Skip to content
Latchkey

nmap: Scan Ports to See What Is Reachable in CI

nmap scans a host for open ports and reports each as open, closed, or filtered, which tells you whether a firewall or a stopped service is the problem.

nmap goes beyond a single-port check: it tells closed (refused) apart from filtered (silently dropped), which is exactly the distinction between "service not running" and "firewall blocking" that CI connectivity bugs hinge on.

What it does

nmap probes the requested ports and classifies each. "open" means a service accepted the connection, "closed" means the host replied with a reset (reachable, nothing listening), and "filtered" means no reply at all (a firewall is dropping packets). That three-way result is more informative than a single nc check.

Common usage

Terminal
# scan specific ports on a host
nmap -p 5432,6379,443 db.internal
# skip host discovery (ICMP often blocked); just scan
nmap -Pn -p 5432 db.internal
# TCP connect scan, no root needed
nmap -sT -p 443 api.example.com

Options

FlagWhat it does
-p <ports>Ports to scan (list, range, or 1-65535)
-PnSkip host discovery, treat host as up
-sTTCP connect scan (no raw sockets, no root)
-sSSYN scan (faster, needs root)
-nDo not resolve hostnames
--openShow only open ports

In CI

Add -Pn in cloud and container networks where ICMP is blocked, otherwise nmap may decide the host is down and skip the scan entirely. Use -sT when running without root, since the default SYN scan needs raw-socket privileges the runner may not have.

Common errors in CI

"Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn" means discovery failed; add -Pn. A port shown as "filtered" means a firewall is dropping packets, not that the service is down; "closed" means the service is not listening. "You requested a scan type which requires root privileges" means using -sT instead of -sS.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →