Ok, maybe Brian the Braincell is having a bad day but.......

As a result of an NMAP SYN stealth scan, (nmap -sS -P0 -vv -T XXX.XXX.XXX.XXX), against my bosses home PC protected by a Linksys Cable/DSL Router, (BEFSR41) I got some results that got me thinking - which is very dangerous...... . BTW, yes - it was perfectly legal for me to scan the box before someone yells "foul".......

The results came back with a series of ports, mostly Windows ports but one that I would specifically expect to be open, as filtered..... I'll be looking more carefully at the machine tomorrow since the downloader.trojan was found on it...... I scanned a different box I know to have ports open and a linksys protecting it and the results came back as open on the ports expected and lumped together at the top as XXXX closed on the rest. On a third box protected by a linksys the results were numerous ports closed with the rest being lumped together as XXXX ports filtered.

Aside from the obvious inconsistency in the results above the question is if there is a machine on the other side of a linksys that has say port 2222 open how is NMap deciding if it is "filtered". Surely the packet would be dropped or return a "closed" putting it into the list closed. It can't be just because the packet is being dropped, (no response), because it is selecting ports I know to be open on the other side of the linksys.