Unused ports can be stealthed, but ports can't be open and stealthed. :/ A stealth port simply has the firewall not respond to any probes, and so the source of a scan doesn't receive any TCP or ICMP messages. Effectively this causes the attack to get a timeout exception. So the attacker has to wonder whether or not the host really exists. If they know it exists, and a lot of the time if you are scanning a host you know it exists, then the attacker receives information from open ports, since it is clearly impossible to stealth open ports.

At this point, stealth ports seem somewhat meaningless if you are running a server of some sort, because all you have effectively done is cover up your closed ports, which is useless to an attacker. However, if you incorporate port knocking strategies, you have a very good bet that you and whoever else you tell the secret knock to will be the only ones using your server (unless the attacker hijacks your TCP session etc. etc.). Now I know you can use port knocking with closed ports as well, but the great thing about stealth ports with port knocking is that the attacker doesn't know if his packets went in the order he sent them, since he is not getting any response, so even a brute force isn't guaranteed to open up your ports due to the congestion/packet loss/latency issues that exist in all packet-switched networks. This makes stealth ports much more tactful than closed ports in my opinion.
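The knock-listener side of the setup described above, as an added example that is not part of the original post: it shows how a listener behind silently dropping (stealthed) ports treats in-order, reordered, lost and too-slow knocks. The knock sequence, the timeout and the log events are constructed assumptions.

```python
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical secret knock (assumption)
SEQ_TIMEOUT = 10.0                   # seconds allowed to finish the knock (assumption)

@dataclass
class Progress:
    index: int = 0        # knocks matched so far
    started: float = 0.0  # time of the first matching knock

class KnockTracker:
    """Tracks knock progress per source. It only reads dropped-SYN events and
    never replies, so a sender cannot tell how far its sequence got."""
    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence, self.timeout = tuple(sequence), timeout
        self.state = {}       # source IP -> Progress
        self.allowed = set()  # sources the service port would be opened for

    def observe(self, ts, src, dport):
        """Feed one event; return True only when it completes the sequence."""
        p = self.state.pop(src, None)
        if p is None or ts - p.started > self.timeout:
            p = Progress()                      # no progress yet, or too slow
        if dport != self.sequence[p.index]:
            p = Progress()                      # wrong port: start over
            if dport != self.sequence[0]:
                return False
        if p.index == 0:
            p.started = ts
        p.index += 1
        if p.index == len(self.sequence):
            self.allowed.add(src)
            return True
        self.state[src] = p
        return False

# Constructed firewall-log events: (timestamp, source IP, destination port)
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", 7000), (1.0, "192.0.2.10", 8000), (2.0, "192.0.2.10", 9000),  # in order
    (0.0, "198.51.100.7", 7000), (0.2, "198.51.100.7", 9000), (0.3, "198.51.100.7", 8000),  # reordered
    (0.0, "203.0.113.5", 7000), (0.4, "203.0.113.5", 9000),  # middle knock lost
    (0.0, "192.0.2.20", 7000), (5.0, "192.0.2.20", 8000), (20.0, "192.0.2.20", 9000),  # too slow
]

def replay(events):
    """Run events through a fresh tracker and return the sources it would admit."""
    tracker = KnockTracker()
    for ts, src, dport in events:
        tracker.observe(ts, src, dport)
    return tracker.allowed
```

Only the source whose knocks arrived in order and within the timeout is admitted; the reordered, lossy and slow senders fail with no signal telling them which case they hit.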