remote desktop after selecting "Block All Connections" on the Inbound rule of one of the profiles but still nmap shows:

3389/tcp open ms-term-serv

How is this explained

Answer 1

You're scanning the public ip address, which is assigned to the router/firewall, some ports are NAT'ed/forwarded to the server, the rest are not. The server isn't responding to your nmap scan, the router/firewall is, except for those ports that are NAT'ed/forwarded to the server, which will be reported as open, as they should be.

That's why it appears that all ports are open on the server. you need to look at the router/firewall configuration to determine why IT is reporting those ports as open (except for those ports that are NAT'ed/forwarded to the server).

Answer 2

A public VPS, doesn't use a "router/firewall" in front of the server. The answer is missleading. @manthis: if you aren't scanning your server from localhost, but from a remote location - the terminalserver port schouldn't be reachable at all. Please check your firewall for missconfiguration or maltfunction.

You can open a listener on the server: nc -vlp <portnumber>

Try to reach it from external, to check your firewall: telnet <serverip> <portnumber>